One of the first things you do, after you create your new Azure virtual machine, is remote desktop into it.
Depending on the type of Azure environment you have, you might want to define the best access policy to the virtual machines, determining for example if you need to be connected to a VPN corporate network or not.
In my example, my Azure subscription is used for testing and therefore I will allow external access to my virtual machine.
It’s also important to understand that, to give remote desktop access to the virtual machine, what you need to configure are Inbound Port Rules in the network security group.
You have three options when it comes to configuring security access policies to a new Virtual Machine.
Option 1: Select the ports you want open, during the virtual machine creation
This is the simplest option, unless you want to keep things organized and manageable by using the same network security group for multiple virtual machines (see option 3).
When creating the virtual machine, in the main menu you should see a section called “Select inbound ports”, which appears once you choose “Allow selected ports” right above it.
All you have to do is select the ports that you want to open, for example 443, 25 and 3389 for an Exchange Server and the new network security group will be configured automatically.
Option 2: Create a new virtual machine with default settings. Once the VM is created edit the newly created Network Security Group.
This is the option to follow if you either forgot or chose not to follow the option above, and you didn’t select an existing, already configured network security group during the virtual machine creation.
A newly created network security group should have the following inbound port rules created by default:
And what you need to do is add an inbound port rule.
You can do it via the Azure portal by going to the virtual machine, then the Networking section under Settings, and clicking “Add Inbound Port Rule” under the corresponding tab.
You can also go directly to the network security group (under All resources), then to Inbound security rules under Settings, and click “Add”.
The above is how the inbound rule should look. You can click the “Basic” button in the top left to select from an existing service template. There’s an excellent article on how to open ports to a virtual machine with the Azure portal that you might also look at for additional details.
Option 3: Create a new Network Security group and select it when creating the new virtual machine.
The other more advanced option is to create a network security group and use it for multiple Virtual Machines when you create them. That way you won’t have unique security groups per virtual machine and you won’t have to keep opening one or multiple services for those virtual machines, each time you create a new one.
I won’t go into details on how to create the network security group. For that just follow the official guidance on the link above.
Once you have your group created and upon creation of the new Virtual Machine, make sure you select it, instead of the default option to create a new one.
When creating the virtual machine, in the “Networking” tab, select “Advanced” under “NIC network security group” and then select an existing security group.
And that’s it. It’s a very simple process and one you need done if you want to start accessing those Virtual Machines or publishing services like HTTPS or SMTP. Hopefully after reading this post you understand the several options you have.
All of the above can of course be done via PowerShell, but to keep this post as simple as possible, I’ve used the portal.
Note: I want to make clear that you should not allow unrestricted Internet access to your virtual machine, unless it’s a test machine holding no sensitive data of any kind. Even in those cases you can always easily set the source address or range of addresses for that inbound port rule.
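The same configuration done with the Az PowerShell module, as an added example that is not from the original post: it builds the option 3 style shared network security group with the Exchange ports mentioned above, limits RDP to an admin source range as the note recommends, and then checks the group for any rule that still allows RDP from any source. The resource group, NSG name, location and the 203.0.113.0/24 range are placeholder assumptions.

```powershell
# Added example (not from the original post). Placeholder assumptions:
# resource group 'rg-lab', NSG 'nsg-exchange', location 'westeurope' and the
# admin source range 203.0.113.0/24 (RFC 5737 documentation range).
# Requires the Az PowerShell module and an existing Connect-AzAccount session.
$rgName    = 'rg-lab'
$nsgName   = 'nsg-exchange'
$adminCidr = '203.0.113.0/24'

# Option 3 via PowerShell: one NSG with the Exchange ports from the post,
# reusable across virtual machines. RDP (3389) is limited to the admin range;
# 443 and 25 are the published services and stay open to the Internet tag.
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-Admin' -Direction Inbound `
        -Access Allow -Protocol Tcp -Priority 100 `
        -SourceAddressPrefix $adminCidr -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389
    New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS' -Direction Inbound `
        -Access Allow -Protocol Tcp -Priority 110 `
        -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name 'Allow-SMTP' -Direction Inbound `
        -Access Allow -Protocol Tcp -Priority 120 `
        -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 25
)
$nsg = New-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName `
    -Location 'westeurope' -SecurityRules $rules

# Defender check: return every inbound allow rule that exposes RDP to any
# source ('*' or the Internet service tag). An empty result is what you want.
function Get-ExposedRdpRule {
    param([Parameter(Mandatory)] $NetworkSecurityGroup)
    Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $NetworkSecurityGroup |
        Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
            ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet') -and
            ($_.DestinationPortRange -contains '3389' -or $_.DestinationPortRange -contains '*')
        }
}

$exposed = Get-ExposedRdpRule -NetworkSecurityGroup $nsg
if ($exposed) {
    $exposed | Format-Table Name, Priority, SourceAddressPrefix, DestinationPortRange
} else {
    Write-Output "No inbound rule on $nsgName allows RDP from any source."
}
```

Run the check function against any existing group (Get-AzNetworkSecurityGroup) to audit VMs created with option 1 or 2, where the RDP rule is often left with source `Any`.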