Clarification on External User Connectivity in AVD Landing Zone Accelerator

InfraSolutions 731 Reputation points
2025-08-12T18:48:28.46+00:00

Hi,

As part of a transition project, we're adopting the Azure Virtual Desktop (AVD) Landing Zone Accelerator. While reviewing this architectural design (https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/), I found detailed guidance on SD-WAN and VPN traffic routing for internal users. However, I couldn't find a specific reference architecture for external users, especially those connecting from different countries.

My current understanding is:

  • Both internal and external users connect via the Microsoft-managed gateway.
  • Internal users route traffic through ExpressRoute to reach shared services (connectivity, identity, management) and the new subscription for AVD.
  • External users use the public internet, hitting the nearest Microsoft gateway, and bypass the connectivity subscription.
  • Reverse Connect is used by both internal and external users to reach session hosts securely.
  • Traffic flow for internal users (Hub-and-Spoke model): Internal user → Corporate network → Connectivity subscription (includes Palo Alto firewall, DNS, VPN, etc.) → Microsoft-managed AVD Gateway → AVD Session Host.
  • Traffic flow for external users: External user → Public internet → Nearest Microsoft-managed AVD Gateway

Could you confirm if my understanding is correct?

  • Question 1: External users connect via the public internet, reaching the nearest Microsoft-managed gateway and bypassing the connectivity subscription. Since their traffic does not route through centralized infrastructure (shared services / connectivity subscription), which typically provides visibility and control, what are the recommended approaches to achieve similar levels of control beyond Conditional Access, MFA, Defender and Intune policies?
  • Question 2: If external users access AVD via the web client in a browser, is it highly recommended to use Azure Front Door before the traffic reaches the nearest Microsoft-managed gateway?
  • Question 3: Is there a reference architecture or diagram specifically for external users that aligns with the Landing Zone Accelerator model?
Azure Virtual Desktop
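Question 1 turns on the fact that external sessions never pass the connectivity subscription's firewall, so the visibility that firewall would provide has to be rebuilt from the connection telemetry the service itself emits. The following is an added example, not part of the question and not Microsoft's own code: it classifies connection records as corporate-egress or public-internet by client IP, summarizes external sessions per gateway region, and flags users seen on both paths in the same window. The record field names (UserName, ClientIPAddress, GatewayRegion, State), the corporate egress CIDRs and the sample rows are all assumptions constructed for the example; map them onto whatever your AVD diagnostics export actually contains.

```python
import ipaddress
from collections import Counter
from typing import Dict, List

# Public egress ranges that on-premises/VPN users present to the Microsoft gateway.
# Constructed placeholders (RFC 5737 documentation space), not real corporate ranges.
CORPORATE_EGRESS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed sample connection records. Field names are an assumption modelled
# loosely on AVD connection diagnostics; adapt them to the real schema.
SAMPLE_CONNECTIONS: List[Dict[str, str]] = [
    {"UserName": "alice@contoso.example", "ClientIPAddress": "203.0.113.10",
     "GatewayRegion": "westeurope", "State": "Connected"},
    {"UserName": "bob@contoso.example", "ClientIPAddress": "198.51.100.77",
     "GatewayRegion": "westeurope", "State": "Connected"},
    {"UserName": "carol@contoso.example", "ClientIPAddress": "192.0.2.45",
     "GatewayRegion": "southeastasia", "State": "Connected"},
    {"UserName": "dave@contoso.example", "ClientIPAddress": "192.0.2.200",
     "GatewayRegion": "eastus", "State": "Connected"},
    {"UserName": "alice@contoso.example", "ClientIPAddress": "192.0.2.9",
     "GatewayRegion": "brazilsouth", "State": "Connected"},
    {"UserName": "erin@contoso.example", "ClientIPAddress": "not-an-ip",
     "GatewayRegion": "eastus", "State": "Connected"},
    {"UserName": "frank@contoso.example", "ClientIPAddress": "192.0.2.77",
     "GatewayRegion": "eastus", "State": "Started"},
]


def classify_connection(record: Dict[str, str], corporate_egress=CORPORATE_EGRESS) -> str:
    """'internal' if the client IP falls in a corporate egress range, 'external' for
    any other address, 'unknown' if the field does not parse as an IP address."""
    try:
        ip = ipaddress.ip_address(record["ClientIPAddress"])
    except ValueError:
        return "unknown"
    return "internal" if any(ip in net for net in corporate_egress) else "external"


def summarize_external(records, corporate_egress=CORPORATE_EGRESS) -> Dict[str, object]:
    """Rebuild the per-path visibility a central firewall would otherwise give:
    how many established external sessions landed on each gateway region, which
    users arrived over the public internet, and how many records were unparsable."""
    by_region: Counter = Counter()
    users = set()
    unparsable = 0
    for rec in records:
        if rec.get("State") != "Connected":
            continue  # only count sessions that actually reached a session host
        cls = classify_connection(rec, corporate_egress)
        if cls == "unknown":
            unparsable += 1
        elif cls == "external":
            by_region[rec["GatewayRegion"]] += 1
            users.add(rec["UserName"])
    return {"by_region": dict(by_region), "users": sorted(users), "unparsable": unparsable}


def users_on_both_paths(records, corporate_egress=CORPORATE_EGRESS) -> List[str]:
    """Users seen both from corporate egress and from the public internet within the
    same record window. Not an alert by itself (travel, home working), but a useful
    pivot into sign-in logs and Conditional Access evaluation results."""
    paths: Dict[str, set] = {}
    for rec in records:
        if rec.get("State") != "Connected":
            continue
        cls = classify_connection(rec, corporate_egress)
        if cls in ("internal", "external"):
            paths.setdefault(rec["UserName"], set()).add(cls)
    return sorted(user for user, seen in paths.items() if seen == {"internal", "external"})


if __name__ == "__main__":
    print(summarize_external(SAMPLE_CONNECTIONS))
    print("seen on both paths:", users_on_both_paths(SAMPLE_CONNECTIONS))
```

The classification deliberately treats anything outside the known corporate egress as external rather than trusting the client's self-reported network, because the gateway only ever sees the public source address. Running the same logic over a day's export of connection records gives a per-region count of external sessions (useful for deciding where Front Door or extra gateway regions matter) and a short list of users worth correlating with identity sign-in data, which is the control point that remains when the traffic never touches the connectivity subscription.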