So, you're an infrastructure architect and someone is planning to remote desktop from your site to a Windows Azure instance. What does this mean for your firewall?
Based on this scenario I thought I would double back, research and make sure I have the details right. Fortunately there are some fine details on how this works in an MSDN webcast, Cloud Cover Episode 33 to be precise.
In Windows Azure, a role, and therefore every one of its configured instances, does not expose any ports other than those declared in the service definition file at deployment time.
Typically the service definition does this by specifying end points within a given role e.g.:
<InputEndpoint name="Endpoint1" protocol="http" port="8080" />
So this clarifies that Remote Desktop port 3389 (and any other port for that matter) is not opened publicly unless specifically listed in this file.
This is part of the wider security best practices employed by Windows Azure. Read more in the Whitepaper - Security Best Practices For Developing Windows Azure Applications.
Remote Desktop access is implemented as role plug-ins, which are Microsoft-provided extensions to the service model for Windows Azure deployments. At runtime the Windows Azure Fabric applies the endpoint changes that would otherwise have to be made by hand in the service definition. It also makes the necessary changes to the underlying VM instances.
There are two role plug-ins. The first, "RemoteAccess", must be specified for a given role to allow Remote Desktop to its instances. The second, "RemoteForwarder", sets up a TCP socket listener for a given role, which itself listens on port 3389. It opens a 3389 endpoint for only one role in a hosted service. When the forwarder receives a request it forwards it to the appropriate instance (remember a role can have multiple instances).
<Import moduleName="RemoteAccess" />
<Import moduleName="RemoteForwarder" />
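To see what a service definition actually exposes, here is an added example (not from the original post or from Microsoft) that parses a constructed ServiceDefinition.csdef and lists the publicly reachable ports per role, counting the 3389 listener that the RemoteForwarder import adds. The service and role names are made up; the schema namespace is the standard csdef one.

```python
import xml.etree.ElementTree as ET

# Constructed sample ServiceDefinition.csdef (not from the original post): two roles,
# both opted into RemoteAccess, but only the web role importing RemoteForwarder.
SAMPLE_CSDEF = """<?xml version="1.0" encoding="utf-8"?>
<ServiceDefinition name="ContosoService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="WebRole1">
    <Endpoints>
      <InputEndpoint name="Endpoint1" protocol="http" port="8080" />
    </Endpoints>
    <Imports>
      <Import moduleName="RemoteAccess" />
      <Import moduleName="RemoteForwarder" />
    </Imports>
  </WebRole>
  <WorkerRole name="WorkerRole1">
    <Imports>
      <Import moduleName="RemoteAccess" />
    </Imports>
  </WorkerRole>
</ServiceDefinition>
"""

NS = {"sd": "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition"}
RDP_PORT = 3389


def _roles(root):
    # Both role kinds are direct children of <ServiceDefinition>.
    return root.findall("sd:WebRole", NS) + root.findall("sd:WorkerRole", NS)


def public_ports(csdef_xml):
    """Map role name -> sorted (port, protocol, source) tuples reachable from the Internet.
    Declared <InputEndpoint>s count; so does 3389 when the role imports RemoteForwarder."""
    result = {}
    for role in _roles(ET.fromstring(csdef_xml)):
        ports = [(int(ep.get("port")), ep.get("protocol"), "InputEndpoint")
                 for ep in role.findall("sd:Endpoints/sd:InputEndpoint", NS)]
        modules = {imp.get("moduleName") for imp in role.findall("sd:Imports/sd:Import", NS)}
        if "RemoteForwarder" in modules:
            ports.append((RDP_PORT, "tcp", "RemoteForwarder"))
        result[role.get("name")] = sorted(ports)
    return result


def forwarder_roles(csdef_xml):
    """Roles importing RemoteForwarder; a valid service definition has at most one."""
    return [r.get("name") for r in _roles(ET.fromstring(csdef_xml))
            if any(i.get("moduleName") == "RemoteForwarder"
                   for i in r.findall("sd:Imports/sd:Import", NS))]
```

For the firewall question this means the only outbound rule needed for RDP is TCP 3389 to the hosted service's public address, and only because one role carries the RemoteForwarder import.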
Or indeed see the Windows Azure Platform Training Kit (Remote Desktop Lab).