I have just deployed my first Windows Server instance on Azure, but I am struggling to log in. I tried using the public IP address, but the connection keeps timing out. Do I need to enable specific ports in the Network Security Group, or is there a way to connect directly through the Azure Portal using Bastion? I want to ensure my connection is secure and follows best practices for administrative access without exposing the VM to the public internet.
3 answers
To connect to your Azure Windows VM, the most common method is using Remote Desktop Protocol (RDP). First, navigate to the Azure Portal, select your VM, and click 'Connect.' You must ensure that port 3389 is open in your Network Security Group (NSG) inbound rules for your specific local IP address. However, for better security, I highly recommend using Azure Bastion. Bastion allows you to connect through your browser over SSL (port 443), meaning you don't have to expose port 3389 to the internet. Once Bastion is provisioned, you simply enter your VM credentials directly in the portal interface, and a secure desktop session will open in a new tab without requiring a public IP.
Have you checked if your local corporate firewall blocks outgoing traffic on port 3389, and are you using a Just-In-Time (JIT) access policy through Microsoft Defender for Cloud? If JIT is enabled, you won't be able to connect until you explicitly request access via the portal, which temporarily opens the necessary ports only for your current IP address to minimize the window of vulnerability.
The simplest way for a quick test is to download the RDP file directly from the 'Connect' blade in the Azure Portal. It pre-fills the IP address for you, so you just need to enter the admin username and password.
I agree with Linda for dev environments, but just a reminder to everyone: never leave port 3389 open to 'Any' source. I checked my logs once and saw thousands of brute-force attempts within minutes of the VM going live. Always restrict that NSG rule to your specific IP!
Christopher, that JIT point is crucial for production environments. To answer your question, if the corporate firewall is the issue, that's exactly where Azure Bastion shines because it uses standard HTTPS port 443. Most firewalls allow 443 by default, so switching to Bastion usually bypasses those local connectivity headaches while simultaneously improving the overall security posture of the cloud infrastructure.