Small Business /w Single Azure VM: Access with RDP and also HTTP(S)

Lukassss1982431 1 Reputation point
2023-10-31T16:19:47.68+00:00

Hey folks,

I'm kinda new to this topic, especially when it comes to ultra small infrastructures. I have a client that is running some local servers. We've migrated everything to Azure AD and some of the manufacturers now offer cloud solutions. Two applications unfortunately need to run on a (hosted) server.

One application needs to be accessed through RDP and there is absolutely no alternative to this specific application and the second application is a web app with a built-in database.

The customer wants to be able to access both from public spaces.

Now to keep the costs and the maintenance low I had following setup in mind:

  • 1 single Azure VM running both applications
  • Use Point-To-Site Azure VPN Gateway in order to access the server (RDP or HTTPS)
  • Deploy Azure VPN via Intune
  • Use Entra for authentication

Do you have any suggestions? What is best practice?

Thank you very much!


3 answers

  1. vipullag-MSFT 25,446 Reputation points
    2023-11-07T06:43:31.5233333+00:00

    Hello Lukassss1982431

    We noticed you have rated one of the answers as not helpful. Thank you for taking the time to share feedback.

    Your proposed setup seems reasonable for a small infrastructure with a single Azure VM running both applications. Here are some additional suggestions and best practices to consider:

    1. Use Azure Bastion instead of RDP.
    2. Use Azure Application Gateway for HTTPS: By using Application Gateway, you can offload the SSL encryption and decryption from your VM and simplify your network configuration.
    3. Use Azure Site Recovery for disaster recovery: By using Site Recovery, you can ensure business continuity and minimize downtime for your applications.
    4. Use Azure Monitor for monitoring and alerting.
    5. Use Azure Security Center for security and compliance: By using Security Center, you can improve your security posture and meet your regulatory and industry standards.

    Overall, your proposed setup is a good starting point, but you may want to consider these additional services and best practices to enhance your security, reliability, and scalability.

    We are here to help you and strive to make your experience better and greatly value your feedback. If the answer is helpful, request you to take a resurvey.


  2. Andriy Bilous 11,011 Reputation points MVP
    2023-10-31T18:35:47.0933333+00:00

    Hello @Lukassss1982431

    Azure has multiple solutions for Hybrid Infrastructure

    App Service Hybrid Connection

    There are a number of benefits to the Hybrid Connections capability, including:

    • Apps can access on-premises systems and services securely.
    • The feature doesn't require an internet-accessible endpoint.
    • It's quick and easy to set up. No gateways required.
    • Each Hybrid Connection matches to a single host:port combination, helpful for security.
    • It normally doesn't require firewall holes. The connections are all outbound over standard web ports.
    • Because the feature is network level, it's agnostic to the language used by your app and the technology used by the endpoint.
    • It can be used to provide access in multiple networks from a single app.
    • It's supported in GA for Windows apps and Linux apps. It isn't supported for Windows custom containers.

    Things you cannot do with Hybrid Connections

    Things you cannot do with Hybrid Connections include:

    • Mount a drive.
    • Use UDP.
    • Access TCP-based services that use dynamic ports, such as FTP Passive Mode or Extended Passive Mode.
    • Support LDAP, because it can require UDP.
    • Support Active Directory, because you cannot domain join an App Service worker.

    Azure VPN Solution
    Benefits

    • High bandwidth available; up to 10 Gbps depending on the connectivity provider.
    • Lower and more consistent latencies compared to typical connections over the Internet.
    • Supports dynamic scaling of bandwidth to help reduce costs during periods of lower demand. However, not all connectivity providers have this option.
    • May allow your organization direct access to national clouds, depending on the connectivity provider.
    • 99.9% availability SLA across the entire connection.

    Challenges

    • Can be complex to set up. Creating an ExpressRoute connection requires working with a third-party connectivity provider. The provider is responsible for provisioning the network connection.
    • Requires high-bandwidth routers on-premises.

    Azure VPN consideration documentation:
    https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/

    Hybrid benefits consideration documentation:
    https://learn.microsoft.com/en-us/hybrid/app-solutions/overview-app-design-considerations
    https://learn.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections


  3. Lukassss1982431 1 Reputation point
    2023-11-07T13:47:40.6433333+00:00

    Hey all,

    I've decided to use

    • 1 Azure VM for both applications
    • Site-to-Site Azure VPN for every branch office (per office 1-2 people use the software regularly)
    • Point-to-Site Azure VPN for every user
    • Entra Auth with MFA

    Thanks for the support.

    Lukas
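The design settled on in this thread (both the original proposal and the final decision) rests on one property: RDP (3389) and the web app's HTTP(S) ports on the single VM are reachable only from the VPN address space, never from the public Internet. The script below, an added example that is not part of the thread or of any Microsoft tooling, audits exported NSG rules for that property. The rules are constructed sample data in the field layout of `az network nsg rule list -o json`, and 172.16.201.0/24 is an assumed stand-in for the Point-to-Site VPN address pool.

```python
import ipaddress

# Constructed sample rules (not from the thread), using the field names that
# `az network nsg rule list -o json` emits; 172.16.201.0/24 stands in for the P2S VPN pool.
SAMPLE_RULES = [
    {"name": "AllowRdpFromVpn", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "172.16.201.0/24", "destinationPortRange": "3389"},
    {"name": "AllowHttpsAny", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "AllowMgmtInternet", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22", "3000-4000"]},
    {"name": "DenyAllInbound", "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
WATCHED_PORTS = {3389: "RDP", 80: "HTTP", 443: "HTTPS"}

def _values(rule, single, plural):
    """NSG rules use either a scalar field or its plural list form; merge both."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _port_in_spec(port, spec):
    """True if `port` falls inside a spec such as "3389", "3000-4000" or "*"."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _is_public(prefix):
    """True for the Internet service tag, the wildcard or any /0 network."""
    if prefix.lower() in {"*", "internet", "0.0.0.0/0", "::/0"}:
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False  # other service tags (VirtualNetwork, ...) are not the Internet

def public_exposures(rules):
    """Sorted (rule name, service) pairs for inbound Allow rules that open a watched port to a
    public source. Priorities are not evaluated (a lower-numbered Deny may still block a hit)."""
    found = set()
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if not any(_is_public(p) for p in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")):
            continue
        for spec in _values(rule, "destinationPortRange", "destinationPortRanges"):
            for port, service in WATCHED_PORTS.items():
                if _port_in_spec(port, spec):
                    found.add((rule["name"], service))
    return sorted(found)
```

Running `public_exposures(SAMPLE_RULES)` flags the HTTPS rule open to `*` and the management rule whose 3000-4000 range silently covers 3389, while the RDP rule scoped to the VPN pool passes.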