Can Azure Virtual Desktop Function with Forced Tunneling?
Is it possible for Azure Virtual Desktop (AVD) to operate with forced tunneling? The scenario is as follows:
- AVD is deployed in a VNet that is peered with a hub VNet containing Azure Firewall and a VPN gateway.
- Internet traffic from the AVD needs to be directed to the firewall with forced tunneling configured, which then routes traffic to the VPN Gateway. This gateway has a site-to-site connection to an on-premises firewall and web proxies.
Will this configuration work? Specifically, will users be able to access AVD from the internet?
Azure Virtual Desktop
-
Lijitha B 495 Reputation points • Microsoft Vendor
2024-10-17T15:47:15.64+00:00 Hi Danny Chuah,
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
You can configure Azure Virtual Desktop to work with forced tunneling in the scenario you've outlined. Your AVD is deployed in a Virtual Network that is peered with a hub VNet. This is a standard setup for leveraging central resources like firewalls and VPN gateways.
This setup will allow users to access Azure Virtual Desktop from the internet. However, it is important that their traffic will pass through the Azure Firewall and the VPN Gateway, which could add some delay. Make sure the right ports and protocols are open on both the Azure Firewall and your on-premises firewall to ensure smooth traffic flow.
Please take a look at the documents below:
Azure Firewall forced tunneling
Network topology and connectivity for Azure Virtual Desktop
About forced tunneling for site-to-site configurations
Azure Virtual Desktop documentation for users
If you have any further queries, do let us know.
If the comment is helpful, please click upvote on this post.
-
Danny Chuah 40 Reputation points
2024-10-18T04:33:05.61+00:00 Hi @Lijitha B
Thank you for your response, but we've tried forced tunnelling and the AVDs become unavailable, as the AVDs need to talk to the broker services and these services only allow traffic from Azure IPs. Therefore I'm hoping someone who has deployed the above can share how they were able to resolve it.
Danny
-
Lijitha B 495 Reputation points • Microsoft Vendor
2024-10-18T16:55:07.1+00:00 Hi Danny Chuah,
Thanks for replying back to us. We are looking into it and will get back to you soon.
-
Lijitha B 495 Reputation points • Microsoft Vendor
2024-10-21T17:02:45.2666667+00:00 Hi Danny Chuah,
Thanks for your response,
I have further investigated this issue and found some information which might be useful.
Create rules in Azure Firewall that specifically allow outbound traffic to the Azure IPs required for AVD. Allow traffic on necessary ports (e.g., 443 for HTTPS) to these Azure services.
All Internet-bound traffic goes directly to the Internet if you don't have forced tunneling configured. When forced tunneling is configured, all Internet-bound traffic is sent to your on-premises location. In some cases, you may want Internet-bound traffic only from certain subnets (but not all subnets) to traverse from the Azure network infrastructure directly out to the Internet, rather than to your on-premises location. This scenario can be configured using a combination of forced tunneling and virtual network custom user-defined routes (UDRs).
Route Internet-bound traffic for specific subnets
If you feel that your queries have been resolved, or if this was helpful, please click "Upvote" on this post to let us know.
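To make the routing behaviour in the answer above concrete, here is an added example (not from the thread, and not Microsoft's code or documentation). It is a small longest-prefix-match simulator for Azure user-defined routes, modelling the layout in the question: the AVD spoke subnet sends 0.0.0.0/0 to Azure Firewall, and AzureFirewallSubnet is forced-tunneled (0.0.0.0/0 to the VPN gateway). It shows why the session hosts' control-plane traffic ends up leaving through the on-premises gateway, and how a more specific route for the AVD service prefix keeps that traffic on Azure's own internet path so the broker still sees an Azure source IP. All addresses and prefixes are constructed placeholders; `203.0.113.0/24` stands in for the real AVD service ranges, which Azure publishes as a service tag rather than as a fixed list.

```python
"""Longest-prefix-match simulator for Azure user-defined routes (UDRs).

Added example, not from the Q&A thread. Every IP and prefix below is a
constructed placeholder. Only UDRs are modelled; Azure's tie-break between
UDR, BGP and system routes is out of scope for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                         # CIDR as it would appear in a route table entry
    next_hop_type: str                  # "VirtualAppliance" | "VirtualNetworkGateway" | "Internet" | "VnetLocal"
    next_hop_ip: Optional[str] = None   # only meaningful for VirtualAppliance (the firewall)


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Pick the route with the longest matching prefix, which is how Azure
    selects among routes of the same origin. None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def egress_path(spoke_routes: List[Route], firewall_routes: List[Route], dst: str) -> List[str]:
    """Follow a packet from the AVD subnet to its exit point. The last element is
    'internet' (leaves with an Azure public IP), 'on-premises' (leaves via the
    VPN gateway, so the service sees the on-premises NAT address) or 'vnet-local'."""
    hops: List[str] = []
    r = lookup(spoke_routes, dst)
    if r is None or r.next_hop_type == "Internet":
        return hops + ["internet"]
    if r.next_hop_type == "VirtualNetworkGateway":
        return hops + ["vpn-gateway", "on-premises"]
    if r.next_hop_type == "VirtualAppliance":
        hops.append(f"firewall@{r.next_hop_ip}")
        # The firewall forwards according to its own subnet's route table.
        r2 = lookup(firewall_routes, dst)
        if r2 is None or r2.next_hop_type == "Internet":
            return hops + ["internet"]
        if r2.next_hop_type == "VirtualNetworkGateway":
            return hops + ["vpn-gateway", "on-premises"]
    return hops + ["vnet-local"]


def unreachable_services(spoke_routes: List[Route], firewall_routes: List[Route],
                         service_ips: List[str]) -> List[str]:
    """AVD service endpoints whose traffic would exit on-premises and therefore
    arrive at the broker from a non-Azure source IP."""
    return [ip for ip in service_ips
            if egress_path(spoke_routes, firewall_routes, ip)[-1] == "on-premises"]


# --- constructed sample topology -------------------------------------------
FIREWALL_IP = "10.0.1.4"               # placeholder: Azure Firewall private IP in the hub
AVD_CONTROL_PLANE = "203.0.113.0/24"   # placeholder for an AVD service range (real ranges come from the service tag)
SERVICE_IPS = ["203.0.113.10", "203.0.113.200"]   # constructed endpoints inside that range

SPOKE_FORCED = [
    Route("10.1.0.0/16", "VnetLocal"),                   # the AVD spoke VNet itself
    Route("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP),  # everything else goes to the hub firewall
]
FIREWALL_FORCED = [
    Route("0.0.0.0/0", "VirtualNetworkGateway"),         # forced tunneling: default route to on-premises
]
# The more specific UDR from the "route Internet-bound traffic for specific
# subnets" pattern: the AVD service prefix stays on Azure's internet path.
FIREWALL_FIXED = FIREWALL_FORCED + [Route(AVD_CONTROL_PLANE, "Internet")]

if __name__ == "__main__":
    print("forced tunneling only :", unreachable_services(SPOKE_FORCED, FIREWALL_FORCED, SERVICE_IPS))
    print("with specific route   :", unreachable_services(SPOKE_FORCED, FIREWALL_FIXED, SERVICE_IPS))
    print("path for 8.8.8.8      :", egress_path(SPOKE_FORCED, FIREWALL_FORCED, "8.8.8.8"))
```

The first run lists both placeholder endpoints as leaving on-premises, which is the symptom Danny describes; after the more specific route is added the list is empty while ordinary internet traffic (8.8.8.8) still goes through the firewall and the VPN gateway. In a real deployment the same check is worth repeating against the effective routes Azure reports for a session host NIC, because a forced-tunneled Azure Firewall also needs its own management subnet and public IP for control traffic, and any default route that captures that subnet will take the firewall down as well.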
-
Lijitha B 495 Reputation points • Microsoft Vendor
2024-10-22T16:02:51.13+00:00 Hi Danny Chuah,
Just checking in to see if you have got a chance to see the comment posted in resolving the issue. If you have any further updates on this issue, please feel free to reach out!
-
Danny Chuah 40 Reputation points
2024-10-23T00:09:12.7533333+00:00 Hi Lijitha B,
Thank you for taking the time to answer, but none of the links you've specified show how I can direct my internet traffic to the on-premises firewall without breaking AVD availability. As I understand it, AVD will break as the AVD services, e.g. the broker service, will only allow known Azure IPs to connect to them and won't allow public IPs from my on-premises gateway to connect, and therefore the AVD's host will show as unavailable.
Please let me know if you know of any real-world solution on how to route traffic so that the AVD will still work when directing internet traffic to on-premise firewall. Thanks.
-
Lijitha B 495 Reputation points • Microsoft Vendor
2024-10-23T16:29:36.3533333+00:00 Hi Danny Chuah,
Thank you for your patience. We are checking with our internal team and will get back to you.
-
Lijitha B 495 Reputation points • Microsoft Vendor
2024-10-24T18:32:14.7466667+00:00 Hi Danny Chuah,
Have you made any progress or tried anything from your end? Please let us know while we are checking with the internal team.
Thank you!
-
Lijitha B 495 Reputation points • Microsoft Vendor
2024-10-25T13:34:25.39+00:00 Hi Danny Chuah,
Thank you for your patience.
Azure environment and on-premises network and configuring routing appropriately, you can effectively manage internet traffic through your on-premises firewall without disrupting AVD availability. This approach allows you to maintain the necessary connectivity for AVD services while also securing specific traffic as needed. Please ensure that you are not blocking the traffic from on-prem to AVD.
Forced tunneling
If you have any further queries, do let us know.
-
Lijitha B 495 Reputation points • Microsoft Vendor
2024-10-28T17:49:51.71+00:00 Hi Danny Chuah,
I'm just checking to see if you've got any resolution on the given above. Please let us know if you need any assistance.
-
Lijitha B 495 Reputation points • Microsoft Vendor
2024-10-29T09:18:50.71+00:00 Hi Danny Chuah,
Let us know if the issue has been resolved. If you have any further queries, do let us know.