Azure WVD and Shortpath using IKEv2 VPN

I have previously written a bit about the Microsoft Windows Virtual Desktop architecture and how it handles traffic flow –> Windows Virtual Desktop Traffic Flow and GPU Workloads | Marius Sandbu (msandbu.org)

A while back, Microsoft also introduced a new feature called WVD Shortpath, which essentially allows the client to make a direct connection to the Session Host, so the client can connect using UDP-based connections as well.

One issue with Shortpath is that it requires the client to have direct access to the host, and in most cases that is only doable using one of the following:

  • Public IP on Session Host (Not recommended)
  • Site-to-Site VPN between offices and Azure
  • P2S VPN from Endpoint Client to Azure

To showcase the difference between the regular data flow with the WVD Client and Shortpath, I wanted to set up a simple environment where I was using a P2S VPN from my endpoint to the WVD environment.

It is important to note that if you want to actually gain any benefit from using Shortpath over a P2S VPN, you need a VPN tunnel that is UDP-based. That excludes the OpenVPN and SSTP services in Azure, since they use TCP-based connections. IKEv2 VPN, however, is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol.

Looking at a regular WVD connection (where I'm using the Microsoft gateway), these are my current statistics:

Then I enabled Shortpath (you can find the description here –> Windows Virtual Desktop RDP Shortpath (preview) – Azure | Microsoft Docs). Once it is enabled, when a connection comes in, WVD includes all private IP addresses for that session host as part of the connection, and the client tries to connect to that VM first.

NOTE: WVD will not accept any connection going to a session host that has not been authenticated by the broker first.

With an IPsec-based VPN tunnel, using the built-in P2S VPN in Azure, I get the following statistics:

If you want to use P2S VPN connections with Shortpath, you also need to take into consideration the SKU that you are using for the VPN Gateway. If you want multiple users connecting to WVD across the P2S VPN link, remember that it shares bandwidth with any S2S VPN tunnels that you might have in place as well.

NOTE: If you are having issues connecting, check the event log first under Microsoft -> Windows -> RemoteDesktopServices-RdpCoreCDV -> Operational and look for Event ID 131. If that is present, you should also ensure that firewall rules are in place both in the NSG and in the OS firewall.
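The check from the note above can be scripted on the session host. This is an added example, not part of the original post: it looks for Event ID 131 in the log named above, then lists the OS firewall rules and UDP listeners for the Shortpath port. The UDP port 3390 default and the 24-hour lookback are assumptions (the post does not state a port), and the NSG still has to be checked separately in Azure.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the session host.
# Assumptions: Shortpath listens on UDP 3390 (override with -ShortpathPort) and a 24 hour lookback.
param(
    [int]$ShortpathPort = 3390,
    [int]$LookbackHours = 24
)

$logName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational'

# 1. Look for Event ID 131 in the log the post points to.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = 131
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

if ($events) {
    "Found $(@($events).Count) event(s) with ID 131 in the last $LookbackHours hour(s):"
    $events | Select-Object -First 5 TimeCreated, Message | Format-List
} else {
    "No Event ID 131 entries in the last $LookbackHours hour(s)."
}

# 2. Enabled inbound allow rules in the OS firewall that cover the UDP port.
#    Rules that specify a port range (e.g. 3380-3400) are not matched by this simple filter.
$rules = Get-NetFirewallPortFilter -Protocol UDP |
    Where-Object { $_.LocalPort -contains "$ShortpathPort" -or $_.LocalPort -contains 'Any' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }

if ($rules) {
    "Inbound allow rule(s) covering UDP ${ShortpathPort}:"
    $rules | Select-Object DisplayName, Profile | Format-Table -AutoSize
} else {
    "No enabled inbound allow rule covers UDP $ShortpathPort in the OS firewall."
}

# 3. Confirm something is actually listening on the UDP port.
$listener = Get-NetUDPEndpoint -LocalPort $ShortpathPort -ErrorAction SilentlyContinue
if ($listener) {
    "UDP listener(s) on port ${ShortpathPort}:"
    $listener | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
} else {
    "Nothing is listening on UDP $ShortpathPort."
}
```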

 
