When running workloads on cloud services, one of the challenges is managing them securely; this is especially true when you have to manage virtual machines.
Accessing and managing virtual machines in an on-premises environment is usually done with Remote Desktop Protocol (RDP) for Windows machines or Secure Shell (SSH) for Linux machines.
Accessing such virtual machines on-premises is usually reasonably safe because you cannot connect to them unless you are on the corporate network, and the corresponding ports (22 for SSH and 3389 for RDP) are (usually) blocked from the internet.
When your virtual machines run in a cloud service this changes: they are no longer hosted inside the closed corporate network but on a virtual network in the cloud. Unless you do something about it, the management ports have to be opened to the internet, which is a serious security issue: these ports are well known and continuously scanned by bad actors looking for unsecured workloads, in this case virtual machines, to gain access to and control over.
On Microsoft's cloud computing platform, Microsoft Azure, the portal warns you when you open inbound access to a virtual machine on any of the management ports (22 or 3389).
Well, what are my options to manage my virtual machines on Azure in a secure way?
Luckily you have quite a few options, each with its own pros and cons, either in cost or in administrative overhead.
Let’s have a look at each of them.
To secure management access to virtual machines running in Azure you have the options below:
· Configure Network Security Group (NSG) rules to allow access on these management ports only from specific IP addresses
· Azure Bastion, a feature which lets you connect to your virtual machines over the management ports from the web browser
· VPN connections, which tunnel the management traffic through a Virtual Private Network
· Azure Virtual Desktop, which gives you access to a Windows virtual desktop from which you can connect to your virtual machines using any of the management protocols
So, let's have a detailed look at each of these options.
Use Network Security Group rules
Implementing NSG rules to control inbound management traffic is probably the simplest and most cost-effective solution.
You configure an inbound rule that allows the management protocols to reach your virtual machines only from specific IP addresses.
While it sounds clear and simple, this introduces an administration overhead and a potential security concern: each virtual machine needs a public IP address assigned to it (which also adds cost). In a modern workplace, people (your administrators, but also potentially your users and partners) can work from anywhere. This means the source IP addresses may be difficult to track, especially when working from home (which is becoming the norm).
Using NSG rules to allow inbound management traffic may sound cheap (there is no cost associated with NSGs) and easy, but you will need to provide, one way or another, a way to update the source IP addresses for anybody who needs to manage your virtual machines.
This can quickly become a nightmare to manage and maintain.
Network Security Groups are a well-known and simple way to control traffic (inbound or outbound) on an Azure Virtual Network, but any uncontrolled change or misconfiguration may put you at risk.
Plus, you cannot add further security layers such as requiring multi-factor authentication, and home IP addresses change: the address you trusted at one point in time may later be assigned to a rogue device, which puts you even more at risk.
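The misconfiguration risk above (a rule that opens 22 or 3389 to the whole internet, or a later rule change that silently widens access) can be checked offline from the NSG's JSON before anyone connects. The following is an added example and not code from the original post: it simulates NSG evaluation (rules checked in ascending priority, first match wins, default rules last) against the field names `az network nsg show -o json` returns (`securityRules`, `defaultSecurityRules`, `properties.priority`, `sourceAddressPrefix(es)`, `destinationPortRange(s)`). The NSG document itself is constructed for the example and is not a real resource, and the check ignores destination prefixes, assuming the VM is in scope of the NSG.

```python
"""Audit an Azure NSG for management ports (22/3389) reachable from the internet.

Added example, not from the original post. Input shape follows
`az network nsg show -g <rg> -n <nsg> -o json`; the sample NSG below is constructed.
"""
import ipaddress

MGMT_PORTS = (22, 3389)          # SSH and RDP, the ports the post is about
INTERNET_TEST_IP = "203.0.113.10"  # documentation-range address standing in for "any internet host"


def _ports(props):
    """Expand destinationPortRange / destinationPortRanges into a set of ints; None means any port."""
    ranges = list(props.get("destinationPortRanges") or [])
    if props.get("destinationPortRange"):
        ranges.append(props["destinationPortRange"])
    ports = set()
    for r in ranges:
        r = str(r).strip()
        if r == "*":
            return None
        if "-" in r:
            lo, hi = (int(x) for x in r.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(r))
    return ports


def _sources(props):
    """Collect sourceAddressPrefix / sourceAddressPrefixes as a list of strings."""
    srcs = list(props.get("sourceAddressPrefixes") or [])
    if props.get("sourceAddressPrefix"):
        srcs.append(props["sourceAddressPrefix"])
    return [str(s).strip() for s in srcs]


def _source_matches(prefix, ip):
    """True if a packet from `ip` matches this source prefix ('*', the Internet tag, or a CIDR)."""
    if prefix.lower() in ("*", "internet"):
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # other service tags (VirtualNetwork, AzureLoadBalancer) or ASG names: not the internet


def deciding_rule(nsg, port, source_ip=INTERNET_TEST_IP):
    """Return (rule name, access) of the first inbound rule, by ascending priority, that matches a
    TCP packet from source_ip to port. With no match the platform denies, reported as '<default>'."""
    rules = list(nsg.get("securityRules") or []) + list(nsg.get("defaultSecurityRules") or [])
    rules.sort(key=lambda r: r["properties"]["priority"])
    for rule in rules:
        p = rule["properties"]
        if p.get("direction", "").lower() != "inbound":
            continue
        if p.get("protocol", "*").lower() not in ("*", "tcp"):
            continue
        ports = _ports(p)
        if ports is not None and port not in ports:
            continue
        if not any(_source_matches(s, source_ip) for s in _sources(p)):
            continue
        return rule["name"], p["access"]
    return "<default>", "Deny"


def exposed_ports(nsg):
    """Management ports an arbitrary internet host is allowed to reach through this NSG."""
    return [port for port in MGMT_PORTS if deciding_rule(nsg, port)[1].lower() == "allow"]


# Constructed sample: an office-only RDP rule, an SSH rule open to the world, and a Deny that is
# never reached for 3389 from the office but does block 3389 from everywhere else.
SAMPLE_NSG = {
    "name": "nsg-example",
    "securityRules": [
        {"name": "allow-rdp-from-office", "properties": {
            "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
            "sourceAddressPrefix": "198.51.100.0/24", "destinationPortRange": "3389"}},
        {"name": "allow-ssh-anywhere", "properties": {
            "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "*",
            "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "8080"]}},
        {"name": "deny-rdp-internet", "properties": {
            "priority": 200, "direction": "Inbound", "access": "Deny", "protocol": "Tcp",
            "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"}},
    ],
    "defaultSecurityRules": [
        {"name": "DenyAllInBound", "properties": {
            "priority": 65500, "direction": "Inbound", "access": "Deny", "protocol": "*",
            "sourceAddressPrefix": "*", "destinationPortRange": "*"}},
    ],
}

if __name__ == "__main__":
    for port in MGMT_PORTS:
        print(port, deciding_rule(SAMPLE_NSG, port))
    print("exposed to the internet:", exposed_ports(SAMPLE_NSG))
```

Run it against real output by loading the JSON from `az network nsg show` and passing the dict to `exposed_ports`; a non-empty result is exactly the situation the Azure portal warns about. Passing a specific `source_ip` to `deciding_rule` also shows whether an administrator's current home address is still covered after it changes.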
Azure Bastion
Azure Bastion is a capability of Microsoft Azure that lets you connect to your virtual machines for management purposes directly from the web browser.
The main benefit of Azure Bastion is that your virtual machines no longer need a public IP address, and you no longer have to manage inbound NSG rules for management traffic.
The downsides of Azure Bastion are the cost (starting at 0.19 USD per hour plus outbound traffic over 5 GB per month, and it has to run 24/7) and that you need to grant users access to your Azure subscription/resource group so that they can reach the virtual machine from the web browser.
Indeed, because Azure Bastion connects to the virtual machine through the web browser, the user managing the VM needs permission to open it from the Azure portal.
Even though Microsoft has improved Azure Bastion since its introduction to allow the use of the native clients (RDP or SSH), this adds complexity for the users, as they have to run a specific set of commands to launch the native client through Azure Bastion (see this article).
It can increase security, as you can enforce Conditional Access (MFA, compliant devices, ...).
VPN Connections
The next option available to remotely connect and manage virtual machines is to use a VPN connection.
While this sounds like the most secure way to do it, it also has its downsides.
Like Azure Bastion, a VPN connection does not require your virtual machines to have a public IP address, which simplifies NSG management and reduces the cost associated with the virtual machines.
But it also increases the overall cost, as you need to deploy an Azure Virtual Network Gateway (starting at 26 USD per month, with bandwidth limited to 100 Mbps and a limited number of connections).
While this has improved over the past 10 years or so, VPN connections may still be blocked from the network your users are connecting from.
Even though you can integrate the VPN connection with Azure Active Directory to enforce MFA on authentication, it still requires the user to have an account in your Azure AD, which can be a problem when working with partners who have no guest account in your Azure AD.
Azure Virtual Desktop
Finally, what I think is the best option to remotely connect to (and manage) virtual machines running on Azure: Azure Virtual Desktop.
This is the option I prefer because it is not limited to providing remote access for management (RDP or SSH): you can also use it to publish applications (helping replace the 'old' on-premises Remote Desktop Services), while being more secure and simpler, as you can control access with MFA or other Azure AD Conditional Access policies without administrative overhead.
The running cost varies with the AVD configuration but can be optimized by shutting down the AVD session host virtual machines when they are not in use.
Any AVD resource (remote desktop or published application) can be accessed either with the Remote Desktop client or from the web browser.
Summary
I summarized all the remote access options available in Microsoft Azure in the table below.
| Remote Access Option | Pros | Cons |
|---|---|---|
| Network Security Group | · Simple · Cheap (no cost for NSGs) | · Administration overhead · Risk from misconfiguration · Source IP cannot always be trusted |
| Azure Bastion | · No public IP assigned to the virtual machines · Access from the web browser · Increased security (Conditional Access) | · Cost · Azure subscription/resource group access management overhead · Needs to run 24/7 |
| VPN Connection | · No source IP management · No public IP assigned to the virtual machines | · Can be blocked from the connecting network · Gateway needs to run 24/7 · Requires an account in your Azure AD |
| Azure Virtual Desktop | · Can be used for more than management · Increased security using Azure AD Conditional Access · Can be shut down and started on demand | · Variable cost · Need to maintain the AVD virtual machines |