So like the title states, I'm hosting RDP servers in Azure and need to think about accessing the published applications. In the past I would have put a gateway server in the DMZ, a session broker then the host, but that's for a physical environment and I need to think more cloud base. I could do AVD's but the end users prefer to access the application through the RDP website internally.

We currently have the site published externally and limit the access by adding IP addresses to the NSG service, but this is given end user direct access to the DB/Application server/RDP host and to be honest, Lazy admins are not removing IP addresses from Hotels that the end users are staying at. However, I want something more secure if possible with an additional layer in front of the RDP servers.