Enhance Azure Virtual Desktop firewall guidance

[aparnabhatms]

Added guidance for Azure Virtual WAN deployment in Azure Virtual Desktop configuration.

[prmerger-automator]

@aparnabhatms : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

[learn-build-service-prod]

Learn Build status updates of commit dbc5cfa:

✅ Validation status: passed

File	Status	Preview URL	Details
articles/firewall/protect-azure-virtual-desktop.md	✅Succeeded

For more details, please refer to the build report.

[aparnabhatms]

Updated commit based on input from @MikeWedderburn-Clarke

[learn-build-service-prod]

Learn Build status updates of commit d456b10:

✅ Validation status: passed

File	Status	Preview URL	Details
articles/firewall/protect-azure-virtual-desktop.md	✅Succeeded

For more details, please refer to the build report.

[Copilot]

Pull request overview

This PR enhances the Azure Virtual Desktop firewall guidance documentation by adding specific instructions for Azure Virtual WAN deployments. The update clarifies how to implement routing configurations to prevent disconnections during Azure Firewall scale-in events in Virtual WAN scenarios.

• Added Azure Virtual WAN deployment guidance for route table configuration
• Included reference link to Azure Virtual WAN routing considerations

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The warning message has become excessively long and difficult to parse. Consider breaking the Azure Virtual WAN guidance into a separate paragraph or tip block after the warning for better readability.

Suggested change

	> Azure Virtual Desktop disconnections may occur during Azure Firewall scale-ins if all traffic is routed to the Azure Firewall using a default route. We recommend having direct access to the gateway and broker for Azure Virtual Desktop to avoid these disconnections. To resolve this issue, add a route to the route table applied to the Azure Virtual Desktop subnet with the *destination type* set to **Service tag**, the *destination service* set to **WindowsVirtualDesktop**, and the *next hop* set to **Internet**. In an Azure Virtual Wan deployment, implement this by adding route table to subnet(spoke Vnet) hosting the Azure Virtual desktop wokload(s). Refer to [Azure Virtual Wan Routing considerations](../virtual-wan/how-to-routing-policies.md#considerations)
	> Azure Virtual Desktop disconnections may occur during Azure Firewall scale-ins if all traffic is routed to the Azure Firewall using a default route. We recommend having direct access to the gateway and broker for Azure Virtual Desktop to avoid these disconnections. To resolve this issue, add a route to the route table applied to the Azure Virtual Desktop subnet with the *destination type* set to **Service tag**, the *destination service* set to **WindowsVirtualDesktop**, and the *next hop* set to **Internet**.
	>
	> In an Azure Virtual WAN deployment, implement this by adding a route table to the subnet (spoke virtual network) that hosts the Azure Virtual Desktop workloads. For more information, see [Azure Virtual WAN routing considerations](../virtual-wan/how-to-routing-policies.md#considerations).

[ShannonLeavitt]

@duongau - Could you review the proposed changes?

IMPORTANT: When the changes are ready for publication, adding a #sign-off comment is the best way to signal that the PR is ready for the review team to merge.

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team