Mar 27 2020 05:33 PM
Mar 27 2020 09:44 PM
You could definitely deploy this all in one VM knowing it is for temporary use. The simplest setup would be to put a Network Security Group in front of the VM and only open TCP 3389 to the IPs of where your users are coming from. If this is going to connect to any services on premises, I would highly recommend firewalling the traffic. The NSG does not do deep packet inspection; it simply denies or allows traffic based on your rules.
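An added example, not part of the thread: a check that an NSG really limits TCP 3389 to known user addresses, as the reply above suggests. It assumes rules in the flattened JSON shape that `az network nsg show` prints; the sample rules are constructed, the /24 width threshold is an assumption, and only a deny with source `*` is treated as shadowing later allows.

```python
import ipaddress

RDP_PORT = 3389
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}
# Constructed sample rules; the address ranges are reserved/documentation ranges.
SAMPLE_RULES = [
    {"name": "rdp-office", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/28", "destinationPortRange": "3389"},
    {"name": "mgmt-range", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRanges": ["3000-4000"]},
    {"name": "rdp-wide", "priority": 400, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefixes": ["198.51.100.7", "198.18.0.0/15"], "destinationPortRange": "3389"},
]

def _values(rule, single, plural):
    """A rule carries a single value or a list; return both as one list."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _covers_rdp(rule):
    if rule.get("protocol", "*").lower() not in ("tcp", "*"):
        return False
    for spec in _values(rule, "destinationPortRange", "destinationPortRanges"):
        low, _, high = spec.partition("-")
        if spec == "*" or int(low) <= RDP_PORT <= int(high or low):
            return True
    return False

def _too_wide(source, min_prefix_len):
    if source.lower() in OPEN_SOURCES:
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen < min_prefix_len
    except ValueError:
        return False  # other service tags are left for manual review

def exposed_rdp_rules(rules, min_prefix_len=24):
    """Return (rule name, source) pairs that allow inbound TCP 3389 from a wide source."""
    findings = []
    inbound = [r for r in rules if r["direction"].lower() == "inbound"]
    for rule in sorted(inbound, key=lambda r: r["priority"]):  # NSG evaluation order
        if not _covers_rdp(rule):
            continue
        sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if rule["access"].lower() == "deny":
            if "*" in sources:
                break  # a deny-all for 3389 shadows every later allow
            continue
        findings += [(rule["name"], s) for s in sources if _too_wide(s, min_prefix_len)]
    return findings
```

Calling `exposed_rdp_rules(SAMPLE_RULES)` reports the `mgmt-range` rule, whose port range 3000-4000 silently includes 3389, and the /15 source in `rdp-wide`.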
Mar 31 2020 08:40 AM
Hello,
There is a dedicated service for that called Azure Bastion.
- Users will connect to the portal with their Azure AD credentials (MFA enabled as a good practice).
- They will click on the "Bastion" panel of the VM and use the VM credentials, and this connection will be done over HTTPS.
As another good practice, you could also configure NSGs on the Bastion subnet and on your VM; for that you could refer to this article: https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg
Just keep in mind that an Azure Bastion can cover the connection to VMs located in only one virtual network. If you have other vnets, you will need to create one Bastion per vnet.
Regards,
James