Kaloian – Kallo

In this article we will explore the most common issues related to RDP(Remote Desktop Protocol) connectivity on Windows Virtual machines on Azure.
For that purpose I have created a VM and did something to prevent me from connecting to it from my physical machine. In order to RDP to a virtual machine in Azure you typically have two ways. Using the public IP or the private IP of the VM depends if you are using VPN or not.

In order to RDP to a VM you have to open Remote Desktop Connection from Windows -> Start menu

Then type the public IP address of the Virtual machine if you are not connecting with P2S VPN:

The error message we are getting is the following:

There are generally few common causes for this error message.

Access related causes:
Network security groups blocking the IP/protocol/port.
Windows firewall rules
on-prem firewall rules
Azure Firewall rules

Other networking and node related possible causes:

Unplanned Health events on the Azure VM. In this case Redeploy feature should definitely resolve the issue.
Incorrect NAT port forwarding.
Sometimes the RDP port 3389 is used by other service on the VM, so you have to check if the machine is listening for that port.

I would personally start the troubleshooting process with ping/psping/tcpdump on port 3389 to check if we can reach the VM. I don’t recommend normal ping as in most Azure VNETs you have to explicitly allow ICMP in the NSG rules. It is better to test using tcpping-type tool. In this case we don’t have reachability on that port. You can also test for other ports such as 80 or 443 if it is a web server and check if there is a response.

Next we will check the Window firewall rules:

We see that in this scenario we have a rule that blocks outbound remote port 3389, which means the on-prem machine cannot connect to the Aure VM. Removing the rule by right click delete/disable will open the remote port.

Next we will check the NSG rules in Azure portal.

A Network Security Group can be defined on subnet and VM’s NIC.

It is not recommended to define NSGs on VM’s NIC as if there are inconsistencies with the subnet NSG rules, you will lose access, not to mention if you have company security policies which are automatically added on the NSGs you will probably have some headaches.

In this example the RDP rule is with lower priority than the above rule, which has a deny on port 3389.

So we need to reduce the number of the RDP rule so that we can increase its priority above the Deny rule 104. You can give the RDP rule number 104 and the Deny rule 105.

Now we will see a response:

If there are many rules defined it would be probably better to disable all rules for the sake of testing and if there is still no connectivity then it is safe to say that the issue is not in the access, but something else.

Reset Remote Desktop configuration

Review VM console

Refer to the following article: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/serial-console-windows

Reset the NIC of VM

Refer the following article: https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/reset-network-interface

VM Resource Health

If there are issues with the instance of the VM, it wil be shown as error and unplanned event.

Reset VM password

Restart VM

Redeploy VM

This will copy your existing configuration of the VM and redploy it to a new node in Azure infrastructure.

Author: Kaloian

Troubleshooting RDP to Azure VM