Reputation: 1084
I'm a bit new to Azure, but was able to make a PowerShell script to create a VM.
# $MyPublicIP = (Invoke-WebRequest -uri "http://ifconfig.me/ip").Content
$MyPublicIP = $(Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Dhcp).IPAddress
Write-Host "Creating network security group, that can be only accessed from my public IP address - '$MyPublicIP'"
$nsgRuleRDP = New-AzNetworkSecurityRuleConfig `
-Name "$NSGRuleName-RDP" `
-Description "Open RDP" `
-Protocol Tcp `
-Direction Inbound `
-Priority 1000 `
-SourceAddressPrefix $MyPublicIP `
-SourcePortRange * `
-DestinationAddressPrefix * `
-DestinationPortRange 3389 `
-Access Allow
But the issue is that $MyPublicIP is my local computer IP address (only on our company network), and my public facing one comes from the VPN provider my company uses. I am not sure how to programmatically get the IP address of my VPN provider. I can manually copy it from https://www.whatismyip.com/
And even if I was able to figure out how to fetch my public facing IP address, it seems to change frequently and I am finding myself updating the RDP rule on NSG.
Anyone know if there is a better way to restrict access? Like some sort of AD group? I am not sure of the right terminology for this in Azure land. TIA
Upvotes: 0
Views: 291
Reputation: 7820
I am not sure how to programmatically get the IP address of my VPN provider. I can manually copy it from https://www.whatismyip.com/
You can use the below PowerShell script to get your Public IP without copying it manually.
#IPV4 Public IP
$ipApiUrl = "https://api.ipify.org?format=json"
$publicIpResponse = Invoke-RestMethod -Uri $ipApiUrl
$publicIpAddress = $publicIpResponse.ip
Write-Host "Public IPv4 Address: $publicIpAddress"
Write-Host "Creating network security group, that can be only accessed from my public IP address :$publicIpAddress"
Get-AzNetworkSecurityGroup -Name "NRMS-tut2qoxap3z3yv-venkal-Mindtree-vnet" -ResourceGroupName "v-venkal-Mindtree" |
    Add-AzNetworkSecurityRuleConfig -Name rdp-rule -Description "Allow RDP" `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix $publicIpAddress -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 3389 |
    Set-AzNetworkSecurityGroup
And even if I was able to figure out how to fetch my public facing IP address, it seems to change frequently and I am finding myself updating the RDP rule on NSG.
If your public IP frequently changes, that will impact your VM connectivity. There are ways to connect to your VM without a public IP, such as using Azure Bastion, or you can check with your company network team to provide a list of VPN network public IPs to whitelist in the NSG rules.
If your company uses a full tunnel VPN, the network team will provide the public IP details of the VPN network. If using a split tunnel VPN, it should be a combination of the company VPN network and the broadband public IP. You need to whitelist both IPs to establish the connection. Sometimes, the broadband public IP may change automatically.
To address the challenge of a dynamic public IP address causing frequent updates to the Network Security Group rule, you can use Azure Bastion. It provides secure RDP and SSH access to your Azure VMs directly from the Azure portal without exposing the VMs to the public internet.
Reference: Create an RDP connection to a Windows VM using Azure Bastion
Upvotes: 2
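A fuller version of the answer's "fetch my public IP, then set the NSG rule" approach, added here as an example (it is not code from the question or the answer): it validates what the lookup service returns before that value goes into an Allow rule, pins the prefix to a single host (/32), and only rewrites the rule when the address has actually changed, so it can run unattended on a schedule. The resource group, NSG and rule names are placeholders you must fill in.

```powershell
# Added example, not from the question or answer. Assumes the Az module is
# installed and Connect-AzAccount has already been run.
$ResourceGroupName = "<your-resource-group>"   # placeholder
$NsgName           = "<your-nsg-name>"         # placeholder
$RuleName          = "rdp-from-my-ip"          # placeholder

# 1. Ask the same lookup service the answer uses for the internet-facing IPv4.
$resp      = Invoke-RestMethod -Uri "https://api.ipify.org?format=json" -TimeoutSec 15
$candidate = [string]$resp.ip

# 2. Refuse to touch the NSG unless the response is a well-formed IPv4 address.
#    Whatever the lookup service returns must never land in an Allow rule unchecked.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($candidate, [ref]$parsed) -or
    $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
    throw "Public IP lookup returned an unexpected value: '$candidate'"
}
$prefix = "$candidate/32"   # explicit single-host prefix, never a wider range

# 3. Compare with the rule already on the NSG and only write when it differs.
$nsg  = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName
$rule = $nsg.SecurityRules | Where-Object { $_.Name -eq $RuleName }

if ($rule -and ($rule.SourceAddressPrefix -contains $prefix)) {
    Write-Host "Rule '$RuleName' already allows $prefix; nothing to do."
    return
}

$ruleParams = @{
    NetworkSecurityGroup     = $nsg
    Name                     = $RuleName
    Description              = "Allow RDP from current public IP only"
    Access                   = "Allow"
    Protocol                 = "Tcp"
    Direction                = "Inbound"
    Priority                 = 1000
    SourceAddressPrefix      = $prefix
    SourcePortRange          = "*"
    DestinationAddressPrefix = "*"
    DestinationPortRange     = "3389"
}
if ($rule) {
    Write-Host "Updating '$RuleName': $($rule.SourceAddressPrefix -join ',') -> $prefix"
    $nsg = Set-AzNetworkSecurityRuleConfig @ruleParams
} else {
    Write-Host "Creating '$RuleName' for $prefix"
    $nsg = Add-AzNetworkSecurityRuleConfig @ruleParams
}
$nsg | Set-AzNetworkSecurityGroup | Out-Null
```

Note that the resulting rule still admits every client that egresses through the same VPN address, which is the limitation the answer's Bastion suggestion avoids.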