articles/virtual-desktop/rdp-shortpath.md: 43 additions & 3 deletions
@@ -62,7 +62,7 @@ All connections begin by establishing a TCP-based [reverse connect transport](ne
62
62
63
63
1. After establishing the RDP Shortpath transport, all Dynamic Virtual Channels (DVCs), including remote graphics, input, and device redirection, are moved to the new transport. However, if a firewall or network topology prevents the client from establishing direct UDP connectivity, RDP continues with a reverse connect transport.
64
64
65
-
If your users have both RDP Shortpath for managed network and public networks available to them, then the first algorithm found will be used. Whichever connection gets established first is what the user will use for that session.
65
+
If your users have both RDP Shortpath for managed network and public networks available to them, then the first-found algorithm will be used. The user will use whichever connection gets established first for that session.
66
66
67
67
# [Public networks](#tab/public-networks)
68
68
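Review bot: "first-found algorithm" (new line 65) is not defined anywhere on the page before the Example scenarios section added further down, and the two sentences say the same thing twice. Suggest replacing both with a concrete statement of the behaviour that Scenario 3 in this same change describes, for example: "If both RDP Shortpath for managed networks and RDP Shortpath for public networks are available, the client attempts both transports at the same time and the session uses whichever connection is established first." That also drops the word "algorithm", which readers may take to mean a configurable setting rather than a race between two transports.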
@@ -121,7 +121,7 @@ All connections begin by establishing a TCP-based [reverse connect transport](ne
121
121
122
122
1. After RDP establishes the RDP Shortpath transport, all Dynamic Virtual Channels (DVCs), including remote graphics, input, and device redirection move to the new transport.
123
123
124
-
If your users have both RDP Shortpath for managed network and public networks available to them, then the first algorithm found will be used. Whichever connection gets established first is what the user will use for that session.
124
+
If your users have both RDP Shortpath for managed network and public networks available to them, then the first-found algorithm will be used. The user will use whichever connection gets established first for that session.
125
125
126
126
> [!IMPORTANT]
127
127
> When using a TCP-based transport, outbound traffic from session host to client is through the Azure Virtual Desktop Gateway. With RDP Shortpath, outbound traffic is established directly between session host and client over the internet. This removes a hop which improves latency and end user experience. However, due to the changes in data flow between session host and client where the Gateway is no longer used, there will be standard [Azure egress network charges](https://azure.microsoft.com/pricing/details/bandwidth/) billed in addition per subscription for the internet bandwidth consumed. To learn more about estimating the bandwidth used by RDP, see [RDP bandwidth requirements](rdp-bandwidth.md).
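Review bot: New line 124 repeats new line 65 word for word, and because it sits directly above the IMPORTANT note on egress charges it should state the practical consequence: when the two transports race, a user who has a working managed-network path is not guaranteed to land on it, and a session that ends up on the public-networks transport incurs the Azure egress charges the note describes. Scenario 3 below says the managed path is only "likely" to be established first, and Scenario 4 already explains that an admin can block UDP on one route to make the other deterministic; suggest either saying that here or linking this sentence to the Example scenarios section.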
@@ -132,7 +132,7 @@ To support RDP Shortpath for public networks, you typically don't need any parti
132
132
133
133
As RDP Shortpath uses UDP to establish a data flow, if a firewall on your network blocks UDP traffic, RDP Shortpath will fail and the connection will fall back to TCP-based reverse connect transport. Azure Virtual Desktop uses STUN servers provided by Azure Communication Services and Microsoft Teams. By the nature of the feature, outbound connectivity from the session hosts to the client is required. Unfortunately, you can't predict where your users are located in most cases. Therefore, we recommend allowing outbound UDP connectivity from your session hosts to the internet. To reduce the number of ports required, you can [limit the port range used by clients](configure-rdp-shortpath-limit-ports-public-networks.md) for the UDP flow. Use the following tables for reference when configuring firewalls for RDP Shortpath.
134
134
135
-
If your users are in a scenario where RDP Shortpath for both managed network and public networks is available to them, then the first algorithm found will be used. Whichever connection gets established first is what the user will use for that session.
135
+
If your users are in a scenario where RDP Shortpath for both managed network and public networks is available to them, then the first algorithm found will be used. The user will use whichever connection gets established first for that session.
136
136
137
137
> [!NOTE]
138
138
> RDP Shortpath doesn't support Symmetric NAT, which is the mapping of a single private source *IP:Port* to a unique public destination *IP:Port*. This is because RDP Shortpath needs to reuse the same external port (or NAT binding) used in the initial connection. Where multiple paths are used, for example a highly available firewall pair, external port reuse cannot be guaranteed. Azure Firewall and Azure NAT Gateway use Symmetric NAT and so are not supported. For more information about NAT with Azure virtual networks, see [Source Network Address Translation with virtual networks](../virtual-network/nat-gateway/nat-gateway-resource.md#source-network-address-translation).
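Review bot: New line 135 still reads "the first algorithm found will be used" while the same sentence at new lines 65 and 124 was changed to "the first-found algorithm will be used" in this same commit; only the second sentence was reworded here. Suggest applying one wording to all three copies, or keeping a single copy that the other two tabs reference, so they do not drift again. It would also help to tie this sentence to the paragraph above it: blocking outbound UDP on the firewall is exactly what produces the fall back to TCP-based reverse connect shown in Scenario 5, regardless of which of the two Shortpath transports would otherwise have won.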
@@ -187,6 +187,46 @@ RDP Shortpath uses a TLS connection between the client and the session host usin
187
187
> [!NOTE]
188
188
> The security offered by RDP Shortpath is the same as that offered by reverse connect transport.
189
189
190
+
## Example scenarios
191
+
192
+
Here are some example scenarios to show how connections are evaluated to decide whether RDP Shortpath is used across different network topologies.
193
+
194
+
### Scenario 1
195
+
196
+
A UDP connection can only be established between the client device and the session host over a public network (internet). A direct connection, such as a VPN, is not available.
197
+
198
+
:::image type="content" source="media/rdp-shortpath/rdp-shortpath-scenario-1.png" alt-text="Diagram that shows RDP Shortpath for public networks is used." border="false":::
199
+
200
+
### Scenario 2
201
+
202
+
A UDP connection can be established between the client device and the session host over a public network or over a direct VPN connection, but RDP Shortpath for managed networks is not enabled. When the client initiates the connection, the ICE/STUN protocol can see multiple routes and will evaluate each route and choose the one with the lowest latency.
203
+
204
+
In this example, a UDP connection using RDP Shortpath for public networks over the direct VPN connection will be made as it has the lowest latency, as shown by the green line.
205
+
206
+
:::image type="content" source="media/rdp-shortpath/rdp-shortpath-scenario-2.png" alt-text="Diagram that shows a UDP connection using RDP Shortpath for public networks over the direct VPN connection will be made as it has the lowest latency." border="false":::
207
+
208
+
### Scenario 3
209
+
210
+
Both RDP Shortpath for public networks and managed networks are enabled. A UDP connection can be established between the client device and the session host over a public network or over a direct VPN connection. When the client initiates the connection, there are simultaneous attempts to connect using RDP Shortpath for managed networks through port 3390 (by default) and RDP Shortpath for public networks through the ICE/STUN protocol. The first-found algorithm will be used and the user will use whichever connection gets established first for that session.
211
+
212
+
Since going over a public network has additional steps, for example a NAT device, a load balancer, or a STUN server, it is likely that the first-found algorithm will select the connection using RDP Shortpath for managed networks and be established first.
213
+
214
+
:::image type="content" source="media/rdp-shortpath/rdp-shortpath-scenario-3.png" alt-text="Diagram that shows the first-found algorithm will select the connection using RDP Shortpath for managed networks and be established first." border="false":::
215
+
216
+
### Scenario 4
217
+
218
+
A UDP connection can be established between the client device and the session host over a public network or over a direct VPN connection, but RDP Shortpath for managed networks is not enabled. To prevent ICE/STUN from using a particular route, an admin can block one of the routes for UDP traffic. Blocking a route would ensure the remaining path is always used.
219
+
220
+
In this example, UDP is blocked on the direct VPN connection and the ICE/STUN protocol establishes a connection over the public network.
221
+
222
+
:::image type="content" source="media/rdp-shortpath/rdp-shortpath-scenario-4.png" alt-text="Diagram that shows UDP is blocked on the direct VPN connection and the ICE/STUN protocol establishes a connection over the public network." border="false":::
223
+
224
+
### Scenario 5
225
+
226
+
Both RDP Shortpath for public networks and managed networks are configured, however a UDP connection could not be established. In this instance, RDP Shortpath will fail and the connection will fall back to TCP-based reverse connect transport.
227
+
228
+
:::image type="content" source="media/rdp-shortpath/rdp-shortpath-scenario-5.png" alt-text="Diagram that shows a UDP connection could not be established. In this instance, RDP Shortpath will fail and the connection will fall back to TCP-based reverse connect transport." border="false":::
229
+
190
230
## Next steps
191
231
192
232
- Learn how to [Configure RDP Shortpath](configure-rdp-shortpath.md).
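Review bot: Scenario 2 (new lines 202 and 204) says ICE/STUN "will evaluate each route and choose the one with the lowest latency", while new line 65 and Scenario 3 (new line 210) say the session uses whichever connection is established first; as written these read as two different selection rules. Suggest stating explicitly that the latency-based choice in Scenario 2 is among candidate routes within the single RDP Shortpath for public networks transport (managed networks is disabled there), whereas the first-established rule in Scenario 3 is the race between the managed-networks and public-networks transports. One smaller point: Scenario 4 (new line 218) says "Blocking a route would ensure the remaining path is always used", which holds only if UDP on the remaining path can actually be established; otherwise the connection falls back to TCP-based reverse connect as in Scenario 5, so "is used whenever it can be established" would be more accurate.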