Simple Remote Desktop Services deployment

Hi,
I need to expose a Windows Server VM which is hosted in Azure to 3 users for temporary use. I could simply set up RDP with a public IP and get the users to connect, but I am afraid this is not secure and I could be exposing the VM access.

The use case is too small for a full-blown VDI solution because this is for time-to-time use.

I thought about using WebRD to push the RDP app or the server desktop. This would add another layer of security.

I cannot find a clear guide of what I need to deploy this, and whether I can do it all with one single VM, which is actually the host I am trying to provision access to.
Also, I cannot understand what I need from a service license point of view. From a license perspective I already have the VM running, so I know about these costs. It's more about the RDS setup and access.

Thank you.
2 Replies

You could definitely deploy this all in one VM, knowing it is for temporary use. The simplest setup would be to put a Network Security Group in front of the VM and only open TCP 3389 to the IPs your users are coming from. If this is going to connect to any services on-premises, I would highly recommend firewalling the traffic. The NSG does not do deep packet inspection; it simply denies or allows traffic based on your rules.


@Rui Cabral 
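A quick audit check for the setup the reply describes: given an NSG's rule list, flag any inbound Allow rule that admits TCP/3389 from the whole Internet instead of from the users' source IPs. This is an added example, not code from the thread; the sample rule list is constructed (its field names follow the real NSG security-rule properties, the rule names and addresses are made up).

```python
import json

# Constructed sample shaped like the `securityRules` list from `az network nsg show`
# (field names are the real NSG properties; the rule names and addresses are made up).
SAMPLE_NSG = json.loads("""{"securityRules": [
  {"name": "rdp-from-users", "priority": 100, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "destinationPortRange": "3389",
   "sourceAddressPrefixes": ["203.0.113.10/32", "198.51.100.0/24"]},
  {"name": "rdp-anywhere", "priority": 200, "direction": "Inbound", "access": "Allow",
   "protocol": "*", "destinationPortRanges": ["3389", "22"], "sourceAddressPrefix": "*"},
  {"name": "https-in", "priority": 300, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "destinationPortRange": "443", "sourceAddressPrefix": "Internet"}
]}""")

WIDE_OPEN = {"*", "internet", "0.0.0.0/0", "::/0"}  # "anyone on the Internet", not a user IP
RDP_PORT = 3389

def _values(rule, singular, plural):
    """NSG rules carry either the singular or the plural form of a field."""
    vals = list(rule.get(plural) or [])
    if rule.get(singular):
        vals.append(rule[singular])
    return vals

def _covers_port(port_spec, port):
    """True if a port spec such as "3389", "3000-4000" or "*" includes `port`."""
    if port_spec == "*":
        return True
    lo, _, hi = port_spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def exposed_rdp_rules(nsg):
    """Names of inbound Allow rules that admit TCP/3389 from the whole Internet."""
    hits = []
    for rule in nsg["securityRules"]:
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if rule["protocol"] not in ("Tcp", "*"):
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if not any(_covers_port(p, RDP_PORT) for p in ports):
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if any(s.lower() in WIDE_OPEN for s in sources):
            hits.append(rule["name"])
    return hits

if __name__ == "__main__":
    print("RDP open to the Internet via:", exposed_rdp_rules(SAMPLE_NSG))
```

Rules that allow 3389 only from specific user prefixes (like `rdp-from-users`) pass; the check does not consider rule priority, so a higher-priority Deny rule in front of a flagged Allow rule would still be reported and needs a manual look.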


Hello,


There is a dedicated service for that called Azure Bastion.

- Users will connect to the portal with their Azure AD credentials (MFA enabled as a good practice).

- They will click on the "Bastion" panel of the VM and use the VM credentials; this connection will be done over HTTPS.


As another good practice, you could also configure NSGs on the Bastion subnet and on your VM; for that you could refer to this article: https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg


Just keep in mind that an Azure Bastion can cover the connection to VMs located in only one virtual network. If you have other VNets, you will need to create one Bastion per VNet.


Regards,

James