How Does the User Connect to Azure Virtual Desktop? – Design the Azure Virtual Desktop Architecture
By Leatha King / March 2, 2021 / Describe Service Level Agreements, General Availability, Microsoft AZ-140, Microsoft Exams
It is important to understand the user session connection flow from the Azure Virtual Desktop client to Azure Virtual Desktop so that you can consider all the session requirements in the Azure Virtual Desktop design phase and set up the network accordingly. Understanding the user session flow can also help you troubleshoot Azure Virtual Desktop access and performance issues.
The Azure Virtual Desktop client is available for all devices and operating systems so that users can log in to Azure Virtual Desktop from anywhere using any device. Connecting from the Azure Virtual Desktop client to your host pool (session host) works differently with Windows Virtual Desktop than with other VDI sessions. Azure Virtual Desktop uses a reverse connection, which means no inbound IP/ports are required on the session host (back-end VM) to set up the Azure Virtual Desktop connection.
Figure 2-2 shows the detailed user session flow from the Azure Virtual Desktop client to Azure Virtual Desktop.

Figure 2-2. Azure Virtual Desktop user session flow
This diagram shows a typical Azure Virtual Desktop client flow to an Azure Virtual Desktop session host.
• The user launches an RD client and enters credentials that connect to Azure AD for sign-in. If third-party MFA is enabled, then the authentication request will go to the MFA server/provider as well. The client gets a token after successful authentication (flow 1 in Figure 2-2).
• The client presents the token to Web Access to determine the resources authorized for the user from the Azure Virtual Desktop metadata. Currently the Azure Virtual Desktop metadata is available in limited regions, so you must select a nearby metadata region for better performance if the metadata is not available in the region selected for Azure Virtual Desktop (flow 2 in Figure 2-2).
• The user gets the authorized resources (Azure Virtual Desktop/application) to select in the RD client. See Figure 2-3.

Figure 2-3. Azure Virtual Desktop’s Remote Desktop client view
• The user selects a resource by clicking the workspace name visible in the RD client.
• The RD client connects to the gateway, and the gateway contacts the broker from the same region (flows 3 and 4 in Figure 2-2).
• The broker orchestrates a connection from the host agent to the gateway (flows 4 and 5 in Figure 2-2).
• RDP traffic now flows between the RD client and session host VM over connections 6 and 3 shown in Figure 2-2 (only if RDP shortpath is not enabled on AVD).
If RDP shortpath is enabled, it establishes direct connectivity between the Remote Desktop client and the session host. Direct connectivity reduces the dependency on the Azure Virtual Desktop gateways, improves the connection's reliability, and increases the bandwidth available for each user session.
• Once the connection flow proceeds, bidirectional communication between your session hosts/host pool will go over HTTPS (port 443).
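Because the session host only dials out over HTTPS (443) and needs no inbound ports, its network rules can be audited against that model. The following is an added example, not code from the original page: the rule dictionaries are constructed sample data, their field names are assumptions modelled on Azure NSG security-rule properties, and destination matching is simplified to `*`, `Internet` and `0.0.0.0/0`.

```python
# Added example: audit NSG-style rules on a session-host subnet against the
# reverse-connect model (no inbound from public sources, outbound TCP 443 open).
# Rule dicts are constructed; field names are assumed NSG rule properties.
PUBLIC = {"*", "Internet", "0.0.0.0/0"}

def port_in(spec, port):
    """True if an NSG port spec ('*', '443', '1000-2000') covers port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def audit_reverse_connect(rules):
    """Return findings that contradict the reverse-connect model."""
    findings = []
    ordered = sorted(rules, key=lambda r: r["priority"])  # lowest number wins
    for r in ordered:
        if (r["direction"] == "Inbound" and r["access"] == "Allow"
                and r["sourceAddressPrefix"] in PUBLIC):
            findings.append(f"inbound allow from {r['sourceAddressPrefix']} "
                            f"on port {r['destinationPortRange']}: {r['name']}")
    # The first matching outbound rule decides whether TCP 443 can leave.
    # No custom match means the NSG default rules apply (assumed unchanged).
    for r in ordered:
        if (r["direction"] == "Outbound" and r["protocol"] in ("Tcp", "*")
                and r["destinationAddressPrefix"] in PUBLIC
                and port_in(r["destinationPortRange"], 443)):
            if r["access"] == "Deny":
                findings.append(f"outbound TCP 443 denied by: {r['name']}")
            break
    return findings

def rule(name, priority, direction, access, protocol, src, dst, port):
    """Build one constructed rule record."""
    return {"name": name, "priority": priority, "direction": direction,
            "access": access, "protocol": protocol, "sourceAddressPrefix": src,
            "destinationAddressPrefix": dst, "destinationPortRange": port}

# Constructed rule sets: one misconfigured, one matching the model.
MISCONFIGURED = [
    rule("allow-rdp-any", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "3389"),
    rule("allow-rdp-vnet", 110, "Inbound", "Allow", "Tcp", "VirtualNetwork", "*", "3389"),
    rule("deny-all-out", 200, "Outbound", "Deny", "*", "*", "*", "*"),
    rule("allow-https-out", 300, "Outbound", "Allow", "Tcp", "*", "Internet", "443"),
]
ALIGNED = [
    rule("allow-https-out", 100, "Outbound", "Allow", "Tcp", "*", "Internet", "443"),
    rule("deny-all-out", 200, "Outbound", "Deny", "*", "*", "*", "*"),
]
```

In the misconfigured set the inbound RDP rule is unnecessary under reverse connect, and the outbound deny at priority 200 shadows the HTTPS allow at 300, which would stop the host agent from reaching the gateway.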