Port Mapping on new Azure Portal

%3CLINGO-SUB%20id%3D%22lingo-sub-63181%22%20slang%3D%22en-US%22%3EPort%20Mapping%20on%20new%20Azure%20Portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-63181%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20needed%20to%20access%20to%20one%20of%20our%20VM%20via%20RDP%20protocol%20from%20a%20customer%20location%20where%20RDP%20ports%20are%20restricted%20on%20Firewall.%20I%20searched%20internet%20for%20a%20way%20to%20map%20default%203389%20RDP%20port%20to%20443%20so%20I%20can%20access%20the%20VM.%3C%2FP%3E%3CP%3EEverything%20is%20showing%20the%20way%20on%20the%20Classical%20Portal%20where%20there%20was%20a%20functionality%20called%20End%20Points.%20Endpoints%20were%20allowing%20you%20to%20map%20internal%20and%20external%20ports%20differently.%3C%2FP%3E%3CP%3EOther%20resources%20shows%20that%20doing%20it%20with%20Network%20Security%20Groups%20(NSG)%20not%20possible.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20if%20you're%20new%20in%20Azure%20and%20started%20to%20use%20Azure%20Portal%20only%20way%20to%20map%20ports%20is%20to%20use%20a%20Load%20Balancer.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Add%20a%20new%20Load%20Balancer.%20And%20then%20add%20a%20new%20inbound%20NAT%20rule%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F13424iCFFC290A260714D8%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22nat1.png%22%20title%3D%22nat1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E2.%20Configure%20the%20nat%20to%20ponit%20to%20the%20VM%20you%20wish%20to%20connect.%20And%20give%20the%20port%20443%20as%20Port%20number.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20481px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F13423iC7D94A9BDCDE0B7C%2Fimage-dimensions%2F481x617%3Fv%3D1.0%22%20width%3D%22481%22%20height%3D%22617%22%20alt%3D%22nat2.png%22%20title%3D%22nat2.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThats%20it!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-63181%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ENetworking%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-287176%22%20slang%3D%22en-US%22%3ERe%3A%20Port%20Mapping%20on%20new%20Azure%20Portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-287176%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20you%20not%20just%20set%20the%20DNAT%20rule%20on%20firewall%20%3F%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CH2%20id%3D%22toc-hId--1328637651%22%20id%3D%22toc-hId-1794227203%22%3EConfigure%20a%20DNAT%20rule%3C%2FH2%3E%3COL%3E%3CLI%3EOpen%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ERG-DNAT-Test%3C%2FSTRONG%3E%2C%20and%20click%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EFW-DNAT-test%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Efirewall.%20%2F%2Fexample%3C%2FLI%3E%3CLI%3EOn%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EFW-DNAT-test%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Epage%2C%20under%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ESettings%3C%2FSTRONG%3E%2C%20click%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ERules%3C%2FSTRONG%3E.%20%2F%2Fexample%3C%2FLI%3E%3CLI%3EClick%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EAdd%20DNAT%20rule%20collection%3C%2FSTRONG%3E.%3C%2FLI%3E%3CLI%3EFor%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EName%3C%2FSTRONG%3E%2C%20type%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ERC-DNAT-01%3C%2FSTRONG%3E.%3CSPAN%3E%26nbsp%3B%2F%2Fexample%3C%2FSPAN%3E%3C%2FLI%3E%3CLI%3EFor%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EPriority%3C%2FSTRONG%3E%2C%20type%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E200%3C%2FSTRONG%3E.%3CSPAN%3E%26nbsp%3B%2F%2Fexample%3C%2FSPAN%3E%3C%2FLI%3E%3CLI%3EUnder%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ERules%3C%2FSTRONG%3E%2C%20for%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EName%3C%2FSTRONG%3E%2C%20type%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ERL-01%3C%2FSTRONG%3E.%3CSPAN%3E%26nbsp%3B%2F%2Fexample%3C%2FSPAN%3E%3C%2FLI%3E%3CLI%3EFor%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ESource%20Addresses%3C%2FSTRONG%3E%2C%20type%20*.%3C%2FLI%3E%3CLI%3EFor%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EDestination%20Addresses%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Etype%20the%20firewall's%20public%20IP%20address.%3C%2FLI%3E%3CLI%3EFor%26nbsp%3B%3CSTRONG%3EDestination%20ports%3C%2FSTRONG%3E%2C%20type%26nbsp%3B%3CSTRONG%3E443%3C%2FSTRONG%3E%3C%2FLI%3E%3CLI%3EFor%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ETranslated%20Address%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Etype%20the%20private%20IP%20address%20for%20the%20virtual%20machine.%3C%2FLI%3E%3CLI%3EFor%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ETranslated%20port%3C%2FSTRONG%3E%2C%20type%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E3389%3C%2FSTRONG%3E.%3C%2FLI%3E%3CLI%3EClick%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EAdd%3C%2FSTRONG%3E.%3C%2FLI%3E%3C%2FOL%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-188092%22%20slang%3D%22en-US%22%3ERe%3A%20Port%20Mapping%20on%20new%20Azure%20Portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-188092%22%20slang%3D%22en-US%22%3EHi%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI%20know%20it%20is%20now%20a%20year%20ago%20since%20this%20post%20was%20created.%20But%20I%20have%20had%20the%20exact%20same%20issue%20and%20I%20wrote%20two%20blog%20posts%20about%20it.%20Maybe%20it%20can%20be%20useful%20for%20you%20as%20well%20and%20maybe%20you%20can%20give%20some%20feedback%20and%20whether%20I%20forgot%20something%20important%20%3A)%3C%2Fimg%3E%20you%20can%20find%20the%20post%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Frasmusg.net%2F2017%2F11%2F20%2Fpart-1-of-2-port-forwarding-in-azure%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Frasmusg.net%2F2017%2F11%2F20%2Fpart-1-of-2-port-forwarding-in-azure%2F%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EHave%20a%20nice%20day!%3CBR%20%2F%3E%3CBR%20%2F%3E%2Frasmus%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-64152%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Port%20Mapping%20on%20new%20Azure%20Portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-64152%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20huseyin%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20RDP%20gateway%20provides%20en%20encrypted%20tunnel%20via%20443%20from%20the%20end%20user%20to%20RDP%20GW%20and%20once%20in%20your%20internal%20network%20port%203389%20is%20used%20to%20connect%20to%20any%20machine%20you%20allowed%20on%20your%20internal%20network.%3C%2FP%3E%3CP%3Etherefor%20you%20dont%20acutally%20need%20to%20do%20port%20mapping.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20just%20wanted%20to%20suggest%20an%20alternate%20solution%20to%20your%20specific%20problem%2C%20the%20RDP%20gw%20can%20also%20use%20MFA%20and%20provide%20you%20with%20a%20more%20secure%20solution.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ebut%20nice%20contribution%20on%20showing%20port%20mapping%20in%20general.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ekind%20regards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-63768%22%20slang%3D%22en-US%22%3ERe%3A%20RE%3A%20Port%20Mapping%20on%20new%20Azure%20Portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-63768%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Kent%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20general%2C%20information%20can%20be%20used%20for%20any%20port.%20So%203389%20is%20an%20example%20and%20can%20be%20adapted%20to%20any%20port%20mapping.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnswer%20to%20your%20question%20is%3A%20Think%20that%20you%20needed%20to%20connect%20to%20the%20system%20where%20firewall%20prevents%20you%20to%20connect%20default%20RDP%20port.%20So%20it%20is%20not%20possible%20to%20setup%26nbsp%3BRemote%20desktop%20Gateway.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-63717%22%20slang%3D%22en-US%22%3ERE%3A%20Port%20Mapping%20on%20new%20Azure%20Portal%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-63717%22%20slang%3D%22en-US%22%3Ewhy%20would%20you%20want%20to%20map%20443%20(the%20SSL%20Default)%20to%203389%2C%20what%20are%20you%20trying%20to%20achieve%20%3F%20I'm%20just%20curious%2C%20have%20you%20considered%20a%20Remote%20desktop%20Gateway%20%3F%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

We needed to access to one of our VM via RDP protocol from a customer location where RDP ports are restricted on Firewall. I searched internet for a way to map default 3389 RDP port to 443 so I can access the VM.

Everything is showing the way on the Classical Portal where there was a functionality called End Points. Endpoints were allowing you to map internal and external ports differently.

Other resources shows that doing it with Network Security Groups (NSG) not possible.

 

So, if you're new in Azure and started to use Azure Portal only way to map ports is to use a Load Balancer.

 

1. Add a new Load Balancer. And then add a new inbound NAT rule

nat1.png

2. Configure the nat to ponit to the VM you wish to connect. And give the port 443 as Port number.

nat2.png

 

Thats it!

5 Replies
Highlighted
why would you want to map 443 (the SSL Default) to 3389, what are you trying to achieve ? I'm just curious, have you considered a Remote desktop Gateway ?
Highlighted

Hi Kent,

 

In general, information can be used for any port. So 3389 is an example and can be adapted to any port mapping.

 

Answer to your question is: Think that you needed to connect to the system where firewall prevents you to connect default RDP port. So it is not possible to setup Remote desktop Gateway.

 

Regards

Highlighted

Hi huseyin

 

The RDP gateway provides en encrypted tunnel via 443 from the end user to RDP GW and once in your internal network port 3389 is used to connect to any machine you allowed on your internal network.

therefor you dont acutally need to do port mapping.

 

Any just wanted to suggest an alternate solution to your specific problem, the RDP gw can also use MFA and provide you with a more secure solution.

 

but nice contribution on showing port mapping in general. 

 

kind regards

Highlighted
Hi,

I know it is now a year ago since this post was created. But I have had the exact same issue and I wrote two blog posts about it. Maybe it can be useful for you as well and maybe you can give some feedback and whether I forgot something important :) you can find the post here: https://rasmusg.net/2017/11/20/part-1-of-2-port-forwarding-in-azure/

Have a nice day!

/rasmus
Highlighted

Can you not just set the DNAT rule on firewall ??

 

 

Configure a DNAT rule

  1. Open the RG-DNAT-Test, and click the FW-DNAT-test firewall. //example
  2. On the FW-DNAT-test page, under Settings, click Rules. //example
  3. Click Add DNAT rule collection.
  4. For Name, type RC-DNAT-01. //example
  5. For Priority, type 200. //example
  6. Under Rules, for Name, type RL-01. //example
  7. For Source Addresses, type *.
  8. For Destination Addresses type the firewall's public IP address.
  9. For Destination ports, type 443
  10. For Translated Address type the private IP address for the virtual machine.
  11. For Translated port, type 3389.
  12. Click Add.