Can you establish a Remote Desktop session to a VM that allows the inbound traffic but denies the outbound traffic?

Question

Can you establish a Remote Desktop session to a VM that allows the inbound traffic but denies the outbound traffic?

David Oslander 20

Hello, I'm trying to determine what will happen in this Azure Network Security Group (NSG) scenario.

If there are two VMs in the same virtual network named VM1 and VM2, and you want to initiate a Remote Desktop session from VM1 to VM2. And there is an NSG associated with the NIC of VM2 that has a custom rule that Denies outbound TCP 3389 to VirtualNetwork. What will happen when you try to establish a Remote Desktop session from VM1 to VM2?

It seems to me that the default NSG inbound rules would allow TCP 3389 inbound to VM2 since the VMs are in the same virtual network. Ordinarily, when inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port. But in this case, we have a custom outbound rule that Denies traffic (assume it has a higher priority than the default rules). So does that mean that the session cannot be established? Or is the oubound response allowed because communication was initatied externally? Thank you.

Anonymous

2024-10-15T12:24:27.54+00:00
Hi @DavidO-0335,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

When you tried to connect from VM1 (It will be outbound for VM1) to VM2 (It will be inbound for VM2) with in the VNet, the connection will be succeeded because there is no inbound deny rule configured for VM2.

As you have a custom rule that Denies outbound TCP 3389 to Virtual Network with high priority, which is associated with VM2. You cannot connect from VM2 to VM1 because it is an outbound connection for VM2 (The outbound deny rule, which is associated with VM2, it will block the outbound connections)

For testing, you can turn off the windows defender firewall and IE enhanced security configuration in local server and do ping test from VM2 to VM1. It will deny the request. For your reference: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#denyallinbound

If you have any further queries, do let us know. If the answer is helpful, please click "Accept Answer" and "Upvote it."

Thanks,

Sai Prasanna.
Anonymous

2024-10-16T00:56:43.62+00:00

Hi @DavidO-0335,

Greetings!

I wanted to follow up with you to see if the last response answered all of your questions.

If so, I would appreciate it if you could accept the response as a "Accept Answer" and "Upvote it" so that it can help other members of the community who may be experiencing similar challenges.

Regards,

Sai Prasanna.
David Oslander 20 Reputation points

2024-10-16T17:01:05.6566667+00:00

<removing this duplicate comment>
David Oslander 20 Reputation points

2024-10-16T17:14:31.13+00:00

Hi Sai, thank you for your response.

On #1 you said the connection will succeed. I agree that the request from VM1 will reach VM2. But is it technically correct to say that there is a "connection" if the NSG blocks any kind of acknowledgement or response from VM2? To me, the term "connection" means that the handshake of the connection has completed, but VM2 is unable to respond to VM1.

In answer to the question, can you establish a Remote Desktop session from VM1 to VM2, would you agree that the answer is No?

Thank you!
David Oslander 20 Reputation points

2024-10-17T13:23:58.7033333+00:00

This helps, thank you, Sai.
Anonymous

2024-10-17T13:32:19.1333333+00:00

Hi @DavidO-0335,

Glad we could be of help.

I would appreciate it if you could accept the response as a "Accept Answer" and "Upvote it" so that it can help other members of the community who may be experiencing similar challenges.

Your contribution is highly appreciated.

Regards,

Sai Prasanna.

Answer accepted by question author

0 additional answers

Your answer

Anonymous

2024-10-15T12:24:27.54+00:00

Hi @DavidO-0335,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

When you tried to connect from VM1 (It will be outbound for VM1) to VM2 (It will be inbound for VM2) with in the VNet, the connection will be succeeded because there is no inbound deny rule configured for VM2.

As you have a custom rule that Denies outbound TCP 3389 to Virtual Network with high priority, which is associated with VM2. You cannot connect from VM2 to VM1 because it is an outbound connection for VM2 (The outbound deny rule, which is associated with VM2, it will block the outbound connections)

For testing, you can turn off the windows defender firewall and IE enhanced security configuration in local server and do ping test from VM2 to VM1. It will deny the request. For your reference: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview#denyallinbound

If you have any further queries, do let us know. If the answer is helpful, please click "Accept Answer" and "Upvote it."

Thanks,

Sai Prasanna.
Anonymous

2024-10-16T00:56:43.62+00:00

Hi @DavidO-0335,

Greetings!

I wanted to follow up with you to see if the last response answered all of your questions.

If so, I would appreciate it if you could accept the response as a "Accept Answer" and "Upvote it" so that it can help other members of the community who may be experiencing similar challenges.

Regards,

Sai Prasanna.
David Oslander 20 Reputation points

2024-10-16T17:01:05.6566667+00:00

<removing this duplicate comment>
David Oslander 20 Reputation points

2024-10-16T17:14:31.13+00:00

Hi Sai, thank you for your response.

On #1 you said the connection will succeed. I agree that the request from VM1 will reach VM2. But is it technically correct to say that there is a "connection" if the NSG blocks any kind of acknowledgement or response from VM2? To me, the term "connection" means that the handshake of the connection has completed, but VM2 is unable to respond to VM1.

In answer to the question, can you establish a Remote Desktop session from VM1 to VM2, would you agree that the answer is No?

Thank you!
David Oslander 20 Reputation points

2024-10-17T13:23:58.7033333+00:00

This helps, thank you, Sai.
Anonymous

2024-10-17T13:32:19.1333333+00:00

Hi @DavidO-0335,

Glad we could be of help.

I would appreciate it if you could accept the response as a "Accept Answer" and "Upvote it" so that it can help other members of the community who may be experiencing similar challenges.

Your contribution is highly appreciated.

Regards,

Sai Prasanna.

Answer 1

Hi @DavidO-0335

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

To Answer your question,

Can you establish a Remote Desktop session from VM1 to VM2, would you agree that the answer is No?

To answer your question: Yes, we can establish an RDP session from VM1 to VM2, unless and until there is a deny all outbound rule configured with high priority on NSG of VM1.

As you said previously, you have configured a deny outbound rule with high priority on NSG of VM2, so we cannot do the RDP session from V2 to VM1.

Kindly let us know if the above helps or you need further assistance on this issue.

If this answers your query, do click **Accept Answer** and **Yes** for was this answer helpful. And, if you have any further query do let us know.

Thanks,

Sai Prasanna.

Share via

Can you establish a Remote Desktop session to a VM that allows the inbound traffic but denies the outbound traffic?

0 additional answers

Your answer