Create NSG rule to allow Remote Desktop port 3389 using Azure CLI
How to create an NSG rule to only allow RDP port 3389 from a trusted source IP address using Azure CLI
By default, when you create a new VM, Azure will attach a public IP address, create an NSG and allow Remote Desktop port 3389 from any IP address.
Having RDP open to the Internet will expose your VM to password spray attacks. You should configure the NSG to only allow RDP connections from trusted source IP addresses.
If you have an NSG rule like this allowing RDP from any source, you should change the rule immediately as this is a security risk!
NSG rule priorities
NSG rule priorities determine the order in which rules are evaluated; each priority must be unique within an NSG and can range from 100 (highest priority, evaluated first) to 4096 (lowest priority).
Create NSG rule using az network nsg rule create
- This example will create an NSG rule to allow RDP port 3389 from a trusted source IP address.
- Setting a priority of 200 places the NSG rule near the top of the inbound rules list, so it is evaluated before any rule with a higher priority number.
- The description should be wrapped in double quotes " "
- Replace TRUSTED-IP-ADDRESS with your office external IP address
```bash
# define variables for nsg rule
name=AllowRDP
nsgName=prod-ukw-core-vnet-nsg
priority=200
rgroup=prod-ukw-core-rg
access=Allow
description="Allow RDP from office IP address"
destPort=3389
direction=Inbound
protocol=TCP
sourceAddress=TRUSTED-IP-ADDRESS/32

az network nsg rule create \
  --name $name \
  --nsg-name $nsgName \
  --priority $priority \
  --resource-group $rgroup \
  --access $access \
  --description "$description" \
  --destination-port-ranges $destPort \
  --direction $direction \
  --protocol $protocol \
  --source-address-prefixes $sourceAddress
```
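The two things that most often go wrong with this command are an out-of-range priority and a source prefix that is still effectively "any" (for example `*`, `Internet` or `0.0.0.0/0`), which would recreate the exact exposure the rule is meant to remove. The following POSIX shell script is an added example, not part of the original post: it wraps the same `az network nsg rule create` call in input checks that enforce the 100..4096 priority range and insist on a single trusted IPv4 host prefix (`a.b.c.d/32`) before anything is sent to Azure. The function names, the `DRY_RUN` variable and the sample address `203.0.113.10/32` (from the documentation range) are assumptions made for the example; the `az` arguments are those used in the post, with the protocol spelled `Tcp` as the CLI documents it.

```shell
#!/bin/sh
# Added example: validate NSG rule inputs before calling `az network nsg rule create`.
# DRY_RUN defaults to 1 so the script only prints the command; set DRY_RUN= (empty)
# in a logged-in Azure CLI session to actually create the rule.
DRY_RUN="${DRY_RUN:-1}"

# Priorities must be integers in 100..4096 (lower number = evaluated first).
validate_priority() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -ge 100 ] && [ "$1" -le 4096 ]
}

# Reject "any"-style sources and accept only one IPv4 host prefix (a.b.c.d/32),
# i.e. exactly one trusted address rather than a range.
validate_source_prefix() {
    prefix="$1"
    case "$prefix" in
        '*'|Internet|Any|0.0.0.0/0|'') return 1 ;;   # would allow RDP from anywhere
    esac
    case "$prefix" in
        */32) ip="${prefix%/32}" ;;
        *) return 1 ;;                               # wider mask or no mask at all
    esac
    # Split on dots and check for exactly four octets in 0..255.
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: create_rdp_rule NAME NSG_NAME RESOURCE_GROUP PRIORITY SOURCE_PREFIX
# Prints the full az command so it can be reviewed; runs it unless DRY_RUN is set.
# Returns 2 for a bad priority and 3 for a source that is not a single trusted host.
create_rdp_rule() {
    name="$1" nsgName="$2" rgroup="$3" priority="$4" sourceAddress="$5"
    validate_priority "$priority" || { echo "priority must be 100..4096" >&2; return 2; }
    validate_source_prefix "$sourceAddress" || {
        echo "source must be a single trusted /32, never any/Internet" >&2; return 3; }
    set -- --name "$name" --nsg-name "$nsgName" --priority "$priority" \
           --resource-group "$rgroup" --access Allow \
           --description "Allow RDP from office IP address" \
           --destination-port-ranges 3389 --direction Inbound --protocol Tcp \
           --source-address-prefixes "$sourceAddress"
    printf 'az network nsg rule create %s\n' "$*"
    [ -n "$DRY_RUN" ] || az network nsg rule create "$@"
}

# Demo with a constructed office address (documentation range); prints the command.
create_rdp_rule AllowRDP prod-ukw-core-vnet-nsg prod-ukw-core-rg 200 203.0.113.10/32
# Demo of the guard: an "any" source is refused before az is ever invoked.
create_rdp_rule AllowRDP prod-ukw-core-vnet-nsg prod-ukw-core-rg 200 '*' || echo "rejected: exit $?"
```

Keeping the checks in front of the CLI call means a typo such as `0.0.0.0/0` or a forgotten `/32` is caught locally, and the printed command gives you something to paste into a change record before the rule goes live.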
Restricting the source IP address for RDP will give us some protection from password spray attacks.
Better solutions would be to use a remote access gateway or VPN with MFA, or Azure Just-in-Time virtual machine access (JIT).