WSS Agent connection using UDP is seeing packet drops and user AVD devices' Internet access is seeing connection errors and timeouts

Article ID: 398944


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The customer is using Microsoft Azure Virtual Desktop.

During Windows Update, the pool of AVD devices suffers network issues that render the devices unusable.

Checks on the Broadcom side indicated no problem with the POP and PODs handling this AVD traffic and many other customers' traffic, yet performance and user experience were very poor for this customer tenant during those Windows Update hours.

Environment

Azure AVD and Cloud SWG connecting via UDP

Cause

The AVD devices egress to the Internet and Cloud SWG via a set of IP addresses and Azure firewall devices.

During the heavy Windows Update download, the firewall registered traffic in excess of 700,000 packets per second.

This heavy traffic triggered an egress DDoS protection rule on the Azure network (beyond the Azure firewall), which caused packet drops and poor network performance.

Resolution

The customer worked with the Azure team to have some of the limits raised on the Azure network side. Broadcom also advised the customer not to send Windows Update or Microsoft Intune traffic to Cloud SWG, per our general URL destination bypass recommendations.