Hi Everyone, I need to know if the below highlighted Azure VM to securely publish the Remote Desktop access / Terminal Server from the internet is Azure Bastion ? If not what do I need to add or configure to secure the RDP access from the internet? Thanks in advance.

@EnterpriseArchitect , there is no complete Azure alternative solution that can replace bastion. Having said that you can still be able to reduce the IP vulnerability attacks like Brute force attacks and DDoS attacks using the below solutions, 1.Deploying NSG on the subnet with necessary I/O security rules should block the IP access to certain IP's. 2.Deploying a VPN Gateway and connecting on microsoft backbone. In this method you can connect to VM using its private IP. This includes pricing. 3.Configuring Just-in-time access by configuring it through an Azure Virtual Machine blade or configure a JIT policy on a VM programmatically. This reduces the risk of attacks as the port will be closed until you access. 4.Deploying a jump host and hardening it with NSG. This increases infrastructure cost. So, deploying the Azure Bastion is the best solution to provide a complete security solution. ---------- Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

Best practice in publishing Remote Desktop access or Terminal server to Internet via Azure ?

Accepted answer

suvasara-MSFT 10,046 Reputation points

2022-01-18T04:47:17.867+00:00

@EnterpriseArchitect , there is no complete Azure alternative solution that can replace bastion. Having said that you can still be able to reduce the IP vulnerability attacks like Brute force attacks and DDoS attacks using the below solutions,

1.Deploying NSG on the subnet with necessary I/O security rules should block the IP access to certain IP's.

2.Deploying a VPN Gateway and connecting on microsoft backbone. In this method you can connect to VM using its private IP. This includes pricing.

3.Configuring Just-in-time access by configuring it through an Azure Virtual Machine blade or configure a JIT policy on a VM programmatically. This reduces the risk of attacks as the port will be closed until you access.

4.Deploying a jump host and hardening it with NSG. This increases infrastructure cost.

So, deploying the Azure Bastion is the best solution to provide a complete security solution.

----------

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.
Please sign in to rate this answer.

1 person found this answer helpful.
EnterpriseArchitect 5,406 Reputation points

2022-01-18T06:17:58.29+00:00

@suvasara-MSFT thank you for the reply, so in my case here the easiest or more cost-effective is by deploying the Bastion to replace the yellow highlighted above VM ?

As for #2 the VPN Gateway is already existing in the above Gateway Subnet.
Hence I assume just need to deploy the bastion VM, and then configure the JIT access from the Azure portal?

suvasara-MSFT 10,046 Reputation points

2022-01-18T06:47:24.74+00:00

@EnterpriseArchitect , yes, replace Jump server with Azure Bastion in your Architecture. The Gateway subnet you deployed there in your infra is used to securely connect from your on-premises server to Azure VPN. Here the internet will be on Azure backbone instead of public internet. So, if there is a site-to-site setup, and all your users are part of that site VPN then there should be no use of bastion here as the user can connect to the VM on its private IP. Do deploy Bastion service only if you want to explicitly provide access to users outside the site VPN.

EnterpriseArchitect 5,406 Reputation points

2022-01-18T12:43:24.197+00:00

No, there is no S2S VPN, hence yes, I will need to deploy Azure Bastion VM.
Do I also need to put Azure Firewall or Load Balancer in front of the Azure Bastion?

suvasara-MSFT 10,046 Reputation points

2022-01-19T06:06:14.79+00:00

@EnterpriseArchitect ,
Do I also need to put Azure Firewall or Load Balancer in front of the Azure Bastion?

Firewall:
Azure Bastion doesn't support UDR as the traffic is private to your VM. In case of providing extreme protection to your environment from public attacks then you can deploy Firewall in your VNET in separate Firewall subnet. All connections to Azure Bastion are enforced through the Azure Active Directory token-based authentication with 2FA, and all traffic is encrypted/over HTTPS. Azure Bastion is internally hardened and allows traffic only through port 443, saving you the task of applying additional network security groups (NSGs) or user-defined routes to the subnet.

Load Balancer:
Deploying Azure Bastion as a backend to ALB is not possible as LB accepts only VM or VMSS as a backend type today.

----------

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

EnterpriseArchitect 5,406 Reputation points

2022-01-19T06:09:37.577+00:00

That's great, thank you @suvasara-MSFT .
So in my case here, there is no need to add additional layer of security in front of the Azure Bastion ?

suvasara-MSFT 10,046 Reputation points

2022-01-19T06:15:28.76+00:00

@EnterpriseArchitect , Azure Bastion itself is a secure administrator for accessing VM's on port 443. Here is a guide for Azure Security Baseline to harden its security further.

----------

Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.

EnterpriseArchitect 5,406 Reputation points

2022-01-19T06:19:33.957+00:00

that's great, many thanks for the assistance.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Best practice in publishing Remote Desktop access or Terminal server to Internet via Azure ?

0 additional answers

Your answer