
I've been following the Microsoft Quick Start templates to create a VM ScaleSet with Windows VMs, as described here: https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/tutorial-create-and-manage-powershell.

I'm able to figure out the Public IP of the Scale Set's Load Balancer, as well as the inbound ports to use for RDP/3389, and to thus run `mstsc /v:a.b.c.d:nnnn`.

I get the "Initiating remote connection" pop-up. However, instead of the identity challenge dialog that should follow, I instead get the (normal, but not desired here) error popup "Remote Desktop can't connect to the remote computer for one of these reasons:". That's as if the VM is down, the network is blocking me, or RDP is turned off on the VM.

Can I assume that RDP is turned ON for the VM and that the Azure-side network route (as created in the PS pasted below) is correct? Do others face the same difficulty? If so, how do we RDP into these VMs?

PowerShell from sample doc (I use different names but it's the same command otherwise):

```powershell
$cred = Get-Credential
New-AzureRmVmss `
  -ResourceGroupName "myResourceGroup3" `
  -Location "EastUS" `
  -VMScaleSetName "myScaleSet3" `
  -VirtualNetworkName "myVnet3" `
  -SubnetName "mySubnet3" `
  -PublicIpAddressName "myPublicIPAddress3" `
  -LoadBalancerName "myLoadBalancer3" `
  -UpgradePolicyMode "Automatic" `
  -VmSize "Standard_F1" `
  -Credential $cred
```

Note that I'm using version 6.13.0 of the AzureRm cmdlets.

Howard Hoffman

1 Answer


The PowerShell commands should work, as you have created a VMSS successfully. This script also works well on my side. I suggest verifying the following about RDP connectivity on your side:

  • Verify that outbound port 3389 is not blocked by the firewall on the local machine, or by locally installed client proxy software or network monitoring software that is preventing Remote Desktop connections. You could try to RDP to another machine in the same local network. Or verify whether your corp network is blocking outbound port 3389. You could try to RDP to another Azure VM.
  • By default, an Azure VM is allowed to connect to RDP port 3389. You could check that you type the correct mapped port when you run `mstsc /v:a.b.c.d:nnnn`. You can find the specific port via the inbound NAT rules for each instance. You will see the specific port 5000 and target port 3389, as in my picture.


For more details, you could refer to troubleshoot Remote Desktop connections to an Azure virtual machine and Detailed troubleshooting steps for remote desktop connection issues to Windows VMs in Azure.

Nancy
  • Something else is happening; still no worky. To verify I wasn't fat-fingering anything, I ran these PS commands: `$ip=Get-AzureRmPublicIpAddress -Name myIpName -ResourceGroupName myRg` `$lb=Get-AzureRmLoadBalancer -Name myLb -ResourceGroupName myRg` `$rdp=$ip.IpAddress+':'+$lb.InboundNatPools[0].FrontendPortRangeStart` `mstsc /v:$rdp` I still don't get the Certificate challenge; just the same `Remote Desktop can't connect to the remote computer for one of these reasons` popup. I've also tried this from my home computer, on regular home network (not work VPN). Same result. – Howard Hoffman Mar 27 '19 at 13:28
  • The above outputs a wrong port for the 3389 mapping on my side. It's not `InboundNatPools`. You could use `$rdp=$ip.IpAddress+':'+$lb.InboundNatRules[0].FrontendPort`. You could also use `Get-AzLoadBalancerInboundNatRuleConfig -LoadBalancer $lb | Select-Object Name,Protocol,FrontEndPort,BackEndPort` to check all inbound NAT port mappings. – Nancy Mar 28 '19 at 03:14
  • It looks like the above commands do not create a NetworkSecurityGroup and that is what’s needed. I will post back when I have confirmed. – Howard Hoffman Mar 29 '19 at 02:01
  • In your original question, you have not mentioned you want to create an NSG, also about the RDP error, it is the wrong nat port you try to connect with. You may consider accepting this answer? If you want to add an NSG associating with VMSS subnet, you need to open port 3389 in the inbound rule. – Nancy Apr 01 '19 at 06:06
  • It does turn out that you _need_ a NetworkSecurityGroup (NSG) in order to RDP. I did not _want_ necessarily to create an NSG, but found that it was required in order to enable RDP into the created VMs. Thanks for your help. The Cmdlet in the doc won't work as described -- for RDP access. Even though the documentation states an NSG is created, that is not the case. You have to create one yourself. When you do create the NSG, RDP works as expected. – Howard Hoffman Apr 16 '19 at 21:30
  • I don't think you need an NSG to enable RDP. An NSG is just like a firewall; you can add it or not. It's not necessary. I have verified that the cmdlets in the doc are correct. The problem is the wrong script in your first comment. You just refer to a wrong NAT rule mapping port for 3389. Do you really use the script from your first comment to make it work? Like, using `InboundNatPools` instead of `InboundNatRules`? You should use `$lb.InboundNatRules[0].FrontendPort` as in my reply. – Nancy Apr 17 '19 at 05:52
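
A diagnostic example for the two checks raised in this thread (which frontend port maps to 3389, and which NSG rules cover that port), added here and not code from either poster or from the Microsoft tutorial. It selects NAT rules by backend port rather than by list index; the function names, the sample objects and their values (documentation-range IP addresses, ports, rule names) are constructed assumptions.

```powershell
# Added example. Function names and sample values are hypothetical/constructed.
function Test-PortInRange {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    $lo, $hi = $Range -split '-', 2          # '3389' or '3000-4000'
    if (-not $hi) { $hi = $lo }
    return ($Port -ge [int]$lo -and $Port -le [int]$hi)
}

# One "ip:port" endpoint per NAT rule whose backend port is RDP.
function Get-RdpEndpoint {
    param($LoadBalancer, [string]$PublicIp, [int]$BackendPort = 3389)
    $LoadBalancer.InboundNatRules |
        Where-Object { $_.BackendPort -eq $BackendPort } |
        ForEach-Object { '{0}:{1}' -f $PublicIp, $_.FrontendPort }
}

# Inbound NSG rules that cover the port, in evaluation (priority) order.
function Get-NsgRuleForPort {
    param($Nsg, [int]$Port = 3389)
    if (-not $Nsg) { return }                 # no NSG object supplied
    $Nsg.SecurityRules |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Where-Object { @($_.DestinationPortRange |
            Where-Object { Test-PortInRange $_ $Port }).Count -gt 0 } |
        Sort-Object Priority |
        Select-Object Name, Priority, Access, SourceAddressPrefix
}

# Constructed sample objects shaped like the AzureRM output.
$lb = [pscustomobject]@{ InboundNatRules = @(
    [pscustomobject]@{ Name = 'winrm.0'; FrontendPort = 51000; BackendPort = 5985 }
    [pscustomobject]@{ Name = 'rdp.0';   FrontendPort = 50000; BackendPort = 3389 }
) }
$nsg = [pscustomobject]@{ SecurityRules = @(
    [pscustomobject]@{ Name = 'allow-rdp-admin'; Priority = 100; Direction = 'Inbound'
        Access = 'Allow'; DestinationPortRange = @('3389')
        SourceAddressPrefix = '203.0.113.10/32' }
) }
Get-RdpEndpoint -LoadBalancer $lb -PublicIp '198.51.100.7'
Get-NsgRuleForPort -Nsg $nsg

# Live use: pass objects from Get-AzureRmLoadBalancer and
# Get-AzureRmNetworkSecurityGroup, then probe each endpoint with
# Test-NetConnection -ComputerName <public ip> -Port <frontend port>.
```

An empty result from `Get-NsgRuleForPort` on a real NSG object means no inbound rule names the port, and an `Allow` rule with a broad `SourceAddressPrefix` means RDP is reachable from more than the admin address.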