Do you route all AVD traffic through a VPN?

My company routes all AVD traffic through GlobalProtect in Azure. The benefits of this include being able to access on-prem resources, connect to AD DS services, and it is secure. The con is that if GP is down, our entire multi-session pool goes down with it.

Wondering if there is a better way to architect this, and also to hear if anyone else sets this up the same way.

Recommendation is to exclude AVD traffic from the VPN.

ExpressRoute or VPN gateway.

Create a route table, and use the service tag 'WindowsVirtualDesktop' with next hop Internet.

It's what we do as well.

So don't have it go through GlobalProtect, and instead set up a route to access on-prem resources through a site-to-site VPN with on-prem?

We do it this way, plus route tables to route service traffic directly to Azure internet.

Yep, and then NAT GW for outbound to more easily manage IP controlled external services.

Can you elaborate on what this does? Basically, if an AVD or W365 VM is accessing the internet, allow it without routing through the VPN? What about accessing on-prem resources: should a VPN gateway be created from on-prem to Azure and we route it that way?

So if you create the route table it will send all Microsoft traffic straight out to the internet, removing potential issues if you have a F/W or proxy.

Then send the rest of the traffic through a F/W.

Then either set local IP ranges on your local G/W; anything specified here will be routed back on-premise to back-end databases etc.

Or

Create a forced tunnel to send all traffic down the VPN. Not generally recommended, as it will saturate the VPN and your external line if you don't have an ExpressRoute.

Does this make sense?

I think I understand. With your method it will allow W365 / AVD to access the internet despite the VPN going down. It's pretty much split tunneling, isn't it?

Yes, only traffic that is required to go down the VPN (defined in the local network gateway) will use the VPN. All other traffic will go out through Azure; for production make sure you're going through a F/W (Azure Firewall or similar).
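The route table described in the thread (service tag 'WindowsVirtualDesktop' with next hop Internet, everything else through a firewall, on-prem prefixes still learned from the gateway), as an added Az PowerShell example that is not code from anyone in the thread. The resource group, VNet, subnet, region and firewall private IP are placeholder assumptions.

```powershell
# Added example, not from the thread. Placeholder assumptions: resource group 'rg-avd',
# session-host subnet 'snet-avd-hosts' in VNet 'vnet-avd' (westeurope), and an
# Azure Firewall whose private IP is 10.0.1.4. Requires the Az module and Connect-AzAccount.
$rg     = 'rg-avd'
$loc    = 'westeurope'
$vnet   = 'vnet-avd'
$subnet = 'snet-avd-hosts'
$fwIp   = '10.0.1.4'

# Route table for the session-host subnet. Gateway route propagation stays enabled so the
# on-prem prefixes advertised by the VPN/ExpressRoute gateway still reach this subnet.
$rt = New-AzRouteTable -Name 'rt-avd-hosts' -ResourceGroupName $rg -Location $loc `
        -DisableBgpRoutePropagation:$false

# 1. AVD service/management traffic bypasses the VPN and firewall:
#    the service tag is the address prefix, next hop Internet.
$rt = Add-AzRouteConfig -RouteTable $rt -Name 'avd-service-direct' `
        -AddressPrefix 'WindowsVirtualDesktop' -NextHopType Internet

# 2. Everything else goes to the firewall. On-prem prefixes learned from the gateway are
#    more specific than 0.0.0.0/0, so longest-prefix match still sends them down the S2S VPN.
$rt = Add-AzRouteConfig -RouteTable $rt -Name 'default-via-firewall' `
        -AddressPrefix '0.0.0.0/0' -NextHopType VirtualAppliance -NextHopIpAddress $fwIp

$rt = Set-AzRouteTable -RouteTable $rt

# Associate the route table with the session-host subnet (keeping its existing prefix).
$vnetObj = Get-AzVirtualNetwork -Name $vnet -ResourceGroupName $rg
$prefix  = (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnetObj -Name $subnet).AddressPrefix
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnetObj -Name $subnet `
    -AddressPrefix $prefix -RouteTable $rt | Out-Null
$vnetObj | Set-AzVirtualNetwork | Out-Null

# Check: the two routes and their next hops should appear exactly as configured.
Get-AzRouteTable -Name 'rt-avd-hosts' -ResourceGroupName $rg |
    Select-Object -ExpandProperty Routes |
    Format-Table Name, AddressPrefix, NextHopType, NextHopIpAddress
```

If the hosts have no public IP, pair the Internet route with the NAT gateway mentioned earlier in the thread so egress uses predictable IPs.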

Make sure you've got some DCs and DNS in Azure if you're hybrid joining the machines.