Is there a way to restrict SSH access to Azure VMs by country instead of a specific IP range?

Tony Li 21 Reputation points
2022-02-23T22:27:31.757+00:00

We are looking for a way to improve the security of remote access. Our teams with SSH access are only in a few countries. Restricting the SSH source country or even city would be the ideal strategy, which is clearer, simpler and more flexible than a myriad of specific IP address ranges.

To clarify, I'm talking about SSH admin access to VMs on Azure, not applications, web services, or Office365.

Any idea will be much appreciated.


Accepted answer
  1. SaiKishor-MSFT 17,216 Reputation points
    2022-02-28T21:33:42.767+00:00

    @Tony Li Yes, Application Gateway works on Layer 7. If you are looking for Layer 3 based geo-filtering, Azure Firewall currently does not support it. Therefore, you will have to opt for a third-party firewall option from Azure Marketplace that can do this for you.

    As an alternative, you can also implement Azure AD Conditional Access option to restrict access. Here are more details regarding the same. Hope this helps.

    Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

    Remember:

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

    Want a reminder to come back and check responses? Here is how to subscribe to a notification.


3 additional answers

Sort by: Most helpful
  1. SaiKishor-MSFT 17,216 Reputation points
    2022-02-24T22:08:33.297+00:00

    @Tony Li Thank you for reaching out to Microsoft Q&A. I understand that you want to restrict SSH access to Azure VMs by country for security reasons and want to know how this can be done. Please correct me otherwise.

    You can do so in the following ways:

    1. You can use Application Gateway Geo-match Custom Rules to do this by simply selecting Geo location as the Match Type, and then select the country/region or countries/regions you want to allow/block from your application. So, you will have your VM as the back end for the Application Gateway and create a custom rule for allowing/blocking countries as required.
    2. Another way is to use Azure CDN. With the geo-filtering feature, you can create rules on specific paths on your CDN endpoint. You can set the rules to allow or block content in selected countries/regions. Here, you will have CDN serve content for your back end and then use CDN features for filtering traffic with respect to countries.

    Hope this helps. Please let us know if you have any further questions and we will be glad to assist you further. Thank you!



  2. Tony Li 21 Reputation points
    2022-02-25T20:01:12.347+00:00

    Thank you, SaiKishor.

    I noticed Application Gateway was defined as below. It looks like it's working on layer 7 instead of layer 3. Feel free to correct me.

    Azure Application Gateway is a managed web traffic load balancer and HTTP(S) full reverse proxy that can do Secure Socket Layer (SSL) encryption and decryption. Application Gateway also uses Web Application Firewall to inspect web traffic and detect attacks at the HTTP layer.
    https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway

    Thank you so much.


  3. Tony Li 21 Reputation points
    2022-02-28T21:53:58.8+00:00

    That's a good idea!

    We just logged in to a Linux virtual machine in Azure with Azure AD and disabled SSH login to local users. All Azure AD users are MFA enforced.

    That's not a perfect solution. I believe it will still be attacked because the door is still open, but it's not easy to break the door, and the good news is there is no extra cost.

    Thank you so much, @SaiKishor-MSFT.

    For others' reference:
    https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-vm-sign-in-azure-ad-linux
