  • Section-Based – Implement and Manage Virtual Networking (AZ-104) Question 5

  • penatuna

    Member
    July 10, 2025 at 1:31 pm

    I might be wrong, but wouldn’t denying incoming RDP connections with an NSG also deny the RDP connection via the site-to-site VPN?

    IMHO, the correct way should be

    • Deny inbound port 3389 from “Internet” or “Any”

    • Allow inbound port 3389 from your on-premises IP ranges, which are reachable via the VPN

  • Irene-TutorialsDojo

    Administrator
    July 11, 2025 at 2:38 pm

    Hi penatuna,

    Thank you for your insightful feedback on the Azure question.

    You’re absolutely correct that a single NSG rule denying inbound RDP (port 3389) from “Any” would block RDP from both the internet and the on-premises network via the site-to-site VPN, which doesn’t meet the requirement.

    We’ve updated the question to clarify that Option 4 involves two NSG rules: one with a higher priority (e.g., 100) to allow RDP from the known on-premises IP range (e.g., 192.168.0.0/16), and another with a lower priority (e.g., 200) to deny RDP from the “Internet” service tag. This ensures on-premises RDP access works via the VPN’s private IP range, while blocking public internet access. The existing HTTPS (port 443) access from the internet remains unaffected. The updated question and explanation will soon be reflected in the portal.

    Please let us know if you have any further questions or feedback!

    Best,
    Irene @ Tutorials Dojo
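
The difference between the single deny rule and the two-rule layout discussed in this thread, shown as an added example that is not part of the original posts or the practice question: a simplified Python model of NSG inbound evaluation (lowest priority number first, first match wins). The rule names, the HTTPS rule's priority, the sample source addresses, and the treatment of the "Internet" tag as "any address outside RFC 1918 space" are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Simplification (assumption): "Internet" = any source outside RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Rule:
    name: str            # constructed names, not from the thread
    priority: int        # lower number = evaluated first
    source: str          # "Any", "Internet", or a CIDR prefix
    port: Optional[int]  # None = any destination port
    access: str          # "Allow" or "Deny"

def source_matches(rule_source, src_ip):
    addr = ipaddress.ip_address(src_ip)
    if rule_source == "Any":
        return True
    if rule_source == "Internet":
        return not any(addr in net for net in RFC1918)
    return addr in ipaddress.ip_network(rule_source)

def evaluate(rules, src_ip, dst_port):
    """Return (access, rule name) of the first matching rule by priority."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if source_matches(rule.source, src_ip) and rule.port in (None, dst_port):
            return rule.access, rule.name
    return "Deny", "no-match"

# Constructed stand-ins for the existing HTTPS rule and the default deny.
ALLOW_HTTPS = Rule("AllowHttpsInternet", 300, "Internet", 443, "Allow")
DENY_ALL = Rule("DenyAllInBound", 65500, "Any", None, "Deny")

# Single rule denying RDP from "Any": also blocks the VPN path.
SINGLE_DENY = [Rule("DenyRdpAny", 100, "Any", 3389, "Deny"), ALLOW_HTTPS, DENY_ALL]

# Two rules, with the priorities and prefix given in the reply above.
TWO_RULES = [Rule("AllowRdpOnPrem", 100, "192.168.0.0/16", 3389, "Allow"),
             Rule("DenyRdpInternet", 200, "Internet", 3389, "Deny"),
             ALLOW_HTTPS, DENY_ALL]

if __name__ == "__main__":
    # Constructed sample sources: one on-premises host, one public address.
    for label, rules in (("single deny", SINGLE_DENY), ("two rules", TWO_RULES)):
        for src, port in (("192.168.10.5", 3389), ("203.0.113.10", 3389),
                          ("203.0.113.10", 443)):
            print(label, src, port, evaluate(rules, src, port))
```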
