How to provide a temporary and secure remote access to Microsoft Azure VMs
Introduction
Microsoft Azure allows opening public ports for remote administration of VMs. Exposing VMs to the internet increases the attack surface, which is why this feature should be used with caution: administrators should keep tight control over remote access and over how it is granted.
This Wiki article shares a way to provide a temporary and secure remote access to Microsoft Azure VMs. It provides a method for Microsoft Azure administrators to restrict the accesses to VMs and enable them only when required.
How can you provide a temporary and secure remote access to Microsoft Azure VMs?
Administrators allow remote access to Microsoft Azure VMs by configuring Endpoints. Each endpoint has a public and a private port where inbound traffic comes on the public port and gets redirected to the private port. Endpoints use ACLs to filter traffic and permit the communication from specific IPs or subnets.
To provide a temporary and secure remote access to Microsoft Azure VMs, you can use the following recommendations:
- By default, no remote administration port should be opened
- Administration ports should be opened only when required
- Inbound administration traffic should be allowed only from a trusted IP address
- Administration ports should be blocked when the administrators’ sessions are closed
How to use Windows PowerShell to open or block remote access to Microsoft Azure VMs?
Windows PowerShell can be used to implement the recommendations above. All you need are two scripts:
- A script that enables remote access to a Microsoft Azure VM for a single IP address
- A script that disables remote access to a Microsoft Azure VM
To enable remote access to a Microsoft Azure VM for a single IP address, you can use the following PowerShell script:
$publicIP = Read-Host "What is your public IP? (You can get it from http://whatismyipaddress.com/)"
$servicename = Read-Host "What is the Windows Azure Service Name?"
$vmname = Read-Host "What is the VM name?"
# Restrict the ACL to the single administrator address (/32)
$publicIP = $publicIP + "/32"
$acl1 = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl1 -Action permit -RemoteSubnet $publicIP -Description "Temporary ACL"
$title = "Protocol"
$message = "Which administration protocol do you want to enable?"
$rdp = New-Object System.Management.Automation.Host.ChoiceDescription "&RDP", "RDP"
$powershell = New-Object System.Management.Automation.Host.ChoiceDescription "&PowerShell", "PowerShell"
$SSH = New-Object System.Management.Automation.Host.ChoiceDescription "&SSH", "SSH"
$options = [System.Management.Automation.Host.ChoiceDescription[]]($rdp, $powershell, $SSH)
$result = $host.ui.PromptForChoice($title, $message, $options, 0)
switch ($result) {
    0 {
        # No -PublicPort is given, so Azure assigns a random public port for the endpoint
        Get-AzureVM -ServiceName $servicename -Name $vmname | Add-AzureEndpoint -Name "Remote Desktop" -LocalPort 3389 -Protocol tcp -ACL $acl1 | Update-AzureVM
        $publicPortMessage = "The RDP public port is " + (Get-AzureVM -ServiceName $servicename -Name $vmname | Get-AzureEndpoint -Name "Remote Desktop").Port
        Write-Host $publicPortMessage -ForegroundColor "Green"
    }
    1 {
        Get-AzureVM -ServiceName $servicename -Name $vmname | Add-AzureEndpoint -Name "PowerShell" -LocalPort 5986 -Protocol tcp -ACL $acl1 | Update-AzureVM
        $publicPortMessage = "The PowerShell public port is " + (Get-AzureVM -ServiceName $servicename -Name $vmname | Get-AzureEndpoint -Name "PowerShell").Port
        Write-Host $publicPortMessage -ForegroundColor "Green"
    }
    2 {
        Get-AzureVM -ServiceName $servicename -Name $vmname | Add-AzureEndpoint -Name "SSH" -LocalPort 22 -Protocol tcp -ACL $acl1 | Update-AzureVM
        $publicPortMessage = "The SSH public port is " + (Get-AzureVM -ServiceName $servicename -Name $vmname | Get-AzureEndpoint -Name "SSH").Port
        Write-Host $publicPortMessage -ForegroundColor "Green"
    }
}
When you run the script, it will ask you the following questions:
- What is your public IP? (You can get it from http://whatismyipaddress.com/): You need to specify your public IP address. You can get it from the http://whatismyipaddress.com/ website.
- What is the Windows Azure Service Name?: You need to specify the Microsoft Azure Service Name
- What is the VM name?: You need to specify the Microsoft Azure VM name
- Which administration protocol do you want to enable? You can choose between RDP, PowerShell and SSH. To enable multiple administration protocols, you can run the script multiple times
Remark: The script displays the public port in green once executed.
When you have provided the required input information, the script will create a new Endpoint as shown in the screen capture below:
The public port is not the same as the private one, and an ACL is created that allows only the provided public IP address.
To disable remote access to a Microsoft Azure VM, you can use the following PowerShell script:
$servicename = Read-Host "What is the Windows Azure Service Name?"
$vmname = Read-Host "What is the VM name?"
# Remove every administration endpoint created by the enable script
$protocols = Get-AzureVM -ServiceName $servicename -Name $vmname | Get-AzureEndpoint
foreach ($protocol in $protocols) {
    if ($protocol.Name -eq "Remote Desktop") { Get-AzureVM -ServiceName $servicename -Name $vmname | Remove-AzureEndpoint -Name "Remote Desktop" | Update-AzureVM }
    if ($protocol.Name -eq "SSH") { Get-AzureVM -ServiceName $servicename -Name $vmname | Remove-AzureEndpoint -Name "SSH" | Update-AzureVM }
    if ($protocol.Name -eq "PowerShell") { Get-AzureVM -ServiceName $servicename -Name $vmname | Remove-AzureEndpoint -Name "PowerShell" | Update-AzureVM }
}
When you run the script, it will ask you the following questions:
- What is the Windows Azure Service Name?: You need to specify the Microsoft Azure Service Name
- What is the VM name?: You need to specify the Microsoft Azure VM name
When you have provided the required input information, the script will remove the Endpoints that were created using the previously described script.
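The two scripts above grant and revoke access, but they do not tell you whether the recommendations are actually being followed across the subscription. The following audit script is an added example, not part of the original article: it lists every classic VM endpoint that exposes one of the administration ports used above and reports whether its ACL restricts the source, flagging endpoints with no ACL, with a permit rule for 0.0.0.0/0, or with a "Temporary ACL" that was never revoked. It assumes the Azure Service Management module is loaded, that Add-AzureAccount and Select-AzureSubscription have already been run, and that the ACL rule objects returned by Get-AzureAclConfig expose Action, RemoteSubnet and Description properties.

```powershell
# Added audit example (not from the article). Assumes the classic Azure Service
# Management module and an already selected subscription. Endpoint names and private
# ports match the enable script; the ACL rule property names are an assumption.
$adminPorts = @{ "Remote Desktop" = 3389; "PowerShell" = 5986; "SSH" = 22 }

function Get-AdminEndpointAudit {
    # Get-AzureVM without parameters returns summaries; fetch the full VM object for each
    $vms = Get-AzureVM | ForEach-Object { Get-AzureVM -ServiceName $_.ServiceName -Name $_.Name }
    foreach ($vm in $vms) {
        foreach ($ep in ($vm | Get-AzureEndpoint)) {
            # Only endpoints whose private port is an administration port are of interest
            if ($adminPorts.Values -notcontains $ep.LocalPort) { continue }

            $rules   = @($vm | Get-AzureAclConfig -EndpointName $ep.Name)
            $permits = @($rules | Where-Object { $_.Action -eq "permit" })
            $status  = "RESTRICTED to " + (($permits | ForEach-Object { $_.RemoteSubnet }) -join ", ")

            if ($rules.Count -eq 0) {
                # Recommendation 3 violated: reachable from any internet address
                $status = "OPEN: no ACL on the endpoint"
            } elseif ($permits | Where-Object { $_.RemoteSubnet -eq "0.0.0.0/0" }) {
                $status = "OPEN: ACL permits 0.0.0.0/0"
            } elseif ($permits | Where-Object { $_.Description -eq "Temporary ACL" }) {
                # Recommendation 4: the session ended but the port was never blocked
                $status += " (Temporary ACL still present, run the disable script)"
            }

            [pscustomobject]@{
                Service    = $vm.ServiceName
                VM         = $vm.Name
                Endpoint   = $ep.Name
                PublicPort = $ep.Port
                LocalPort  = $ep.LocalPort
                Status     = $status
            }
        }
    }
}

Get-AdminEndpointAudit | Format-Table -AutoSize
```

Running it on a schedule and alerting on any row whose Status starts with OPEN gives a simple check that no administration port is left exposed by default.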
Conclusion
This Wiki article shared a way to provide temporary and secure remote access to Microsoft Azure VMs. It provides two PowerShell scripts: one grants the required access to a trusted IP address, and the other revokes it when access is no longer required. Microsoft Azure administrators can use them to keep better control of access to their VMs.