Replica DCs on Azure – Removing the Azure Endpoints

June 21, 2016 at 10:04 am in Azure, Azure Endpoints, Cloud, DC, hybrid cloud, IaaS, PowerShell, RDP, Replica DC, W2K12R2 by Wim Matthyssen

This blog post is part of the step-by-step to deploy replica DCs on Microsoft Azure which can be found here: http://scug.be/wim/2015/09/28/deploying-replica-dcs-in-windows-azure/

All VMs that you create in Azure can automatically communicate using a private network channel with other VMs in the same cloud service or VNet. However, other resources on the Internet or resources from other VNets require endpoints to handle the inbound network traffic to those VMs. That’s why when you create a new Azure  IaaS v1 VM (Azure Service Manager deployment model), Azure automatically creates two endpoints: Remote Desktop and Windows PowerShell Remoting. Both endpoints consist of a protocol (TCP or UDP) and have a public (for example 54036) and a private (for example 3389) port. The public port is used by the Azure load balancer to listen for incoming traffic to the IaaS VM from the Internet. The private port on the other hand is used by the IaaS VM itself to listen for incoming traffic to an application or service running on the VM.

After the creation of this new VM it’s possible to create additional endpoints if needed. The VM deployment wizard provides pre-defined endpoint configurations not only for Remote Desktop and PowerShell, but also for SSH, FTP, SMTP, DNS, HTTP, POP3, IMAP, LDAP, HTTPS, SMTPS, IMAPS, POP3S, MSSQL and MySQL. If the needed service isn’t in this list,  you can also  also create your own service endpoint and define the protocols and ports needed.

You can manage and isolate the incoming traffic to the public ports of these endpoints by configuring access control list (ACL) rules. By using ACLs, you can for example, only permit access to a specific service from a set of trusted hosts or networks.

However, for security best practices, it’s always advisable when an IaaS VM is configured and a Site-to-site VPN (S2S) exists, to remove all endpoints you don’t need (like RDP) and only to use them when their really needed (for example to access a IIS hosted website from the Internet on port 443). When the S2S is in place, you can connect to the VM through the use of the standard local RDP port (3389) via the secure IPsec VPN tunnel instead of connecting over the public Internet.

In this blog post I will show you how you can delete the RDP and PowerShell endpoint manually by making use of the Azure Classic Portal (AZGR-DC-01) and how to do it with the use of Azure PowerShell (AZGR-DC-02). So, let’s get started.

Manually remove the Azure Endpoints through the Azure Classic Portal

1) Logon to the Azure Classic Portal as a Service administrator or Co-administrator

2) In the navigation pane, click VIRTUAL MACHINES and then click the name of the VM where the endpoint needs to be deleted (AZGR-DC-01)

clip_image002

3) Select ENDPOINTS

clip_image004

4) Select the Remote Desktop endpoint and click DELETE

clip_image006

5) Select YES when asked Are You sure that you want to delete endpoint Remote Desktop? This will start the deletion process

clip_image008

clip_image010

clip_image012

6) When the Remote Desktop endpoint is successfully deleted, you can test or you’re still able to RDP to the VM over the Internet. First of all, like you can see the CONNECT button is disabled

clip_image014

7) If we try to connect through the previously downloaded RDP file, no connection is possible

clip_image016

clip_image017

clip_image018

clip_image019

8) However, when we logon to GR-DC-01 and open mstsc via Run, we are still able to RDP to AZGR-DC-01 like it should, because we connect over the internal network

clip_image021

clip_image022

clip_image024

9) You can also repeat the above steps, to delete the Remote PowerShell endpoint

 

Remove the Azure Endpoints through the use of Azure PowerShell

1) Open Windows PowerShell ISE, logon with your Azure account and select the correct Azure Subscription

2) Run following Azure PowerShell cmdlet:

clip_image026

3) Run following cmdlet to check the existing endpoints for the VM

clip_image028

4) Like you can see only the Remote PowerShell endpoint still exists, which we also can verify in the Azure Classic Portal

clip_image030

5) To delete the PowerShell endpoint run following cmdlet:

clip_image032

6) After running this cmdlet no endpoint longer exist for the AZGR-DC-02 VM

clip_image034

clip_image036

That ends the final part of this series. If had a lot of fun while writing these series and I really hope, it’s useful for some people. If someone has any questions about the series or a specific part of it, you can always contact me through my Twitter handle.

Till next time!

Wim Matthyssen (@wmatthyssen)

Share on LinkedInTweet about this on TwitterShare on Google+Share on Facebook