Please provide a way to group endpoints and assign them as a named group to Azure VMs
We are adding endpoints for each virtual machine once it is created. Normally the RDP endpoint is created by default, and more can be added if required by specifying the port number. I feel there are additional features needed to make this feature more flexible and to secure them in a centralized place. Some are:
The endpoints are configured by defining the ports, but there is no way to specify whether the ports are inbound or outbound. So, there should be an option to specify whether the port is opened for inbound or outbound traffic instead of configuring it in the VM.
There should also be an option to choose the destination IP address for which the port needs to be opened, because some enterprises are not willing to open ports to all destinations (including 3389). An option to include the IP address of the machine from which the service can be consumed would reduce unauthorized resource access. (For example: from which IP address, range of addresses or subnet the Azure VMs can be accessed using the RDP port.)
It would be better if we had a concept called Endpoint Group (like Security Groups in AWS) which would allow us to group one or more endpoint configurations and name them as a single group. This would allow us to assign the endpoint group to any VM and control it in a centralized place. It would also allow auditing and restricting ports on VMs in a centralized place and making it an enterprise standard.
There should be a configuration setting that accepts a flag controlling whether only endpoint groups can be assigned to VMs, or individual ports as well. This would make sure individual ports are not opened on any VM without the Administrator's knowledge.
There should be a dedicated user group for managing security on Azure services, such as firewall configuration on SQL Azure, endpoint configuration on VMs, etc.
Hi there, this is a lot of good feedback. Thanks for taking the time to send it over to us, we really appreciate that here at Microsoft.
1. Could you elaborate on the need for this?
2. This is possible today via NSGs; you can specify the source IP.
3. Have you looked at ASGs?
4. (both of them) We are looking into making management easier and will take this feedback into consideration.
- Anavi N [MSFT]
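To make the two points above concrete (the request for inbound/outbound rules with a source IP restriction, and the reply that NSGs already provide this), here is an added example that is not part of the original thread or of any Microsoft code. It models how an Azure Network Security Group decides a flow: rules are processed by priority, lowest number first, the first match decides, and default rules ending in a deny-all close the set. The VNet prefix, the rule names and the addresses are constructed; the `VirtualNetwork` service tag is stood in for by a fixed CIDR, which is an assumption. A hardened rule set (RDP only from a corporate range) sits next to a weak one (RDP from anywhere), and an audit function finds rules that open a management port to any source, which is the centralized check the original post asks for.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address space standing in for Azure's VirtualNetwork service tag (assumption).
VNET = "10.0.0.0/16"
ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int              # 100-4096 for custom rules; lower numbers are evaluated first
    direction: str             # "Inbound" or "Outbound"
    access: str                # "Allow" or "Deny"
    protocol: str              # "Tcp", "Udp" or "*"
    source: str                # CIDR, single IP or "*"
    destination: str           # CIDR, single IP or "*"
    dest_port: Optional[int]   # None means any port


def _in_prefix(ip: str, prefix: str) -> bool:
    """True when ip falls inside prefix; "*" matches everything."""
    return prefix == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


def matches(rule: Rule, direction: str, protocol: str, src: str, dst: str, port: int) -> bool:
    return (rule.direction == direction
            and rule.protocol in (ANY, protocol)
            and rule.dest_port in (None, port)
            and _in_prefix(src, rule.source)
            and _in_prefix(dst, rule.destination))


# Modelled default rules. Azure also ships AllowAzureLoadBalancerInBound (65001); omitted here.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", ANY, VNET, VNET, None),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", ANY, ANY, ANY, None),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", ANY, VNET, VNET, None),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", ANY, ANY, ANY, None),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", ANY, ANY, ANY, None),
]


def evaluate(custom_rules: List[Rule], direction: str, protocol: str,
             src: str, dst: str, port: int) -> Tuple[str, str]:
    """Return (access, rule name) for one flow; the default deny-all rules guarantee a verdict."""
    for rule in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if matches(rule, direction, protocol, src, dst, port):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAll default rules match every flow")


def audit_exposed_ports(custom_rules: List[Rule], sensitive_ports=(22, 3389, 1433)) -> List[str]:
    """Names of inbound Allow rules that open a management port (or every port) to any source."""
    return [r.name for r in custom_rules
            if r.direction == "Inbound" and r.access == "Allow"
            and r.source in (ANY, "0.0.0.0/0", "Internet")
            and (r.dest_port is None or r.dest_port in sensitive_ports)]


# Constructed "endpoint groups": a hardened set that allows RDP only from a
# corporate range, and a weak set that additionally opens RDP to the world.
HARDENED = [
    Rule("AllowRdpFromCorp", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", ANY, 3389),
    Rule("AllowHttpsFromAny", 110, "Inbound", "Allow", "Tcp", ANY, ANY, 443),
]
WEAK = HARDENED + [Rule("AllowRdpFromAny", 120, "Inbound", "Allow", "Tcp", ANY, ANY, 3389)]

if __name__ == "__main__":
    vm = "10.0.1.4"  # constructed private address of the VM
    print(evaluate(HARDENED, "Inbound", "Tcp", "203.0.113.10", vm, 3389))   # corporate RDP: allowed
    print(evaluate(HARDENED, "Inbound", "Tcp", "198.51.100.5", vm, 3389))   # other RDP: default deny
    print(evaluate(WEAK, "Inbound", "Tcp", "198.51.100.5", vm, 3389))       # weak group lets it through
    print(evaluate(HARDENED, "Outbound", "Tcp", vm, "198.51.100.7", 443))   # default outbound allow
    print(audit_exposed_ports(WEAK))                                        # flags AllowRdpFromAny
```

The audit function is the piece that an "only endpoint groups may be assigned" flag would back: run it over every rule set attached to a VM and any hit is an individual port opened outside the reviewed groups. Note that a later, broader rule (priority 120) still wins for sources the narrower rule (priority 100) does not cover, so a reviewed group is only as tight as its loosest Allow rule.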
Laughing John commented
Given that this has been "under review" since 2013, it makes you wonder what the point of having suggestions is. At the very least some further feedback would be nice...
Laughing John commented
This is a very good idea!
The "new" VM experience is even worse than the old one because you have to enter a list and can't even give the IP range a name...
It would also be nice if we could apply lockdown groups by country (based on known IP ranges for each country). This would allow us to only expose Azure services to a known set of IP ranges.
For example, if clients only connect from the US then only those IP addresses should be allowed to connect to it. This would shrink the exposure.