cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Traffic Path - Azure Virtual Desktop

Taranjeet Malik
Copper Contributor

‎Jul 25 2021 08:11 PM

‎Jul 25 2021 08:11 PM

Traffic Path - Azure Virtual Desktop

Hi Guys

 

Is there any documentation available that explains the actual network path that client to session host traffic takes both to and from. The article does explains the connection flow (how it is established), however, doesn't clarifies the actual path.

 
Specifically, what I'm trying to understand is - At the end of the reverse connect process when a channel is established between client on Internet and the session host in customers' Azure VNet. Does the outgoing traffic originated from AVD infrastructure, exits from customers' VNet ? If yes, does that mean there's a need for an NVA / firewall in the Azure environment?
 
I know that an NVA is recommended to filter and provide controlled internet access to users of the virtual desktop (here--> https://docs.microsoft.com/en-us/azure/virtual-desktop/security-guide#consider-which-users-should-ac...). However, assuming the users don't need Internet access, do we still need this NVA / firewall?
 
Thanks
Taranjeet Singh 
5,147 Views
0 Likes
3 Replies
Reply
3 Replies
Luke Murray

‎Jul 26 2021 01:23 AM

‎Jul 26 2021 01:23 AM

Re: Traffic Path - Azure Virtual Desktop

Does the outgoing traffic originate from AVD infrastructure, exit from customers' VNet ?

Yes, it does in regards to Internet Traffic, unless you have Force Tunneling enabled, to force traffic back over a Site to Site VPN. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm
Also check out RDP short-path: https://docs.microsoft.com/en-us/azure/virtual-desktop/shortpath

The actual Azure Load balancer/Brokers and Azure Virtual Desktop gateways are all running in the Azure fabric, the session hosts don't need Public IPs, the only thing you might need a firewall for is for logging the traffic, blocking traffic between VNETs and blocking outgoing web traffic.

0 Likes
Reply
Taranjeet Malik

‎Jul 26 2021 02:49 AM

‎Jul 26 2021 02:49 AM

Re: Traffic Path - Azure Virtual Desktop

Thanks Luke

It is correct to say that:

1. The outgoing AVD traffic (not the Internet access) is going to pass through default Azure NAT Gateway and if we want to control / police this without default route, a NVA / firewall is inevitable?

2. The reverse connect connect traffic is all HTTPS (TCP 443) or web traffic, but it doesn't requires anything like App Gateway because it's not originated from outside of Azure - always Azure originated?

Thanks
Taranjeet Singh
0 Likes
Reply
best response confirmed by Taranjeet Malik (Copper Contributor)
Luke Murray

‎Jul 26 2021 03:12 AM - edited ‎Jul 26 2021 03:13 AM

‎Jul 26 2021 03:12 AM - edited ‎Jul 26 2021 03:13 AM

Solution

Re: Traffic Path - Azure Virtual Desktop


1. The outgoing AVD traffic (not the Internet access) is going to pass through default Azure NAT Gateway and if we want to control / police this without default route, a NVA / firewall is inevitable?

Yes, although I don't know how much control or visibility you would have over this kind of traffic, as it would stop the AVD brokers/gateway from communicating to the session hosts, I doubt you could control this, only the traffic to and from the session hosts (not the backend NAT gateway).

2. The reverse connect traffic is all HTTPS (TCP 443) or web traffic, but it doesn't requires anything like App Gateway because it's not originated from outside of Azure - always Azure originated?

Yep - https://ryanmangansitblog.com/2019/11/09/a-deep-dive-in-to-windows-virtual-desktop-reverse-connect/

 

Keep in mind Firewall/NVA will offer better logging, visibility and ability to lock down traffic etc but it is not a requirement.

 

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Taranjeet Malik (Copper Contributor)
Luke Murray

‎Jul 26 2021 03:12 AM - edited ‎Jul 26 2021 03:13 AM

‎Jul 26 2021 03:12 AM - edited ‎Jul 26 2021 03:13 AM

Solution

Re: Traffic Path - Azure Virtual Desktop


1. The outgoing AVD traffic (not the Internet access) is going to pass through default Azure NAT Gateway and if we want to control / police this without default route, a NVA / firewall is inevitable?

Yes, although I don't know how much control or visibility you would have over this kind of traffic, as it would stop the AVD brokers/gateway from communicating to the session hosts, I doubt you could control this, only the traffic to and from the session hosts (not the backend NAT gateway).

2. The reverse connect traffic is all HTTPS (TCP 443) or web traffic, but it doesn't requires anything like App Gateway because it's not originated from outside of Azure - always Azure originated?

Yep - https://ryanmangansitblog.com/2019/11/09/a-deep-dive-in-to-windows-virtual-desktop-reverse-connect/

 

Keep in mind Firewall/NVA will offer better logging, visibility and ability to lock down traffic etc but it is not a requirement.

 

View solution in original post

0 Likes
Reply