Azure Virtual Desktop session hosts need to communicate with various Azure services. One common health check failure is "TURN relay access" - and it's usually a network configuration issue.
## What is TURN Relay?
TURN (Traversal Using Relays around NAT) helps establish connections when direct UDP connectivity isn't possible. AVD uses TURN for:
- RDP Shortpath fallback
- NAT traversal
- Firewall bypass scenarios
## The Health Check
AVD periodically checks if session hosts can reach TURN servers. Failures appear in:
- Azure Portal → Host Pool → Session Hosts → Health
- Log Analytics (if configured)
## Required Connectivity
Session hosts need outbound access to:
| Destination | Port | Protocol |
|---|---|---|
| *.turn.azure.com | 443 | TCP |
| *.turn.azure.com | 3478 | UDP |
| *.turn.azure.com | 3478 | TCP |
## Testing Connectivity
From a session host, test the endpoints:
```powershell
# Test TCP 443
Test-NetConnection -ComputerName global.turn.azure.com -Port 443
# Test TCP 3478
Test-NetConnection -ComputerName global.turn.azure.com -Port 3478

# For UDP, send a minimal STUN Binding Request (RFC 5389) and wait for a reply.
# The request must be the full 20-byte header (type 0x0001, length 0, magic
# cookie 0x2112A442, 12-byte transaction ID); a 4-byte packet is not valid STUN
# and a TURN server will simply ignore it, making this test fail even when the
# path is open.
$txId = [byte[]](1..12 | ForEach-Object { Get-Random -Maximum 256 })
$request = [byte[]]((0x00, 0x01, 0x00, 0x00, 0x21, 0x12, 0xA4, 0x42) + $txId)
$udpClient = New-Object System.Net.Sockets.UdpClient
$udpClient.Client.ReceiveTimeout = 5000   # wait at most 5 s for a response
$endpoint = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
try {
    $udpClient.Connect("global.turn.azure.com", 3478)
    [void]$udpClient.Send($request, $request.Length)
    $response = $udpClient.Receive([ref]$endpoint)
    Write-Host "UDP connectivity: OK ($($response.Length) bytes received)"
} catch {
    Write-Host "UDP connectivity: FAILED - $_"
} finally {
    $udpClient.Close()
}
```
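A reply of any kind proves only that something answered on UDP 3478. An inspecting middlebox can also answer, so it is worth checking that the reply is a real STUN Binding Success Response and decoding the XOR-MAPPED-ADDRESS it carries, which shows the public IP and port the relay saw (useful when comparing NAT behaviour across sites). The function below is an added example, not code from the original post; the server name, port and timeout are assumed defaults.

```powershell
# Added example: validate a STUN Binding reply instead of accepting any UDP bytes.
# Assumes global.turn.azure.com:3478 as the default target.
function Test-StunBinding {
    param(
        [string]$Server = "global.turn.azure.com",
        [int]$Port = 3478,
        [int]$TimeoutMs = 5000
    )
    $magic = [byte[]](0x21, 0x12, 0xA4, 0x42)          # STUN magic cookie
    $txId  = New-Object byte[] 12                        # 96-bit transaction ID
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($txId)
    # Header: type 0x0001 (Binding Request), message length 0, cookie, transaction ID
    $request = [byte[]]((0x00, 0x01, 0x00, 0x00) + $magic + $txId)

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, $Port)
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)
    } catch {
        return [pscustomobject]@{ Server = $Server; Port = $Port; Result = "FAILED"; Detail = $_.Exception.Message }
    } finally { $udp.Close() }

    if ($reply.Length -lt 20) {
        return [pscustomobject]@{ Server = $Server; Port = $Port; Result = "UNEXPECTED"; Detail = "Reply shorter than a STUN header" }
    }
    # A real STUN server answers type 0x0101 and echoes the cookie + transaction ID
    $type = ($reply[0] -shl 8) -bor $reply[1]
    if ($type -ne 0x0101 -or (($reply[4..19] -join ',') -ne (($magic + $txId) -join ','))) {
        return [pscustomobject]@{ Server = $Server; Port = $Port; Result = "UNEXPECTED"; Detail = ("STUN type 0x{0:X4}, {1} bytes" -f $type, $reply.Length) }
    }
    # Walk the attributes (4-byte header + value padded to 4 bytes) for XOR-MAPPED-ADDRESS
    $mapped = "not present"; $pos = 20
    while ($pos + 4 -le $reply.Length) {
        $attr = ($reply[$pos] -shl 8) -bor $reply[$pos + 1]
        $len  = ($reply[$pos + 2] -shl 8) -bor $reply[$pos + 3]
        if ($attr -eq 0x0020 -and $reply[$pos + 5] -eq 0x01) {   # 0x01 = IPv4 family
            $xport = ((($reply[$pos + 6] -shl 8) -bor $reply[$pos + 7]) -bxor 0x2112)
            $xaddr = (0..3 | ForEach-Object { $reply[$pos + 8 + $_] -bxor $magic[$_] }) -join '.'
            $mapped = "${xaddr}:${xport}"
        }
        $pos += 4 + $len + ((4 - ($len % 4)) % 4)
    }
    return [pscustomobject]@{ Server = $Server; Port = $Port; Result = "OK"; Detail = "Mapped address $mapped" }
}
Test-StunBinding | Format-List
```

A `Result` of `UNEXPECTED` with a non-STUN payload points at inspection or interception on the path rather than a simple port block.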
## Common Causes
### 1. NSG Rules
Check your Network Security Group allows outbound:
```hcl
resource "azurerm_network_security_rule" "avd_turn" {
  name                        = "Allow-AVD-TURN"
  priority                    = 100
  direction                   = "Outbound"
  access                      = "Allow"
  protocol                    = "*"                # both TCP and UDP
  source_port_range           = "*"
  destination_port_ranges     = ["443", "3478"]
  source_address_prefix       = "*"
  destination_address_prefix  = "AzureCloud"       # service tag
  resource_group_name         = azurerm_resource_group.this.name
  network_security_group_name = azurerm_network_security_group.avd.name
}
```
### 2. Azure Firewall Rules
If routing through Azure Firewall, add an application rule for TCP 443 and a network rule for port 3478:
```hcl
resource "azurerm_firewall_application_rule_collection" "avd" {
  name                = "avd-rules"
  azure_firewall_name = azurerm_firewall.this.name
  resource_group_name = azurerm_resource_group.this.name
  priority            = 200
  action              = "Allow"
  rule {
    name             = "avd-turn"
    source_addresses = ["10.0.0.0/24"] # AVD subnet
    target_fqdns     = ["*.turn.azure.com"]
    protocol {
      port = "443"
      type = "Https"
    }
  }
}

# Network rule for port 3478 (UDP and TCP)
resource "azurerm_firewall_network_rule_collection" "avd_turn" {
  name                = "avd-turn-udp"
  azure_firewall_name = azurerm_firewall.this.name
  resource_group_name = azurerm_resource_group.this.name
  priority            = 200
  action              = "Allow"
  rule {
    name                  = "turn-udp"
    source_addresses      = ["10.0.0.0/24"]
    destination_addresses = ["AzureCloud"]
    destination_ports     = ["3478"]
    protocols             = ["UDP", "TCP"]
  }
}
```
### 3. On-Premises Firewall
For session hosts with line of sight to on-premises, check:
- UDP 3478 isn't blocked
- STUN/TURN traffic isn't being inspected and dropped
### 4. Route Table Issues
If you have a route table forcing traffic through an NVA:
```hcl
resource "azurerm_route" "internet" {
  name                   = "default-route"
  resource_group_name    = azurerm_resource_group.this.name
  route_table_name       = azurerm_route_table.avd.name
  address_prefix         = "0.0.0.0/0"
  next_hop_type          = "VirtualAppliance"
  next_hop_in_ip_address = "10.0.1.4" # NVA IP
}
```
Make sure the NVA passes TURN traffic correctly.
## Using RDP Shortpath
RDP Shortpath provides better performance when it works:
```powershell
# Check if Shortpath is being used (on client)
Get-WmiObject -Namespace "root\cimv2\TerminalServices" -Class Win32_TSGeneralSetting |
    Select-Object TerminalProtocol
```
If Shortpath fails, AVD falls back to TURN relay, then to WebSocket over HTTPS.
## Monitoring
Query Log Analytics for connectivity issues:
```kusto
WVDConnectionNetworkData
| where TimeGenerated > ago(24h)
| where EstRoundTripTimeInMs > 100
| summarize AvgRTT = avg(EstRoundTripTimeInMs) by SessionHostName, bin(TimeGenerated, 1h)
| order by AvgRTT desc
```
Need help optimising Azure Virtual Desktop? Get in touch - we help organisations deploy and troubleshoot AVD environments.