Hello,
I’m experimenting with Azure Virtual Desktop pools as a viable option to replace physical devices. They work well and are easy to set up, but I have a problem when I bring VPN clients into the equation.
What happens is that whenever I turn on the VPN connection, the host disconnects and I have to reboot it from the Azure portal. One way to prevent this would be to create a split tunnel for the VPN, but on some occasions this is not possible.
Are there any workarounds for doing this without touching the actual VPN client or its settings? Put two NICs on the VM and do some networking magic, etc.? Not sure what goes into configuring it so that the VPN only affects one network card and everything else goes through the second one…
Has anyone done a similar thing before?
Don’t force-tunnel all traffic from AVD; it will break lots of things. Consider an S2S VPN, as the other comments have mentioned.
Could you not just put in an S2S connection on the VNet instead?
Could you replicate the VPN outside of the VD?
I have an RDS farm which needs a VPN service to access some portals. Apart from the fact that the client wouldn’t even install properly on the session host, it broke anyone else connected.
We ended up creating a pfSense firewall, which created a tunnel and NATed the VPN traffic, then a specific route in Azure for the DestNet via the ‘LAN’ interface on the pfSense.
This worked for us because everyone may need to be able to route over that VPN from time to time.
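The Azure side of the pfSense design described in the comment above, written out as an added example (this is not the commenter’s configuration, and the resource group, VNet, subnet, NIC names, IP addresses and the client prefix are all hypothetical placeholders). The pfSense VM terminates the client VPN and NATs traffic out through the tunnel; Azure only needs IP forwarding on the pfSense LAN NIC and a user-defined route that sends the client prefix (DestNet) to pfSense while 0.0.0.0/0 keeps its default next hop, so the session hosts keep reaching the AVD control plane:

```powershell
# Added example, not from the thread. Requires the Az PowerShell module and an
# existing pfSense VM whose 'LAN' NIC sits inside the AVD VNet.
# All names and addresses below are hypothetical placeholders.

$rg       = 'rg-avd'               # resource group holding VNet, hosts and pfSense
$location = 'westeurope'
$vnetName = 'vnet-avd'
$subnet   = 'snet-sessionhosts'    # subnet with the AVD host pool VMs
$nvaNic   = 'pfsense-lan-nic'      # pfSense 'LAN' interface NIC
$nvaLanIp = '10.10.2.4'            # its private IP, used as the next hop
$destNet  = '192.168.100.0/24'     # client network reachable only via the tunnel

# 1. pfSense must be allowed to forward packets not addressed to itself.
$nic = Get-AzNetworkInterface -Name $nvaNic -ResourceGroupName $rg
$nic.EnableIPForwarding = $true
$nic | Set-AzNetworkInterface | Out-Null

# 2. Route table with exactly one route: DestNet -> pfSense.
#    Deliberately no 0.0.0.0/0 entry: a default route via the NVA would be the
#    force-tunnel that breaks AVD, as the earlier comments warn.
$rt = New-AzRouteTable -Name 'rt-sessionhosts' -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -RouteTable $rt -Name 'to-client-via-pfsense' `
    -AddressPrefix $destNet -NextHopType VirtualAppliance -NextHopIpAddress $nvaLanIp | Out-Null
$rt = Set-AzRouteTable -RouteTable $rt

# 3. Associate the table with the session-host subnet only. Never attach it to
#    the pfSense subnet, or forwarded DestNet traffic loops back to pfSense.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
($vnet.Subnets | Where-Object Name -eq $subnet).RouteTable = $rt
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Verify from a session host NIC: DestNet should show NextHopType
#    VirtualAppliance, and 0.0.0.0/0 should still be the default Internet route.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'avd-host-0-nic' -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains $destNet -or $_.AddressPrefix -contains '0.0.0.0/0' } |
    Format-Table AddressPrefix, NextHopType, NextHopIpAddress
```

The tunnel itself (IPsec or OpenVPN phase 1/2 to the client endpoint) and the outbound NAT rule on the tunnel interface are configured in the pfSense web UI, not from Azure. Also add the client prefix to the inbound rules of any NSG on the session-host subnet if return traffic is filtered, and keep the route table’s address prefix as narrow as the client actually needs.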
Why do you need the VPN? The virtual desktop is already in your network, and, as long as you configure it properly, it will require MFA on every login attempt through the client.
Does RDP Shortpath help? Have you looked into that option?
Did you find a solution? I have the exact same problem…
Could you crudely draw this out? I’m not OP but I don’t really understand what’s being suggested here.
Hmm, so create a site-to-site between the current VNet which the VMs are using and the VPN endpoint? Sounds like something that might work.
Are the Azure Virtual Desktops in a host pool any different from the VMs you create individually? Just thinking about whether they limit the possibilities in any way.
I’m experimenting whether a VM would be a viable option to connect to client environments rather than having a physical machine. One of the clients has very strict security measures which includes a VPN connection which cuts out ALL public internet traffic and only allows traffic within the VPN tunnel.
Of course that also cuts all traffic to the Azure platform from the VM, which leads me to asking this question.
The other rationale was to create a separate static route for the “public” traffic, with anything besides that going to the VPN tunnel as intended, but this might also prove difficult in this particular scenario.
I looked into that, but I don’t really want to set up the necessary infrastructure for it. AVD is just so conveniently simple that I’d like to see if it would work.
Instead of me trying to draw it, check out the architecture docs here:
They are no different. So just configure the S2S as normal.