BenLevy-4415 asked BenLevy-4415 commented

Restrict Azure VM RDP to VPN

I am trying to restrict RDP access to Azure VMs to VPN connections only.

I have created the Point-to-Site VPN connection (https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal)

I am able to connect to the VPN (https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-resource-manager-portal)

But now I need to restrict the RDP on the VM to only allow connections from that VPN. I can't seem to find documentation for that.

[screenshot attached: screenshot-2021-05-11-214425.png]


azure-vpn-gateway
SaiKishor-MSFT answered BenLevy-4415 commented

@BenLevy-4415 Thank you for reaching out to Microsoft Q&A.

I understand that you want to restrict traffic to your VMs only from the P2S VPN and block everything else.

To do this you need a rule similar to the above one in the snapshot. Here, instead of allowing 'any' source, allow only the 'P2S VPN client address pool' as the source for the RDP service. This rule needs to be set up with a lower priority, and then a higher priority rule (which I see is already present) to block all other traffic, as seen in your snapshot. Hope this helps.

Please let us know if you have any further questions and we will be glad to assist you further. Thank you!


This is the correct answer. There were other issues with my other Azure recourses. That was solved in another thread on this forum.

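The rule set the answer describes, written out with Az PowerShell as an added example (not code from the thread or from Microsoft's docs). The resource group, NSG, NIC name and the P2S client address pool are constructed placeholders; replace them with the values from your own gateway configuration.

```powershell
# Added example: allow RDP only from the P2S VPN client address pool, deny it from
# everything else, then read back the effective rules on the VM NIC.
$rg      = 'rg-example'        # assumed resource group name
$nsgName = 'nsg-example'       # assumed NSG attached to the VM NIC or its subnet
$nicName = 'vm1-nic'           # assumed NIC name of the VM
$p2sPool = '172.16.201.0/24'   # assumed P2S client address pool (take it from the gateway's P2S settings)

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg

# Allow TCP 3389 from the VPN client pool only. A lower priority number is evaluated
# first, so this rule must carry a lower number than the deny rule below.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Allow-RDP-From-P2S' -Priority 100 -Direction Inbound -Access Allow `
    -Protocol Tcp -SourceAddressPrefix $p2sPool -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null

# Deny RDP from any other source. Higher number, so it is evaluated after the allow.
# Rules for other ports (e.g. 80/443 on a web server) are matched independently and
# are not affected by this pair.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'Deny-RDP-Other' -Priority 200 -Direction Inbound -Access Deny `
    -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null

$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Verify what the NIC actually enforces. Effective rules merge the NIC NSG and the
# subnet NSG, so a deny at the subnet level that blocks the VPN pool shows up here.
$eff = Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $rg
$eff.EffectiveSecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and ($_.DestinationPortRange -match '3389') } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, SourceAddressPrefix, DestinationPortRange -AutoSize
```

If the allow rule is listed but RDP still fails, the client is most likely not reaching the VNet over the tunnel at all (as later turned out in this thread), so check the VPN client's assigned address before revisiting the NSG.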
BenLevy-4415 answered

OK. Thanks. I think that is what I was looking for. There is a Web Server that will allow HTTP and HTTPS, but I am assuming that will not conflict with the RDP rules. (lower priority!).

BenLevy-4415 answered SaiKishor-MSFT commented

@SaiKishor-MSFT

This did not work. The RDP session will not connect (yes, with the VPN connected).

These are my settings.

[screenshot attached: ns1.png]


And

[screenshot attached: p2s.png]




@BenLevy-4415 The rule looks good and that is the proper way to go about it. Can you please check the effective security rules to determine the rules in effect for the VM NIC? If possible please share a snapshot. Thank you!

BenLevy-4415 answered SaiKishor-MSFT commented

Here is what I think you are after. Note: the Ben_PC is not being used. The IP is not current. Just ignore that.

It is possible this is an issue with my VPN. I am just using the Windows 10 VPN client. My proxy is set to none.

[screenshot attached: image.png]




@BenLevy-4415 The rules look good. Does it work if you change the source to 'any'? Please let me know. Thank you!

BenLevy-4415 answered

So, you cannot set source to "any". It is invalid.

I think my issue is with the VPN connection. I have never used the Windows 10 VPN. It connects, but says "No network access".

[screenshot attached: image.png]


And this is what I see when connected.

[screenshot attached: image.png]



BenLevy-4415 answered

So, I have managed to solve the VPN issue. This was due to the PS New-AzVpnClientConfiguration not being done correctly.

However, I still cannot connect via RDP. My VPN is connected and did get an IP as expected.

When I run PS > Get-AzNetworkInterface, I see all my VMs with the correct Azure IP (i.e. 10.0.0.4).

I think this has something to do with the VM's Network interface or the subnets. Can't figure that out.

BenLevy-4415 answered

@SaiKishor-MSFT

I did post all that info in a new thread:

https://docs.microsoft.com/en-us/answers/questions/401554/azure-p2s-rdp-over-vpn.html

I also sent a support ticket in, but have not had the best luck with MS Azure support.

I am trying to RDP with the internal IP of the VMs (i.e. 1.0.0.4).
