After reviewing more Azure setups this quarter than I care to admit, I keep spotting the same tired anti-pattern: organizations still exposing VMs with public IP addresses just to RDP in.
Let’s be blunt: it’s lazy, it’s risky, and in 2025, it’s downright embarrassing.
The Old RDP Model — A Security Horror Show
Traditional RDP over the internet comes with a bag of problems no sane architect should want:
-
Public IP exposure on port 3389 → attackers scan for this like it’s free candy.
-
Firewall rule juggling → a constant headache of allow/deny lists that never age well.
-
VPN dependency → users hate it, admins hate it, and breaches still happen.
-
Breach risk → internet-facing services = jackpot for ransomware gangs.
This isn’t “modern remote access.” It’s Russian roulette with a slightly shinier revolver.
Enter Azure Bastion — Secure by Design
Microsoft gave us Azure Bastion to kill this nonsense:
-
No public IPs → VMs stay tucked safely away in private subnets.
-
Browser-based access → connect straight from the Azure portal.
-
Port 443 only → HTTPS tunnels, no weird firewall gymnastics.
-
Azure AD integration → your existing identity stack does the heavy lifting.
No RDP files, no random endpoints hanging off your infrastructure. Just controlled, auditable access.
For the Enterprise Crowd — Azure Virtual Desktop
If you’re big-league, Azure Virtual Desktop (AVD) takes it further:
-
Reverse connect transport → outbound HTTPS connections only. No inbound listeners, no open doors.
-
Scalable & centralised → host pools, multi-session Windows, user management all integrated.
-
Security baked in → RDP brute force attacks become someone else’s problem.
This isn’t just RDP with a new name. It’s a fundamental shift in architecture.
The Business Impact
Real talk: this isn’t just a nerdy security detail. The business benefits are massive:
-
Companies using Bastion see ~60% fewer security incidents tied to remote access.
-
No more jump boxes or DIY bastion hosts to manage (or forget to patch).
-
Reduced operational overhead, fewer tickets, less late-night firefighting.
Or in CFO-speak: lower risk + lower costs.
Self-Check: Are You Still Doing RDP Wrong?
| Question | If “Yes” → You’re in Trouble |
|---|---|
| Do your Azure VMs have public IPs with RDP enabled? | Attackers are already scanning them. |
| Are you still managing inbound firewall rules for 3389? | Welcome to admin overhead hell. |
| Do you rely on VPN-only access for remote workers? | You’ve swapped one bottleneck for another. |
| Do you run jump boxes/bastion hosts you have to patch? | Outdated, risky, unnecessary with Bastion. |
| Have you tried Bastion/AVD in production? | If no, you’re stuck in 2010. |
Closing Thought
Remote access is no longer about convenience; it’s about resilience and trust. Bastion and AVD aren’t “nice-to-haves” — they’re the minimum standard in 2025.
So, what’s your move? Are you still babysitting firewall rules for port 3389, or have you modernized your Azure access game?
rgds,
Alex