Associate Azure Public IP to VM on-prem for RDP

Riza Marhaban 20

I have established a Site-to-Site VPN connection from Azure to On-Prem VM. The server is connected, and I can access or ping from other Azure VM within the same VNET. Now, I wanted to add a new Public IP on Azure, and I would like to associate this public IP to the on-prem VM. Similar like if we create a VM on Azure, we can associate a public IP to it so we can RDP to the Azure VM. This time I would like to RDP to the on-prem VM through Azure Public IP. As the on-prem VM is connected to Azure via site-to-site VPN, technically this can be done. Right? But, how can I do that? Please don't advise me to use Bastion or whatever way, I know that. What I need is a Public IP for RDP to the on-prem VM via Azure.

Deepanshukatara-6769 8,940 Reputation points

2024-09-05T07:29:50.3666667+00:00
Hello Riza, Welcome to MS Q&A

I think what exactly you are looking for is not possible to associate a public IP address to an on-premises VM through Azure Site-to-Site VPN. Public IP addresses can only be associated with virtual machines running in Azure.

For more information, you can refer to the following documentation:

Associate a public IP address to a virtual machine

Assign a public IP to a virtual machine

Please let me know if you have further questions

Kindly accept if it helps

Thanks!

Regards,
Deepanshu
Riza Marhaban 20 Reputation points

2024-09-05T07:37:47.5133333+00:00

I understand we cannot directly associate Azure Public IP like Azure VM. I'm looking from other IT Pro perspective. In my opinion, it should be a way as this is just networking related. Azure has route table, NAT gateway, load balancer, etc. Maybe there is a way to forward the packet to the VPN tunnel and to the VM.
Riza Marhaban 20 Reputation points

2024-09-05T07:42:30.65+00:00

I understand we cannot directly associate Azure Public IP like Azure VM. I'm looking from other IT Pro perspective. In my opinion, it should be a way as this is just networking related. Azure has route table, NAT gateway, load balancer, etc. Maybe there is a way to forward the packet to the VPN tunnel and to the VM.
Neuvi Jiang 1,075 Reputation points Microsoft Vendor

2024-09-06T02:53:18.0133333+00:00
Hi Riza Marhaban,

Thank you for posting in the Microsoft Community Forums.

Here is a possible solution:

Setting up the Azure VPN Gateway and Local Gateway in Azure

First, make sure that your Site-to-Site VPN connection is properly set up and that the connection between the Azure VPN gateway and the local gateway is active. This is the basis for enabling access to local resources over the Azure network.

Create a virtual machine in Azure as a springboard machine

Create Azure VM: Create a new virtual machine (springboard machine) in Azure and assign it a public IP address.

Configure the network: make sure this Azure VM can connect to your local network via Site-to-Site VPN.

Install RDP service (if not already installed): Install and configure the Remote Desktop Service on the Azure VM so that it can connect via RDP.

Configure routing and firewall rules

Configure routing: Ensure that the routing table on the Azure VM allows access to the local network through the Site-to-Site VPN.

Configure firewall rules:

Configure firewall rules on the Azure VM to allow RDP connections (default port is 3389).

Configure firewall rules on the local VM to allow RDP connections from the Azure VM.

Connecting to the local VM through the Azure VM

Connect to Azure VM using RDP: First, connect to the Azure VM through its public IP address and RDP port (3389 by default).

Connecting to the local VM from the Azure VM: On the Azure VM, connect to the local VM over an internal network (i.e., Site-to-Site VPN) using an RDP client or other remote desktop tool.

Consider using Azure Bastion (if needed in the future)

While you have made it clear that you do not want to use Azure Bastion, it is worth noting that Azure Bastion provides a more secure way to access Azure VMs without the need to assign public IP addresses directly to the VMs. it uses a browser in the Azure portal to connect, eliminating the need to open up RDP ports on VMs or configure complicated network settings.

Best regards

Neuvi

Accepted answer

KapilAnanth-MSFT 44,311 Reputation points Microsoft Employee

2024-09-06T06:48:37.58+00:00
@Riza Marhaban ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

As per your observation, there is no out of the box service available in Azure as of today, to support this.

The possible solution is that you can use a NVA (Such as Azure Firewall) and NAT the traffic to your OnPrem server

Deploy an Azure Firewall on the Azure VNET which contains the VPN Gateway

Note that Azure Firewall comes with it's own Public IP

Azure Firewall also supports DNAT

See : Filter inbound Internet or intranet traffic with Azure Firewall DNAT

Let's say the Azure Firewall's Public IP is A.A.A.A and OnPrem server's private IP is B.B.B.B

Then you should create a DNAT Rule such that

Protocol : TCP

Source type : IP address

Source : *

Destination Addresses : A.A.A.A (Azure Firewall's Public IP)

Destination ports : 3389

Translated Address : B.B.B.B (OnPrem server's private IP)

Translated port : 3389 (OnPrem server's RDP Port)

This way, Azure Firewall is practically acting as Cloud NAT Device to your OnPrem server for RDP.

You can also use other 3rd party NVAs after validating whether they support a similar NAT feature.

Also see : Rule processing Logic in Firewall Policy

P.S : I did a lab and I can confirm this is working. From the logs, you can see the traffic is allowed

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.
Please sign in to rate this answer.

1 person found this answer helpful.
Riza Marhaban 20 Reputation points

2024-09-09T03:43:03.4333333+00:00

Thank you. It works. 👏

KapilAnanth-MSFT 44,311 Reputation points Microsoft Employee

2024-09-09T04:23:15.15+00:00

@Riza Marhaban ,

Glad we could be of service.

Thanks for your continued contribution on Q&A and appreciate much for taking the time to share your feedback.

Cheers,

Kapil
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Associate Azure Public IP to VM on-prem for RDP

0 additional answers

Your answer