How to secure Azure RDP virtual machine access with a jumpbox
A jumpbox can be a handy tool to improve security in a Microsoft Azure deployment. For starters, it lets IT remove the public IP address that is automatically associated with each VM.
There are many ways to access a Microsoft Azure cloud deployment, including through a VPN, terminal services or Remote Desktop Protocol. No matter the method, security should always be top of mind.
One way to connect to an Azure cloud deployment that enables secure access between on-premises resources and the cloud is through a jumpbox, which provides RDP access to the Azure virtual machines. A jumpbox is a Windows server that IT places in front of its other servers to add a security layer, so that no other Azure VM has to be exposed to the public internet.
Jumpbox and public IP addresses
When IT creates an Azure server, the endpoint gets both a public and a private IP address by default. The public IP address is exactly that -- an address that is reachable by anyone with access to the internet.
If an Azure server has a public IP address, it is an immediate security risk because the server becomes reachable by anyone on the internet. Ideally, administrators should secure their servers by removing the public IP address, but doing so also removes the administrator's own path to the server. This is where the jumpbox becomes an option.
With a jumpbox in place, IT removes the public IP from each internal Azure server; only the jumpbox keeps a public address. When configuring virtual machine access this way, only the jumpbox can reach the internal VMs, which ensures that the sole path to the virtual machines in Azure is through the jumpbox.
Apply jumpbox in the real world
An enterprise has a solid and well-adopted Microsoft Office 365 deployment with on-premises Active Directory synchronized to Azure Active Directory through Azure AD Connect. IT also has a properly configured network in place between on premises, the cloud and the Azure servers used by its development and product teams. The deployment is secured with a VPN and firewalls, so domain-joined computers reach the virtual machines without any public IPs being exposed. Everything is in working order.
A new project requires the organization to purchase a test Office 365 tenant for a Microsoft SharePoint project. The test tenant must mimic production as closely as possible. This means that it has its own Active Directory server with its own accounts set up. The project will use Azure Active Directory and be populated by Azure AD Connect. The infrastructure for Active Directory and Azure AD Connect is in the Azure subscription that comes with the test tenant.
The test tenant does not need to connect to an on-premises infrastructure in this scenario. In fact, to ensure Active Directory isolation, it should not be connected. Given that this is a test tenant that could go away in time, IT does not need to set up networking to communicate with the on-premises deployment.
Once IT evaluates all the requirements and determines that a jumpbox is the best approach to deliver secure virtual machine access in the cloud, all an admin has to do is connect to the jumpbox and from there to the Active Directory server and the Azure AD Connect server in Azure.