Forum Discussion
Traffic Path - Azure Virtual Desktop
- Jul 26, 2021
1. The outgoing AVD traffic (not the Internet access) is going to pass through the default Azure NAT Gateway, and if we want to control/police this without a default route, an NVA/firewall is inevitable?
Yes, although I don't know how much control or visibility you would have over this kind of traffic. As it would stop the AVD brokers/gateway from communicating with the session hosts, I doubt you could control this, only the traffic to and from the session hosts (not the backend NAT gateway).
2. The reverse connect traffic is all HTTPS (TCP 443) or web traffic, but it doesn't require anything like App Gateway because it doesn't originate from outside of Azure; it's always Azure-originated?
Yep - https://ryanmangansitblog.com/2019/11/09/a-deep-dive-in-to-windows-virtual-desktop-reverse-connect/
Keep in mind a firewall/NVA will offer better logging, visibility and the ability to lock down traffic etc., but it is not a requirement.
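The configuration the reply describes, as an added example that is not part of the original post or reply: a user-defined default route (0.0.0.0/0) on the session-host subnet pointing at an Azure Firewall/NVA, plus a network rule that allows only host-originated TCP 443 to the WindowsVirtualDesktop service tag. Everything else is implicitly denied, and no inbound rule exists because reverse connect is always initiated by the session host. Resource names, the address ranges, the region and the firewall's private IP are hypothetical placeholders; the cmdlets are the standard Az.Network ones.

```powershell
# Added example (not from the post). Assumed/hypothetical values:
$rg       = 'rg-avd'
$location = 'westeurope'
$vnetName = 'vnet-avd'
$subnet   = 'snet-sessionhosts'
$hostCidr = '10.10.1.0/24'
$fwName   = 'fw-hub'
$fwPrivIp = '10.0.0.4'    # private IP of the Azure Firewall (or NVA) in the hub

# 1. Default route for the session-host subnet -> firewall.
#    Without this UDR the hosts leave via Azure's default outbound NAT and the
#    reverse-connect traffic never passes the firewall, so it cannot be logged or policed.
$defaultRoute = New-AzRouteConfig -Name 'default-via-fw' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivIp

$rt = New-AzRouteTable -Name 'rt-sessionhosts' -ResourceGroupName $rg `
    -Location $location -Route $defaultRoute

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $hostCidr -RouteTable $rt | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# 2. Firewall network rule: session hosts -> AVD control plane, TCP 443 only.
#    The destination is the WindowsVirtualDesktop service tag (broker/gateway ranges),
#    so the hosts can open their outbound reverse-connect sessions and nothing else.
#    There is deliberately no inbound/DNAT rule: clients never reach the hosts directly.
$avdRule = New-AzFirewallNetworkRule -Name 'avd-reverse-connect' -Protocol TCP `
    -SourceAddress $hostCidr -DestinationAddress 'WindowsVirtualDesktop' -DestinationPort 443

$avdCollection = New-AzFirewallNetworkRuleCollection -Name 'avd-control-plane' `
    -Priority 100 -Rule $avdRule -ActionType Allow

$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$fw.NetworkRuleCollections.Add($avdCollection)
Set-AzFirewall -AzureFirewall $fw | Out-Null
```

Two practical notes. First, this rule set covers only the reverse-connect path the thread is about; real session hosts also need Microsoft's published list of required endpoints (Azure AD sign-in, activation, monitoring and so on), so expect to add further rules, for instance an application rule using the WindowsVirtualDesktop FQDN tag. Second, once the default route is in place, enable diagnostic logging on the firewall: the per-flow allow/deny records are exactly the visibility the reply says a firewall/NVA gives you over this traffic.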
Is it correct to say that:
1. The outgoing AVD traffic (not the Internet access) is going to pass through the default Azure NAT Gateway, and if we want to control/police this without a default route, an NVA/firewall is inevitable?
2. The reverse connect traffic is all HTTPS (TCP 443) or web traffic, but it doesn't require anything like App Gateway because it doesn't originate from outside of Azure; it's always Azure-originated?
Thanks
Taranjeet Singh