How to RDP Azure VM behind Azure Firewall

anil kumar 1,641 Reputation points


I have a Azure VM which is behind Azure Firewall - After adding a rule under "NAT rule collection" in FW to translate FW IP into Azure VM private IP and then tried RDP to Azure VM using Firewall IP - It worked.

I wanted to check if I can directly connect to Azure VM using it's public IP but got following error.

[Window Title]
Remote Desktop Connection
Remote Desktop can’t connect to the remote computer for one of these reasons:

  1. Remote access to the server is not enabled
  2. The remote computer is turned off
  3. The remote computer is not available on the network
    Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.
    [OK] [Help]

Then I added a new rule under "NAT rule collection" for translating the public IP of Azure VM into Private IP of Azure VM - Rule couldn't be saved and failed with below message.

Failed to update the firewall 'FW'. Error: AzureFirewallRule NATRule2: Invalid DNat destination address, destination address other than AzureFirewall PublicIP address is not supported.

Later I added a new rule under "Network rule collection" to by keeping * in source and public IP of Azure VM as destination with Allow action - Rule got saved but RDP still doesn't work with public IP.

I would like to ask if there is a way to connect to Azure VM using it's public IP after it's been behind Azure firewall - Just want to know for conceptual clarity. Since firewall is deployed for security reasons, exposing any resource directly to internet including Azure VM does weaken the security if allowed.

Kindly share your thoughts. Thank you.

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,299 questions
Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
581 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,201 questions
Azure Firewall Manager
Azure Firewall Manager
An Azure service that provides central network security policy and route management for globally distributed, software-defined perimeters.
85 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,218 questions
0 comments No comments
{count} votes

Accepted answer
  1. Sam Cogan 10,322 Reputation points MVP

    Assuming you have a route enabled on your vNet to send traffic to the Azure Firewall then you won't be able to RDP directly to the Public IP of your VM. The problem here is something called asymmetric routing. Your inbound request goes to the public IP of the VM, the RDP client expects the response to come from the same IP, however because your outbound traffic is being routed to the firewall, the response comes from the firewall IP. The client does not allow this, as it is a security issue, so your connection fails.

    To resolve this you either need to use a NAT rule on the FW to have the inbound and outbound request go via the firewall, or exclude the VM from the route that sends traffic to the FW (but this obviously means traffic from that VM is not monitored). You could also look at using Azure Bastion for your RDP connection.

1 additional answer

Sort by: Most helpful
  1. AnnaG 111 Reputation points

    The solution is to RDP the public Ip for the firewall.

    I realize i'm late to the party but better late than ever if anyone gets stuck on the same thing.

    3 people found this answer helpful.