Azure Local RDP

Hello Handian Sudianto,

You cannot restrict RDP to only WAC using firewall/IP rules. The correct approach is to disable direct RDP and use Azure Arc (RDP over SSH) for secure access.

Here's a bit more detailed explanation on why:

**How WAC connects :
**WAC does not use fixed IP addresses. It connects either via:

Azure Arc (secure, tunneled access), or

Regular RDP (if enabled)

Because there are no fixed IPs, you cannot allow “only WAC” via firewall rules.

**
Why your approach won’t work**

• Firewall rules work with IPs or ranges.
• WAC traffic doesn’t come from a known/static range.
• So you can’t allow WAC and block everything else using RDP rules.

Recommended solution: Use Azure Arc RDP over SSH

• RDP is tunneled securely via Azure Arc
• Port 3389 is not exposed to LAN or internet
• No inbound RDP firewall rules needed
• Access is controlled via Azure identity (secure)

This gives you remote access without opening RDP at all.

Best practices:

• Disable direct RDP (port 3389)
• Use Azure Arc for access
• Optionally use identity controls like Just-In-Time (JIT)

References:

• https://learn.microsoft.com/azure/azure-local/deploy/deploy-via-portal?view=azloc-2604#post-deployment-tasks
• https://learn.microsoft.com/azure/azure-local/multi-rack/multi-rack-connect-arc-vm-using-ssh?view=azloc-2604#use-rdp-over-ssh-to-connect-to-an-azure-local-vm

On Azure Local nodes, RDP is disabled by default for security and can be enabled or disabled centrally, but the platform guidance is to keep RDP closed to general network access and use more secure remote-management paths (WAC, SSH over Arc, VPN) instead of exposing RDP.

For Azure Local specifically:

1. Enable RDP on the node only when needed
   1. From a management PC, run PowerShell as administrator.
   2. Start a remote PowerShell session to the Azure Local node:

            $ip = "<IP address of the Azure Local machine>"
            Enter-PSSession -ComputerName $ip -Credential Get-Credential
      

   3. Enable RDP on the node:

            Enable-ASRemoteDesktop
      

   4. When finished with troubleshooting or configuration, disable RDP again:

            Disable-ASRemoteDesktop
      

   This follows the security recommendation to keep RDP disabled when not needed.
2. Restrict RDP exposure instead of leaving it open The documentation does not provide a built-in mode where RDP is enabled but only reachable from WAC in Azure while blocked from LAN. Instead, the recommended pattern is:
   • Keep direct RDP/SSH from the internet disabled.
   • Use secure management channels (for example, Windows Admin Center via Azure Arc connectivity, SSH over Azure Arc, or VPN) rather than exposing RDP.
   For Azure VMs in general, the guidance is to avoid direct RDP/SSH exposure and use a point-to-site VPN or similar so that only authenticated management clients can reach the VM. The same principle applies to Azure Local nodes: do not open RDP broadly on the LAN; instead, use WAC/Arc connectivity and only temporarily enable RDP for specific maintenance, then disable it again.

Because the platform does not document a configuration where RDP is permanently enabled but reachable only from WAC and blocked from all LAN sources, the supported and recommended approach is:

• Use WAC in Azure portal (via Azure Arc connectivity) for normal management.
• When interactive desktop access is required, temporarily enable RDP with Enable-ASRemoteDesktop, perform the task, then disable it with Disable-ASRemoteDesktop.

References:

• Deploy Azure Local using the Azure portal
• Deploy Azure Local using the Azure portal for disaggregated deployments
• Azure best practices for network security
• Configuration and remote access