All Windows Azure Role can have any type of internal endpoints. Internal endpoints are limited to 5 per role. Internal endpoints are used for internal role communication, for example, role-to-role communication. So based on it, Web role can support up to five internal endpoints, like the other roles. Depending upon what your service looks like, if this is your front-end role (or your only role), RDP may actually be taking an input endpoint, not an internal endpoint. You are allocated 25 input endpoints throughout your entire service.

 

Due to the limit of input endpoint 5 per role and 25 total, it is possible that you will need to adjust RDP access in your role to reclaim one input Endpoint in specific role.

 

IF you have RDP enabled in your Windows Azure Application, for one of your roles RemoteForwarder will consume an input endpoint, and on all of your roles RemoteAccess will consume an internal endpoint.  You can choose which role will use the input endpoint by modifying your csdef to put the RemoteForwarder import into the role you want to expose the 3389 RDP port.