I am being told by a presales engineer that I need to build an AVD environment with a VPN Gateway, and remove access to AVD from the internet at large.
I don't think that is possible; this isn't RDS, this is AVD, using the Remote Desktop application (red icon).
Am I wrong in this? Have I missed something? Is it possible to provision AVD using a private endpoint or something? Is it possible to lock down a multi-session host to only allow people access through a VPN?
EDIT - Answered essentially the same way as I was thinking. You cannot lock down AVD to be accessed via a P2S VPN. You use Conditional Access and MFA to secure it. Thank you to all contributors.
Do you have any compliance or governance requirements that need traffic to flow over VPN? If so, see RDP Shortpath. If you have no such requirements, I would not go down this path.
Why would you want to restrict only to a VPN? You'll unnecessarily impact performance in most cases, and using Conditional Access to restrict access is far easier. As it stands, forcing connections via a VPN will just mean client traffic will immediately hairpin out of your network to reach the public gateways, and will add additional hops and latency.
Well now, that is an interesting read, ok.
It's a small client with 11 users. I don't want to add unnecessary complexity, but this is very interesting.
I don't want to do this. I feel like the presales guy is using legacy thinking to secure this. To me, MFA and Conditional Access is how to handle this.
I just don't think the presales guy is getting that AVD is a PaaS, and you don't secure a client's access through a VPN to the infrastructure.
This is not true if you enable RDP Shortpath.
Pre-sales guy is wrong. AVD runs through a gateway, the VMs do not have public IPs. Conditional access with MFA is the way.
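As an added illustration of the "Conditional Access with MFA" approach recommended above (example code, not from any poster in this thread): this Microsoft Graph PowerShell snippet creates a report-only policy that requires MFA for every user signing in to the AVD cloud app. It assumes the Microsoft.Graph module is installed and you are signed in with Policy.ReadWrite.ConditionalAccess; the break-glass account ID is a placeholder you must replace, and the policy is left in reportOnly so you can review sign-in logs before enforcing it.

```powershell
# Added example, not part of the original thread.
# Requires: Install-Module Microsoft.Graph ; Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All"

# Resolve the AVD cloud app's AppId from the tenant instead of hard-coding it.
# The service principal is displayed as "Windows Virtual Desktop" in Entra ID.
$avdSp = Get-MgServicePrincipal -Filter "displayName eq 'Windows Virtual Desktop'"
if (-not $avdSp) { throw "AVD service principal not found in this tenant" }

# Placeholder: object ID of your emergency-access (break-glass) account, excluded so you cannot lock yourself out.
$breakGlassUserId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

$policy = @{
    displayName = "AVD - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing sign-in logs
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($avdSp.AppId) }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Sign-in attempts to AVD will show up under the policy in the Entra sign-in logs with the result the policy would have applied, which is what to check before flipping the state to enabled.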
Even if you enable Shortpath, if Shortpath isn't available because you aren't in LoS, it'll still connect with the typical protocol.
Brilliant, thank you to all replies on this. I knew I was right, but my Google-Fu wasn't coming back with any results, so I just wanted to be certain. Thank you all.