I'm looking for a way to secure the Azure portal so that only users connected to our company's VPN can access it. Specifically, I want to implement a firewall that allows access only from certain IP address ranges (CIDR). Are there any best practices or alternative solutions to achieve this?
5 Answers
One way to do this is by building jump servers that users can log onto via RDP. You can then restrict access to the Azure portal from those jump servers and block other connections directly from client machines or different networks.
You might want to look into using conditional access policies. They can help limit access effectively and could be the easiest way to restrict portal access to VPN connections.
If you're managing your Role-Based Access Control (RBAC) properly, I don't really see the necessity for this restriction. Logging into the portal on its own shouldn't be a security risk if everything's set up right.
Are you trying to protect access to 'portal.azure.com/tenantid'? If so, just blocking access with a VPN won't suffice. You could use conditional access for admin portals and CLIs, but prepare a plan for emergency access too!
Great point! It's crucial to have a backup plan in case of emergencies.
As a concept, you could create one jump server with access to Azure, so you'd only need to whitelist your company IPs. But just a heads up, this might not be cost-effective at scale and doesn’t really offer advantages over conditional access strategies.
Absolutely! Just make sure to exclude your 'break glass' account from the policy to retain emergency access.
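The conditional access approach suggested in several answers above, as an added example that is not from the thread: it builds the Microsoft Graph request bodies for an IP named location (the VPN egress CIDRs) and a policy that blocks the management application outside that location while excluding the break-glass account, and it dry-runs the resulting logic locally before anything is sent. The CIDRs, user id and application id are constructed placeholders.

```python
import ipaddress

# Constructed sample values (not from the thread); replace with your own.
VPN_EGRESS_CIDRS = ["203.0.113.0/24", "198.51.100.8/29"]       # placeholder TEST-NET ranges
BREAK_GLASS_USER_ID = "00000000-0000-0000-0000-00000000beef"    # placeholder object id
MGMT_APP_ID = "<azure-management-app-id>"  # placeholder for the app id/alias of the Azure portal

def named_location_body(name, cidrs):
    """Graph ipNamedLocation request body for the VPN egress ranges.
    ip_network(strict=True) rejects typos such as host bits set in the prefix."""
    ranges = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": name, "isTrusted": True, "ipRanges": ranges}

def policy_body(location_id, break_glass_ids):
    """Graph conditionalAccessPolicy body: block the management app from every
    location except the named VPN location; break-glass accounts are excluded so
    the policy can never lock them out."""
    return {
        "displayName": "Block Azure portal outside corporate VPN",
        # Start in report-only, review the sign-in logs, then switch to "enabled".
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": [MGMT_APP_ID]},
            "locations": {"includeLocations": ["All"], "excludeLocations": [location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }

def would_block(policy, vpn_cidrs, user_id, source_ip):
    """Local dry run of the policy's decision once it is enabled:
    True if a sign-in by user_id from source_ip would be blocked."""
    if user_id in policy["conditions"]["users"]["excludeUsers"]:
        return False                                   # break-glass account is exempt
    ip = ipaddress.ip_address(source_ip)
    on_vpn = any(ip in ipaddress.ip_network(c) for c in vpn_cidrs)
    return not on_vpn                                  # blocked unless coming via the VPN

if __name__ == "__main__":
    policy = policy_body("<named-location-id>", [BREAK_GLASS_USER_ID])
    for user, ip in [("alice", "203.0.113.77"), ("alice", "192.0.2.10"),
                     (BREAK_GLASS_USER_ID, "192.0.2.10")]:
        print(user, ip, "blocked" if would_block(policy, VPN_EGRESS_CIDRS, user, ip) else "allowed")
```

Review the report-only sign-in log entries for unexpected blocks (VPN egress ranges that were missed, IPv6 egress, split tunnelling) before changing the state to enabled.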