Forum Discussion
Traffic Path - Azure Virtual Desktop
- Jul 26, 2021
Yes, it does in regard to Internet traffic, unless you have Forced Tunneling enabled to force traffic back over a Site-to-Site VPN. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm
Also check out RDP Shortpath: https://docs.microsoft.com/en-us/azure/virtual-desktop/shortpath
The actual Azure Load Balancer/Brokers and Azure Virtual Desktop gateways are all running in the Azure fabric, and the session hosts don't need Public IPs. The only thing you might need a firewall for is logging the traffic, blocking traffic between VNETs and blocking outgoing web traffic.
- TaranjeetSM11 Jul 26, 2021 Copper Contributor
Thanks Luke
It is correct to say that:
1. The outgoing AVD traffic (not the Internet access) is going to pass through the default Azure NAT Gateway, and if we want to control / police this without a default route, an NVA / firewall is inevitable?
2. The reverse connect traffic is all HTTPS (TCP 443) or web traffic, but it doesn't require anything like App Gateway because it's not originated from outside of Azure - always Azure originated?
Thanks
Taranjeet Singh
- lukemurraynz Jul 26, 2021 Learn Expert
1. The outgoing AVD traffic (not the Internet access) is going to pass through the default Azure NAT Gateway, and if we want to control / police this without a default route, an NVA / firewall is inevitable?
Yes, although I don't know how much control or visibility you would have over this kind of traffic, as it would stop the AVD brokers/gateway from communicating to the session hosts. I doubt you could control this, only the traffic to and from the session hosts (not the backend NAT gateway).
2. The reverse connect traffic is all HTTPS (TCP 443) or web traffic, but it doesn't require anything like App Gateway because it's not originated from outside of Azure - always Azure originated?
Yep - https://ryanmangansitblog.com/2019/11/09/a-deep-dive-in-to-windows-virtual-desktop-reverse-connect/
Keep in mind Firewall/NVA will offer better logging, visibility and ability to lock down traffic etc, but it is not a requirement.
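The two points above (a 0.0.0.0/0 user-defined route is what diverts session-host egress away from the platform NAT and into an NVA, and the reverse-connect path is outbound HTTPS that needs no inbound exposure) can be shown in one Az PowerShell script. This is an added example, not code from the thread or from either participant; the resource group, VNet, subnet, prefixes, firewall name and private IP are assumed placeholders, and the firewall is assumed to be Azure Firewall (any NVA works as the route's next hop, but the rule cmdlets are Azure Firewall specific).

```powershell
# Added example (not from the thread): force session-host egress through an
# Azure Firewall / NVA and allow only the AVD control-plane traffic through it.
# All names, prefixes and IPs below are assumed placeholders.
$rg          = 'rg-avd'              # assumed resource group
$location    = 'australiaeast'       # assumed region
$vnetName    = 'vnet-avd'            # assumed VNet
$subnetName  = 'snet-sessionhosts'   # assumed session-host subnet
$subnetCidr  = '10.10.1.0/24'        # assumed session-host prefix
$fwName      = 'azfw-hub'            # assumed Azure Firewall
$fwPrivateIp = '10.10.0.4'           # assumed firewall private IP (UDR next hop)

# 1. Default route. Without this UDR the Azure system route sends
#    Internet-bound traffic straight out via the platform NAT, which is the
#    "no default route" situation the thread describes.
$defaultRoute = New-AzRouteConfig -Name 'to-firewall' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name 'rt-sessionhosts' -ResourceGroupName $rg `
    -Location $location -Route $defaultRoute -DisableBgpRoutePropagation

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnetCidr -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 2. Firewall rules. Reverse connect / broker traffic is outbound HTTPS from
#    the session hosts, so it is allowed by the WindowsVirtualDesktop FQDN tag
#    (application rule) and service tag (network rule); no inbound port and no
#    public IP on the session hosts is needed. Everything else is denied and
#    logged by the firewall's default behaviour.
$appRule = New-AzFirewallApplicationRule -Name 'allow-avd-fqdn' `
    -SourceAddress $subnetCidr -FqdnTag 'WindowsVirtualDesktop'
$appColl = New-AzFirewallApplicationRuleCollection -Name 'avd-app' -Priority 200 `
    -Rule $appRule -ActionType Allow

$netRule = New-AzFirewallNetworkRule -Name 'allow-avd-443' -Protocol TCP `
    -SourceAddress $subnetCidr -DestinationAddress 'WindowsVirtualDesktop' `
    -DestinationPort 443
$netColl = New-AzFirewallNetworkRuleCollection -Name 'avd-net' -Priority 200 `
    -Rule $netRule -ActionType Allow

$azfw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$azfw.ApplicationRuleCollections.Add($appColl)
$azfw.NetworkRuleCollections.Add($netColl)
Set-AzFirewall -AzureFirewall $azfw | Out-Null

# 3. Check the effective route on one session-host NIC (assumed name prefix
#    'vm-avd-'). With the UDR applied, 0.0.0.0/0 should show NextHopType
#    VirtualAppliance rather than Internet.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg |
    Where-Object { $_.Name -like 'vm-avd-*' } | Select-Object -First 1
Get-AzEffectiveRouteTable -NetworkInterfaceName $nic.Name -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Format-Table Source, State, AddressPrefix, NextHopType, NextHopIpAddress
```

The rule collections above cover only the AVD control-plane tags; session hosts also need whatever else is on Microsoft's required-URL list for the deployment (for example monitoring, activation and update endpoints), which should be added as further rules rather than by widening the default route. The effective-route check at the end is the quickest way to confirm the UDR is actually applied to the subnet the VMs sit in, since a route table that exists but is not associated changes nothing.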