Applies to: Nerdio for Azure (NFA) Professional and Enterprise Accounts Only.
Refer to this KB article to determine if you are an NFA user.
This article applies to anyone who would like to limit access to RDS sessions by source IP address.
Nerdio recommends the use of multi-factor authentication. Creating an IP address access list is not a substitute for MFA and does not act as an additional factor; it is only a limitation imposed based on the source IP address. Information on enabling MFA in Nerdio.
Note: Do not create an access list for remote sources that use dynamically assigned public IP addresses.
Note: Do not remove existing NSG rules. Adding new rules in the right order preserves the default rules while accomplishing the security goal.
The Network Security Groups (NSG) deployed in Azure will have a collection of rules ordered by priority. These rules are applied in order, where the lowest priority number takes precedence. The default priorities in Nerdio have been spaced to accommodate adding new rules to achieve the appropriate precedence and application of rules.
Before you get started, plan it out. Based on the number of allowed IP sources you need, leave room in the priority numbering for future adjustments.
In our example, we will add an access list for a single site. We will need to add 2 allow rules and 2 deny rules to block any unmatched IP addresses.
- We want to allow HTTPS and 3391 from a single source
- We will need an allow rule for HTTPS with a priority between 100 and 110
- We will need an allow rule for 3391 with a priority between 110 and 200
- We want to deny HTTPS and 3391 for all other untrusted IP addresses
- We will need a deny rule for HTTPS with a priority less than 110 and greater than our HTTPS allow rule
- We will need a deny rule for 3391 with a priority less than 200 and greater than our 3391 allow rule
To allow for future spacing we will insert rules with the following plan:
- 105 to allow HTTPS from the single trusted source
- 195 to allow 3391 from the single trusted source
- 109 to deny all other HTTPS traffic before the default 110 rule would allow it
- 199 to deny all other 3391 traffic before the default 200 rule would allow it
Step 1: Create allow rule for the trusted source IP(s) to HTTPS (443)
Give your rule an appropriate name. This could include source site information and a brief description of what the rule is doing.
Set a priority of 105, with TCP protocol and a source IP or CIDR block of the trusted remote source(s).
Direction will be inbound to the gateway and an allow for the access.
For the destination, select Servers and choose RDGW01. Add port 443 to the first port input box.
Step 2: Create allow rule for the trusted source IP(s) to 3391
Everything is the same as Step 1 with a few exceptions: for the priority, input 195; for the protocol, select UDP; for the destination port, input 3391.
Step 3: Create deny rule for all other sources to HTTPS (443)
Give your rule an appropriate name. This could include something about deny and the scope of the denial.
Set a priority of 109, with TCP protocol and a source of Any.
Direction will be inbound to the gateway and deny for the access.
For the destination, select Servers and choose RDGW01, and add destination port 443 to the first input box.
Step 4: Create deny rule for all other sources to port 3391
Everything is the same as Step 3 with a few exceptions: for the priority, input 199; for the protocol, select UDP; for the destination port, input 3391.
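Before clicking through the four steps, it helps to check the plan against the NSG first-match semantics the article describes (lowest priority number wins). The script below is an added example and not Nerdio's own code: it assumes the default rules at 110 and 200 are TCP 443 and UDP 3391 allows from any source, and uses a constructed trusted source block of 203.0.113.0/24.

```python
"""Simulate Azure NSG first-match evaluation against the planned rule set.

Added example, not Nerdio's code. The 110/200 default allow rules are assumed
from the article's priority spacing; 203.0.113.0/24 is a constructed source.
"""
import ipaddress

# (priority, name, protocol, source, dest_port, action). Lower priority wins.
PLANNED_RULES = [
    (105, "Allow-HTTPS-TrustedSite", "TCP", "203.0.113.0/24", 443, "Allow"),  # Step 1
    (109, "Deny-HTTPS-AllOther", "TCP", "*", 443, "Deny"),                     # Step 3
    (110, "Default-Allow-HTTPS", "TCP", "*", 443, "Allow"),                    # assumed default
    (195, "Allow-3391-TrustedSite", "UDP", "203.0.113.0/24", 3391, "Allow"),   # Step 2
    (199, "Deny-3391-AllOther", "UDP", "*", 3391, "Deny"),                     # Step 4
    (200, "Default-Allow-3391", "UDP", "*", 3391, "Allow"),                    # assumed default
]


def source_matches(rule_source, src_ip):
    """'*' matches any source; otherwise test membership in the CIDR block."""
    if rule_source == "*":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_source, strict=False)


def evaluate(rules, src_ip, protocol, dest_port):
    """Return (action, rule name) of the first matching rule in priority order.

    Falls through to ("Deny", "implicit"), like the NSG DenyAllInbound default.
    """
    for _priority, name, proto, source, port, action in sorted(rules):
        if proto == protocol and port == dest_port and source_matches(source, src_ip):
            return action, name
    return "Deny", "implicit"


def without(rules, name):
    """The same rule set minus one rule, to show the effect of skipping a step."""
    return [r for r in rules if r[1] != name]


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9"):  # constructed trusted / untrusted clients
        print(ip, evaluate(PLANNED_RULES, ip, "TCP", 443), evaluate(PLANNED_RULES, ip, "UDP", 3391))
    # Skipping Step 3 lets the 110 default allow HTTPS from any source.
    print(evaluate(without(PLANNED_RULES, "Deny-HTTPS-AllOther"), "198.51.100.9", "TCP", 443))
```

Running it shows the trusted client matched at 105/195, the untrusted client stopped at 109/199, and the untrusted client allowed by the 110 default once the Step 3 deny is missing.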
When everything is complete the DMZ precedence/priority list should appear as follows: