Month: April 2018

Restricting RDP (Remote Desktop) Access to Azure Virtual Machines

By default, every Azure virtual machine has RDP (Remote Desktop Protocol), port 3389 enabled, and allows any RDP connection from any IP in the world. As great as that is, this can be a (huge) security risk.  So, what if we want to change this, and limit who has RDP access to the VM? What if we want only a select range of IPs, or a specific IP to only have access to the VM(s)? For example, your branch office has a static public IP, and we only want RDP access from this IP/location. How can we achieve this?

Restricting RDP access your VMs in Azure isn’t difficult, but does require some knowledge of Azure Network Security. The solution can be achieved by making use of Azure NSG’s (Network Security Groups). Every VM will have an NSG when it is deployed. If you create an NSG beforehand, you can simply apply the same NSG to new VM deployments.

In the example below, we will need to create 2 NSG’s.

  1. Allowing RDP from a specific IP/CIDR
  2. Denying all RDP traffic

Let’s begin, if you go into the property settings of the VM, and select the Networking Settings, and select, “Add inbound port rule“. Click on the wrench, to switch from Basic to Advanced.

The Inbound Security Rule properties, as follows:

Wait, what do all of these fields mean?

  • Source: The source can by any IP Address, or CIDR Range, or a default-service tag.
  • Source IP Address/CIDR Ranges: Any IP Address, or CIDR Range.
  • Source Service Tag: There are a series of options here, but in short:
    • Load Balancer: Any probes in the Azure Load Balancer
    • Virtual Network: The Virtual Network the VM is connected to
    • Internet: All network traffic in the public virtual network, (including all Azure services, such as Azure Traffic Manager, Storage and SQL)
    • Azure Traffic Manager: Denotes the IP address from where the Azure Load Balancer health probes will origiante.
    • Storage.*:  Access to Azure storage services and/or specific Azure regions
    • SQL.*: Access to Azure SQL Database and Warehouse services, and/or specific Azure regions
  • Source Port Ranges: You can use either a range of ports, or use a Wildcard (*) for all ranges.
  • Destination: The source can by any IP Address, or CIDR Range, or the Virtual Network.
  • Destination Port Ranges: You can use either a range of ports, or use a Wildcard (*) for all ranges.
  • Protocol: TCP or UDP, or Any, which includes both TCP and UDP, and ICMP.
  • Action: Allow, or Deny access.
  • Priority: A number between 100-4096. The lowest is 100, and the highest we can input is 4096. Lower the number, higher the priority.
  • Name: The name of the rule. Note, once created, it cannot be changed!

So, these are the values/settings I implemented for the Allow Inbound Rule:

  • Source: IP Addresses
  • Source IP Addresses/CIDR Ranges: xxx.xxx.xxx.xxx
  • Source Port Ranges: *
  • Destination: Any
  • Destination Port Ranges: 3389
  • Protocol: TCP
  • Action: Allow
  • Priority: 4095
  • Name: default-allow-rdp

Next are the values/settings I implemented for the Deny all RDP Inbound Rule:

  • Source: ServiceTag
  • Source Service Tag: Intenert
  • Source Port Ranges: *
  • Destination: Virtual Network
  • Destination Port Ranges: 3389
  • Protocol: Any
  • Action: Deny
  • Priority: 4096
  • Name: Deny-RDP-Access

 

The Outbound Port Rules should look something like this now. Why we set Priority the way we did… Well, Rules are checked in the order of priority. Once a rule applies, no more rules are tested for matching.

 

Once the rules has been submitted, and accepted, and if we try to RDP into the VM we should now only be allowed from the IP Range, or IP! Success!!

 

To learn more on Azure NSG (Network Security Groups), visit: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

Advertisements

Global Azure Bootcamp 2018 – Azure Application Insights

On April 21st, 2018, all (Microsoft user groups) communities throughout the world, will be participating in the Global Azure Bootcamp. This year, I will be speaking on Azure Application Insights, at the Mississauga (GTA) Azure Bootcamp.  This event is free, and open for everyone and anyone to join!

All around the world user groups and communities want to learn about Azure and Cloud Computing!

On April 21, 2018, all communities will come together once again in the sixth great Global Azure Bootcamp event! Each user group will organize their own one day deep dive class on Azure the way they see fit and how it works for their members. The result is that thousands of people get to learn about Azure and join together online under the social hashtag #GlobalAzure!

To find out if Azure Bootcamp is in your area, please visit, https://global.azurebootcamp.net/.

Blocking Internet Access for Azure Virtual Machines

By default, every Azure virtual machine (VM) has access to the Internet. Sometimes this is great, but in most enterprise environments, server’s have Internet access restricted. So, how to restrict Azure VMs gaining access to the Internet?

Restricting Internet access to your VMs in Azure isn’t difficult, but does require some baseline knowledge of Network Security. The solution can be achieved by making use of Azure NSG’s (Network Security Groups). Every VM will have an NSG when it is deployed. If you create an NSG beforehand, you can simply apply the same NSG to new VM deployments.

In the example below, I am going to update the NSG for a specific VM. Of course, once the NSG has been modified, you can apply this NSG to other VMs too and/or future VMs.

Let’s begin, if you go into the property settings of the VM, and select the Networking Settings, and select, “Add outbound port rule“. Click on the wrench, to switch from Basic to Advanced.

The Outbound Security Rule properties, as follows:

Wait, what do all of these fields mean?

  • Source: The source can by any IP Address, or Range, or a default-service tag. CIDR ranges are also accepted.
  • Source Port Ranges: You can use either a range of ports, or use a Wildcard (*) for all ranges.
  • Destination: The destination can by any IP Address, or Range, or a default-service tag. CIDR ranges are also accepted.
  • Destination Service Tag: There are a series of options here, but in short:
    • Load Balancer: Any probes in the Azure Load Balancer
    • Virtual Network: The Virtual Network the VM is connected to
    • Internet: All network traffic in the public virtual network, (including all Azure services, such as Azure Traffic Manager, Storage and SQL)
    • Azure Traffic Manager: Denotes the IP address from where the Azure Load Balancer health probes will origiante.
    • Storage.*:  Access to Azure storage services and/or specific Azure regions
    • SQL.*: Access to Azure SQL Database and Warehouse services, and/or specific Azure regions
  • Destination Port Ranges: You can use either a range of ports, or use a Wildcard (*) for all ranges.
  • Protocol: TCP or UDP, or Any, which includes both TCP and UDP, and ICMP.
  • Action: Allow, or Deny access.
  • Priority: A number between 100-4096. The lowest is 100, and the highest we can input is 4096. Lower the number, higher the priority.
  • Name: The name of the rule. Note, once created, it cannot be changed!

So, these are the values/settings I implemented as a result:

  • Source: VirtualNetwork
  • Source Port Ranges: *
  • Destination: Service Tag
  • Destination Service Tag: Internet
  • Destination Port Ranges: *
  • Protocol: Any
  • Action: Deny
  • Priority: 4096
  • Name: Deny-Internet-Access

The Outbound Port Rules should look something like this now:

Once the rule has been submitted, and accepted, if we go to our VM, we will now most definitely be denied Internet access! Success!!

 

To learn more on Azure NSG (Network Security Groups), visit: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview