Skip to content
Menu
IT-DRAFTS
  • About
  • My Statistics at Microsoft Q&A
  • Privacy policy
IT-DRAFTS
June 4, 2025

Global Expansion of TURN Relay Infrastructure for Azure Virtual Desktop and Windows 365

Effective Date: June 15, 2025
New IP Subnet: 51.5.0.0/16

Microsoft is expanding the global infrastructure supporting RDP Shortpath by introducing a dedicated TURN relay IP range across 40 Azure regions. This update is a major leap in performance and reliability for Windows 365 and Azure Virtual Desktop (AVD), particularly in environments with strict network policies or high-latency paths.

🔍 What Is TURN and Why It Matters?

TURN (Traversal Using Relays around NAT) is a protocol enabling UDP-based connectivity for clients behind firewalls and NAT devices. In Microsoft’s implementation of RDP Shortpath for public networks, TURN serves as a fallback mechanism when direct UDP connectivity cannot be established.

With this update, Microsoft is moving TURN relay traffic from the current ACS range (20.202.0.0/16) to a new, dedicated IP block (51.5.0.0/16) that is part of the WindowsVirtualDesktop service tag—simplifying firewall and routing configurations at scale.

🌐 Regional Expansion: From 14 to 40 Regions

The infrastructure scale-out means relay nodes are now closer to users geographically, improving performance and resiliency:

Improvement Impact
Lower Latency Faster round-trip times and better session responsiveness
Higher Reliability Reduced connection drops, particularly over variable networks
Improved UDP Success Rate Better handling of real-time traffic (voice, video, interactive sessions)

📶 Benefits of the Dedicated TURN IP Range

  1. Optimized for Azure Virtual Desktop & Windows 365
    Dedicated IP routing reduces contention and avoids unnecessary filtering or proxy interference.

  2. Enhanced Security Control
    Organizations can explicitly whitelist TURN traffic without affecting other services using ACS.

  3. Better Routing Behavior
    Allows direct, local breakout and integration with Microsoft’s low-latency global backbone.

  4. Easier Management
    The inclusion in the WindowsVirtualDesktop service tag simplifies network rule enforcement in both on-prem and cloud firewalls.

🌍 Supported TURN Relay Regions

Relays are now deployed in 40 strategic locations, covering every major Azure geography.
Selection is based on the user’s physical location, not the virtual host:

  • EMEA: UK South/West, France Central, Germany West Central, Norway East, Sweden Central, Switzerland North, UAE Central/North, Poland Central, Italy North

  • AMERICAS: East US, East US 2, West US, West US 2/3, Central US, South Central US, West Central US, North Central US, Canada Central/East, Brazil South, Mexico Central

  • ASIA & PACIFIC: Japan East/West, Korea Central/South, Taiwan North, Southeast Asia, Central India, South India, Australia East/Southeast

  • AFRICA: South Africa North/West

⚠️ When a region is unavailable, the connection may fall back to TCP, impacting session performance.

🛠 How to Prepare: Action Required

To avoid service interruptions, network administrators must explicitly allow and optimize traffic to the new TURN IP range (51.5.0.0/16).

✅ Step 1: Ensure Accessibility

  • Allow outbound access to 51.5.0.0/16 on all egress devices.

  • Confirm the IP range is reachable from all relevant endpoints, especially if using custom firewalls or security appliances.

  • For hosted network deployments (Windows 365), this is preconfigured.

  • For AVD/ANC deployments, the WindowsVirtualDesktop service tag covers this range.

✅ Step 2: Optimize Routing

To maintain low latency and reliability, traffic must be optimized:

Requirement Why
No TLS Inspection TURN uses double encryption (TLS-in-TLS); inspection adds latency and can cause instability
Local Internet Breakout Direct egress ensures shortest path to Microsoft’s backbone
Bypass VPN/Proxies/SWG These introduce delay and may block TURN traffic; configure split tunneling or exclusions
Use UDR for Cloud-based VMs Route TURN traffic directly to Internet, not through virtual appliances

🔧 Sample Configuration Guidance

simplified conceptual diagram for routing

For UDR implementation in Azure

{
“name”: “turnRelayRoute”,
“properties”: {
“addressPrefix”: “51.5.0.0/16”,
“nextHopType”: “Internet”
}
}

📚 Learn More

  • RDP Shortpath for Public Networks (Microsoft Docs)

  • Service Tags in Azure

  • Configure Forced Tunneling with UDR

🔖 Summary

What’s Changing New dedicated TURN range 51.5.0.0/16 replacing ACS range 20.202.0.0/16
Action Needed Configure bypass rules and ensure routing optimizations for new subnet
Key Benefits Lower latency, improved reliability, simplified security control, and expanded global coverage

Let this be part of your June 2025 change management schedule. Neglecting to update routing or firewall policies may result in degraded user experience across AVD and Windows 365 sessions.

Categories

AI Azure AzureDown BetaChannel cloudnetworking Conditional Access Copilot CrowdStrike Cybersecurity DataPrivacy DataProtection DevOps DigitalTransformation DNS GDPRcompliance Howto Innovation insider licensing MFA Microsoft Microsoft365 Microsoft AI MicrosoftAzure Microsoft ML Microsoft Product MS Entra MSteams network NewRelease Office2024 OfficeSuite OWASP PrivacyRights ProductivityTools sam Security software SoftwareUpdate TechNews Technology updates Windows Windows10 Windows11

Archives

  • June 2025
  • May 2025
  • February 2025
  • October 2024
  • September 2024
  • July 2024
  • June 2024
  • May 2024
  • April 2024
  • March 2024
No comments to show.

Recent Comments

Recent Posts

  • Windows 11 Insider Preview Build 26120.4230
  • Global Expansion of TURN Relay Infrastructure for Azure Virtual Desktop and Windows 365
  • How to Create and Manage a Public DNS Zone in Azure via the Portal
  • Microsoft FrodoKEM: A Conservative Quantum-Safe Cryptographic Algorithm
  • Microsoft 365 Agents Toolkit: A Technical Deep Dive for Pro-Code AI Developers
©2025 IT-DRAFTS | Powered by WordPress and Superb Themes!