Which Azure service enables secure remote access to virtual machines without exposing public IPs or open RDP/SSH ports? Learn how Azure Bastion protects VMs, reduces attack surfaces, and simplifies management.
Question
A company wants to improve the security of its Azure virtual machines by restricting SSH and RDP access without exposing public IPs. Which service should they use?
A. Azure Security Center
B. Azure Firewall
C. Azure Bastion
D. Azure Sentinel
E. Azure Monitor
Answer
C. Azure Bastion
Explanation
Azure Bastion provides secure remote access to Azure VMs without exposing them to the public internet.
The most effective Azure service for restricting SSH and RDP access to virtual machines without exposing public IP addresses is Azure Bastion.
- Secure Remote Access: Azure Bastion provides secure RDP and SSH connectivity to Azure VMs directly through the Azure portal, using an encrypted connection over SSL. This eliminates the need to assign public IP addresses to VMs or open RDP/SSH ports to the internet, significantly reducing the attack surface and exposure to threats such as port scanning and brute-force attacks.
- No Public IP Required: With Azure Bastion, VMs remain on private IP addresses within the virtual network. All management traffic passes through the Bastion host, which is the only component with a public endpoint, and can be tightly controlled and monitored.
- Integrated and Managed: Azure Bastion is a fully managed platform-as-a-service (PaaS) that automatically handles patching, scaling, and availability, so there is no need to maintain jump servers or VPNs.
- Ease of Use: Users connect to VMs through the Azure portal using their browser, requiring no additional client software. Access can be further protected with Azure Active Directory integration and multi-factor authentication.
- Network Security: Network Security Groups (NSGs) can be configured to allow RDP/SSH only from the Bastion subnet, blocking all other sources. This ensures that only authorized connections from the Bastion host reach the VMs.
Azure Bastion enables secure, seamless remote access to Azure VMs without exposing them to the public internet, eliminating the need for public IPs and open RDP/SSH ports, and providing a managed, scalable, and cost-effective solution for VM access.
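The NSG point above can be checked mechanically. The following is an added example, not part of the original explanation: it audits a list of NSG rules and reports every inbound Allow rule that opens SSH or RDP to a source other than the Bastion subnet. The rule field names are assumed to match the JSON printed by `az network nsg rule list`; the rule names, the `_rule` helper and the `10.0.1.0/26` range are constructed for illustration.

```python
import ipaddress

MGMT_PORTS = {22: "SSH", 3389: "RDP"}

def _covers(spec, port):
    """True if an NSG port spec ('*', '22', '20-25') includes port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _inside(source, bastion_net):
    """True only if source is an IP/CIDR fully inside the Bastion subnet."""
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:  # '*', 'Internet', 'VirtualNetwork' and other tags
        return False
    return net.version == bastion_net.version and net.subnet_of(bastion_net)

def audit_nsg(rules, bastion_cidr):
    """List (rule, service, source) for inbound Allow rules opening SSH/RDP to
    non-Bastion sources. Shadowing by a higher-priority Deny is not modelled."""
    bastion_net = ipaddress.ip_network(bastion_cidr)
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if (rule.get("protocol") or "*").lower() not in ("*", "tcp"):
            continue
        ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange") or "*"]
        sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix") or "*"]
        for port, service in MGMT_PORTS.items():
            if any(_covers(p, port) for p in ports):
                findings += [(rule["name"], service, s) for s in sources
                             if not _inside(s, bastion_net)]
    return findings

def _rule(name, priority, access, source, ports):  # builds a constructed rule
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": "Tcp", "sourceAddressPrefix": source, "destinationPortRanges": ports}

# Constructed sample rules; 10.0.1.0/26 stands in for the AzureBastionSubnet range.
SAMPLE_RULES = [
    _rule("allow-mgmt-from-bastion", 100, "Allow", "10.0.1.0/26", ["22", "3389"]),
    _rule("allow-rdp-any", 200, "Allow", "*", ["3389"]),
    _rule("allow-low-ports-vnet", 300, "Allow", "VirtualNetwork", ["20-25"]),
    _rule("deny-all-inbound", 4096, "Deny", "*", ["*"]),
]
if __name__ == "__main__":
    print(audit_nsg(SAMPLE_RULES, "10.0.1.0/26"))
```

Service tags such as `VirtualNetwork` are reported because they are broader than the Bastion subnet, and a port range like `20-25` is reported because it silently includes SSH.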
Microsoft Azure Fundamentals AZ-900 certification exam practice question and answer (Q&A) dump with detailed explanations and references, available free, to help you pass the Microsoft Azure Fundamentals AZ-900 exam and earn the Microsoft Azure Fundamentals AZ-900 certification.