Microsoft Certified: Azure Fundamentals (AZ-900) 2026 – 400 Free Practice Questions to Pass the Exam

Your selection is indeed aligned with the correct approach to controlling access for Remote Desktop Protocol (RDP) to virtual machines using Network Security Groups (NSGs).

Network Security Groups (NSGs) function as a set of security rules that permit or deny inbound and outbound traffic to resources in Azure. When it comes to RDP, which typically uses TCP port 3389, you can enhance security by restricting access solely to specific IP addresses. This means that only users accessing the virtual machine from those approved IP addresses will be able to establish an RDP session. This method significantly reduces the attack surface and improves the security posture of the VM by minimizing the chances of unauthorized access from unspecified or potentially malicious sources.

While blocking all public traffic might seem like a security measure, it would prevent legitimate access via RDP entirely, making it infeasible for any remote management of the virtual machine. Allowing RDP on a different port does not effectively secure RDP access since if an attacker knows the port, they can still attempt unauthorized access. Finally, creating a separate management network could enhance overall network security but does not directly control RDP access; it complicates the network architecture without solving the specific problem of RDP access control.