Ways to connect to Azure Virtual Machine
1. Native RDP: Connect via native RDP without any additional software. Recommended for testing only. By default, Azure adds an inbound rule here that allows RDP connections, as shown below.
Requirements: public IP of the VM, admin username and password.
2. Just-In-Time Access:
You can use Microsoft Defender for Cloud's just-in-time (JIT) access to protect your Azure virtual machines (VMs) from unauthorized network access. Firewalls often contain allow rules that leave VMs exposed, and attackers constantly scan the internet for open management ports such as RDP and SSH. Once an attacker gets into one of your VMs through such a port, that VM can be used as an entry point to attack other servers and resources within your environment.
JIT lets you allow access to your VMs only when access is needed, on the ports needed, and for the period of time needed. The connection is closed once that time has elapsed.
Prerequisites for Just-in time Policy on Azure VM:
JIT requires Microsoft Defender for Servers Plan 2 to be enabled on the subscription.
The Reader and Security Reader roles can both view the JIT status and parameters.
How to enable JIT access from the Azure portal for a particular VM?
1. Go to the VM and, under Settings, open the "Connect" option.
2. Make sure the port for which access is required is configured in the Port option, as shown above.
3. Configure the just-in-time policy for the port by clicking the link "Configure for this port".
4. After configuring JIT, a pop-up window will appear for you to "Request Access".
5. Choose the appropriate option and configure the IP address or addresses from which connections should be allowed.
6. Once all settings are in place, look at the Inbound Port Rules and you will observe something like this: the rule with priority 1002 denies access to port 3389 from any source over any protocol, and its destination is the private IP address of the VM.
The rule with priority 100 allows access to port 3389 from the particular source IP you requested. Rules are evaluated in ascending order of priority number, so the rule with the lower number always wins. Hence rule 100 takes precedence over rule 1002 here.
7. Once JIT is configured and your IP is added, you can open an RDP session to the VM using its public IP address and its admin username and password.
8. If you want to see how many requests are approved and for which ports, click the "Configure" option after JIT Policy, as shown below:
Click the three dots on the right-hand side of the snip above. You will get four options, as shown below. Click "Edit" if you want to update the time or add more IPs for port 3389 to give temporary access to the VM.
Minimum Access Time for JIT — 1 hour
Maximum Access Time for JIT — 24 hours
Point to remember: if JIT is enabled on the VM and your system's IP is not whitelisted, you will get an error like the one below when you try to open an RDP connection to the VM:
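To make the behaviour of the two JIT rules concrete, here is a small model of inbound NSG evaluation written for this article (it is not code from the article, from Azure, or from Defender for Cloud). It assumes a constructed rule set with the priority-1002 deny rule and a priority-100 allow rule that carries an expiry, and it enforces the 1-to-24-hour request window the article states. The rule and source-IP values are constructed sample data; the only Azure detail taken from outside the article is the name and priority of the built-in DenyAllInBound default rule (65500).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class NsgRule:
    """One inbound NSG rule. A lower priority number is evaluated first."""
    priority: int
    name: str
    access: str                 # "Allow" or "Deny"
    source: str                 # CIDR prefix, single IP, or "*" (any source)
    dest_port: str              # "3389", "1000-2000" or "*"
    protocol: str = "*"         # "Tcp", "Udp" or "*"
    expires_utc: Optional[datetime] = None  # set only on the time-bound JIT allow rule


MIN_JIT_HOURS, MAX_JIT_HOURS = 1, 24   # access-time limits stated in the article


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def _source_matches(spec: str, src_ip: str) -> bool:
    return spec == "*" or ip_address(src_ip) in ip_network(spec, strict=False)


def evaluate(rules: List[NsgRule], src_ip: str, port: int,
             protocol: str = "Tcp", now: Optional[datetime] = None) -> Tuple[str, str]:
    """Return (rule name, access) of the first matching active rule, lowest priority number first.

    Expired JIT rules are skipped, which is how the temporary allow stops applying
    and the priority-1002 deny takes over again.
    """
    now = now or datetime.now(timezone.utc)
    active = [r for r in rules if r.expires_utc is None or now < r.expires_utc]
    for rule in sorted(active, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if _port_matches(rule.dest_port, port) and _source_matches(rule.source, src_ip):
            return rule.name, rule.access
    # Simplified fallback: a real NSG also has AllowVnetInBound/AllowAzureLoadBalancerInBound
    # defaults before this one, which are irrelevant for internet-sourced RDP.
    return "DenyAllInBound", "Deny"   # Azure's built-in default rule, priority 65500


def request_jit_access(rules: List[NsgRule], src_ip: str, port: int,
                       hours: int, now: datetime) -> List[NsgRule]:
    """Model of an approved JIT request: add the priority-100 allow rule with an expiry."""
    if not MIN_JIT_HOURS <= hours <= MAX_JIT_HOURS:
        raise ValueError(f"JIT access must be between {MIN_JIT_HOURS} and {MAX_JIT_HOURS} hours")
    ip_network(src_ip, strict=False)   # reject malformed input before it reaches the NSG
    rules.append(NsgRule(100, f"JIT-allow-{port}", "Allow", src_ip, str(port), "*",
                         expires_utc=now + timedelta(hours=hours)))
    return rules


# Constructed sample mirroring the two rules the article shows after JIT is enabled.
GRANTED_AT = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)      # constructed timestamp
RULES = [NsgRule(1002, "JIT-deny-3389", "Deny", "*", "3389", "*")]   # deny 3389 from any source
request_jit_access(RULES, "203.0.113.10", 3389, hours=3, now=GRANTED_AT)  # constructed requester IP

if __name__ == "__main__":
    for label, ip, port, at in [
        ("whitelisted IP inside window", "203.0.113.10", 3389, GRANTED_AT + timedelta(hours=1)),
        ("whitelisted IP after expiry", "203.0.113.10", 3389, GRANTED_AT + timedelta(hours=4)),
        ("other IP inside window", "198.51.100.7", 3389, GRANTED_AT + timedelta(hours=1)),
        ("whitelisted IP, non-JIT port", "203.0.113.10", 22, GRANTED_AT + timedelta(hours=1)),
    ]:
        print(f"{label:32} -> {evaluate(RULES, ip, port, now=at)}")
```

The third case is the "point to remember" above: an IP that was never added to the request never matches rule 100, so it falls through to the 1002 deny and the RDP client reports a connection error. The second case shows why the allow is safe to leave in place: once the requested hours elapse the rule is no longer active and the same deny applies.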
4. Windows Admin Center: Windows Admin Center is a locally deployed, browser-based app for managing Windows servers, clusters, hyper-converged infrastructure, as well as Windows 10 PCs. It is a free product and is ready to use in production.
Windows Admin Center in the Azure portal provides the essential set of management tools for managing Windows Server in a single Azure VM:
· Certificates, Devices, Events, Files and file sharing
· Firewall, Installed apps, Local users and groups, Performance Monitor
· PowerShell, Processes, Registry, Remote Desktop
· Roles and features, Scheduled tasks, Services, Storage, Updates
Use Case 1: Connecting to VMs with a public IP
If your target VMs (the VMs you want to manage with Windows Admin Center) have public IPs, add them to your Windows Admin Center gateway by IP address or by fully qualified domain name (FQDN). There are a couple of considerations to take into account:
Use Case 2: Connecting to VMs without a public IP
If your target Azure VMs don’t have public IPs, and you want to manage these VMs from a Windows Admin Center gateway deployed in your on-premises network, you need to configure your on-premises network to have connectivity to the VNet on which the target VMs are connected. There are 3 ways you can do this: ExpressRoute, Site-to-Site VPN, or Point-to-Site VPN.
Pre-requisites to Manage a Windows Server VM using Windows Admin Center in Azure
Costing Associated with Windows Admin Center: There’s no cost to using the Windows Admin Center in the Azure portal.
Points to Remember:
Windows Admin Center must be installed on every Azure VM you want to use it on.
Windows Admin Center is supported for VMs behind a load balancer.
Process to enable Windows Admin Center when the VM has a public IP address:
1. Go to VM and then go to connect option.
2. Search for Windows Azure Admin as shown below.
3. Click on "Connect to Browser" and you will get a list of prerequisites that need to be in place for its configuration, as given below:
4. Once you click on the "Configure" option, the following will be configured in the background:
a. The Windows Admin Center Administrator Login role will be configured. This role will let you manage the OS of your resource (the resource here being the VM).
b. Install Windows Admin Center
The Windows Admin Center extension is a small agent that runs on your VM, allowing you to securely connect to your machine.
c. Outbound port rule
Outbound access to the Windows Admin Center and Azure Active Directory services is required.
d. Just In Time on the VM for all configured IPs will temporarily configure a network security group rule for all incoming traffic to port 6516.
e. Once everything is configured, go to the "Windows Admin Center" tab and click on connect:
Azure Bastion: Azure Bastion protects your virtual machines by providing lightweight, browser-based connectivity without the need to expose them through public IP addresses. Deploying will automatically create a Bastion host on a subnet in your virtual network.
The Azure Bastion service enables you to securely and seamlessly RDP and SSH to your VMs in an Azure virtual network, without the need for a public IP on the VM, directly from the Azure portal, and without any additional client, agent or other software. Once you provision Azure Bastion in your virtual network, the seamless RDP/SSH experience is available to all VMs in the same virtual network.
Azure Bastion Pricing: Azure Bastion pricing is a combination of hourly pricing based on SKU and instances (scale units), plus data transfer rates. Hourly pricing starts from the moment Bastion is deployed, regardless of outbound data usage.
Steps to manually configure Azure Bastion:
1. Go to VM and then go to connect option.
2. Browse to Azure Bastion and click on "Configure Manually".
3. You need to fill in multiple details, including Subscription, Resource Group, Instance Name, Region, instance count, and the VNet and Subnet details.
The subnet for Azure Bastion must be named "AzureBastionSubnet" and have an address space of /26, as shown below.
4. In the Advanced Tab, select the features which you want for bastion:
5. Once Bastion is deployed, go to connect option as shown below:
6. Enter the IP address of the VM and the login credentials.
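Step 3 is where Bastion deployments usually fail, because the portal rejects a subnet whose name or size is off. The checker below is an added example written for this article (not code from the article or from Azure) that validates a planned Bastion subnet before you deploy: the name must be exactly "AzureBastionSubnet", the prefix must be /26 or larger (Azure's documented minimum; the article shows /26), the range must sit inside one of the VNet's address spaces, and it must not overlap an existing subnet. The VNet and subnet values are constructed sample data; IPv4 is assumed throughout.

```python
from ipaddress import ip_network
from typing import Dict, List

BASTION_SUBNET_NAME = "AzureBastionSubnet"   # exact, case-sensitive name Azure requires
BASTION_MAX_PREFIX_LEN = 26                  # "/26 or larger" means a prefix length of 26 or less


def validate_bastion_subnet(name: str, prefix: str,
                            vnet_address_spaces: List[str],
                            existing_subnets: Dict[str, str]) -> List[str]:
    """Return a list of problems with the planned subnet; an empty list means it is acceptable."""
    problems: List[str] = []

    if name != BASTION_SUBNET_NAME:
        problems.append(f"subnet must be named exactly {BASTION_SUBNET_NAME!r}, got {name!r}")

    try:
        # strict=True (the default) rejects prefixes with host bits set, e.g. 10.0.1.5/26
        net = ip_network(prefix)
    except ValueError as exc:
        problems.append(f"invalid prefix {prefix!r}: {exc}")
        return problems   # nothing further can be checked without a valid network

    if net.prefixlen > BASTION_MAX_PREFIX_LEN:
        problems.append(f"{prefix} is /{net.prefixlen}; Bastion needs /{BASTION_MAX_PREFIX_LEN} or larger")

    if not any(net.subnet_of(ip_network(space)) for space in vnet_address_spaces):
        problems.append(f"{prefix} is not inside the VNet address space {vnet_address_spaces}")

    for other_name, other_prefix in existing_subnets.items():
        if net.overlaps(ip_network(other_prefix)):
            problems.append(f"{prefix} overlaps existing subnet {other_name!r} ({other_prefix})")

    return problems


# Constructed sample VNet: one address space and two existing subnets.
VNET_SPACES = ["10.0.0.0/16"]
SUBNETS = {"default": "10.0.0.0/24", "app": "10.0.1.0/24"}

if __name__ == "__main__":
    candidates = [
        ("AzureBastionSubnet", "10.0.2.0/26"),   # acceptable
        ("AzureBastionSubnet", "10.0.2.0/27"),   # too small
        ("BastionSubnet", "10.0.2.0/26"),        # wrong name
        ("AzureBastionSubnet", "10.0.1.0/26"),   # collides with the "app" subnet
        ("AzureBastionSubnet", "192.168.0.0/26"),  # outside the VNet
    ]
    for name, prefix in candidates:
        result = validate_bastion_subnet(name, prefix, VNET_SPACES, SUBNETS)
        print(f"{name:20} {prefix:16} -> {'OK' if not result else '; '.join(result)}")
```

Run it against the address plan you intend to type into the portal; each returned string corresponds to an error the Bastion deployment form would otherwise raise after you have already filled in the rest of the details.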