Preventing RDP Access to Azure Virtual Machines from the Internet

Secure RDP Access to Azure Virtual Machines

Question

You have the Azure virtual network named VNet1 that contains a subnet named Subnet1. Subnet1 contains three Azure virtual machines. Each virtual machine has a public IP address.

The virtual machines host several applications that are accessible over port 443 to users on the Internet.

Your on-premises network has a site-to-site VPN connection to VNet1.

You discover that the virtual machines can be accessed by using the Remote Desktop Protocol (RDP) from the Internet and from the on-premises network.

You need to prevent RDP access to the virtual machines from the Internet, unless the RDP connection is established from the on-premises network. The solution must ensure that all the applications can still be accessed by the Internet users.

What should you do?

Answers

A. Modify the address space of the local network gateway.
B. Create a deny rule in a network security group (NSG) that is linked to Subnet1.
C. Remove the public IP addresses from the virtual machines.
D. Modify the address space of Subnet1.

Correct answer: B

Explanations

You can use a site-to-site VPN to connect your on-premises network to an Azure virtual network. Users on your on-premises network connect by using the RDP or SSH protocol over the site-to-site VPN connection. You don't have to allow direct RDP or SSH access over the internet.

https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices

The correct answer to this question is B. Create a deny rule in a network security group (NSG) that is linked to Subnet1.

Explanation:

In this scenario, the goal is to prevent RDP access to the virtual machines from the Internet, while still allowing access to the applications on port 443. To achieve this, we can use a network security group (NSG) to create a deny rule that blocks RDP traffic from the Internet and only allows RDP connections from the on-premises network.

Here are the steps to implement this solution:

  1. Open the Azure portal and navigate to the virtual network (VNet1) that contains Subnet1.

  2. Select Subnet1 and click on "Network security group" under the Settings section.

  3. If there is no existing NSG, create a new one and associate it with Subnet1.

  4. Create a new inbound security rule with the following settings:

    • Source: Internet
    • Destination: Any
    • Protocol: TCP
    • Destination port range: 3389
    • Action: Deny
    • Priority: A lower number than any existing allow rules

    This rule will block RDP traffic from the Internet.

  5. Create a new inbound security rule with the following settings:

    • Source: On-premises network
    • Destination: Any
    • Protocol: TCP
    • Destination port range: 3389
    • Action: Allow
    • Priority: A higher number than the deny rule

    This rule will allow RDP traffic from the on-premises network.

After implementing these rules, RDP traffic from the Internet will be blocked, but users will still be able to access the applications on port 443. RDP connections from the on-premises network will still be allowed.

Option A, Modify the address space of the local network gateway, is incorrect because it refers to the on-premises network and not the virtual network. Changing the address space of the local network gateway will not prevent RDP access from the Internet.

Option C, Remove the public IP addresses from the virtual machines, is incorrect because this will prevent access to the applications on port 443 from the Internet, which is not the desired outcome.

Option D, Modify the address space of Subnet1, is incorrect because it will not prevent RDP access from the Internet. Changing the address space of Subnet1 will affect the IP addresses of the virtual machines, but it will not address the RDP access issue.
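The following is an added example, not part of the original explanation or of any Azure tooling: a small model of how an NSG evaluates inbound rules (ascending priority number, first match wins, default rules at 65000 and 65500), used to check that the two rules from steps 4 and 5 block RDP from the Internet, keep port 443 open, and still admit RDP from on-premises. The address ranges (VNet1 as 10.0.0.0/16, on-premises as 192.168.0.0/16) and the sample source addresses are constructed for the example, and the "Internet" tag is simplified to mean any source outside those two ranges.

```python
# Added example (not from the original page): a model of Azure NSG inbound rule
# evaluation for the RDP scenario. Address ranges below are constructed.
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")        # assumed VNet1 address space
ON_PREM = ipaddress.ip_network("192.168.0.0/16")  # assumed on-premises range (via VPN)

def source_matches(src, src_ip):
    """Resolve an NSG source (service tag or CIDR) against a source address."""
    ip = ipaddress.ip_address(src_ip)
    if src == "Any":
        return True
    if src == "VirtualNetwork":   # VNet plus address spaces reached through the gateway
        return ip in VNET or ip in ON_PREM
    if src == "Internet":         # simplified: anything outside the VNet and on-premises
        return not (ip in VNET or ip in ON_PREM)
    return ip in ipaddress.ip_network(src)

# Inbound rules: (priority, source, protocol, destination port, action).
# A lower priority number is evaluated first; the first matching rule decides.
RULES = [
    (100, "Internet", "TCP", 3389, "Deny"),            # step 4: block RDP from the Internet
    (110, "192.168.0.0/16", "TCP", 3389, "Allow"),     # step 5: allow RDP from on-premises
    (200, "Internet", "TCP", 443, "Allow"),            # existing rule for the applications
    (65000, "VirtualNetwork", "Any", "Any", "Allow"),  # default AllowVnetInBound
    (65500, "Any", "Any", "Any", "Deny"),              # default DenyAllInBound
]

def evaluate(src_ip, proto, port):
    """Return the action ("Allow"/"Deny") of the first rule matching the flow."""
    for _prio, src, rproto, rport, action in sorted(RULES, key=lambda r: r[0]):
        if not source_matches(src, src_ip):
            continue
        if rproto not in ("Any", proto):
            continue
        if rport not in ("Any", port):
            continue
        return action
    return "Deny"  # unreachable with the default rules present, kept as a safe fallback

if __name__ == "__main__":
    # Constructed sample flows: an Internet client and an on-premises client.
    for flow in [("203.0.113.5", "TCP", 443), ("203.0.113.5", "TCP", 3389),
                 ("192.168.1.20", "TCP", 3389)]:
        print(flow, "->", evaluate(*flow))
```

Because the on-premises range is not covered by the "Internet" tag, the deny rule never matches VPN traffic, which is why the allow rule can sit at a higher priority number than the deny rule as the explanation states.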