Azure VM RDP outbound NSG rule
I want to secure my web server VM, restricting it essentially to ports 443 and 3389 only. I denied all other outbound and inbound traffic in the VM's NSG. But after doing that I can no longer RDP in. When I relax the NSG to allow all outbound traffic, RDP starts working. My question is: which outbound ports and protocols does the RDP service need open in the NSG besides 3389?
thesushil: It turned out that in my case I only had to add an outbound rule allowing Azure AD traffic over HTTP and HTTPS, because I had enabled Azure AD authentication. But I think the answer below will help others.
By default, the RDP server listens on TCP port 3389 and UDP port 3389. Read the wiki. You could also change the listening port for Remote Desktop.
If you want to restrict the Azure VM to ports 443 and 3389, you can add inbound port rules like this so that only your client's specific IP address can access the Azure VM.
Also note that if inbound traffic is allowed over a port, you don't need to specify an outbound security rule to respond to traffic over that port. Read https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#security-rules
Network security group security rules are evaluated by priority using the 5-tuple information (source, source port, destination, destination port, and protocol) to allow or deny the traffic. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it's not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it's not necessary to specify an outbound security rule to respond to traffic over the port. Existing connections may not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction, for at least a few minutes.
Hope it helps.
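As an added example (not code from the answer above or from Microsoft), here is a Bicep definition of the NSG this thread describes: inbound 443 from anywhere, inbound 3389 (TCP and UDP) from one admin IP only, an explicit deny for everything else inbound, and, because the asker's VM uses Azure AD sign-in, an outbound allowance for Azure AD over HTTP/HTTPS before denying all other outbound traffic. The resource names, the constructed admin IP and the choice of the AzureActiveDirectory service tag as the outbound destination are this example's assumptions.

```bicep
// Added example, not from the original post. Assumptions: resource names, the
// constructed admin IP below, and the AzureActiveDirectory service tag as the
// destination for the outbound HTTP/HTTPS rule the asker needed.
param location string = resourceGroup().location
param adminClientIp string = '203.0.113.10' // constructed placeholder: your client's public IP

resource webVmNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'webvm-nsg'
  location: location
  properties: {
    securityRules: [
      // Public HTTPS to the web server.
      { name: 'Allow-HTTPS-In', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: 'Internet', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '443' } }
      // RDP listens on TCP and UDP 3389, so protocol '*' covers both; only the admin IP may connect.
      { name: 'Allow-RDP-Admin-In', properties: { priority: 110, direction: 'Inbound', access: 'Allow', protocol: '*', sourceAddressPrefix: adminClientIp, sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '3389' } }
      // Explicit deny that sits ahead of the platform default rules (priority 65000 and up).
      { name: 'Deny-All-In', properties: { priority: 4000, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } }
      // Azure AD sign-in for RDP needs the VM to reach Azure AD over HTTP and HTTPS.
      // Replies to the inbound 443/3389 flows need no outbound rule: the NSG is stateful.
      { name: 'Allow-AzureAD-Out', properties: { priority: 100, direction: 'Outbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: 'AzureActiveDirectory', destinationPortRanges: [ '80', '443' ] } }
      // Everything else outbound is denied; this also blocks DNS, Windows Update and similar,
      // so add narrow allow rules for whatever the VM genuinely needs.
      { name: 'Deny-All-Out', properties: { priority: 4000, direction: 'Outbound', access: 'Deny', protocol: '*', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file nsg.bicep --parameters adminClientIp=<your-ip>` and then associate the NSG with the VM's NIC or subnet.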