Security – How to restrict RDPs to Azure VMs only via VPN

azure, azure-networking, rdp, Security, vpn

I have:

  • An Azure virtual network
  • A Point-To-Site (P2S) Virtual Network Gateway
  • A subnet inside that network
  • A virtual machine inside the subnet
  • A network security group that the VM is a member of, with default rules set

The only way I've been able to RDP into the machine is using the public IP address and setting the following network security group rule:

  • Priority: 1000
  • Name: default-allow-rdp
  • Port: 3389
  • Protocol: TCP
  • Source: Any
  • Destination: Any
  • Action: Allow

My goal is to allow users to RDP to the VM only when connected to the VPN. How can I achieve this?
Bonus: can it be achieved with the private (vs public) IP address?
I have played with different sources (service tags, VPN IP address space), destinations (specific IP address ranges), with no success.

Obviously I don't want port 3389 exposed for the world to exploit.

Best Answer

Yes, you can achieve this with just the private IP address of the VM. You don't need to do anything (unless you specifically block traffic inside the VNet with an NSG). You can remove the public IP address and it will just work.

If you do block traffic inside the VNet, you need to add an allow rule for port 3389 (or whatever your RDP port is) from the P2S VPN range.
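The procedure the answer describes, written out as an added Az PowerShell example (this is not code from the original question or answer). It replaces the world-open `default-allow-rdp` rule with one scoped to the gateway's P2S client address pool, adds an explicit deny from the `Internet` service tag as belt-and-braces, detaches the public IP from the NIC, and then lists the effective inbound rules for 3389 so the result can be checked. The resource group `rg-demo`, NSG `nsg-vm`, gateway `vpngw-p2s` and NIC `vm-nic` are assumed names; it requires the Az module and an existing `Connect-AzAccount` session.

```powershell
# Added example, not from the original post. Assumed names: resource group
# 'rg-demo', NSG 'nsg-vm', P2S gateway 'vpngw-p2s', VM NIC 'vm-nic'.
# Requires the Az module and a prior Connect-AzAccount.
$rg  = 'rg-demo'
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-vm'

# 1. Read the P2S client address pool from the gateway rather than hard-coding it,
#    so the rule stays correct if the pool is changed later.
$gw   = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'vpngw-p2s'
$pool = $gw.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes
if (-not $pool) { throw "Gateway 'vpngw-p2s' has no P2S client address pool configured" }

# 2. Drop the rule from the question (Source: Any, port 3389, Allow).
$nsg = Remove-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'default-allow-rdp'

# 3. Allow RDP only when the source is inside the VPN client pool.
$nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
    -Name 'allow-rdp-from-p2s' -Priority 1000 -Direction Inbound -Access Allow `
    -Protocol Tcp -SourceAddressPrefix $pool -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange 3389

# 4. Explicit deny from the Internet tag. Not strictly needed once the Any rule is
#    gone (the default DenyAllInBound at 65500 already drops it), but it documents
#    intent and survives someone later adding a broader allow at a lower priority
#    number than 1100... only if that allow is numbered above 1100, so keep it low.
$nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
    -Name 'deny-rdp-from-internet' -Priority 1100 -Direction Inbound -Access Deny `
    -Protocol Tcp -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

$nsg | Set-AzNetworkSecurityGroup | Out-Null

# 5. Bonus part of the question: detach the public IP so only the private
#    address (reachable through the VPN) remains.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'vm-nic'
$nic.IpConfigurations[0].PublicIpAddress = $null
$nic | Set-AzNetworkInterface | Out-Null

# 6. Verify: effective inbound rules that can match TCP/3389, in evaluation order
#    (lowest priority number wins). Expect allow-rdp-from-p2s, then the deny rules.
Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName 'vm-nic' -ResourceGroupName $rg |
    ForEach-Object { $_.EffectiveSecurityRules } |
    Where-Object { $_.Direction -eq 'Inbound' -and
                   ($_.DestinationPortRange -match '3389' -or $_.DestinationPortRange -match '0-65535') } |
    Sort-Object Priority |
    Select-Object Priority, Name, Access, Protocol, SourceAddressPrefix, DestinationPortRange
```

The step that actually closes the exposure is removing the `Source: Any` allow; the NSG's built-in `DenyAllInBound` (priority 65500) then drops Internet-sourced RDP by itself, and the built-in `AllowVnetInBound` (65000) is what the answer relies on when it says no extra rule is needed. The explicit `allow-rdp-from-p2s` rule only becomes necessary once you add your own deny for intra-VNet traffic, as the answer's second paragraph notes. After step 5, confirm from a client on the VPN that `Test-NetConnection <private-ip> -Port 3389` succeeds, and from outside the VPN that the old public address no longer answers.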