Symptom
Users can only intermittently RDP to the Cloud Service (Extended Support). A connection succeeds only after a varying number of attempts, but once it is established it is stable. In the following, "CSES" is used as shorthand for "Cloud Service (Extended Support)".
Cause
The following picture explains the whole workflow of the RDP request:
- "SLB" means the Load Balancer. "RoleA" and "RoleB" are role types, such as a web role and a worker role. "Tenant" means the whole CSES deployment.
- If the user targets RDP to "RoleB_IN_1", the Load Balancer may first send the request to "RoleA_IN_0", which then forwards it to the target instance.
- For the next RDP attempt to the same target role instance, the Load Balancer may choose "RoleA_IN_1" as the first hop.
- For a third RDP attempt, the Load Balancer may send the request directly to the target "RoleB_IN_1" without any jump instance.
If users configure NSG rules on the CSES that do not allow communication between role instances, RDP succeeds only when the Load Balancer sends the request directly to the target instance. When the Load Balancer first sends the request to another (jump) instance, which then forwards it to the target, the NSG blocks the instance-to-instance hop and the RDP attempt fails. Users cannot control which path the Load Balancer picks, so the RDP connection is established only intermittently.
Reference doc: Network security group - how it works | Microsoft Docs
A sample NSG that leads to this issue: rule 300 opens ports 3389 and 20000 to the users' local IPs, but rule 400 denies communication between different role instances.
Solution
If the CSES is protected by an NSG, then to ensure that every RDP connection can be established, users must configure NSG rules that not only allow traffic from the users' local IPs to the role instances (rule 300) but also allow traffic between different role instances on the RDP ports (rule 350). Because NSG rules are evaluated in ascending priority order and the first matching rule wins, the allow rule 350 must have a lower number than the deny rule 400, and it should be scoped to the RDP ports only rather than opening all instance-to-instance traffic.
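To make the Cause and Solution sections concrete, the following Python simulation is an added example (not code from the original post or from Azure) of first-match NSG evaluation over the three RDP paths described above. The VNet range, the user IP, the instance addresses, the rule names, and the exact shape of the deny rule 400 (deny all inbound from the VirtualNetwork tag) are assumptions made for the example; only the priorities 300/350/400, the ports 3389 and 20000, and Azure's default inbound rules (65000 AllowVnetInBound, 65001 AllowAzureLoadBalancerInBound, 65500 DenyAllInBound) are taken from the post or from documented Azure behaviour.

```python
"""Simulate inbound NSG evaluation for the direct and jump-instance RDP paths.

Azure processes NSG rules in ascending priority order; the first rule whose
source and destination port match decides the flow. Addresses and rule names
below are constructed for this example, not taken from the original post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses for the simulation (assumptions, not from the post).
VNET_CIDR = "10.0.0.0/16"
USER_IP = "203.0.113.10"     # the user's local public IP
ROLEA_IN_0 = "10.0.0.4"      # a jump instance the load balancer might pick first
ROLEA_IN_1 = "10.0.0.5"      # another possible jump instance
ROLEB_IN_1 = "10.0.0.7"      # the intended RDP target

# The two ports the post opens for RDP on a Cloud Service.
RDP_PORTS = (3389, 20000)


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    access: str                     # "Allow" or "Deny"
    source: str                     # CIDR, the "VirtualNetwork" service tag, or "*"
    dest_ports: Tuple[object, ...]  # port numbers, or ("*",) for any port


def _source_matches(rule_source: str, src_ip: str) -> bool:
    if rule_source == "*":
        return True
    # Simplification: the VirtualNetwork tag is treated as the VNet address space.
    cidr = VNET_CIDR if rule_source == "VirtualNetwork" else rule_source
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr, strict=False)


def _port_matches(rule_ports: Tuple[object, ...], port: int) -> bool:
    return rule_ports == ("*",) or port in rule_ports


def evaluate(rules: List[Rule], src_ip: str, dst_port: int) -> Tuple[str, str]:
    """First-match evaluation: return (access, rule name) for one inbound flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _source_matches(rule.source, src_ip) and _port_matches(rule.dest_ports, dst_port):
            return rule.access, rule.name
    raise ValueError("no rule matched; the default DenyAllInBound should catch everything")


# Azure's default inbound rules, present in every NSG at these priorities.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "Allow", "VirtualNetwork", ("*",)),
    Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "168.63.129.16/32", ("*",)),
    Rule(65500, "DenyAllInBound", "Deny", "*", ("*",)),
]

# The problematic NSG from the Cause section: rule 300 admits the user's IP,
# rule 400 (assumed shape) denies everything that originates inside the VNet.
BROKEN_NSG = [
    Rule(300, "Allow-RDP-From-User", "Allow", USER_IP + "/32", RDP_PORTS),
    Rule(400, "Deny-Instance-To-Instance", "Deny", "VirtualNetwork", ("*",)),
] + DEFAULT_INBOUND

# The corrected NSG from the Solution section: rule 350 sits between them and
# admits only the RDP ports when one role instance forwards to another.
FIXED_NSG = [
    Rule(300, "Allow-RDP-From-User", "Allow", USER_IP + "/32", RDP_PORTS),
    Rule(350, "Allow-RDP-Between-Instances", "Allow", "VirtualNetwork", RDP_PORTS),
    Rule(400, "Deny-Instance-To-Instance", "Deny", "VirtualNetwork", ("*",)),
] + DEFAULT_INBOUND


def rdp_attempt(rules: List[Rule], jump_ip: Optional[str] = None):
    """Evaluate every inbound NSG check one RDP attempt has to pass.

    Direct path: user -> SLB -> target (the SLB preserves the user's source IP).
    Jump path:   user -> SLB -> jump -> target; the NSG sees the second hop with
                 the jump instance's VNet address as its source.
    The post does not say which of the two ports the forwarding hop uses, so
    both are checked on every hop. Returns (hop, port, access, rule) tuples.
    """
    hops = [("user -> " + (jump_ip or ROLEB_IN_1), USER_IP)]
    if jump_ip is not None:
        hops.append((jump_ip + " -> " + ROLEB_IN_1, jump_ip))
    return [(hop, port) + evaluate(rules, src, port)
            for hop, src in hops for port in RDP_PORTS]


def connection_succeeds(rules: List[Rule], jump_ip: Optional[str] = None) -> bool:
    """True only if every hop of the attempt is allowed on every RDP port."""
    return all(access == "Allow" for _, _, access, _ in rdp_attempt(rules, jump_ip))


if __name__ == "__main__":
    # Replay the three attempts from the Cause section against both rule sets.
    for label, nsg in (("broken NSG (300 + 400)", BROKEN_NSG),
                       ("fixed NSG (300 + 350 + 400)", FIXED_NSG)):
        print(label)
        for attempt, jump in (("1st, via RoleA_IN_0", ROLEA_IN_0),
                              ("2nd, via RoleA_IN_1", ROLEA_IN_1),
                              ("3rd, direct", None)):
            print(f"  {attempt}: {'OK' if connection_succeeds(nsg, jump) else 'FAILS'}")
            for hop, port, access, name in rdp_attempt(nsg, jump):
                print(f"      {hop}:{port} -> {access} by {name}")
```

With the broken rule set only the direct attempt succeeds; both jump-instance attempts are denied at the second hop by rule 400, which is exactly the intermittent behaviour in the Symptom section. Adding rule 350 at a priority below 400, restricted to ports 3389 and 20000, makes all three paths succeed without reopening arbitrary instance-to-instance traffic.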
Updated Jun 14, 2022
Version 1.0
Yi_Yang, Microsoft
Azure PaaS Blog