Azure IAAS : Enable RDP to Load balanced VMs in a cloud service
I faced a confusing situation recently, where I had to enable RDP to two VMs in the same cloud service using endpoints included in a load balanced set.
A load balanced set was created for the RDP port 3389 and both VMs were included in the set. However, if we select the invidual VMs from the management portal-> click connect, you will get the following error message
"An external endpoint to the Remote Desktop port(3389) must first be added to the role"
That was pretty confusing, since the port is already defined in the load balanced set !! .
After playing around for a bit, I found out that I was doing it all wrong !!.. The load balancer set works from a cloud service perspective. So the RDP load balanced set along with the other load balanced ports are defined for the cloud service. That means I can actually RDP by providing the cloud service name, and it will land me on one of the VMs in the cloud service. From the VM, you can rdp to any other VM in the cloud service by simply providing the VM name, not even the cloudapp.net suffix is required!! So that is how you RDP to your VMs in a cloud service, though there is a chance of multiple hops if you have multiple VMs.
But, is this the only option? What if you dont want to 'multi hop ' to the VMs. Of course, there is a straight forward way of adding RDP endpoints individually to the VMs rather than creating a load balanced set. However the catch here is that you need to use multiple public ports. If you wish to use default port '3389', you can very well do so..but only for one VM in a cloud service. Azure wouldnt allow you to use the same public port twice within VMs in the same cloud service. Hence you will have to go for a different/random port. Problem comes when you try an RDP to these random ports from within a firewalled network. You would need this port to be opened in your perimeter firewall to the Azure IP address to enable the RDP. Not a bright idea, I would say , since the Azure IP ranges keep changing. Even Microsoft doesn't recommend hardcoding their IP ranges to create firewall rules in your organization network. Hence better go the 'multi hop' way .