Different VNETs, peering and routing between these and managing it all requires a bit of planning and experimenting to get it right. The challenge with P2S in a scenario like this is first and foremost with routing. You have several protocols to choose from (SSTP, OpenVPN, IKEv2), there’s support for all major platforms (Windows and macOS use native clients, Linux uses StrongSwan and even iOS is supported) and VPNs are typically well understood. Azure P2S VPN is a great solution for very limited scenarios. ![]() “Use a VPN!” is so easy to throw around without thinking about the operational issues. ![]() Another option from my 20+ years as a consultant. Provision a Point-to-Site (P2S) VPN solution. Monitoring this would be a nightmare also. With multiple VMs it also becomes a burden to maintain and manage. I also don’t feel comfortable opening RDP for the whole world as it wouldn’t take more than a few minutes for portscans to hit the VMs. Many times external guests have dynamic IP addresses or proxy services that require allowing access from huge and mostly unknown networks. And also inherently insecure, and hard to manage. This is the obvious “top of my head” solution, as it’s a classic approach. Open port 3389/TCP (Remote Desktop) for selected IPs or networks. So, I started this journey by mapping out the options – or at least researching a bit to find out what I needed to focus on.Īssuming we have a select number of virtual machines in Azure and needed to provide access for these I was able to find out the following options: If it was easy, everyone would be doing it. Back when life was still more datacenters and on-premises focused I remember jokingly saying to myself that there are always technical blockers and challenges to be figured out. I love challenges, if you couldn’t already tell by my previous posts. How do we grant and enforce secure remote access for both in-house IT staff as well as select few external consultants for these virtual machines? Mapping the options The business problem came when we had these virtual machines provisioned and it became time to grant permissions. I know this is not a common approach but still very much used. These VMs are aimed to run certain business apps that require remote access to the server for continuous configuration and tweaking. They will be provisioned in a new VNET together and both will have a public IP address. I needed to set up a few Windows Server 2016-based virtual machines in Azure. Ideally, we’d like to secure authentication with Azure AD, and optionally enforce Multi-Factor Authentication (MFA) – especially for guest users. This post stemmed from the idea of figuring out what options do we have for accessing and managing virtual machines remotely while enforcing a secure approach. This is especially true in the Nordics, where Azure is commonly accepted as a trusted option for data centers and PaaS services. It seems there really is a second wave of adoption for cloud-based infrastructure and services from organizations. I’ve had some fun times lately with Azure. Building a secure remote access solution for Azure-based virtual machines using Azure AD and Windows Admin Center
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |