Connecting to an Azure Virtual Machine

The purpose of this post is to illustrate how to connect to an Azure virtual machine (VM). Firstly, by connecting via the less secure RDP and then via the more secure Bastion

1.) Connecting via RDP

A virtual machine is created with a public IP address of (Figures 1 & 2)

Figure 1
Figure 2

The PC being used to RDC to the VM is running on a network that has port 3389 opened. So, the following call will successfully connect to the VM (Figures 3 & 4)

Figure 3
Figure 4

If port 3389 is blocked

If the PC being used to RDP to the VM is running on a network that blocks port 3389. A load balancer needs to be created in order to connect to the VM (Figure 5)

Figure 5

The load balancer is exposed to the internet via a frontend IP (Figure 6)

Figure 6

The load balancer is exposed via port 443 (Figure 7) (An inbound NAT rule is used to forward traffic from the load balancer frontend to the VM instance exposed on port 3389.)

Figure 7
Figure 8
Figure 9

The VM is now exposed to the internet via two IP addresses (Figures 10 & 11)

Figure 10
Figure 11
Figure 12

The resources that have been created are listed in Figure 13

Figure 13

The physical PC being used to RDC to the VM can now successfully connect (Figures 14 & 15)

Figure 14
Figure 15


Two publicly exposed IPs have been created: & Either of these can be used to RDP to the VM

2.) Connecting via Bastion

(Note: this section assumes that all the steps in section one have been followed.)

Bastion is a more secure way of connecting to a VM (than connecting via RDP) and is recommended by Microsoft

Implementing Bastion

Figure 16
Figure 17
Figure 18

The resources that have been created to implement Bastion are listed in Figure 19 (along with the previously created resources)

Figure 19
Figure 20

Pressing the ‘Connect’ button (and selection Bastion in Figure 20) successfully connects to the VM. The VM is displayed within a Microsoft Edge browser (Figure 21)

Figure 21

This IP address was generated when Bastion was implemented (Figure 22)

Figure 22

For an extra layer of security, the Bastion IP address is specified as the source IP address for access to port 3389 (Figure 23)

Figure 23

Also, to increase security, port 443 is set to ‘Deny’ (Figure 24)

Figure 24

Disconnecting the two publicly exposed IP addresses

In section one of this post, two IP addresses where publicly exposed on the internet: & Now that Bastion has been setup, it’s no longer necessary to expose these two IP addresses

Public IP address

This IP address could simply be deleted, or, as in this case, disassociated from the virtual machine (Figure 25)

Figure 25
Public IP address

Finally, the other IP address that was exposed to the internet is disassociated from the network interface. (Figure 26 & 27)

Figure 26
Figure 27


Both publicly exposed IP addresses are now no longer exposing the VM (one being disassociated from the VM (via the NAT rule), and the other being disassociated from the network interface). Now, the only way to connect to the VM is via Bastion


Working with NSG access and Azure Bastion