This isn't possible in the traditional sense of blocking a port, as the connection is done from within Azure. For you to be able to achieve this, you need to control who is authorised to perform the action.

First you would need to configure your RBAC model to grant the least privilege, ensuring that no one had access to the serial console (effectively removing the ARM action "Microsoft.SerialConsole/serialPorts/connect/action" from everyone).

https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-enable-disable#enabling-least-privilege-access-to-serial-console-using-rbac

You would then need to implement conditional access so that only authorised users can sign in from selected IP ranges. A secure way of doing this is implementing Privileged Access Workstations, which I would advise for the administration of Azure.

https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-deployment

Kind regards,
Alistair
limit access to serial console from a specific subnet

Joe G
How does one limit serial console access to a Virtual Machine from a specific set of IP addresses?
Azure Virtual Machines
Accepted answer
Alistair Ross 7,466 Reputation points Microsoft Employee
2023-04-20T14:47:37.55+00:00
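
An added example, not part of the accepted answer or of Microsoft's documentation: a Python check for the RBAC step described above, listing which role definitions still grant the serial console connect action once wildcards and `notActions` are taken into account. The role names and sample data are constructed, and the JSON shape is assumed to match the output of `az role definition list`.

```python
import re

SERIAL_CONSOLE_ACTION = "Microsoft.SerialConsole/serialPorts/connect/action"

# Constructed sample role definitions with hypothetical names. The shape is
# assumed to match `az role definition list` output (permissions/actions/notActions).
SAMPLE_ROLES = [
    {"roleName": "Example-Broad-Contributor",
     "permissions": [{"actions": ["*"],
                      "notActions": ["Microsoft.Authorization/*/Delete"]}]},
    {"roleName": "Example-VM-Operator-NoSerial",
     "permissions": [{"actions": ["Microsoft.Compute/*", "Microsoft.SerialConsole/*"],
                      "notActions": [SERIAL_CONSOLE_ACTION]}]},
    {"roleName": "Example-Reader",
     "permissions": [{"actions": ["*/read"], "notActions": []}]},
    {"roleName": "Example-Console-Breakglass",
     "permissions": [{"actions": ["microsoft.serialconsole/serialports/connect/action"],
                      "notActions": []}]},
]


def _matches(pattern, action):
    """Match an RBAC action pattern: '*' is a wildcard, comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def grants(role, action=SERIAL_CONSOLE_ACTION):
    """True if any permission block allows the action and does not exclude it."""
    for perm in role.get("permissions", []):
        allowed = any(_matches(p, action) for p in perm.get("actions", []))
        excluded = any(_matches(p, action) for p in perm.get("notActions", []))
        if allowed and not excluded:
            return True
    return False


def roles_granting(roles, action=SERIAL_CONSOLE_ACTION):
    """Names of the role definitions that still grant the action, sorted."""
    return sorted(r["roleName"] for r in roles if grants(r, action))


if __name__ == "__main__":
    for name in roles_granting(SAMPLE_ROLES):
        print("grants serial console connect:", name)
```

This inspects role definitions only; who actually holds the action depends on the role assignments at each scope.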