Merge pull request #272736 from dknappettmsft/avd-private-link-clarifications

AVD private link clarify scenarios, IP addresses, and connection ports

Author: PMEds28

articles/virtual-desktop/private-link-overview.md

@@ -25,23 +25,25 @@ The following high-level diagram shows how Private Link securely connects a loca
 
 :::image type="content" source="media/private-link-diagram.png" alt-text="A high-level diagram that shows Private Link connecting a local client to the Azure Virtual Desktop service.":::
 
-The following table summarizes the private endpoints required:
+## Supported scenarios
 
-| Purpose | Resource type | Target sub-resource | Quantity |
-|--|--|--|--|
-| Initial feed discovery | Microsoft.DesktopVirtualization/workspaces | global | One for all your Azure Virtual Desktop deployments |
-| Feed download | Microsoft.DesktopVirtualization/workspaces | feed | One per workspace |
-| Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool |
+When adding Private Link with Azure Virtual Desktop, you have the following supported scenarios to connect to Azure Virtual Desktop. Each can be enabled or disabled depending on your requirements. You can either share these private endpoints across your network topology or you can isolate your virtual networks so that each has their own private endpoint to the host pool or workspace.
 
-You can either share these private endpoints across your network topology or you can isolate your virtual networks so that each has their own private endpoint to the host pool or workspace.
+1. Both clients and session host VMs use private routes. You need the following private endpoints:
+   
+   | Purpose | Resource type | Target sub-resource | Endpoint quantity |
+   |--|--|--|--|
+   | Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool |
+   | Feed download | Microsoft.DesktopVirtualization/workspaces | feed | One per workspace |
+   | Initial feed discovery | Microsoft.DesktopVirtualization/workspaces | global | **Only one for all your Azure Virtual Desktop deployments** |
 
-## Supported scenarios
+1. Clients use public routes while session host VMs use private routes. You need the following private endpoints. Endpoints to workspaces aren't required.
 
-When adding Private Link with Azure Virtual Desktop, you have the following options to connect to Azure Virtual Desktop. Each can be enabled or disabled depending on your requirements.
+   | Purpose | Resource type | Target sub-resource | Endpoint quantity |
+   |--|--|--|--|
+   | Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool |
 
-- Both clients and session host VMs use private routes.
-- Clients use public routes while session host VMs use private routes.
-- Both clients and session host VMs use public routes. Private Link isn't used.
+1. Both clients and session host VMs use public routes. Private Link isn't used in this scenario.
 
 For connections to a workspace, except the workspace used for initial feed discovery (global sub-resource), the following table details the outcome of each scenario:
 
@@ -75,11 +77,13 @@ When a user connects to Azure Virtual Desktop over Private Link, and Azure Virtu
 
 1. For each workspace in the feed, a DNS query is made for the address `<workspaceId>.privatelink.wvd.microsoft.com`.
 
-1. Your private DNS zone for **privatelink.wvd.microsoft.com** returns the private IP address for the workspace feed download.
+1. Your private DNS zone for **privatelink.wvd.microsoft.com** returns the private IP address for the workspace feed download, and downloads the feed using TCP port 443.
+
+1. When connecting to a remote session, the `.rdp` file that comes from the workspace feed download contains the address for the Azure Virtual Desktop gateway service with the lowest latency for the user's device. A DNS query is made to an address in the format `<hostpooId>.afdfp-rdgateway.wvd.microsoft.com`.
 
-1. When connecting a remote session, the `.rdp` file that comes from the workspace feed download contains the Remote Desktop gateway address. A DNS query is made for the address `<hostpooId>.afdfp-rdgateway.wvd.microsoft.com`.
+1. Your private DNS zone for **privatelink.wvd.microsoft.com** returns the private IP address for the Azure Virtual Desktop gateway service to use for the host pool providing the remote session. Orchestration through the virtual network and the private endpoint uses TCP port 443. 
 
-1. Your private DNS zone for **privatelink.wvd.microsoft.com** returns the private IP address for the Remote Desktop gateway to use for the host pool providing the remote session.
+1. Following orchestration, the network traffic between the client, Azure Virtual Desktop gateway service, and session host is transferred over to a port in the TCP dynamic port range of 1 - 65535. The entire port range is needed because port mapping is used to all global gateways through the single private endpoint IP address corresponding to the *connection* sub-resource. Azure private networking internally maps these ports to the appropriate gateway that was selected during client orchestration.
 
 ## Known issues and limitations
 

articles/virtual-desktop/private-link-setup.md

@@ -4,7 +4,7 @@ description: Learn how to set up Private Link with Azure Virtual Desktop to priv
 author: dknappettmsft
 ms.topic: how-to
 ms.custom: devx-track-azurepowershell, devx-track-azurecli
-ms.date: 07/17/2023
+ms.date: 04/19/2024
 ms.author: daknappe
 ---
 
@@ -65,13 +65,24 @@ To re-register the *Microsoft.DesktopVirtualization* resource provider:
 
 ## Create private endpoints
 
-During the setup process, you create private endpoints to the following resources:
+During the setup process, you create private endpoints to the following resources, depending on your scenario.
 
-| Purpose | Resource type | Target sub-resource | Quantity | Private DNS zone name |
-|--|--|--|--|--|
-| Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool | `privatelink.wvd.microsoft.com` |
-| Feed download | Microsoft.DesktopVirtualization/workspaces | feed | One per workspace | `privatelink.wvd.microsoft.com` |
-| Initial feed discovery | Microsoft.DesktopVirtualization/workspaces | global | **Only one for all your Azure Virtual Desktop deployments** | `privatelink-global.wvd.microsoft.com` |
+1. Both clients and session host VMs use private routes. You need the following private endpoints:
+   
+   | Purpose | Resource type | Target sub-resource | Endpoint quantity | IP address quantity |
+   |--|--|--|--|--|
+   | Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool | Four per endpoint |
+   | Feed download | Microsoft.DesktopVirtualization/workspaces | feed | One per workspace | Two per endpoint |
+   | Initial feed discovery | Microsoft.DesktopVirtualization/workspaces | global | **Only one for all your Azure Virtual Desktop deployments** | One per endpoint |
+
+1. Clients use public routes while session host VMs use private routes. You need the following private endpoints. Endpoints to workspaces aren't required.
+
+   | Purpose | Resource type | Target sub-resource | Endpoint quantity | IP address quantity |
+   |--|--|--|--|--|
+   | Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool | Four per endpoint |
+
+> [!IMPORTANT]
+> IP address allocations are subject to change as the demand for IP addresses increases. During capacity expansions, additional addresses are needed for private endpoints. It's important you consider potential address space exhaustion and ensure sufficient headroom for growth. For more information on determining the appropriate network configuration for private endpoints in either a hub or a spoke topology, see [Decision tree for Private Link deployment](/azure/architecture/networking/guide/private-link-hub-spoke-network#decision-tree-for-private-link-deployment).
 
 ### Connections to host pools
 
@@ -374,7 +385,6 @@ To create a private endpoint for the *feed* sub-resource for a workspace, select
 
 1. Select **Create** to create the private endpoint for the feed sub-resource.
 
-
 # [Azure PowerShell](#tab/powershell)
 
 1. In the same PowerShell session, create a Private Link service connection for a workspace with the feed sub-resource by running the following commands. In these examples, the same virtual network and subnet are used.