Restricting Access to Virtual Machines

Managing network port restrictions for your Azure virtual machines is crucial for maintaining a secure environment. This guide provides instructions on configuring the network security group (NSG) associated with your VM to restrict general access and allow connections from specific IP addresses for port 22 (SSH) on Linux VMs and port 3389 (RDP) on Windows VMs.

Notes:

  1. To connect using your public IP, select My IP Address as the source when creating an inbound rule in the NSG.
  2. To connect from DTU Campus, use the DTU IP ranges. Ask the network team for the list of these ranges.
  3. To find the public IP you are connecting from in WSL (Windows Subsystem for Linux), run the command curl icanhazip.com and use the returned address as the source.

Steps to Restrict Access to Your Virtual Machines:

Step 1: Navigate to Virtual Machine

  1. Go to your VM by selecting "Virtual Machines" from the side menu.
  2. On the VM overview page, locate the Networking tab on the left panel.

Step 2: Access the Network Security Group

  1. Under the Networking tab, you'll see the Network settings section.
  2. In Network settings, look for the Network Security Group (NSG) associated with the VM.

Step 3: Create a New Inbound Security Rule

Linux VM, allow specific IPs on port 22 (SSH)

  1. Under Network Security Group, click on Create port rule.
  2. Click the Inbound port rule button to create a new rule.
  3. Fill in the following details:
     - Source: Select IP Addresses.
     - Source IP Addresses/CIDR Ranges: Enter the specific IP address or range that should have access (e.g., 203.0.113.0/24, or just 203.0.113.1 for a single host).
     - Source Port Ranges: Leave as Any (the client's source port is ephemeral, so it cannot be used to restrict access).
     - Destination: Select Any.
     - Destination Port Ranges: Enter 22.
     - Protocol: Select TCP.
     - Action: Select Allow.
     - Priority: Set a priority number (e.g., 1000). Lower numbers are evaluated first and the first matching rule wins; the priority must be unique within the NSG.
     - Name: Give the rule a descriptive name (e.g., Allow-SSH-JohnHome-Access).
     - Description: It is recommended to include a description when adding this rule.
  4. Click Add to save the rule.
  5. Check the other inbound rules of the NSG. If a rule already allows port 22 from Any or Internet (for example one added when the VM was created), delete it or narrow its source; otherwise it still matches first and the new rule restricts nothing.

Windows VM, allow specific IPs on port 3389 (RDP)

  1. Under Network Security Group, click on Create port rule.
  2. Click the Inbound port rule button to create a new rule.
  3. Fill in the following details:
     - Source: Select IP Addresses.
     - Source IP Addresses/CIDR Ranges: Enter the specific IP address or range that should have access (e.g., 203.0.113.0/24, or just 203.0.113.1 for a single host).
     - Source Port Ranges: Leave as Any (the client's source port is ephemeral, so it cannot be used to restrict access).
     - Destination: Select Any.
     - Destination Port Ranges: Enter 3389.
     - Protocol: Select TCP.
     - Action: Select Allow.
     - Priority: Set a priority number (e.g., 1000). Lower numbers are evaluated first and the first matching rule wins; the priority must be unique within the NSG.
     - Name: Give the rule a descriptive name (e.g., Allow-RDP-JohnHome-Access).
     - Description: It is recommended to include a description when adding this rule.
  4. Click Add to save the rule.
  5. Check the other inbound rules of the NSG. If a rule already allows port 3389 from Any or Internet (for example one added when the VM was created), delete it or narrow its source; otherwise it still matches first and the new rule restricts nothing.

Consider Removing Public IPs

If some or all of these virtual machines do not need to be accessed directly from the Internet, consider removing the public IP addresses associated with them.

This adjustment aligns with Azure's built-in security policies for network security. For more information on the policies that govern these settings, visit Azure Built-in Policies - Security Center. The specific policy definition can also be found on GitHub.