I'm currently using Azure Virtual Desktop and while it's been generally reliable, I've started questioning our setup after receiving a recent notice. We have a User Defined Route (UDR) directing traffic from 0.0.0.0/0 to a Fortigate Virtual Appliance. My concern is whether this is the optimal configuration, as it routes our broker connections through the appliance. I'm considering creating a new UDR that points TURN traffic directly to the Microsoft internet instead, using a service tag. Here's what I'm thinking:
* **Destination Type:** Service Tag
* **Destination Service Tag:** WindowsVirtualDesktop
* **Next Hop Type:** Internet
Does this change make sense for improving stability?
2 Answers
It used to be common practice according to Microsoft documentation, but finding that info now is tricky. The last I found was a note saying that routing directly to Microsoft's backbone could help avoid disconnections. For all my AVD setups, I've typically sent that service tag straight to the Internet as the next hop. Check this link out for more detail: https://learn.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop#prerequisites.
I can't find any documentation about it either but sounds like I am on the right track.
In our setup with multiple AVD pools across regions, we route all traffic through 0.0.0.0/0 to our NVA, but we also direct specific routes for ACS range, TURN range, and the WVD service tag directly to the Internet. This approach has been essential to prevent AVD traffic from unnecessarily going through our NVA globally. Now, only Internet-bound traffic goes through our firewall in the US.
Doesn't Microsoft's advice on this conflict with them getting rid of Default Outbound Access later this year?
Thank you for the response. Just so I understand correctly, in the subnet where your AVD hosts are, you add a UDR with service tag WVD directly to the Internet? You also add a UDR to the TURN relay range (51.5.0.0/16)?
How would the updates to default outbound internet access affect this?