Securing Remote IT Support in Azure: A Practical Hub and Spoke Implementation (git-muhammad-sadique-i987/projects GitHub Wiki)
The shift to remote work has created a challenge for IT support teams that manage private cloud resources: they still need administrative access to networks that were designed to be reached only from the office, and that access must be secured. Azure's hub and spoke network topology, combined with Network Security Groups (NSGs) and VNet peering, is an effective solution. This article walks through a hands-on implementation of this approach to enable secure remote IT support.
The Remote Work Challenge
Our organization hosts many private resources in Azure virtual networks. These were previously managed from the head office over ExpressRoute, but the IT help desk team now requires remote access because of work-from-home policies. A new jump server (management VM) was deployed in a separate Azure VNet for this purpose, equipped with the necessary support tools. The task was to configure secure connectivity to this jump server and, from there, to the organization's private resources.
Our Azure Solution: Hub and Spoke for Secure Access
We implemented a hub and spoke topology. The jump server resides in a spoke VNet, while the organization's resources are in the hub VNet. We configured a Public IP address and Network Security Groups (NSGs) to give controlled public access to the jump server. VNet peering established private connectivity between the spoke and the hub. Finally, an NSG rule in the hub network controls access from the jump server to the private resources.
Secure Public Access to the Jump Server
We created a Public IP address (`jumpserver-pubip`) and associated it with the jump server's network interface (`jumpserver-nic1`). An inbound rule on the spoke network's NSG (`spoke1-vnet-nsg`) was configured with priority 100 to allow RDP traffic (TCP port 3389) from any source to the jump server's private IP address. The destination is the private IP rather than the public IP because Azure translates the public address to the private one before NSG rules are evaluated. For a production environment the source should be restricted to the known egress IP addresses of the IT support team; a rule that exposes RDP to the whole internet invites password-guessing attacks against the jump server.
Private Connectivity with VNet Peering
We established VNet peering between `hub-vnet` and `spoke1-vnet`. Peering is configured as a pair of links, one from each VNet, and creates a private, low-latency, high-bandwidth connection over the Azure backbone, so the jump server can communicate with the private resources without exposing the latter to the public internet.
Secure Access to the Hub Network
An inbound rule with priority 100 was added to the hub network's NSG (`hub-vnet-nsg`) to allow RDP traffic (TCP port 3389) specifically from the private IP address of the jump server to any resource within the hub network. On its own, this allow rule does not guarantee that only the jump server can initiate RDP connections: NSGs are evaluated in ascending priority order, and the default AllowVnetInBound rule (priority 65000) matches the VirtualNetwork service tag, which includes peered virtual networks. Any other host in `spoke1-vnet` would therefore still reach port 3389 in the hub. To make the restriction effective, add a Deny rule for port 3389 from any source at a priority between 100 and 65000 (for example 110), so that the jump server's allow rule matches first and every other RDP source is denied before the default rule is reached.
Implementation Highlights
- Created `jumpserver-pubip`.
- Associated it with `jumpserver-nic1`.
- Configured `spoke1-vnet-nsg` to allow RDP to the jump server's private IP.
- Established VNet peering between `hub-vnet` and `spoke1-vnet`.
- Configured `hub-vnet-nsg` to allow RDP from the jump server's private IP.
- Tested RDP connectivity to the jump server via its public IP.
- Tested RDP connectivity from the jump server to a resource in the hub network via its private IP.
Security Implications
This solution provides a layered approach. Public exposure is limited to the jump server, with access controlled by an NSG rule. Communication between the networks stays private over VNet peering. Access to hub resources is restricted to the jump server by an explicit NSG allow rule, which should be paired with a deny rule for other RDP sources, because the default AllowVnetInBound rule would otherwise admit any host in the peered spoke. Together these controls significantly reduce the attack surface.
Broader Applications and Considerations
This model can be adapted for multiple IT support members by listing their public IP addresses as additional source prefixes on the jump server's inbound RDP rule. Multi-factor authentication for logins to the jump server is recommended. For larger deployments, Azure Bastion provides RDP and SSH access through the Azure portal over TLS without assigning the VM a public IP, which removes the internet-exposed port 3389 entirely, and Azure Virtual Network Manager simplifies management of hub and spoke topologies at scale.
Conclusion
Implementing a hub and spoke topology with Azure's networking and security services provides a robust solution for secure remote IT support. This approach ensures secure access to private resources while maintaining a strong security posture, and it can be further enhanced with advanced Azure services for scalability and simplified management.
Table: Configured Network Security Group Rules
| Network | Direction | Source | Destination | Port(s) | Protocol | Action | Priority | Name | Purpose |
|---|---|---|---|---|---|---|---|---|---|
| spoke1-vnet-nsg | Inbound | Any | Jump server private IP | 3389 | TCP | Allow | 100 | allow-inbound-rdp-jumpserver | Allows RDP access to the jump server from the internet. |
| hub-vnet-nsg | Inbound | Jump server private IP | Any | 3389 | TCP | Allow | 100 | allow-rdp-inbound-jumpserver | Allows RDP access to resources in the hub network from the jump server. |
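The two rules in the table, evaluated the way Azure evaluates NSGs, as an added example that is not part of the original wiki page or the author's configuration. It models ascending-priority, first-match evaluation together with Azure's built-in default rules and shows why the hub rule alone does not keep other spoke hosts off port 3389 (the VirtualNetwork service tag includes peered networks), then checks the hardened rule sets described in the text. The address spaces (10.0.0.0/16 for the hub, 10.1.0.0/16 for the spoke), the jump server's private IP 10.1.0.4 and the support-team range 198.51.100.0/24 are assumed values for illustration, not taken from the page.

```python
"""NSG rule evaluation for the spoke and hub rules described on this page.

Added example, not the page author's code. Azure evaluates NSG rules in
ascending priority order and stops at the first match; the built-in default
rules (65000-65500) sit behind any custom rule. All addresses below are
assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HUB_VNET = "10.0.0.0/16"           # assumed hub-vnet address space
SPOKE1_VNET = "10.1.0.0/16"        # assumed spoke1-vnet address space
JUMPSERVER_IP = "10.1.0.4"         # assumed private IP on jumpserver-nic1
SUPPORT_RANGE = "198.51.100.0/24"  # assumed IT support egress range (TEST-NET-2)

# Service tags as Azure expands them. VirtualNetwork covers the VNet's own
# address space AND every peered VNet, which is the crux of the hub-side gap.
TAGS = {
    "VirtualNetwork": [HUB_VNET, SPOKE1_VNET],
    "AzureLoadBalancer": ["168.63.129.16/32"],
    "Internet": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str   # CIDR, host IP, service tag or '*'
    dest: str     # CIDR, host IP, service tag or '*'
    port: object  # TCP port number or '*'
    access: str   # 'Allow' or 'Deny'


def _matches(prefix, addr):
    """True if addr falls inside prefix (a CIDR, host IP, service tag or '*')."""
    if prefix == "*":
        return True
    return any(ip_address(addr) in ip_network(n) for n in TAGS.get(prefix, [prefix]))


def evaluate(rules, src, dst, port):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if _matches(r.source, src) and _matches(r.dest, dst) and r.port in ("*", port):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# Azure's fixed inbound default rules; they cannot be deleted, only overridden
# by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

# The two rules exactly as the table describes them. Traffic to the public IP
# is NATed to the private IP before the NSG sees it, hence the private
# destination on the spoke rule.
SPOKE1_NSG_AS_BUILT = [
    Rule("allow-inbound-rdp-jumpserver", 100, "*", JUMPSERVER_IP, 3389, "Allow"),
] + DEFAULT_INBOUND
HUB_NSG_AS_BUILT = [
    Rule("allow-rdp-inbound-jumpserver", 100, JUMPSERVER_IP, "*", 3389, "Allow"),
] + DEFAULT_INBOUND

# Hardened variants: pin the internet-facing source to the support team's
# range, and on the hub side deny RDP from everything else at a priority that
# is evaluated before AllowVnetInBound.
SPOKE1_NSG_HARDENED = [
    Rule("allow-inbound-rdp-jumpserver", 100, SUPPORT_RANGE, JUMPSERVER_IP, 3389, "Allow"),
] + DEFAULT_INBOUND
HUB_NSG_HARDENED = [
    Rule("allow-rdp-inbound-jumpserver", 100, JUMPSERVER_IP, "*", 3389, "Allow"),
    Rule("deny-rdp-inbound-others", 110, "*", "*", 3389, "Deny"),
] + DEFAULT_INBOUND


def rdp_allowed(nsg, src, dst):
    """Convenience wrapper: does this NSG admit TCP/3389 from src to dst?"""
    return evaluate(nsg, src, dst, 3389)[0] == "Allow"


if __name__ == "__main__":
    hub_vm, other_spoke_host, internet_host = "10.0.1.10", "10.1.0.9", "203.0.113.7"
    cases = [
        ("as built, internet -> jump server", SPOKE1_NSG_AS_BUILT, internet_host, JUMPSERVER_IP),
        ("hardened, internet -> jump server", SPOKE1_NSG_HARDENED, internet_host, JUMPSERVER_IP),
        ("as built, other spoke host -> hub VM", HUB_NSG_AS_BUILT, other_spoke_host, hub_vm),
        ("hardened, other spoke host -> hub VM", HUB_NSG_HARDENED, other_spoke_host, hub_vm),
        ("hardened, jump server -> hub VM", HUB_NSG_HARDENED, JUMPSERVER_IP, hub_vm),
    ]
    for label, nsg, src, dst in cases:
        print(f"{label}: {evaluate(nsg, src, dst, 3389)}")
```

Running the script prints the verdict and the matching rule for each case; the as-built hub NSG admits the other spoke host through `AllowVnetInBound`, and the `deny-rdp-inbound-others` rule at priority 110 is what turns the allow rule into a real restriction while leaving non-RDP traffic between the VNets untouched. With source `*` that deny also blocks RDP between hosts inside the hub; scope its source to the spoke address space if hub-to-hub RDP is required.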