SOLVED

Traffic Path - Azure Virtual Desktop


Hi Guys

Is there any documentation available that explains the actual network path that client-to-session-host traffic takes, both to and from? The article does explain the connection flow (how it is established); however, it doesn't clarify the actual path.

Specifically, what I'm trying to understand is: at the end of the reverse connect process, when a channel is established between the client on the Internet and the session host in the customer's Azure VNet, does the outgoing traffic originating from AVD infrastructure exit from the customer's VNet? If yes, does that mean there's a need for an NVA / firewall in the Azure environment?

I know that an NVA is recommended to filter and provide controlled Internet access to users of the virtual desktop (here --> https://docs.microsoft.com/en-us/azure/virtual-desktop/security-guide#consider-which-users-should-ac...). However, assuming the users don't need Internet access, do we still need this NVA / firewall?

Thanks
Taranjeet Singh
Does the outgoing traffic originating from AVD infrastructure exit from the customer's VNet?

Yes, it does with regard to Internet traffic, unless you have forced tunneling enabled to force traffic back over a site-to-site VPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm
Also check out RDP Shortpath: https://docs.microsoft.com/en-us/azure/virtual-desktop/shortpath

The actual Azure load balancers/brokers and Azure Virtual Desktop gateways are all running in the Azure fabric, and the session hosts don't need public IPs. The only things you might need a firewall for are logging the traffic, blocking traffic between VNets and blocking outgoing web traffic.

Thanks Luke

Is it correct to say that:

1. The outgoing AVD traffic (not the Internet access) is going to pass through the default Azure NAT gateway, and if we want to control / police this without a default route, an NVA / firewall is inevitable?

2. The reverse connect traffic is all HTTPS (TCP 443) or web traffic, but it doesn't require anything like App Gateway because it doesn't originate from outside of Azure; it is always Azure originated?

Thanks
Taranjeet Singh
best response confirmed by Taranjeet Malik (Occasional Contributor)
Solution


1. The outgoing AVD traffic (not the Internet access) is going to pass through the default Azure NAT gateway, and if we want to control / police this without a default route, an NVA / firewall is inevitable?

Yes, although I don't know how much control or visibility you would have over this kind of traffic, as it would stop the AVD brokers/gateway from communicating with the session hosts. I doubt you could control this, only the traffic to and from the session hosts (not the backend NAT gateway).

2. The reverse connect traffic is all HTTPS (TCP 443) or web traffic, but it doesn't require anything like App Gateway because it doesn't originate from outside of Azure; it is always Azure originated?

Yep - https://ryanmangansitblog.com/2019/11/09/a-deep-dive-in-to-windows-virtual-desktop-reverse-connect/


Keep in mind Firewall/NVA will offer better logging, visibility and ability to lock down traffic etc but it is not a requirement.
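The two designs discussed in this thread, as an added example that is not part of the original posts: an NSG-only session-host subnet (no NVA, reverse connect still works because it is outbound TCP 443 to the AVD control plane), and the same subnet with a default route to an NVA when logging and visibility are wanted. Uses the Az PowerShell module; resource names, region, subnet and NVA IP are hypothetical placeholders.

```powershell
# Added example (not from the thread). Two egress designs for an AVD session-host subnet:
#   A) no NVA: an NSG allows outbound TCP 443 to the AVD control plane and denies other
#      Internet egress (works, but gives no visibility beyond NSG flow logs);
#   B) NVA: a 0.0.0.0/0 route sends egress to the NVA, which then does the filtering
#      and logging, so the NSG only keeps the AVD allow rule.
# Resource names, region, subnet and NVA IP below are hypothetical placeholders.
$rg = 'rg-avd-example'; $location = 'australiaeast'
$vnetName = 'vnet-avd-example'; $subnetName = 'snet-sessionhosts'
$useNva = $true; $nvaIp = '10.0.0.4'   # NVA private IP, hypothetical

# Reverse connect is outbound-only from the session host: TCP 443 to the AVD control
# plane (WindowsVirtualDesktop service tag). No inbound rule or public IP is needed.
$rules = @(New-AzNetworkSecurityRuleConfig -Name 'Allow-AVD-ControlPlane-443' `
  -Direction Outbound -Access Allow -Protocol Tcp -Priority 100 `
  -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
  -DestinationAddressPrefix WindowsVirtualDesktop -DestinationPortRange 443)

if (-not $useNva) {
  # Design A: deny the rest here. Add allow rules first for the other endpoints in
  # Microsoft's AVD required-URL list (identity, activation, agent updates), or the
  # hosts will fail to register with the service.
  $rules += New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-Egress' `
    -Direction Outbound -Access Deny -Protocol * -Priority 4000 `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange * `
    -DestinationAddressPrefix Internet -DestinationPortRange *
}
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-avd-sessionhosts' -ResourceGroupName $rg `
  -Location $location -SecurityRules $rules

$rt = $null
if ($useNva) {
  # Design B: override the platform default (NAT straight to the Internet) so every
  # egress flow, including the 443 reverse-connect channel, traverses the NVA and is
  # logged there. The NVA must permit the AVD control-plane flows or sessions will fail.
  $route = New-AzRouteConfig -Name 'Default-To-NVA' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $nvaIp
  $rt = New-AzRouteTable -Name 'rt-avd-sessionhosts' -ResourceGroupName $rg `
    -Location $location -Route $route
}

# Bind the NSG (and route table, if any) to the existing session-host subnet,
# keeping its current address prefix.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$prefix = ($vnet.Subnets | Where-Object Name -eq $subnetName).AddressPrefix
$params = @{ VirtualNetwork = $vnet; Name = $subnetName; AddressPrefix = $prefix
             NetworkSecurityGroup = $nsg }
if ($rt) { $params.RouteTable = $rt }
Set-AzVirtualNetworkSubnetConfig @params | Set-AzVirtualNetwork
```

Neither design opens an inbound path to the session hosts; the difference is only whether egress is filtered and logged at the NSG or at the NVA.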