Administration Host Security Group

Allow the following inbound traffic:

Type | Protocol | Port / Port Range | Source          | Description
-----|----------|-------------------|-----------------|---------------------------------------------
RDP  | TCP      | 3389              | Your IP address | Remote connection to the Administration Host

This inbound rule applies to a Windows instance in our case. Enter as the source the address from which you plan to connect to the Administration Host.

Access your servers using Administration host

When designing the Administration host for your Azure infrastructure, you should use it only for maintenance and administration. You need to keep it locked down as much as possible and avoid opening unnecessary security holes. You could look into hardening your chosen operating system for even tighter security. In order to minimize security risks, you should start your Administration host instances only when you need access to your servers in Azure.

Here are the basic steps for creating a bastion host for your Azure infrastructure (see section Launch an instance for the Administration Host):

  1. Launch a VM.
  2. Apply your OS hardening as required.
  3. Set up the appropriate network security groups (NSG).
  4. Implement either SSH-Agent Forwarding (Linux connectivity) or Remote Desktop Gateway (Windows connectivity).

Network Security groups are essential for maintaining tight security and play a big part in making this solution work. First, you need to create a network security group or update an existing one that will be used to allow connectivity from the Administration host for your existing private instances (see the SecureTransport Server Network Security Group in the Network Security groups section of the guide). This NSG should only accept SSH or RDP inbound requests from your Administration hosts. Apply this group to all your private instances that require connectivity.

Next, create a network security group to be applied to your Administration host. Inbound and outbound traffic must be restricted at the protocol level as much as possible. The inbound rule base should accept SSH or RDP connections only from the specific IP addresses (usually those of your administrators' work computers). See the Administration Host Network Security Group in the Network Security groups section of the guide. Your outbound connection should again be restricted to SSH or RDP access to the private instances of your Azure infrastructure. An easy way to do this is to populate the 'Destination' field with the IP of your private instances.
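The two network security groups described above, modelled as an added example that is not part of this guide: a small first-match evaluator that mirrors how Azure applies NSG rules (ascending priority, built-in default rules last), plus the Administration host NSG and the SecureTransport server NSG built the way the steps above require. All addresses are constructed sample values, and the service tags are simplified (VirtualNetwork is the sample VNet range, Internet is everything outside it). The audit shows the caveat a practitioner needs: Azure's default AllowVnetInBound, AllowVnetOutBound and AllowInternetOutBound rules still apply underneath your custom allow rules, so the restriction to "only the Administration host" and "only the private instances" holds only if you add explicit Deny rules at a lower priority number than the defaults.

```python
"""Model the Administration host and SecureTransport server NSGs and check
them with a first-match evaluator that mirrors Azure NSG semantics."""
import ipaddress
from dataclasses import dataclass

# Constructed sample addresses (not from the guide).
VNET = ipaddress.ip_network("10.0.0.0/16")   # the VNet address space
ADMIN_WORKSTATION = "203.0.113.10"           # "Your IP address" in the rule table
ADMIN_HOST = "10.0.1.4"                      # Administration host
ST_SERVERS = ("10.0.2.4", "10.0.2.5")        # private SecureTransport servers
AZURE_LB = "168.63.129.16"                   # Azure load balancer probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules; lowest number is matched first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, service tag or "*"
    destination: str
    ports: tuple       # destination port ranges, e.g. ("22", "3389")


def default_rules():
    """Azure's built-in rules: present in every NSG and not removable."""
    return [
        Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", ("*",)),
        Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", ("*",)),
        Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", ("*",)),
        Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", ("*",)),
        Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", ("*",)),
        Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", ("*",)),
    ]


def addr_match(prefix, ip):
    """Simplified service-tag model: VirtualNetwork == VNET, Internet == not VNET."""
    ip = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET
    if prefix == "Internet":
        return ip not in VNET
    if prefix == "AzureLoadBalancer":
        return str(ip) == AZURE_LB
    return ip in ipaddress.ip_network(prefix, strict=False)


def port_match(ports, port):
    for spec in ports:
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, direction, protocol, src, dst, dport):
    """Return (access, rule name) of the first match by ascending priority."""
    for r in sorted(list(rules) + default_rules(), key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", protocol)
                and addr_match(r.source, src) and addr_match(r.destination, dst)
                and port_match(r.ports, dport)):
            return r.access, r.name
    raise RuntimeError("a DenyAll default rule always matches")


def admin_host_nsg():
    """Inbound: RDP from the admin workstation only. Outbound: SSH/RDP to the
    private servers only. Explicit Deny rules at priority 4000 sit ahead of the
    65000+ defaults, so AllowVnet*/AllowInternetOutBound never get a chance."""
    rules = [Rule("AllowRdpFromAdminWorkstation", 100, "Inbound", "Allow", "Tcp",
                  ADMIN_WORKSTATION + "/32", "*", ("3389",)),
             Rule("DenyAllInbound", 4000, "Inbound", "Deny", "*", "*", "*", ("*",)),
             Rule("DenyAllOutbound", 4000, "Outbound", "Deny", "*", "*", "*", ("*",))]
    for i, server in enumerate(ST_SERVERS):   # 'Destination' = each private instance
        rules.append(Rule(f"AllowSshRdpToServer{i}", 100 + i, "Outbound", "Allow", "Tcp",
                          "*", server + "/32", ("22", "3389")))
    return rules


def server_nsg():
    """Inbound: SSH/RDP from the Administration host only."""
    return [Rule("AllowSshRdpFromAdminHost", 100, "Inbound", "Allow", "Tcp",
                 ADMIN_HOST + "/32", "*", ("22", "3389")),
            Rule("DenyAllInbound", 4000, "Inbound", "Deny", "*", "*", "*", ("*",))]


def audit(drop_explicit_denies=False):
    """Evaluate representative flows; returns {check: access}. With
    drop_explicit_denies=True only the Allow rules are kept, to show what the
    Azure defaults let through on their own."""
    def keep(rules):
        return [r for r in rules if r.access == "Allow"] if drop_explicit_denies else rules
    admin, server = keep(admin_host_nsg()), keep(server_nsg())
    other = "198.51.100.7"   # constructed non-VNet address
    return {
        "admin_rdp_from_workstation": evaluate(admin, "Inbound", "Tcp", ADMIN_WORKSTATION, ADMIN_HOST, 3389)[0],
        "admin_rdp_from_elsewhere": evaluate(admin, "Inbound", "Tcp", other, ADMIN_HOST, 3389)[0],
        "admin_ssh_to_server": evaluate(admin, "Outbound", "Tcp", ADMIN_HOST, ST_SERVERS[0], 22)[0],
        "admin_https_to_internet": evaluate(admin, "Outbound", "Tcp", ADMIN_HOST, other, 443)[0],
        "server_ssh_from_admin_host": evaluate(server, "Inbound", "Tcp", ADMIN_HOST, ST_SERVERS[0], 22)[0],
        "server_ssh_from_other_vnet_host": evaluate(server, "Inbound", "Tcp", "10.0.3.9", ST_SERVERS[0], 22)[0],
    }


if __name__ == "__main__":
    for name, access in audit().items():
        print(f"{name:32} {access}")
    print("without explicit denies:", audit(drop_explicit_denies=True))
```

Running the audit with the explicit Deny rules removed shows the two gaps the defaults leave open: the Administration host can reach the Internet on any port through AllowInternetOutBound, and any other VM in the VNet can reach the servers on 22/3389 through AllowVnetInBound. The same check applies to the real rule set: after creating the NSGs, confirm that every Allow rule is followed by a Deny rule with a priority number below 65000 in each direction you intend to restrict.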

Related Links