RDP over Port 80, Load Balancer NAT Rules, Backup Snapshots, and Basic Hardening – Step-by-Step
When you’re deploying a Windows Server in Microsoft Azure for remote access, the typical approach involves using RDP over the default port 3389. But what if you want to map RDP to port 80, the most commonly open port on firewalls? And how do you ensure that the system is hardened properly without relying on IP restrictions?
This guide walks you through a full scenario:
- Creating a Windows Server VM with 2 vCPUs and 8 GB RAM
- Mapping port 80 → 3389 using an Azure Load Balancer NAT rule
- Creating a daily backup script using snapshots
- Hardening the system with practical Windows Server settings
Let’s walk through it step by step.
☁️ Step 1: Create the Windows Server VM
We’ll use the Azure CLI for a fast and repeatable setup. You can run this either:
- In your local terminal (after running az login)
- Or in the Azure Cloud Shell inside the Azure Portal (recommended for speed)
➤ Configure and Deploy
# Variables
RESOURCE_GROUP="quick-vm-rg"
LOCATION="westeurope"
VM_NAME="quickvm"
USERNAME="azureuser"
PASSWORD="yourSecureP@ssword123" # Use a strong one!
PUBLIC_IP="quickvm-ip"
LB_NAME="quickvm-lb"
BACKEND_POOL="quickvm-bepool"
NAT_RULE="rdp-port80"
NSG_NAME="quickvm-nsg"
NIC_NAME="quickvm-nic"
VNET_NAME="vnet-quickvm"
SUBNET_NAME="subnet-quickvm"
➤ Create Resources
# Resource Group
az group create --name "$RESOURCE_GROUP" --location "$LOCATION"

# Public IP Address
az network public-ip create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$PUBLIC_IP" \
  --sku Basic \
  --allocation-method Static

# Virtual Network and Subnet
az network vnet create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$VNET_NAME" \
  --subnet-name "$SUBNET_NAME"

# Network Security Group + Allow Inbound RDP
# NSG rules are evaluated after the load balancer has translated port 80 to 3389,
# so the rule has to allow the backend port 3389, not the frontend port 80.
az network nsg create --resource-group "$RESOURCE_GROUP" --name "$NSG_NAME"
az network nsg rule create \
  --resource-group "$RESOURCE_GROUP" \
  --nsg-name "$NSG_NAME" \
  --name allow-rdp-via-lb \
  --priority 1001 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --destination-port-ranges 3389 \
  --source-address-prefixes '*' \
  --destination-address-prefixes '*'

# NIC
az network nic create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$NIC_NAME" \
  --vnet-name "$VNET_NAME" \
  --subnet "$SUBNET_NAME" \
  --network-security-group "$NSG_NAME"

# Load Balancer
az network lb create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$LB_NAME" \
  --sku Basic \
  --frontend-ip-name frontend \
  --backend-pool-name "$BACKEND_POOL" \
  --public-ip-address "$PUBLIC_IP"

# Inbound NAT Rule: External Port 80 → Internal Port 3389
az network lb inbound-nat-rule create \
  --resource-group "$RESOURCE_GROUP" \
  --lb-name "$LB_NAME" \
  --name "$NAT_RULE" \
  --protocol Tcp \
  --frontend-port 80 \
  --backend-port 3389 \
  --frontend-ip-name frontend

# Attach NAT Rule to NIC
az network nic ip-config inbound-nat-rule add \
  --resource-group "$RESOURCE_GROUP" \
  --nic-name "$NIC_NAME" \
  --ip-config-name ipconfig1 \
  --lb-name "$LB_NAME" \
  --inbound-nat-rule "$NAT_RULE"
➤ Create the VM
# Quote the variables so special characters in the password survive the shell
az vm create \
  --resource-group "$RESOURCE_GROUP" \
  --name "$VM_NAME" \
  --image Win2022Datacenter \
  --size Standard_D2s_v3 \
  --admin-username "$USERNAME" \
  --admin-password "$PASSWORD" \
  --nics "$NIC_NAME" \
  --license-type Windows_Server
💻 Step 2: Connect via RDP on Port 80
After deployment completes, get your IP:
az network public-ip show \
  --resource-group "$RESOURCE_GROUP" \
  --name "$PUBLIC_IP" \
  --query ipAddress \
  --output tsv
You can now connect via RDP using your Remote Desktop client:
mstsc /v:YOUR_PUBLIC_IP:80
You’ll be prompted for the username (azureuser) and the password you defined earlier.
💾 Step 3: Backup with Snapshot Script
Creating a daily snapshot is an excellent way to safeguard your system before major updates or configuration changes. Here’s a ready-to-go script.
📄 snapshot.sh
#!/bin/bash
# Create a dated snapshot of the VM's OS disk; stop on the first error.
set -euo pipefail

SNAPNAME="quickvm-snapshot-$(date +%Y-%m-%d)"

# Look up the name of the OS disk attached to the VM
DISK=$(az vm show \
  --resource-group quick-vm-rg \
  --name quickvm \
  --query "storageProfile.osDisk.name" \
  --output tsv)

az snapshot create \
  --resource-group quick-vm-rg \
  --name "$SNAPNAME" \
  --source "$DISK"

echo "✅ Snapshot created: $SNAPNAME"
➤ Usage
chmod +x snapshot.sh
./snapshot.sh
This will create a snapshot named like quickvm-snapshot-2025-05-11, which you can later restore or convert into a disk.
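A retention check for the dated snapshots that snapshot.sh creates, added here as an example and not part of the original script. The function name `expired_snapshots`, the 7-day window and the sample names are assumptions, and the date arithmetic relies on GNU `date -d`.

```shell
#!/bin/sh
# Added example: choose which dated snapshots are past a retention window.
# expired_snapshots and the 7-day window are assumptions for illustration.

PREFIX="quickvm-snapshot-"   # naming scheme used by snapshot.sh

# Usage: <names on stdin> | expired_snapshots KEEP_DAYS [TODAY as YYYY-MM-DD]
# Prints names that match PREFIX + date and are older than KEEP_DAYS.
expired_snapshots() {
  keep_days=$1
  today=${2:-$(date -u +%Y-%m-%d)}
  # GNU date: oldest day that is still inside the retention window
  cutoff=$(date -u -d "$today $keep_days days ago" +%Y%m%d) || return 1

  while IFS= read -r name; do
    case $name in
      "$PREFIX"[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
        stamp=$(printf '%s' "${name#"$PREFIX"}" | tr -d '-')
        if [ "$stamp" -lt "$cutoff" ]; then
          printf '%s\n' "$name"
        fi
        ;;
      *)
        # Not created by snapshot.sh (manual or renamed copies): never select.
        ;;
    esac
  done
}

# Constructed sample list standing in for:
#   az snapshot list --resource-group quick-vm-rg --query "[].name" --output tsv
sample_names() {
  printf '%s\n' \
    quickvm-snapshot-2025-05-01 \
    quickvm-snapshot-2025-05-04 \
    quickvm-snapshot-2025-05-10 \
    manual-golden-image \
    quickvm-snapshot-2025-05-01-copy
}

# Dry run against the sample, with "today" pinned to 2025-05-11
sample_names | expired_snapshots 7 2025-05-11
```

In real use, pipe the `az snapshot list` output into the function, review the printed names, and only then pass each one to `az snapshot delete --resource-group quick-vm-rg --name <name>`.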
🔐 Step 4: Hardening the Server
Even without IP-based filtering, you can reduce attack surface dramatically by hardening the system from within.
➤ Enable Windows Defender Real-Time Protection
Set-MpPreference -DisableRealtimeMonitoring $false
➤ Disable SMBv1
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
➤ Disable Built-in Administrator
net user administrator /active:no
➤ Enable Login Auditing
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
➤ Force Idle Session Timeout (30 min)
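# The registry provider needs the HKLM: drive prefix; -Force overwrites the value if it already exists
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" `
  -Name "MaxIdleTime" -Value 1800000 -PropertyType DWord -Force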
➤ Apply All Windows Updates
Use the built-in config tool:
sconfig
Choose Option 5 and install all recommended updates.
✅ Recap
You now have:
- A minimal and functional Windows Server VM in Azure
- RDP over Port 80, via Load Balancer NAT rule
- Snapshot-based backups you control
- Hardening steps that don’t rely on IP filtering
This setup is ideal for:
- Temporary test environments
- External demos
- Emergency remote servers
- Quick & controlled infrastructure experiments