add warning about azfw and avd

duongau · web-flow · commit a4e3e4fcec0a · 2025-03-17T10:59:23.000-07:00
diff --git a/articles/firewall/protect-azure-virtual-desktop.md b/articles/firewall/protect-azure-virtual-desktop.md
@@ -25,6 +25,9 @@ Follow the guidelines in this article to provide extra protection for your Azure
 
 To learn more about Azure Virtual Desktop terminology, see [Azure Virtual Desktop terminology](../virtual-desktop/terminology.md).
 
+> [!WARNING]
+> Azure Virtual Desktop disconnections may occur during Azure Firewall scale-ins if all traffic is routed to the Azure Firewall using a default route. We recommend having direct access to the gateway and broker for Azure Virtual Desktop to avoid these disconnections. To resolve this issue, add a route to the route table applied to the Azure Virtual Desktop subnet with the *destination type* set to **Service tag**, the *destination service* set to **WindowsVirtualDesktop**, and the *next hop* set to **Internet**.
+
 ## Host pool outbound access to Azure Virtual Desktop
 
 The Azure virtual machines you create for Azure Virtual Desktop must have access to several Fully Qualified Domain Names (FQDNs) to function properly. Azure Firewall uses the Azure Virtual Desktop FQDN tag `WindowsVirtualDesktop` to simplify this configuration. You need to create an Azure Firewall Policy and create Rule Collections for Network Rules and Applications Rules. Give the Rule Collection a priority and an *allow* or *deny* action.
