Private Link and Network Troubleshooting
Azure Private Link keeps AVD traffic off the public internet entirely. And when something goes wrong with connectivity, you need a systematic approach to diagnose the issue.
Azure Private Link for AVD
Imagine a private tunnel from your office straight to the desktop VMs β no public internet in between.
Normally, AVD traffic travels over the public internet (encrypted, but still public routes). Private Link creates a private doorway (a private endpoint) inside your own network that connects directly to the AVD service. Traffic never leaves the Microsoft backbone network. It is like having a private corridor in a building instead of walking through the public street between offices.
What Private Link protects
| Connection Type | Without Private Link | With Private Link |
|---|---|---|
| Session host to control plane | Public internet (HTTPS) | Private endpoint in VNet |
| Client feed download | Public internet | Private endpoint (workspace) |
| Initial resource discovery | Public internet | Private endpoint (global sub-resource) |
| RDP session data | RDP Shortpath (UDP) or reverse connect (TCP) via public internet | Can still use RDP Shortpath via managed network |
Private endpoint architecture
You need up to three types of private endpoints:
1. Host pool private endpoint (connection sub-resource)
- Creates a private IP for the session host to control plane connection
- Session hosts communicate with the AVD broker and gateway over this private path
- One private endpoint per host pool
2. Workspace private endpoint (feed sub-resource)
- Allows clients on your network to discover available desktops and apps
- Clients download the feed (list of published resources) over the private connection
- One private endpoint per workspace
3. Global private endpoint (global sub-resource)
- For the initial service discovery that happens before the workspace feed
- Shared across all AVD deployments in your tenant
- Only one needed per tenant, but it affects ALL host pools (be careful)
Exam tip: Global sub-resource impact
The global private endpoint is special β it applies to your ENTIRE tenant, not just one host pool. If you enable it, ALL clients in your organisation must be able to reach the global private endpoint. This means users outside your corporate network (working from home without VPN) may lose the ability to discover AVD resources.
The exam may present a scenario where βsome users can see AVD resources and others cannotβ after enabling Private Link. Check whether the global private endpoint is configured and whether all users can reach it.
ποΈ JCβs decision: βThe Federal Department requires all management traffic to stay on private networks. We deployed host pool and workspace private endpoints. But we did NOT enable the global sub-resource because field workers need to discover resources from home without VPN. We use Conditional Access policies to control who can actually connect.β
DNS requirements for Private Link
Private endpoints get private IP addresses. You must configure DNS so that AVD FQDNs resolve to these private IPs instead of public IPs.
| Approach | How It Works | When to Use |
|---|---|---|
| Azure Private DNS Zones | Auto-registration of private endpoint DNS records | Recommended for Azure-native deployments |
| Conditional DNS forwarders | On-premises DNS forwards specific zones to Azure DNS | Hybrid environments with on-premises DNS |
| Host file overrides | Manual IP mapping on each client/session host | Testing only β not scalable |
The required Private DNS zones:
privatelink.wvd.microsoft.comβ for host pool and workspace endpointsprivatelink-global.wvd.microsoft.comβ for the global endpoint
Common mistake: Forgetting to link the Private DNS zone to the VNet where session hosts reside. If the DNS zone exists but is not linked to the VNet, session hosts cannot resolve the private endpoint addresses.
Network troubleshooting
When AVD connections fail, diagnose systematically:
Step 1: Check AVD service health
- Azure portal β Service Health β check for AVD service incidents
- AVD health check API
Step 2: Verify session host health
In the Azure portal, check the host pool β Session hosts:
| Status | Meaning | Action |
|---|---|---|
| Available | Healthy and accepting connections | No action needed |
| Needs assistance | Health check failed (domain join, DNS, agent, etc.) | Check the health check details |
| Unavailable | VM is off, deallocated, or unresponsive | Start the VM or investigate OS issues |
| Upgrading | AVD agent is updating | Wait β should resolve automatically |
Step 3: Test connectivity from session host
From a session host, verify:
- DNS resolution:
Resolve-DnsName rdweb.wvd.microsoft.com - Control plane connectivity:
Test-NetConnection -ComputerName rdweb.wvd.microsoft.com -Port 443 - Time sync: Ensure the clock is within 5 minutes of UTC (Kerberos tolerance)
- Agent health: Check the
RDAgentBootLoaderandWindowsAzureGuestAgentservices
Step 4: Check from the client side
- Verify the client can reach
rdweb.wvd.microsoft.com(or the Private Link FQDN) - Check for proxy or firewall interference
- Test with the AVD web client (
client.wvd.microsoft.com) to rule out client app issues - Check certificate errors (expired TLS, untrusted CA)
Deep dive: Common connectivity failures
βNeeds assistanceβ on session host:
- Domain join failed β check DNS can resolve the domain controller, and the machine account is not stale
- SxS stack listener not ready β restart the
RDAgentBootLoaderservice - URL access check failed β ensure the session host can reach all required AVD endpoints
Client cannot see any resources:
- User is not assigned to an application group β check app group assignments
- Workspace is not published β ensure the workspace contains the application group
- Private Link DNS misconfiguration β verify FQDN resolves to the private endpoint IP
Connection drops after 30 seconds:
- Often a certificate or TLS handshake issue
- Check if a proxy is intercepting and re-signing the TLS connection
Azure Monitor for network diagnostics
Use Azure Monitor and AVD Insights workbooks to monitor:
| Metric | What It Shows | Where to Find It |
|---|---|---|
| Connection latency | RTT between client and session host | AVD Insights β Connection Performance |
| Session disconnect rate | Percentage of sessions that disconnect unexpectedly | AVD Insights β Connection Reliability |
| RDP Shortpath status | Whether connections use UDP or fell back to TCP | AVD Insights β Connection Details |
| Bandwidth utilisation | Network throughput per session | Azure Monitor β VM network metrics |
π§ Miaβs toolkit: βI check AVD Insights every morning. If the disconnect rate spikes, I look at which session hosts are affected and correlate with network metrics. Last week, a new firewall rule was blocking TURN traffic β 30% of remote connections lost Shortpath and fell back to TCP. AVD Insights showed it before users even called.β
After enabling Private Link for an AVD host pool, JC discovers that session hosts show 'Needs assistance β URL access check failed.' What is the most likely cause?
Priya enabled the global Private Link sub-resource for NomadTech. Now remote workers at home report they cannot see any AVD resources in the Windows App, but office workers can. What happened?
π¬ Video coming soon
Private Link and Network Troubleshooting
Next up: Storage Planning for User Data β choose the right storage for FSLogix profiles, user data, and session host needs.