Microsoft manages the following Windows Virtual Desktop services as part of Azure:


Web Access

The Web Access service within Window Virtual Desktop lets user’s access virtual desktops and remote apps through an HTML5-compatible web browser as they would with a local PC, from anywhere on any device. Web Access is secured for Diageo users using OKTA multifactor authentication.

Gateway

The Remote Connection Gateway service connects remote users to Windows Virtual Desktop apps and desktops from any internet-connected device that can run a Windows Virtual Desktop client. The client connects to a gateway, which then orchestrates a connection from a VM back to the same gateway.

Connection Broker

The Connection Broker service manages WVD user connections to virtual desktops and remote apps. The Connection Broker provides load balancing and reconnection to existing sessions.

Diagnostics

Remote Desktop Diagnostics is an event-based aggregator that marks each user and administrator action on the Windows Virtual Desktop deployment as a success or failure. WVD Administrators can query the event aggregation to identify failing components as per requirements.

Extensibility components

Windows Virtual Desktop includes several extensibility components. Windows Virtual Desktop can be managed using Windows PowerShell or with the provided REST APIs, which also enable support from third-party tools. WVD team is using Azure ARM/GUI for WVD management for this deployment.

WVD User Connection Traffic flow

WVD uses Reverse Connect, which means that no inbound ports need to be opened on the VM to setup the RDP connection. Once the connection flow proceeds, bidirectional communication between session hosts/host pools will go over port https (443).


Windows Virtual Desktop is a global load balanced service via Azure front-door. This means that the traffic flow always goes via the nearest management control-plane/service location.

User Connection Flow

  1. User launches RD client which connects to Azure AD, Azure MFA, user signs in, and Azure AD returns token
  2. RD client presents token to Web Access, Broker queries DB to determine resources authorized for user
  3. User selects resource, RD client connects to Gateway
  4. Broker orchestrates connection from host agent to Gateway
    RDP traffic now flows between RD client and session host VM over connections 3 and 4