Reading Time: 4 minutes
Follow by Email

In this article, I am going to walk through how to setup an Azure Load Balancer to allow you to connect to multiple VM’s using just one public IP address. The benefits of this, are not only the small cost saving but it also gives us better security due to the default RDP port 3389 not being opened to the internet.

The below steps are only achievable if you already have an availability group with some VM’s already setup and have RDP setup ready for connections.

Create the Load Balancer

Log in to your Azure Subscription by going to

Click the green + and then Search for Load Balancer

Click Load Balancer

Click Create

Enter a Name for the Load Balancer.

Click on Choose a public IP Address

Click Create New

Enter a name for the public IP address. Select either dynamic or static for the assignment and then click OK

Select the Subscription you would like to use, select the resource group that the VM’s are in, and select a location. Once this has been filled in click Create

Configure The Load Balancer

Navigate to the Load Balancer we have just created.

Click the load balancer and then click Inbound NAT Rules

Click Add

Enter a Name, select the Frontend IP address if needed. Under Service select RDP. Under Port change it to a port you want to use to connect to a VM. I am going to use 55001.

Under Associated to select Availability set. Then a new box will appear called Availability set. In here select the availability set that has your VM’s in.

Under Target virtual machine select the VM you want to be able to RDP to. A new box will appear called Network IP configuration select the IP address you have RDP listening on.

Enter Port mapping select Custom two new items will appear. The first one Floating IP (direct server return) leave as disabled. The second one Target port enter the RDP port 3389

Click OK

The Inbound NAT rule will then be created.

To allow RDP to other VM’s in your availability set just repeat the above steps but change the Name and Port.

You should now see all of your NAT rules.

Test The Load Balancer

Open Remote Desktop on a computer that has internet access.

In the Computer box enter the Public IP address of the load balancer. Under Destination in the above picture. Followed by a : and the Port of the VM you want to connect to. So in this blog it would be to connect to PIXEL-TEST01.

Click Connect

A box will appear asking for your password. Enter that and then click OK

Accept the certificate warning box. You can put a tick in the Don’t ask me again box if you like.

You now have access to your VM in a secure way.

And that’s it you have now created your new Load Balancer and tested your inbound NAT rules.

I hope you found this article helpful. If you have any questions please leave a comment.

Follow by Email

Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.


Sundaram Ramakrishnan · December 5, 2017 at 5:07 pm

Thanks for this helpful article.
My scenario is, my VMs are within a Virtual Network and Load Balancer.
I have white listed my machine’s IP in the Nework Security Group.
But still I’m not able to RDP my VMs from my machine.
Please help

Sundaram Ramakrishnan · December 5, 2017 at 5:08 pm

Thanks for this helpful article. My scenario is, my VMs are within a Virtual Network and Load Balancer. I have white listed my machine’s IP in the Nework Security Group. But still I’m not able to RDP my VMs from my machine, by FOLLOWING THE ABOVE STEPS. Please help

    Pixel Robots. · December 5, 2017 at 5:50 pm

    How have you set your inbound ports on the NSG? Feel free to email me for further help.

Pavan Muppidi · February 28, 2018 at 2:09 am

I’m able to connect to VM1. (PublicIP:VM1Port)
I am unable to connect to VM2. (PublicIP:VM2Port).
If I stop the VM1 the public IP is not available.
Please advise.
Note: Able to RDP VM2 with its direct IP from VM1.

    Pixel Robots. · February 28, 2018 at 9:03 pm

    If you send me an email with a screenshot of your load balancer setup I will happily help you.

Lee Gratton · March 10, 2018 at 1:13 pm

I’m confused by this. When creating the LB and then creating the NAT rules, you are specifying particular ports per VM. So when connecting to the LB via RDP, and specifying the port, you are still only connecting to that one VM. Surely the purpose of the LB is to select either VM via the LB IP address?

    Pixel Robots. · March 10, 2018 at 1:26 pm


    The use of the Load Balancer is to use one IP address (the Load Balancer) instead of one IP address per VM. The way the Load Balancer works you need to map one port to per VM. So, in essence, you can connect to multiple VM’s via one IP address, you just need to change the port of the VM you like.

    I hope that makes more sense. Please reply if you need any more help.


    Pixel Robots.

Rob Burns · July 30, 2019 at 1:57 pm

I agree with Lee Gratton that the load balancer should be able to load balance between multiple backend VM’s using a connection to the public IP and a single port#. You should not need to use other port numbers, unless you specifically need to connect to a specific backend server for maintenance etc. The reason I believe this is the case is that the Microsoft examples of load balancing in Azure use web traffic as the application- you can go to a single public IP on port 80, and the traffic is balanced across multiple backend servers. If it works for port 80, why not for RDP?

Dude · October 20, 2019 at 7:09 am

Why would I not use a load balancing rule with a public FE-IP that listens to RDP-338p and fwds is to 3389 on a specific VM (backend pool)

Trying to understand the difference in using the NAT to translate publc ip 3389 to private ip 3389, vs using a Load balancer rule.

Initially I thought the rule will only work with fe-pub to BE-pub and not FE-pub to BE-private.. but it can work like that by accepting the rule in the config with public to private.

Dhawal Baranwal · April 23, 2021 at 8:43 am

Just curious to know what can is the need of such scenario, If we have to just RDP to the VMs can’t we use bastion service ? which is more reliable and secure?

Pixel Robots. · April 30, 2021 at 12:28 pm

Hey, this blog post was created way back in 2017. Azure bastion was not a thing then. But you are right go with Bastion if you can.

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *