I have a hub-and-spoke topology made up of a central VNet and then peered VNets. Inside each peered VNet is a VM.
I want to allow RDP access to the VM (which is AAD-joined) via AAD authentication. AAD auth needs to be restricted via CAP.
This, it turns out, may be tricky.
Option 1: I had hoped to place an Azure load balancer inside the hub and assign a single IP address to it. In my AAD I would then add a CAP for this IP. This would then allow me to RDP (via a jump box in the hub) onto each spoke VM.
Alas, Azure load balancer doesn't support peered VNets.
Option 2: I considered using Bastion to access the VNets... but Bastion doesn't support AAD or peered networks. So that's useless.
Option 3: I could stick a public IP on each VM (and allow only outbound traffic via an NSG), with all public IPs using a prefix to simplify CAP. Although this rather confusing article https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=/azure/virtual-network/toc.json#networking-limits seems to imply that the number of public IPs is restricted per subscription (to 10 for Basic!?!). Here I'd use IP prefixes to simplify CAP to a known range.
Option 4: I could introduce a virtual appliance. This sounds horrid and requires management etc.
Are there other options I've missed (I almost certainly have)?
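For Option 3, the part that is easy to get subtly wrong is keeping the CAP named location in step with the public IP prefix the VMs actually draw from: a VM that ends up with a public IP outside the prefix is silently blocked (or, if someone widens the CAP to "fix" it, the policy stops being tight). The following is an added example, not code from the original post: it validates a planned prefix against the sizes Azure allocates (assumed /28 to /31 for IPv4, per the public IP prefix docs), lists any spoke VM whose public IP falls outside it, and builds the Microsoft Graph ipNamedLocation body you would POST to /identity/conditionalAccess/namedLocations for the CAP. The prefix, VM names and addresses are constructed sample values, and the submission to Graph itself is not included.

```python
import ipaddress
import json

# Constructed sample data (not the poster's real values): a hypothetical
# Azure public IP prefix and the public IPs handed out to the spoke VMs.
# spoke3-vm is deliberately given an address outside the prefix.
PUBLIC_IP_PREFIX = "203.0.113.16/28"
SPOKE_VM_PUBLIC_IPS = {
    "spoke1-vm": "203.0.113.17",
    "spoke2-vm": "203.0.113.18",
    "spoke3-vm": "203.0.113.40",
}


def validate_prefix(prefix: str) -> ipaddress.IPv4Network:
    """Return the prefix as an IPv4Network, rejecting anything Azure would not
    allocate as a public IP prefix (assumption: /28 to /31 for IPv4)."""
    net = ipaddress.ip_network(prefix, strict=True)  # strict: host bits must be zero
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{prefix}: only IPv4 prefixes are handled here")
    if not 28 <= net.prefixlen <= 31:
        raise ValueError(f"{prefix}: Azure public IP prefixes are /28 to /31")
    return net


def ips_outside_prefix(prefix: str, vm_ips: dict) -> list:
    """Names of VMs whose public IP is not inside the prefix the CAP will allow.
    Anything returned here will fail the CAP location check once it is enforced."""
    net = validate_prefix(prefix)
    return sorted(
        name for name, ip in vm_ips.items()
        if ipaddress.ip_address(ip) not in net
    )


def named_location_body(display_name: str, prefix: str, trusted: bool = False) -> dict:
    """Build the Graph ipNamedLocation resource for the prefix. isTrusted is left
    False by default: a trusted location changes how other policies (e.g. MFA
    exemptions) evaluate, which is more than the RDP restriction here needs."""
    net = validate_prefix(prefix)
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": trusted,
        "ipRanges": [
            {"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": str(net)}
        ],
    }


if __name__ == "__main__":
    stray = ips_outside_prefix(PUBLIC_IP_PREFIX, SPOKE_VM_PUBLIC_IPS)
    if stray:
        print("VMs whose public IP is outside the CAP range:", ", ".join(stray))
    print(json.dumps(named_location_body("Spoke VM public prefix", PUBLIC_IP_PREFIX), indent=2))
```

Run it before creating the policy and again whenever a VM's public IP is reallocated; the named location's cidrAddress should always equal the prefix resource, never a hand-typed range.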