A question I see periodically is how to restrict RDP access for PaaS services to specific network IP addresses. In the past this has always been difficult to do and the typical solution was to use a Startup task to configure firewall rules (ie. using Set-NetFirewallRule or netsh advfirewall per http://msdn.microsoft.com/en-us/library/azure/jj156208.aspx). This technique generally works fine, but it introduces the extra complexity of a startup task and is not built into the Azure platform itself.
Network ACLs
With the (relatively) recent introduction of network ACLs it becomes much easier to robustly secure an input endpoint on a cloud service. My colleague Walter Myers has a great blog post about how to enable network ACLs for PaaS roles at http://blogs.msdn.com/b/walterm/archive/2014/04/22/windows-azure-paas-acls-are-here.aspx. To apply a network ACL to the RDP endpoint it is simply a matter of defining your ACL rules targeting the role which imports the RemoteForwarder plugin, and specifying the name of the RDP endpoint in the endPoint attribute.
Here is the resulting NetworkConfiguration section to add to the CSCFG file:
<NetworkConfiguration>
<AccessControls>
<AccessControl name="RDPRestrict">
<Rule action="permit" description="PermitRDP" order="100" remoteSubnet="167.220.26.0/24" />
<Rule action="deny" description="DenyRDP" order="200" remoteSubnet="0.0.0.0/0" />
</AccessControl>
</AccessControls>
<EndpointAcls>
<EndpointAcl role="WebRole1" endPoint="Microsoft.WindowsAzure.Plugins.RemoteForwarder.RdpInput" accessControl="RDPRestrict" />
</EndpointAcls>
</NetworkConfiguration>
Important information:
- You must enable RDP in the package before publishing your service. The new model of enabling RDP post-deployment via the management portal or extension APIs will not work. You can enable RDP in the package using Visual Studio by right-clicking the cloud service project in Solution Explorer and selecting ‘Configure Remote Desktop…’, or in the Publish wizard by checking the ‘Enable Remote Desktop for all roles’ checkbox.
- The role="WebRole1" attribute must specify the role which imports the RemoteForwarder plugin. You can look in the CSDEF file and find the role which has <Import moduleName="RemoteForwarder" />. If you have multiple roles in your service then all of them will import RemoteAccess, but only one of them will import RemoteForwarder and you must specify the role which imports RemoteForwarder.
- The network configuration defined above will restrict all client’s except for those with IP addresses in the range 167.220.26.1-167.220.26.255. See Walter’s blog post for more information about how to specify network ACLs, and the MSDN documentation (http://msdn.microsoft.com/en-us/library/azure/dn376541.aspx) for more information about order and precedence of rules.