Assumptions
- You have already completed Enable Internet Access into a VDC.
- Subnet containing the VM: 192.168.2.0/24
- IP Address of VM: 192.168.2.100
- Edge gateway address: 119.252.74.161
Overview
In this article we will configure a VDC with an Edge gateway (applies to Basic Internet and Advanced NSX Edges) to allow remote RDP access from the internet to a Windows VM on a private subnet attached to the Edge.
- In order to configure remote RDP access to the Windows VM, you should already have configured internet access for the VM or its subnet.
- We will build upon the internet access rules by adding 1 new firewall rule and 2 new NAT rules to the uplink network.
Configuration
All configuration items will be applied against the uplink network. You must identify both the external IP address of the Edge gateway and the internal IP address of the VM for which you wish to provide RDP access. The internal VM IP address will belong to the subnet previously assigned to one of your vNICs.
1. Identify Edge gateway IP address
The gateway address can be found by navigating to your VDC service in MyAccount. The IP is listed under the Networking heading at the top of the page, as shown below:
To configure NAT and firewall rules, you'll need to log into the vCloud portal (click 'Login into Cloud Director' from the Manage dropdown), then access Networking - Edge Gateways from the top menu.
2. NAT Rules
We are adding 2 x DNAT rules to the uplink network. Click on Services - NAT and click 'New'. You will be configuring the following rules:
DNAT #1 (TCP)
- Name: RDP - Inbound
- Interface Type: DNAT (Destination NAT)
- External IP: 119.252.X.X
- External Port: 3389 (Target port for external connections)
- Internal IP: 192.168.2.100
- Application (Internal Port): 3389
3. IP Set
In order to reference the VM's IP in the firewall rule on our uplink network, we'll need to create an IP Set or Static Group. Navigate to Security - IP Sets and click 'New'. We'll be naming this IP Set 'RDP Server' and setting the IP as 192.168.2.100.
4. Firewall Rule
Add a firewall rule to the uplink network: navigate to Services - Firewall and click the Edit Rules button. The rule we are about to configure will allow incoming TCP and UDP traffic on port 3389 from the internet into your VDC network. The NAT rules configured in the previous step will then direct this traffic to the desired VM.
Firewall rules are applied to traffic in the order they are listed on the page. Once traffic has matched a rule, the packet is processed and no further rules are examined, so the order of rules is important: in general your most specific rules should come first, with the most general rules last.
Click 'New on Top' to start editing the new firewall rule.
Rule
- Name: RDP - Inbound
- Applications: Blank (Use this to specify which port the connection is expected to come from.)
- Source IP: Any
- Source Port: Any (Or you can create an IP Set for where you want connections to come from)
- Destination IP: RDP Server
- IP Protocol: IPv4
5. Complete
You should now be able to RDP to the external IP of the VDC and reach your Windows VM. To access multiple VMs, some options include:
- Create a jumpbox in your virtual environment which you RDP into, and then RDP to other machines from there; OR
- Enable RDP on a different port on each of your VMs in your private network and NAT those through the firewall.