Thursday, August 14, 2014

Restricting remote access to Azure Virtual Machine

If you create virtual machines in Microsoft Azure, you typically connect to them using RDP (assuming, of course, that they are Windows machines). What you may not be aware of is that you can restrict, or whitelist, which remote IP addresses are allowed to RDP to these machines. Here's how you configure this.

image

Log in to your Microsoft Azure console as shown above.

image

Shown here is a Windows Domain Controller virtual machine. What I want to do is restrict remote RDP access to this machine for security reasons (since it is a Domain Controller after all).

To do that select the Virtual Machine from the list and then the Endpoints option from the menu across the top as shown above.

At the moment there are only two endpoints, one for PowerShell and one for Remote Desktop (i.e. RDP). Both of these services are accessible to the outside world via the Public port (which I have obscured for privacy reasons). These Public ports map to the familiar Private ports at the virtual machine.

Thus, Remote Desktop is reached from the Internet via an automatically assigned public port, which is then mapped to the familiar port 3389 internally at the machine. Note that the non-standard public port is only obscurity, not access control: anyone who scans the public IP will still find it.

image

To set security on an Endpoint, simply select it and then select the MANAGE ACL button at the bottom of the screen.

image

You will then see a dialog that allows you to enter a description as well as a remote subnet (in CIDR notation; a single source address is written with a /32 suffix). You can then set the action to be either Permit or Deny. Without an ACL, the endpoint accepts inbound RDP traffic from any source address. All other ports are blocked for inbound traffic unless endpoints are created for those ports.

Points to consider:

  1. No ACL – By default when an endpoint is created, Azure permits all traffic for the endpoint.
  2. Permit - When you add one or more "permit" ranges, you are denying all other ranges by default. Only packets from the permitted IP ranges will be able to communicate with the virtual machine endpoint.
  3. Deny - When you add one or more "deny" ranges, you are permitting all other ranges of traffic by default.
  4. Combination of Permit and Deny - You can use a combination of "permit" and "deny" when you want to carve out a specific IP range to be permitted or denied. Rules carry an order number and are evaluated in that order, first match wins, so place the narrower rule ahead of the broader one.

(Reference - http://msdn.microsoft.com/en-us/library/azure/dn376541.aspx)

You can of course configure these ACLs using PowerShell, and the reference for that is here:

http://msdn.microsoft.com/en-us/library/azure/dn376543.aspx
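The following is an added example, not code from the original post, showing the same configuration done from the Azure (Service Management) PowerShell module rather than the portal: a Permit rule for an office range combined with a Deny rule for one host inside that range, applied to the "Remote Desktop" endpoint. The cloud service name, VM name and IP ranges are assumptions for illustration only.

```powershell
# Added example (not from the original post): restrict the "Remote Desktop"
# endpoint of a classic Azure VM to one permitted source range, with a single
# host inside that range explicitly denied.
# Assumptions: the service name, VM name and IP ranges below are placeholders.
# Prerequisites: the Azure PowerShell module, authenticated with
# Add-AzureAccount, and the target subscription chosen with
# Select-AzureSubscription.

$serviceName  = "mycloudservice"      # assumed cloud service name
$vmName       = "dc01"                # assumed VM name
$endpointName = "Remote Desktop"      # endpoint name as created by the portal
$officeRange  = "203.0.113.0/24"      # assumed office egress range (CIDR)
$blockedHost  = "203.0.113.77/32"     # assumed host within that range to deny

# Build the ACL. Rules are evaluated by -Order, lowest first, first match
# wins, so the narrow Deny must sit ahead of the broad Permit.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Order 100 -Action Deny `
    -RemoteSubnet $blockedHost -Description "Deny shared kiosk host"
Set-AzureAclConfig -AddRule -ACL $acl -Order 200 -Action Permit `
    -RemoteSubnet $officeRange -Description "Permit office range"
# A Permit rule implicitly denies every other source, so no trailing
# catch-all Deny rule is needed.

# Read the existing endpoint so the public/private port mapping is
# preserved instead of being retyped (and possibly changed) by hand.
$vm  = Get-AzureVM -ServiceName $serviceName -Name $vmName
$rdp = $vm | Get-AzureEndpoint -Name $endpointName
if (-not $rdp) { throw "Endpoint '$endpointName' not found on $vmName" }

# Re-apply the endpoint with the ACL attached and push the change to Azure.
$vm | Set-AzureEndpoint -Name $endpointName -Protocol $rdp.Protocol `
        -LocalPort $rdp.LocalPort -PublicPort $rdp.Port -ACL $acl |
    Update-AzureVM

# Verify what Azure actually stored for the endpoint before trusting it.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureAclConfig -EndpointName $endpointName |
    Format-Table Order, Action, RemoteSubnet, Description -AutoSize
```

Two things to check after running this: that the permitted range really is the address your connections leave from (a NAT gateway or VPN egress, not your workstation's private address), and that the PowerShell endpoint on the same VM has been given an equivalent ACL, since an unrestricted remote management port on a Domain Controller undoes the benefit of locking down RDP. Finally, confirm you can still connect from the permitted range before closing the session you applied the change from.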

More information about setting endpoints for virtual machines can be found at:

http://azure.microsoft.com/en-us/documentation/articles/virtual-machines-set-up-endpoints/