Bypassing on premises firewall to RDP or SSH into Azure VM
Abstract
Believe it or not, the process for getting ports opened on on-premises firewalls is proving to be the number one blocker for Azure adoption, until a Site-to-Site VPN or Azure ExpressRoute is set up.
The problem is not the technical change to the firewall rules that would allow RDP or SSH to an Azure VM; it is the "process" enterprises set up for approving outbound traffic from their on-premises network, whether to Azure or to the internet in general.
I am not saying that the security teams looking after the on-premises environment are bad; it is their job to keep things secure, so they will always hesitate, seek approval or seek clarification before opening port 3389 or 22 for outbound traffic from their network.
In this blog post I will illustrate a way to access an Azure VM by RDP or SSH without asking your internal network or security team to open any ports.
Let’s go!
Refer to the diagram below.
1. As you can see in the diagram above, your laptop sits in your organization's network, which is a controlled environment with firewall and proxy devices.
2. You have an Azure VM with public IP x.x.x.x, as shown in the diagram.
3. To RDP or SSH into the Azure VM you need to use the standard ports: 3389 for RDP and 22 for SSH.
4. There is no Site-to-Site VPN or ExpressRoute between your on-premises network and the Azure environment.
5. Your organization's on-premises firewall blocks any outbound internet traffic to ports 3389 and 22.
6. Hence RDP/SSH from your laptop to the Azure VM fails.
So you may say: let me talk to my network/security/firewall team and see if they can open port 3389/22 outbound for my laptop's IP.
You can do that, but in my experience it takes weeks to get 3389/22 opened to the internet, or even to a particular IP. Organizations also have a set process for opening ports and modifying firewall rules, and because security teams and firewall operations go through stringent audit and compliance processes, it will always be a big battle for you.
If you are a financial organization, opening 3389/22 outbound to the internet from on-premises is never going to happen!
The most secure solution is to use either a Site-to-Site VPN or ExpressRoute to connect to Azure VMs. However, configuring these also takes time.
So what is the solution to quickly get started with RDP/SSH to an Azure VM without changing on-premises firewall rules?
Although on-premises firewalls and proxy servers block ports 3389 and 22, they almost always have port 443 open outbound. For example, if I access https://google.com from the laptop in the diagram above, the connection goes over port 443, because most trusted sites use HTTPS and the default port for HTTPS is 443.
One caveat: the rule being relied on is "TCP 443 is open", not "anything that looks like HTTPS is open". If the only way out is through a web proxy that inspects TLS or expects an HTTP CONNECT, raw RDP or SSH on port 443 will not get through; this trick depends on the firewall passing plain TCP to 443.
So if I RDP/SSH from my laptop over port 443 instead of 3389/22, the traffic from my laptop should pass the on-premises firewall and reach the outside.
The question is how to carry RDP/SSH over 443. The RDP listener defaults to 3389 and sshd to 22. You could reconfigure the service on the VM to listen on 443, but then you have to do that on every VM you want to reach. The cleaner option is "Inbound Network Address Translation" (inbound NAT): my traffic reaches Azure on port 443, and the destination port is translated to 3389 or 22 before it hits the VM. A VM can't do inbound NAT by itself, and this is where we need Azure Load Balancer.
Azure Load Balancer is an awesome managed layer-4 service with built-in HA. It comes in two SKUs, Basic and Standard.
For our case either SKU works. I am a poor guy and always love to avoid unnecessary spend (the contract for unnecessary spend I have given to my better half), so I will use the Basic layer-4 Azure load balancer for this tutorial. Be aware that Microsoft has announced the retirement of the Basic SKU (30 September 2025), so for anything new use Standard; a Standard load balancer is also "secure by default" and passes nothing to the backend VM until a network security group rule explicitly allows it.
Refer to the diagram below.
1. From the local laptop, use port 443 for SSH or RDP instead of the standard ports.
2. As the traffic to the Azure VM is on port 443, the on-premises firewall allows it.
3. The RDP/SSH request lands on the Azure public load balancer.
4. The inbound NAT rule is processed: the destination port is translated from 443 to 3389/22, and the packet is forwarded to the backend pool, which contains the VM we want to access.
5. Because the session was established from inside the on-premises network, the firewall treats the return traffic as part of that session and it flows back to the laptop seamlessly.
This way, without opening any ports in the on-premises firewall, we are able to reach our VM in Azure.
Be aware of what you have built, though: an RDP/SSH endpoint reachable from the whole internet on a port that is scanned constantly. Lock the load balancer's backend down with a network security group that allows the management port only from your organization's public egress address, and tell your security team what you have done; this is a workaround for the approval process, not a reason to skip it.
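Below is the load balancer setup the steps above describe, as an added Azure CLI example that is not code from the original post; it also shows the inbound NAT translation (443 to 3389/22) explained earlier. It assumes the VM already exists with a NIC (placeholder name vm1VMNic, ip-config ipconfig1) that has an NSG attached and no Basic-SKU public IP, because a Standard load balancer cannot be mixed with Basic public IPs. The resource group, region, load balancer names and the office egress address 203.0.113.10/32 are placeholders. It uses the Standard SKU rather than the post's Basic SKU because Basic is being retired. By default it only prints the plan (DRY_RUN=1) so it can be reviewed without creating anything.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): publish an Azure VM's SSH or RDP
# port on TCP 443 through a public load balancer with an inbound NAT rule.
# All names and addresses below are placeholders/assumptions.
set -eu

RG="${RG:-rg-mgmt-lab}"
LOCATION="${LOCATION:-westeurope}"
VM_NIC="${VM_NIC:-vm1VMNic}"                        # NIC of the VM to reach (assumed name)
NSG="${NSG:-vm1NSG}"                                # NSG on that NIC or its subnet (assumed name)
OFFICE_EGRESS="${OFFICE_EGRESS:-203.0.113.10/32}"   # your organization's public NAT address (TEST-NET-3)
LB="lb-mgmt"; PIP="pip-lb-mgmt"; FE="fe-mgmt"; POOL="pool-mgmt"

# DRY_RUN=1 (the default) prints each az command instead of running it, so the
# plan can be reviewed before anything is created. Set DRY_RUN=0 to apply.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# build_lb <backend-port>: 22 for a Linux VM (SSH), 3389 for a Windows VM (RDP).
# A frontend IP/port pair can back only one inbound NAT rule, so this is one VM
# and one management protocol per 443 frontend.
build_lb() {
  local port="$1"
  local rule="nat-443-to-${port}"

  # Standard SKU: blocks all inbound traffic until an NSG rule allows it.
  run az network public-ip create -g "$RG" -l "$LOCATION" -n "$PIP" \
      --sku Standard --allocation-method Static
  run az network lb create -g "$RG" -l "$LOCATION" -n "$LB" --sku Standard \
      --public-ip-address "$PIP" --frontend-ip-name "$FE" --backend-pool-name "$POOL"

  # The inbound NAT rule: frontend TCP 443 -> backend TCP 22 or 3389.
  run az network lb inbound-nat-rule create -g "$RG" --lb-name "$LB" -n "$rule" \
      --protocol Tcp --frontend-ip-name "$FE" --frontend-port 443 --backend-port "$port"

  # Bind the rule to the VM's NIC (assumes the default ip-config name "ipconfig1").
  run az network nic ip-config inbound-nat-rule add -g "$RG" --nic-name "$VM_NIC" \
      --ip-config-name ipconfig1 --lb-name "$LB" --inbound-nat-rule "$rule"

  # NSG rules are evaluated after the NAT, so match the backend port (22/3389),
  # not 443, and allow it only from the office's public egress address.
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n "allow-mgmt-from-office" \
      --priority 100 --direction Inbound --access Allow --protocol Tcp \
      --source-address-prefixes "$OFFICE_EGRESS" --destination-port-ranges "$port"
}

# classify_banner <first-line-received>: what answered on port 443?
#   ssh   - an SSH server spoke first, so the 443 -> 22 path works end to end
#   none  - nothing arrived: a proxy or firewall is not passing raw TCP on 443
#   other - something else answered (e.g. an HTTP error page from a proxy)
classify_banner() {
  case "$1" in
    "")    echo none ;;
    SSH-*) echo ssh ;;
    *)     echo other ;;
  esac
}

# probe_ssh <frontend-ip> [port]: run from the laptop (bash, uses /dev/tcp) to
# check the path before debugging the client. Only meaningful for SSH, because
# an RDP server waits for the client to speak first.
probe_ssh() {
  local line=""
  line="$( exec 3<>"/dev/tcp/$1/${2:-443}"; IFS= read -r -t 5 line <&3 || true; printf '%s' "$line" )" || true
  classify_banner "$line"
}

build_lb "${BACKEND_PORT:-22}"
```

Run the script as-is to print the plan; `DRY_RUN=0 BACKEND_PORT=3389 ./lb443.sh` applies it for a Windows VM. From the laptop, connect to the frontend IP on 443 (`ssh -p 443 azureuser@<frontend-ip>` or `mstsc /v:<frontend-ip>:443`). If the client hangs, `probe_ssh <frontend-ip>` tells you whether anything SSH-like answered: `none` or `other` means a proxy or firewall is handling port 443 itself rather than passing raw TCP, which is the caveat noted earlier.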