Option to change SCCM client communication with cloud distribution point to use only one fixed IP
The cloud distribution point Azure service gives the SCCM Client a list of Azure Blob Storage URLs to the content files of a package or application.
The client will then download via BITS directly from Blob Storage instead of downloading from the Cloud Distribution Point URL.
For many customers this is a problem because they have to open client firewalls for the whole Azure datacenter IP ranges, or for the whole internet, for the svchost process that hosts the BITS service.
It would be great to have an option to switch the download behavior between two modes:
First Mode: The cloud distribution point as it is. The Client needs full access to the internet or at least to every Azure Datacenter IP.
Second Mode: Switch to a different download behavior so that every communication, even the download, happens only with the cloud distribution point and not with Azure Blob Storage.
If that is the case, the client only needs access to the cloud distribution point's private virtual IP (VIP). Several customers would love that, because it only needs a simple configuration and
would decrease the attack surface if you use a VPN client with a firewall and a simple split-tunneling config. It would also simplify proxy configurations.
This could be achieved if the new cloud proxy would be able to function as a proxy for the cloud DP.
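The following is an added example, not part of the original feature request and not Configuration Manager code. It takes a constructed list of content URLs of the kind a cloud distribution point hands to a client (the cloud DP host name and storage account names are hypothetical), works out which hosts an egress firewall would need to allow under each of the two modes described above, and checks resolved addresses against Storage service-tag prefixes for chosen regions. The `SERVICE_TAGS` dict mimics the layout of the public Azure ServiceTags JSON (a `values` list of entries with `name` and `properties.addressPrefixes`) but its IP ranges are constructed from RFC 5737 documentation space, so the numbers only illustrate how much narrower a per-region `Storage.<Region>` allow-list is than "all Azure" or "the whole internet".

```python
"""
Added example: scope the client-side egress allow-list for cloud DP content.
Names, URLs and IP ranges below are constructed (hypothetical), not taken from
any real environment or from the ServiceTags download.
"""
import ipaddress
from urllib.parse import urlparse

CLOUD_DP_HOST = "clouddp1.contoso.example"  # hypothetical cloud DP FQDN

# Constructed content list: the cloud DP's own URL plus direct Blob Storage URLs.
SAMPLE_CONTENT_URLS = [
    f"https://{CLOUD_DP_HOST}/sccm_cloud/content/pkg0001/manifest",
    "https://stacct1.blob.core.windows.net/content/pkg0001/file1.cab?sv=2019-12-12&sig=x",
    "https://stacct1.blob.core.windows.net/content/pkg0001/file2.cab?sv=2019-12-12&sig=x",
    "https://stacct2.blob.core.windows.net/content/pkg0002/file1.cab?sv=2019-12-12&sig=y",
]

# Constructed service-tag excerpt using RFC 5737 documentation ranges only.
SERVICE_TAGS = {
    "values": [
        {"name": "Storage.WestEurope",
         "properties": {"addressPrefixes": ["203.0.113.0/25", "203.0.113.128/26"]}},
        {"name": "Storage.NorthEurope",
         "properties": {"addressPrefixes": ["198.51.100.0/24"]}},
        {"name": "AzureCloud.WestEurope",
         "properties": {"addressPrefixes": ["203.0.113.0/24", "192.0.2.0/24"]}},
    ]
}


def hosts_by_mode(urls, cloud_dp_host):
    """Return the set of hosts the client must reach in each mode.

    Mode 1 (current behavior): the DP host plus every Blob Storage host.
    Mode 2 (requested): the DP host only, because it would serve the content.
    """
    all_hosts = {urlparse(u).hostname.lower() for u in urls}
    return {"mode1": all_hosts, "mode2": {cloud_dp_host.lower()}}


def storage_prefixes(service_tags, regions):
    """Collect the Storage.<Region> prefixes for the given regions as networks."""
    wanted = {f"Storage.{r}" for r in regions}
    nets = []
    for entry in service_tags["values"]:
        if entry["name"] in wanted:
            nets.extend(ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"])
    return nets


def ip_allowed(ip, prefixes):
    """True if the address falls inside any allowed prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def address_count(prefixes):
    """Total addresses covered after collapsing overlaps; a rough size of the egress surface."""
    collapsed = ipaddress.collapse_addresses(prefixes)
    return sum(net.num_addresses for net in collapsed)


if __name__ == "__main__":
    modes = hosts_by_mode(SAMPLE_CONTENT_URLS, CLOUD_DP_HOST)
    print("mode 1 hosts:", sorted(modes["mode1"]))
    print("mode 2 hosts:", sorted(modes["mode2"]))
    we = storage_prefixes(SERVICE_TAGS, ["WestEurope"])
    print("WestEurope storage prefixes:", [str(n) for n in we], "addresses:", address_count(we))
    print("203.0.113.10 allowed:", ip_allowed("203.0.113.10", we))
    print("198.51.100.5 allowed:", ip_allowed("198.51.100.5", we))
```

Against the real ServiceTags file the same functions show the gap the request is about: mode 1 needs every `*.blob.core.windows.net` host the DP can return (at best the regional Storage tags, which change over time), while mode 2 collapses the allow-list to the single DP VIP.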
I like the idea of the cloud proxy, but the proxy will not limit the traffic between your datacenter and Azure. It is a different story with the cloud DP, because Azure will transfer all the data directly from Blob Storage instead of using ExpressRoute or similar to my datacenter to transfer the data to the client.