I need to confirm if my Azure Virtual Desktop is taking an alternative route to the internet, bypassing the NVA in it's path.

Question

I need to confirm if my Azure Virtual Desktop is taking an alternative route to the internet, bypassing the NVA in it's path.

Cormac Kelly 5

The deployment is an AVD, Standard Load Balancer, Gateway Load Balancer and Network Virtual Appliance. All traffic from the AVD should route through the SLB, through the GWLB and hit the NVA where it will either be blocked, or passed through out to the internet via the GWLB.

I have added the relevant routes and config to ensure all traffic follows this path, however I am seeing logs on the NVA showing it is blocking the AVD's access to particular URLs, but the AVD can still get to these URLs, which suggests it may be taking an alternative route to the internet.

Can you confirm what additional check I can do to validate this?

Thanks.

Ganesh Patapati 9,005 Reputation points Microsoft External Staff Moderator

2025-08-21T14:01:59.08+00:00
Hello Cormac Kelly

consider the following follow-up questions to gather more details:

What specific URLs is the NVA blocking that the AVD is still able to access?

Can you share the routing table entries you’ve configured for both the AVD and NVA?

Are there other services or firewall appliances that might be influencing the traffic flow?

Meantime,

check your route tables associated with the subnets where your AVD and NVA are deployed. Ensure that the routes are correctly configured to direct traffic through the Standard Load Balancer (SLB), Gateway Load Balancer (GWLB), and then to the NVA.

Review your NSG rules to make sure nothing is inadvertently allowing traffic to bypass the expected route. Ensure that the rules are set to allow traffic only through the desired path via the NVA.

Use Azure Network Watcher to analyze the flow of traffic. The "Connection Monitor" feature can help you determine the route traffic takes to reach the internet. This tool provides insights into any deviations from the expected routing path.

Since your NVA logs are indicating blocked traffic, compare the timestamps of the blocked logs against when the traffic was expected to flow through the NVA. If the timestamps don't align, it could further suggest that some traffic is bypassing the NVA.

Ensure you don’t have any user-defined routes that specifically route traffic from the AVD directly to the internet without passing through the NVA.

Enable diagnostic logging on the SLB and GWLB to capture more detailed information about the traffic flowing through these resources.

Refer: Network virtual appliance issues in Azure

I hope this was helpful!

If the above is unclear or you are unsure about something, please add a comment below.
Cormac Kelly 5 Reputation points

2025-08-22T10:07:05.9466667+00:00

Hi Ganesh, thanks for your speedy reply, I will gather this info and update you with my findings later. Cheers.
Ganesh Patapati 9,005 Reputation points Microsoft External Staff Moderator

2025-08-22T10:54:13.4666667+00:00

Hello Cormac Kelly

Thanks for the reply!

Could you please provide me with the above details so I can further troubleshoot the issue in detail?
Ganesh Patapati 9,005 Reputation points Microsoft External Staff Moderator

2025-08-25T14:38:23.91+00:00

Hello Cormac Kelly

Thanks for the reply!

Could you please provide me with the above details so I can further troubleshoot the issue in detail?

1 answer

Your answer

Ganesh Patapati 9,005 Reputation points Microsoft External Staff Moderator

2025-08-21T14:01:59.08+00:00

Hello Cormac Kelly

consider the following follow-up questions to gather more details:

What specific URLs is the NVA blocking that the AVD is still able to access?

Can you share the routing table entries you’ve configured for both the AVD and NVA?

Are there other services or firewall appliances that might be influencing the traffic flow?

Meantime,

check your route tables associated with the subnets where your AVD and NVA are deployed. Ensure that the routes are correctly configured to direct traffic through the Standard Load Balancer (SLB), Gateway Load Balancer (GWLB), and then to the NVA.

Review your NSG rules to make sure nothing is inadvertently allowing traffic to bypass the expected route. Ensure that the rules are set to allow traffic only through the desired path via the NVA.

Use Azure Network Watcher to analyze the flow of traffic. The "Connection Monitor" feature can help you determine the route traffic takes to reach the internet. This tool provides insights into any deviations from the expected routing path.

Since your NVA logs are indicating blocked traffic, compare the timestamps of the blocked logs against when the traffic was expected to flow through the NVA. If the timestamps don't align, it could further suggest that some traffic is bypassing the NVA.

Ensure you don’t have any user-defined routes that specifically route traffic from the AVD directly to the internet without passing through the NVA.

Enable diagnostic logging on the SLB and GWLB to capture more detailed information about the traffic flowing through these resources.

Refer: Network virtual appliance issues in Azure

I hope this was helpful!

If the above is unclear or you are unsure about something, please add a comment below.
Cormac Kelly 5 Reputation points

2025-08-22T10:07:05.9466667+00:00

Hi Ganesh, thanks for your speedy reply, I will gather this info and update you with my findings later. Cheers.
Ganesh Patapati 9,005 Reputation points Microsoft External Staff Moderator

2025-08-22T10:54:13.4666667+00:00

Hello Cormac Kelly

Thanks for the reply!

Could you please provide me with the above details so I can further troubleshoot the issue in detail?
Ganesh Patapati 9,005 Reputation points Microsoft External Staff Moderator

2025-08-25T14:38:23.91+00:00

Hello Cormac Kelly

Thanks for the reply!

Could you please provide me with the above details so I can further troubleshoot the issue in detail?

Answer 1

You've done a lot of the initial work by adding the routes and checking the NVA logs, so the next critical step is to validate the actual traffic flow path. The fact that the AVD can reach URLs the NVA logs show as blocked strongly suggests a routing bypass.

To confirm this, you can use Azure Network Watcher's Connection Monitor feature.

How to Use Connection Monitor

Select Source and Destination: Configure a test in Connection Monitor with the AVD's private IP address as the source. For the destination, use the public IP address of one of the URLs the AVD can access but the NVA is blocking. You can use a tool like nslookup or a website like whatsmydns.net to find the public IP for the URL.

Run the Test: Connection Monitor will trace the path of the network packets between the AVD and the destination IP.

Analyze the Results: The results will show you the exact route the traffic is taking. If the traffic is indeed bypassing the SLB/GWLB/NVA chain, the trace will reveal a direct route to the internet as the next hop, rather than going through your configured appliances.

This will provide a definitive answer as to whether the traffic is following your intended path or taking an alternative one.

Another check you can do is to verify the effective routes on the network interface of the AVD host. You can do this in the Azure portal: navigate to the AVD VM's network interface and look at the "Effective routes" under the "Support + troubleshooting" section. This view shows all the routes that apply to that specific network interface, including system routes, user-defined routes (UDRs) from a route table, and BGP routes. You can then compare these effective routes to your intended routing table to see if there are any unexpected system routes or other UDRs that are taking precedence and directing traffic to the internet.

This video provides an excellent visual tutorial on how to use Azure Network Watcher to diagnose network issues.

Share via

I need to confirm if my Azure Virtual Desktop is taking an alternative route to the internet, bypassing the NVA in it's path.

1 answer

Your answer