Azure Rdp Pricing

admin



Oct 14, 2020 Once Remote Desktop is enabled on the roles, you can initiate a connection directly from the Azure portal: Click Instances to open the Instances settings. Select a role instance that has Remote Desktop configured. Click Connect to download an RDP file for the role instance. Click Open and then Connect to start the Remote Desktop connection. The free edition of Azure AD is included with a subscription of a commercial online service such as Azure, Dynamics 365, Intune, Power Platform, and others in countries where they are available for sale. Additional Azure AD features are included with Office 365 E1, E3, E5, F1, and F3 subscriptions in countries where they are available for. Remote Desktop Services (RDS) is the platform of choice to cost-effectively host Windows desktops and applications. This offering is designed to help you quickly create a RDS on IaaS deployment for testing and proof-of-concept purposes. Purchase the license as part of your Azure subscription. This is pay-as-you-go and more expensive. Purchase Azure Hybrid Benefits for Windows Server Core. This includes Software Assurance and is a cheaper option. When using Windows Server, you also need to license Remote Desktop Services. You can obtain this licensing through. $2,123.35 – Total Azure Costs $2,798.35 – Total estimated costs If you scale only the Azure costs in scenario 1 by 5 you get $1,433. As you can see, adding in zone and geo-redundancy adds roughly an extra $700/mo to the price of WVD.

-->

Lock down inbound traffic to your Azure Virtual Machines with Azure Security Center's just-in-time (JIT) virtual machine (VM) access feature. This reduces exposure to attacks while providing easy access when you need to connect to a VM.

For a full explanation about how JIT works and the underlying logic, see Just-in-time explained.

This page teaches you how to include JIT in your security program. You'll learn how to:

  • Enable JIT on your VMs - You can enable JIT with your own custom options for one or more VMs using Security Center, PowerShell, or the REST API. Alternatively, you can enable JIT with default, hard-coded parameters, from Azure virtual machines. When enabled, JIT locks down inbound traffic to your Azure VMs by creating a rule in your network security group.
  • Request access to a VM that has JIT enabled - The goal of JIT is to ensure that even though your inbound traffic is locked down, Security Center still provides easy access to connect to VMs when needed. You can request access to a JIT-enabled VM from Security Center, Azure virtual machines, PowerShell, or the REST API.
  • Audit the activity - To ensure your VMs are secured appropriately, review the accesses to your JIT-enabled VMs as part of your regular security checks.

Availability

AspectDetails
Release state:General Availability (GA)
Pricing:Requires Azure Defender for servers
Supported VMs: VMs deployed through Azure Resource Manager.
VMs deployed with classic deployment models. Learn more about these deployment models.
VMs protected by Azure Firewalls controlled by Azure Firewall Manager
Required roles and permissions:Reader and SecurityReader roles can both view the JIT status and parameters.
To create custom roles that can work with JIT, see What permissions are needed to configure and use JIT?.
To create a least-privileged role for users that need to request JIT access to a VM, and perform no other JIT operations, use the Set-JitLeastPrivilegedRole script from the Security Center GitHub community pages.
Clouds: Commercial clouds
National/Sovereign (US Gov, China Gov, Other Gov)

Enable JIT VM access

You can enable JIT VM access with your own custom options for one or more VMs using Security Center or programmatically.

Alternatively, you can enable JIT with default, hard-coded parameters, from Azure Virtual machines.

Each of these options is explained in a separate tab below.

Enable JIT on your VMs from Azure Security Center

From Security Center, you can enable and configure the JIT VM access.

  1. Open the Azure Defender dashboard and from the advanced protection area, select Just-in-time VM access.

    The Just-in-time VM access page opens with your VMs grouped into the following tabs:

    • Configured - VMs that have been already been configured to support just-in-time VM access. For each VM, the configured tab shows:
      • the number of approved JIT requests in the last seven days
      • the last access date and time
      • the connection details configured
      • the last user
    • Not configured - VMs without JIT enabled, but that can support JIT. We recommend that you enable JIT for these VMs.
    • Unsupported - VMs without JIT enabled and which don't support the feature. Your VM might be in this tab for the following reasons:
      • Missing network security group (NSG) - JIT requires an NSG to be configured
      • Classic VM - JIT supports VMs that are deployed through Azure Resource Manager, not 'classic deployment'. Learn more about classic vs Azure Resource Manager deployment models.
      • Other - Your VM might be in this tab if the JIT solution is disabled in the security policy of the subscription or the resource group.

  2. From the Not configured tab, mark the VMs to protect with JIT and select Enable JIT on VMs.

    The JIT VM access page opens listing the ports that Security Center recommends protecting:

    • 22 - SSH
    • 3389 - RDP
    • 5985 - WinRM
    • 5986 - WinRM

    To accept the default settings, select Save.

  3. To customize the JIT options:

    • Add custom ports with the Add button.
    • Modify one of the default ports, by selecting it from the list.

    For each port (custom and default) the Add port configuration pane offers the following options:

    • Protocol- The protocol that is allowed on this port when a request is approved
    • Allowed source IPs- The IP ranges that are allowed on this port when a request is approved
    • Maximum request time- The maximum time window during which a specific port can be opened

    1. Set the port security to your needs.

    2. Select OK.

  4. Select Save.

Edit the JIT configuration on a JIT-enabled VM using Security Center

You can modify a VM's just-in-time configuration by adding and configuring a new port to protect for that VM, or by changing any other setting related to an already protected port.

To edit the existing JIT rules for a VM:

  1. Open the Azure Defender dashboard and from the advanced protection area, select Adaptive application controls.

  2. From the Configured tab, right-click on the VM to which you want to add a port, and select edit.

  3. Under JIT VM access configuration, you can either edit the existing settings of an already protected port or add a new custom port.

  4. When you've finished editing the ports, select Save.

Enable JIT on your VMs from Azure virtual machines

You can enable JIT on a VM from the Azure virtual machines pages of the Azure portal.

Tip

If a VM already has just-in-time enabled, when you go to its configuration page you'll see that just-in-time is enabled and you can use the link to open the just-in-time VM access page in Security Center, and view and change the settings.

  1. From the Azure portal, search for and select Virtual machines.

  2. Select the virtual machine you want to protect with JIT.

  3. In the menu, select Configuration.

  4. Under Just-in-time access, select Enable just-in-time.

    This enables just-in-time access for the VM using the following default settings:

    • Windows machines:
      • RDP port 3389
      • Three hours of maximum allowed access
      • Allowed source IP addresses is set to Any
    • Linux machines:
      • SSH port 22
      • Three hours of maximum allowed access
      • Allowed source IP addresses is set to Any

  5. To edit any of these values, or add more ports to your JIT configuration, use Azure Security Center's just-in-time page:

    1. From Security Center's menu, select Just-in-time VM access.

    2. From the Configured tab, right-click on the VM to which you want to add a port, and select edit.

    3. Under JIT VM access configuration, you can either edit the existing settings of an already protected port or add a new custom port.

    4. When you've finished editing the ports, select Save.

Enable JIT on your VMs using PowerShell

To enable just-in-time VM access from PowerShell, use the official Azure Security Center PowerShell cmdlet Set-AzJitNetworkAccessPolicy.

Example - Enable just-in-time VM access on a specific VM with the following rules:

  • Close ports 22 and 3389
  • Set a maximum time window of 3 hours for each so they can be opened per approved request
  • Allow the user who is requesting access to control the source IP addresses
  • Allow the user who is requesting access to establish a successful session upon an approved just-in-time access request

The following PowerShell commands create this JIT configuration:

  1. Assign a variable that holds the just-in-time VM access rules for a VM:

  2. Insert the VM just-in-time VM access rules into an array:

  3. Configure the just-in-time VM access rules on the selected VM:

    Use the -Name parameter to specify a VM. For example, to establish the JIT configuration for two different VMs, VM1 and VM2, use: Set-AzJitNetworkAccessPolicy -Name VM1 and Set-AzJitNetworkAccessPolicy -Name VM2.

Enable JIT on your VMs using the REST API

The just-in-time VM access feature can be used via the Azure Security Center API. Use this API to get information about configured VMs, add new ones, request access to a VM, and more.

Learn more at JIT network access policies.

Request access to a JIT-enabled VM

You can request access to a JIT-enabled VM from the Azure portal (in Security Center or Azure Virtual machines) or programmatically.

Each of these options is explained in a separate tab below.

Request access to a JIT-enabled VM from Azure Security Center

When a VM has a JIT enabled, you have to request access to connect to it. You can request access in any of the supported ways, regardless of how you enabled JIT.

  1. From the Just-in-time VM access page, select the Configured tab.

  2. Mark the VMs you want to access.

    • The icon in the Connection Details column indicates whether JIT is enabled on the network security group or firewall. If it's enabled on both, only the firewall icon appears.

    • The Connection Details column provides the information required to connect the VM, and its open ports.

  3. Select Request access. The Request access window opens.

  4. Under Request access, for each VM, configure the ports that you want to open and the source IP addresses that the port is opened on and the time window for which the port will be open. It will only be possible to request access to the configured ports. Each port has a maximum allowed time derived from the JIT configuration you've created.

  5. Select Open ports.

Note

If a user who is requesting access is behind a proxy, the option My IP may not work. You may need to define the full IP address range of the organization.

Request access to a JIT-enabled VM from the Azure virtual machine's connect page

When a VM has a JIT enabled, you have to request access to connect to it. You can request access in any of the supported ways, regardless of how you enabled JIT.

To request access from Azure virtual machines:

  1. In the Azure portal, open the virtual machines pages.

  2. Select the VM to which you want to connect, and open the Connect page.

    Azure checks to see if JIT is enabled on that VM.

    • If JIT isn't enabled for the VM, you'll be prompted to enable it.

    • If JIT's enabled, select Request access to pass an access request with the requesting IP, time range, and ports that were configured for that VM.

Note

After a request is approved for a VM protected by Azure Firewall, Security Center provides the user with the proper connection details (the port mapping from the DNAT table) to use to connect to the VM.

Azure Remote Desktop Pricing

Request access to a JIT-enabled VM using PowerShell

In the following example, you can see a just-in-time VM access request to a specific VM in which port 22 is requested to be opened for a specific IP address and for a specific amount of time:

Run the following in PowerShell:

  1. Configure the VM request access properties:

  2. Insert the VM access request parameters in an array:

  3. Send the request access (use the resource ID from step 1)

Learn more in the PowerShell cmdlet documentation.

Request access to a JIT-enabled VMs using the REST API

The just-in-time VM access feature can be used via the Azure Security Center API. Use this API to get information about configured VMs, add new ones, request access to a VM, and more.

Learn more at JIT network access policies.

Audit JIT access activity in Security Center

You can gain insights into VM activities using log search. To view the logs:

  1. From Just-in-time VM access, select the Configured tab.

  2. For the VM that you want to audit, open the ellipsis menu at the end of the row.

  3. Select Activity Log from the menu.

    The activity log provides a filtered view of previous operations for that VM along with time, date, and subscription.

  4. To download the log information, select Download as CSV.

Azure Rdp Pricing Plan

Next steps

In this article, you learned how to set up and use just-in-time VM access. To learn why JIT should be used, read the concept article explaining the threats it's defending against:

Hello Everyone,

In First article of this series, we discussed the general concept of Azure Multifactor Authentication, and how MFA participate in securing your on premise environment and Hybrid one if exist.

In this article we will go in more technical details about how to use Azure Multifactor Authentication using a real example.

One of my customers have a server which contains a highly secure data and only around 6 users have a remote desktop access to that server, the customer need to add more security layer for accessing this server.

I suggest the customer to use Azure MFA, since it will add a highly secure layer to the remote desktop access to the server in addition to the low cost of this service.

so let’s start the technical steps to do that, remember that we need to integrate remote desktop protocol access (RDP) with Azure MFA.

in this part we will prepare the Azure MFA provider and download the MFA server setup files, In next part we will deploy and configure the MFA server to secure the RDP.

First of all let’s summarize the requirements to implement this scenario:

1- we need an azure account (Azure Tenant) to configure and install the Azure setup, if you don’t have account you can sign up for one month as trial, for more info follow this link : https://azure.microsoft.com/en-us/pricing/free-trial/

2- integrate RPD protocol with Azure MFA is not supported in windows 2012 R2 (until the date of this article), which means if you need to integrate RPD with Azure MFA you need to install windows 2012 and earlier such as windows 2008 R2.

3- To secure the remote desktop protocol (RDP) with Azure Multifactor, you must install the Azure MFA server in the same RDP server, in other word assume you have a server called “SRV1”, then you should install the MFA setup in the “SRV1” server, if you look back to point #2 you can conclude that you cannot secure the RDP for windows 2012 R2 (until the date of this article).

This deployment called MFA stand alone server since all deployment will be on premise and no integration will be done between local AD and Azure AD.

Now, log in to your azure tenant using https://manage.windowsazure.com, go to active directory tab from left pane:

Now choose MULTI-FACTOR AUTH PROVIDERS option from the top options,

Click New:

MULTI-FACTOR AUTH PROVIDERS used to install the MFA server setup files, also the provider will be responsible for the usage calculations and you can customize your setup from the provide such as fraud alerts.

Now choose App Services -> Active Directory -> MULTI-FACTOR AUTH PROVIDERS – Quick Create.

Name: choose any meaning full name for your provider.
Usage Model: you have two options here, per user enabled and per authentication, this option cannot be changed later, if you need to change it later you must create new provider, the difference between the two model is how Microsoft will charge you, if you choose per enabled user then you will be charged for how many users using MFA regardless of how many actual authentication occurs, if you choose per authentication you will be charged every time the users try to authenticate using Azure MFA.
Directory: choose Don’t link a directory since we will install the stand alone MFA server without integration with Azure AD.

After you fill the required information, click create:

Azure rds cal pricing

after less than minute a new provider will be available in your tenant as shown below:

Click in the provider just created, then click in the MANAGE button in the bottom of the portal page:

Azure Rdp PricingAzure

The MFA Management page will appear, click in Downloads button as below:


in the download server page, it’s list the supported OS versions for MFA server including windows 2012 R2 and this is not what I said before, be smart I mentioned that the RPD feature is not supported in windows 2012 R2 but there is a lot of features that work in windows 2012 R2, Now click in Generate Activation Credentials button to generate the credential which will be used to register your server in MFA provider during the setup.

Email and password credential will be generated, these credential valid to be used within 10 minutes, if you take more than 10 min to start the setup you can re generate a new credentials.

Now click the download text to start the downloading of the MFA setup:

After the download complete, copy the setup file to the server you need to secure the RDP on it and double click on the setup to start the installation.

In Next Part we will continue our demo by installing the multifactor server and configuring it to secure remote desktop access.

So keep tuned 🙂

About Blogger …

Azure Rdp Pricing System

Smultron. Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin in a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also hold many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.
Ahmad is currently working in Specialized Technical Services Company (STS).

Azure Rdp Pricing System

Find Ahmad at Facebook and LinkedIn