Network Deployment Options

Windows 365 provides two deployment options for network connectivity used by the Cloud PC.

  • Microsoft Hosted Network - (Recommended)

  • Azure Network Connection (ANC) - (For legacy or specialized requirements)

Microsoft Hosted Network is the recommended deployment option for most scenarios. It’s simple, modern, and aligns with Zero Trust principles. This approach is preferred because it reduces complexity and management overhead. Azure Network Connection (ANC) is an alternative when legacy requirements, such as Hybrid Azure AD Join or direct line-of-sight to the corporate network, can't be avoided.

You should choose the Microsoft Hosted Network option when deploying Cloud PCs. Only revert to ANC deployments as a last resort.

Microsoft Hosted Network is a fully managed option where Microsoft configures and manages the underlying network for your Cloud PCs. This approach delivers a complete SaaS deployment of Windows 365, simplifying network management, enhancing security, and reducing costs. It’s an ideal choice for organizations that want a modern, simple, secure, and scalable Windows 365 deployment.

When you choose Microsoft Hosted Network, the only infrastructure setup required is the choice of region for deployment. Microsoft takes care of the rest, including any future management and maintenance requirements.

Benefits of the Microsoft Hosted Network option

Choosing Microsoft Hosted Network reduces complexity, accelerates time to value, and improves reliability for Windows 365.

  • Simple by design - No customer‑managed Azure Virtual Network, firewalls, routes/UDRs, NAT gateways, or rules to build and maintain. All that is required is to choose a region to deploy to; for best provisioning success, select Automatic.

  • Rapid deployment - Minimal dependencies on customer network elements enable Cloud PCs to be deployed quickly.

  • Elastic capacity - Microsoft manages scale, so you can add large numbers of Cloud PCs on demand without first expanding network infrastructure. For example, cross‑region disaster recovery doesn't require pre‑provisioned networking when Microsoft Hosted Network is chosen.

  • Lower infrastructure cost - You don't pay to run Virtual Networks, network virtual appliances, bandwidth, or NAT gateways for Cloud PCs; Microsoft operates the underlying network on your behalf.

  • Lower operational overhead - No dedicated Azure networking team is needed to configure or maintain this environment.

  • No Azure subscription required - Microsoft supplies and manages the Azure infrastructure that Cloud PCs need to operate.

  • Aligned with Zero Trust - Access is based on identity, device, workload, and data signals rather than network location. Modern Secure Web Gateway (SWG) and Private Access tools on the device integrate well with this model.

  • High‑throughput connectivity - Cloud PCs have high‑speed connectivity and direct entry onto Microsoft’s global network for services like Microsoft 365.

  • Secure by default - Only outbound connections are allowed; no inbound or lateral connectivity is possible. Apply your standard VPN or SWG on the device in the same way as you do on your managed laptops.

  • Simpler operations - Troubleshooting is more straightforward and fits modern device management via Intune policies, security controls, and built‑in reporting.

  • Higher reliability - A managed, standardized network reduces the risk of misconfiguration and improves overall Cloud PC reliability.

Considerations for Microsoft Hosted Network

Before you choose Microsoft Hosted Network, review these points to confirm it fits your deployment goals.

  • Not compatible with Microsoft Entra hybrid join - This model supports only cloud-joined Cloud PCs and has no direct connectivity to on-premises Active Directory Domain Services (AD DS). If you depend on Group Policy, migrate those policies to Microsoft Intune by using the Settings Catalog, ADMX ingestion, or security baselines.

  • No customer control of the VNet - The virtual network is fully managed by Microsoft. Apply outbound controls on the Cloud PC (for example, device‑based VPN/SWG client rules, Windows Firewall, Microsoft Defender for Endpoint web controls) or at your organization’s internet egress, not inside the VNet.

  • VPN or Private Access solution required to access on-premises resources - Use a VPN or Private Access/ZTNA solution to reach on‑prem apps. Split tunneling is required so RDP and other service traffic to Windows 365 doesn't traverse the VPN. This pattern aligns with a Zero Trust approach.

  • Cloud‑native management required - Plan for modern endpoint management with Intune rather than GPO‑centric operations.

Default network restrictions

  • Port 25 (SMTP) is blocked.

  • ICMP/ping is blocked.

  • No lateral (Cloud PC to Cloud PC) communication.

  • No direct inbound connectivity to Cloud PCs.

  • IP addressing is service‑managed. You can’t choose private IP ranges or outbound NAT address space. Windows 365 assigns and manages IP addressing automatically.

Diagram: Microsoft Hosted Network option

Diagram 1: Example Microsoft Hosted Network Deployment

This diagram shows three key elements of Microsoft Hosted Network:

  1. Both the Cloud PC and its underlying network connectivity are deployed into an environment fully managed by Microsoft

  2. Outbound connectivity can be managed with a modern Secure Web Gateway and Private Access solution deployed to the Cloud PC.

  3. Alternatively, a traditional VPN can be used.

Both 2 and 3 can be provided in the same way you may already provide them for roaming users' devices.

Azure Network Connection Deployment Option

When to choose Azure Network Connection (ANC)

Use ANC when you have specific legacy or network requirements that can't be met with Microsoft Hosted Network, for example:

  • Microsoft Entra hybrid join is required.

  • Apps/services require direct line‑of‑sight to on‑premises resources (for example, AD DS, Kerberos/NTLM, SMB shares, legacy protocols).

  • You’re not ready to move fully to a Zero Trust model and need more time for the transition.

  • You require privately managed connectivity from on‑premises networks to Cloud PCs (for example, site‑to‑site VPN, ExpressRoute, fixed egress IPs, private DNS).

Recommendation: Operate Microsoft Hosted Network as your default. Use ANC only for personas and scenarios that strictly require it. Both models can run side by side.

What ANC provides

  • Full Virtual Network (VNet) control. The Cloud PC's virtual network interface card (vNIC) lives in your Azure subscription and VNet. You control Network Security Groups (NSGs), User Defined Routes (UDRs), route tables, Azure Firewall, NAT Gateway, and logging.

  • Direct connectivity to on‑premises. Use site‑to‑site VPN or ExpressRoute for access to AD DS, file shares, print servers, and on‑premises apps.

  • “On‑network” behavior. Extending the corporate network to the VNet lets Cloud PCs operate as if they’re inside your network boundary.

  • Peering to other VNets. Peer the Cloud PC VNet with other Azure VNets and reach Azure‑hosted resources directly.
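With ANC, none of the default restrictions listed under Microsoft Hosted Network (no inbound, no lateral traffic, no port 25, no ICMP) are applied for you; the NSG on the Cloud PC subnet is where you reproduce them. The following Bicep fragment is an added example, not configuration from the Windows 365 documentation, and assumes a placeholder NSG name and a Cloud PC subnet prefix of 10.20.0.0/24.

```bicep
// Added example: an NSG for the Cloud PC subnet in an ANC deployment that mirrors the
// Microsoft Hosted Network default restrictions. Names and the subnet prefix are assumptions.
param location string = resourceGroup().location
param cloudPcSubnetPrefix string = '10.20.0.0/24'

// Lower priority number wins. Explicit Deny rules are needed because the built-in
// AllowVnetInBound / AllowVnetOutBound defaults (priority 65000) would otherwise permit
// inbound and lateral (Cloud PC to Cloud PC) traffic inside the VNet.
var rules = [
  { name: 'Deny-Inbound-All',     dir: 'Inbound',  prio: 4000, proto: '*',    dst: '*',                 port: '*' }
  { name: 'Deny-Lateral-CloudPC', dir: 'Outbound', prio: 100,  proto: '*',    dst: cloudPcSubnetPrefix, port: '*' }
  { name: 'Deny-Outbound-SMTP',   dir: 'Outbound', prio: 110,  proto: 'Tcp',  dst: '*',                 port: '25' }
  { name: 'Deny-Outbound-ICMP',   dir: 'Outbound', prio: 120,  proto: 'Icmp', dst: '*',                 port: '*' }
]

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-cloudpc-anc'   // placeholder name
  location: location
  properties: {
    securityRules: [for r in rules: {
      name: r.name
      properties: {
        priority: r.prio
        direction: r.dir
        access: 'Deny'
        protocol: r.proto
        sourceAddressPrefix: '*'
        sourcePortRange: '*'
        destinationAddressPrefix: r.dst
        destinationPortRange: r.port
      }
    }]
  }
}
```

Outbound traffic to the Windows 365 service endpoints, the internet, and your on-premises networks via the gateway is left to the default AllowInternetOutBound and AllowVnetOutBound rules; only the listed flows are denied, so the deny rules do not interfere with Cloud PC provisioning or reverse-connect session traffic.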

Trade‑offs and responsibilities

Choosing ANC shifts network ownership to your team and increases complexity:

  • Azure subscription required. All networking lives in (and bills to) your subscription.

  • You own design and operations. Addressing, routing, DNS, security controls, logging, high availability and disaster recovery for Network Virtual Appliances (NVAs), patching, capacity, and change management are your responsibility.

  • Higher cost profile. Your organization is responsible for the costs of network bandwidth, network virtual appliances (NVAs), Azure Firewall, NAT Gateway, and log storage in addition to staffing costs to oversee the connectivity infrastructure.

  • Longer timelines. More prerequisites and approvals typically extend deployment considerably compared to Microsoft Hosted Network.

  • Higher risk of misconfiguration. More moving parts can lead to higher risk of connectivity or performance issues if not carefully managed.

Diagram: Azure Network Connection option

Diagram 2: Example ANC Deployment

Key elements shown in this diagram:

  1. The Cloud PC is deployed in a Microsoft-managed Azure environment.

  2. In Azure Network Connection (ANC) deployments, the Cloud PC network interface is placed in a customer-owned and managed virtual network (VNet) within the customer’s subscription. The customer is responsible for providing all required network connectivity to that VNet.

  3. Service connectivity must route directly into Microsoft’s network. Do not route this traffic through on-premises egress points.

  4. High-speed Internet connectivity can be provided directly from Azure. This approach delivers significantly better performance than routing through on-premises egress locations.

  5. Use ExpressRoute or site-to-site VPN to connect the VNet to the corporate network.

Simultaneous deployment options

You can run Microsoft Hosted Network and Azure Network Connection (ANC) side by side. Use ANC only for the subset of users or workloads that have strict legacy needs, such as a Finance team that requires direct line of sight to on‑premises data. For all other users without those requirements, use Microsoft Hosted Network to minimize complexity, cost, and time to value.

Deployment Option comparison

| Category | Microsoft Hosted Network | Azure Network Connection (ANC) |
|---|---|---|
| Recommended use case | Default and preferred option for most users | Only for legacy or specific use cases requiring on-premises access |
| Infrastructure management | Fully managed by Microsoft | Managed by customer |
| Azure subscription required | No | Yes |
| Deployment complexity | Low – minimal setup required | High – requires configuration of Virtual Networks, firewalls, routing, etc. |
| Scalability | High – automatic and flexible | Limited – depends on customer-managed infrastructure |
| Security model | Zero Trust aligned | Traditional network trust model |
| Connectivity to on-premises | Requires VPN or SWG | Direct line-of-sight via site-to-site VPN or ExpressRoute, or point-to-site VPN/SWG |
| Cost implications | No network infrastructure or management costs | Costs incurred for infrastructure, egress, and network management |
| Troubleshooting & reliability | Easier and more reliable due to managed setup | More complex and prone to misconfiguration |
| Use case examples | Cloud-native users, remote workforce, modern identity management | Hybrid join users, legacy apps needing direct access to on-premises resources |
| Limitations | No control over IP ranges or underlying network | Requires Azure networking expertise, longer deployment timelines |