RDP Shortpath, Multipath and QoS
The default AVD connection goes through Microsoft's gateway over TCP. RDP Shortpath creates a direct UDP tunnel for better performance. RDP Multipath adds resilience. QoS ensures real-time traffic gets priority.
Why RDP Shortpath matters
Think of it as choosing between a highway and a side road.
The default AVD connection (reverse connect) is like driving through the city centre — you go through traffic lights (the Microsoft gateway) on every trip. RDP Shortpath is the highway bypass — a direct road between your device and the desktop VM. It is faster because there are fewer stops. And with RDP Multipath, you have multiple lanes — if one lane gets blocked, traffic automatically moves to another.
The three RDP transport methods
| Feature | Reverse Connect (TCP) | RDP Shortpath (UDP) | RDP Multipath |
|---|---|---|---|
| Protocol | TCP 443 (HTTPS) | UDP (STUN or TURN) | Multiple — UDP + TCP backup |
| Path | Client to Gateway to session host | Direct (STUN) or relayed (TURN) | Best of all available paths |
| Latency | Higher — extra hop through gateway | Lower — direct or near-direct | Dynamic — picks lowest-latency path |
| Reliability | Very reliable (TCP guarantees delivery) | Good for real-time (tolerates loss) | Best — automatic failover |
| QoS support | No | Yes (managed networks) | Inherits from Shortpath |
| Requirements | Default — works everywhere | UDP outbound access | RDP Shortpath configured + supported client |
| When used | Always — initial connection | When available, takes over from TCP | Layered on top of Shortpath |
RDP Shortpath — two flavours
Managed networks (direct connection)
For users on your corporate network (connected via VPN or ExpressRoute):
- The client establishes a direct 1:1 UDP connection to the session host
- Works when there is direct network line-of-sight between client and session host
- Best performance — no relay, no gateway in the data path
- Supports QoS with DSCP marking
- Configurable source port (default: 3390)
Public networks (STUN and TURN)
For users on public internet (home, hotel, coffee shop):
- STUN (direct): Uses ICE/STUN protocol to establish a direct UDP connection through NATs. Works when both sides can punch through their NAT devices
- TURN (relayed): When direct connection fails, uses Microsoft’s TURN relay servers. Still UDP, still better than TCP, but adds one relay hop
| Method | Protocol | Port | When Used |
|---|---|---|---|
| STUN (direct) | UDP | 1024-65535 (default: 49152-65535) | NAT traversal succeeds |
| TURN (relayed) | UDP | 3478 | Direct connection blocked |
| Reverse connect (fallback) | TCP | 443 | UDP completely blocked |
🌐 Priya’s experience: “Most of our remote workers are on home internet with consumer routers. STUN works for about 70% of them. The other 30% fall back to TURN. Only a handful behind strict corporate firewalls need TCP. The performance improvement was immediately noticeable — the designers stopped complaining about lag.”
Exam tip: STUN vs TURN
The exam tests your understanding of when each method is used:
- STUN = direct UDP, NAT traversal, best performance after managed networks
- TURN = relayed UDP via Microsoft servers, used when STUN fails (symmetric NAT, firewall restrictions)
- Reverse connect = TCP fallback, always works but highest latency
If a question mentions “symmetric NAT” or “UDP blocked on port 3478 but allowed elsewhere” — think TURN. If “all UDP blocked” — think reverse connect (TCP).
RDP Multipath — automatic failover
RDP Multipath builds on RDP Shortpath by maintaining multiple transport paths simultaneously:
- Primary path: UDP via STUN (best performance)
- Backup path: UDP via TURN (relayed)
- Backup path: TCP via reverse connect
If the primary path degrades or fails, Multipath automatically switches to the next best path — no user intervention, no disconnection.
Prerequisites for RDP Multipath
- RDP Shortpath must be configured as the primary transport
- Windows App client version 2.0.559.0 or later
- Redundant TCP paths (preview) require host pools in the Validation ring
How to verify Multipath is working
Users can check the connection bar in their remote session — it shows “RDP Multipath enabled” when active. Administrators can view connection reliability data in AVD Insights.
🎧 Mia’s win: “Before Multipath, Tom the night-shift nurse would disconnect every time the hospital’s WiFi switched access points during rounds. Now Multipath seamlessly switches paths and Tom stays connected. It was our biggest support ticket reducer.”
Quality of Service (QoS)
QoS prioritises RDP traffic over other network traffic by marking packets with DSCP (Differentiated Services Code Point) values.
Why QoS matters
Without QoS, all network traffic is treated equally. A large file download can starve RDP traffic, causing:
- Jitter — packets arrive at inconsistent intervals (audio/video glitches)
- Packet loss — dropped packets require retransmission (lag)
- High RTT — delays between input and response
Implementing QoS
QoS is only supported with RDP Shortpath for managed networks (direct UDP). It does not work with reverse connect (TCP).
Steps to implement:
- Create a Group Policy QoS policy on session hosts:
  - Name: “RDP Shortpath”
  - DSCP value: 46 (Expedited Forwarding — highest priority for real-time traffic)
  - Apply to: svchost.exe (the process that hosts RDP sessions)
  - Protocol: UDP
  - Source port: 3390
- Configure network devices (routers, switches, firewalls) to honour DSCP markings
- Apply Group Policy to session hosts and run gpupdate /force
Deep dive: DSCP value 46
DSCP 46 maps to the Expedited Forwarding (EF) per-hop behaviour in QoS. This is the highest-priority class, typically reserved for real-time voice and video traffic. By marking RDP Shortpath traffic with DSCP 46, network devices prioritise it over bulk data transfers, web browsing, and other non-real-time traffic.
The entire network path must honour DSCP markings for QoS to be effective. If any router or switch in the path strips or ignores DSCP tags, QoS breaks down at that point.
🏢 Raj’s QoS deployment: “Dmitri configured QoS end-to-end — from the Azure VNet through ExpressRoute to our corporate switches. RDP Shortpath gets DSCP 46 (highest priority). Background tasks like Windows Update get DSCP 0 (best effort). The CAD team noticed the difference immediately.”
Configuring RDP Shortpath
For managed networks
On session hosts, enable via registry or Group Policy:
- Registry: under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations, set ICEControl=2
- Or: Configure via Intune device configuration profile
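A read-only check to run on a session host after gpupdate /force, added here as an example and not part of the original page: it compares the effective QoS policy (from the "Implementing QoS" steps) and the registry value given above against the values this page lists. The function names are hypothetical, and the last check assumes the Shortpath listener binds the configured UDP port.

```powershell
# Added example, not from the original page. Read-only: nothing is created or changed.
# Hypothetical helper: one result row per check, compared as strings so $null never matches.
function New-Check($Name, $Expected, $Actual) {
    [pscustomobject]@{
        Check    = $Name
        Expected = $Expected
        Actual   = $Actual
        Pass     = ("$Actual" -eq "$Expected")
    }
}

function Test-ShortpathHost {
    param(
        [string]$PolicyName = 'RDP Shortpath',  # policy name used in the QoS steps
        [int]$Port = 3390,                      # Shortpath source port from this page
        [int]$Dscp = 46                         # Expedited Forwarding
    )

    # ActiveStore is the effective policy set, including policies delivered by Group Policy.
    $p = Get-NetQosPolicy -Name $PolicyName -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
         Select-Object -First 1
    New-Check 'QoS policy present'    $true         ($null -ne $p)
    New-Check 'QoS DSCP value'        $Dscp         $p.DSCPAction
    New-Check 'QoS source port start' $Port         $p.IPSrcPortStartMatchCondition
    New-Check 'QoS source port end'   $Port         $p.IPSrcPortEndMatchCondition
    New-Check 'QoS application'       'svchost.exe' $p.AppPathNameMatchCondition

    # Registry value as given on this page for managed networks.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
    $reg = Get-ItemProperty -Path $key -Name ICEControl -ErrorAction SilentlyContinue
    New-Check 'ICEControl registry value' 2 $reg.ICEControl

    # Assumption: an enabled Shortpath listener shows up as a bound UDP endpoint on the port.
    $udp = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    New-Check "UDP endpoint bound on $Port" $true ([bool]$udp)
}

Test-ShortpathHost | Format-Table -AutoSize
```

A row with Pass = False on the host only covers the first step; DSCP markings still have to be honoured by every router and switch in the path.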
For public networks
RDP Shortpath for public networks is enabled by default on Azure-hosted session hosts. You just need to ensure:
- UDP outbound is allowed from the session host
- The client device supports UDP (Windows App, macOS client)
- No firewall blocks UDP ports 3478 (TURN) or 49152-65535 (STUN)
JC's government agency requires QoS for AVD to ensure desktop sessions are never degraded by bulk data transfers. Users connect over ExpressRoute. What must JC configure?
Mia discovers that 30% of Horizons Health Group remote workers cannot establish a UDP connection for RDP Shortpath. The workers are behind strict hospital guest WiFi networks. What transport will their sessions use?