For security reasons it is good practice to lock down access to Azure resources and not leave management ports open to the internet.
One way to restrict access to remote access protocols like RDP / SSH is to create a Network Security Group (NSG) and apply it to either virtual machines or virtual network subnets.
To create an NSG
Log on to the Azure portal: https://portal.azure.com
Once logged on go to All Services > Network security groups
If you have created VMs or other resources there might already be some pre-existing NSGs.
To create a new NSG click on Add.
Give the NSG a name, then assign a subscription, resource group and location.
Once the deployment has completed, click on the NSG; this will bring up the configuration page.
The first part is to configure the inbound security rules.
Go to settings > Inbound security rules
Once in Inbound security rules, click Add to add a rule.
I want to restrict RDP access to a specific public IP. Set the source to IP Addresses and add the IP that will be allowed; this can be a full range or a single IP depending on the prefix length you use. I am only going to add one address, so I used /32; below is an example: 10.10.10.92/32.
I left source port ranges and destination at their defaults as I don't want to restrict these. Choose the required destination port, in this case 3389. Set the protocol to Any if you require both TCP and UDP; I only need TCP. Set the action to Allow, set a priority value, and as the last step give the rule a name / description.
Below is the updated rule; I have masked out my public IP.
The outbound rules allow any/any by default, so if there is a requirement to lock down certain ports, create a new outbound rule here to block them.
The last step, once all rules have been configured, is to apply the NSG to resources. I am going to apply it to both my subnet and the NICs assigned to both my test VMs.
The NSG should only need to be applied to either the subnet or the VMs; I just want to show how to apply it to both. If you apply an NSG to both the VM and the subnet, both are evaluated and their rules need to match: any port that is not allowed on both will not work.
To assign to subnet: go to settings > Subnets
Select virtual network and subnet.
To apply to each VM NIC: go to settings > Network interfaces.
As I already had NSGs associated from the VM deployments, I need to re-associate the NICs with the new NSG.
Select the NSG of the VM you want to move and go to Network interfaces.
Choose the required NSG.
Once applied I can now only access the VMs from my own network.
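The same configuration built with the Az PowerShell module instead of the portal, as an added example that is not part of the original post. The resource group, location, VNet, subnet and NIC names are assumed placeholders; 10.10.10.92/32 is the example address used above. The final command lists the effective inbound rules on the NIC, which is how to confirm that the subnet and NIC NSGs agree.

```powershell
# Added example: build the NSG from the post with the Az PowerShell module.
# Assumed placeholder names; replace with your own resource group, VNet, subnet and NIC.
$rg         = 'rg-test'
$location   = 'uksouth'
$vnetName   = 'vnet-test'
$subnetName = 'subnet-test'
$nicName    = 'vm1-nic'
$allowedIp  = '10.10.10.92/32'   # example address from the post; a single host, hence /32

# Inbound rule: TCP 3389 only from the one allowed address, any source port, any destination.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-Trusted-IP' `
    -Description 'RDP from management address only' `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix $allowedIp -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

# Create the NSG with the rule; Azure adds the default rules (including outbound allow-any) itself.
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-rdp-restricted' -ResourceGroupName $rg `
    -Location $location -SecurityRules $rdpRule

# Associate the NSG with the subnet.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Associate the NSG with the VM's NIC (this replaces whatever NSG the VM deployment attached).
$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
$nic.NetworkSecurityGroup = $nsg
$nic | Set-AzNetworkInterface | Out-Null

# Check: effective rules combine the subnet and NIC NSGs, so traffic must be allowed by both.
# The VM must be running for this query to return results.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName $nicName -ResourceGroupName $rg |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Select-Object Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange
```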