Published: November 2025 | Category: Networking & Security
The most dangerous configuration in cloud networking is placing a Windows or Linux server that requires RDP or SSH access directly into a public subnet. Doing so essentially places your server on the front porch of the internet, waiting for the first automated bot to brute-force its credentials. In this post, we will dissect the 3-Tier VPC Architecture—the industry-standard blueprint for isolating compute resources while maintaining administrative access.
A secure VPC should be segmented into three distinct layers, each with its own route table and security posture:
When you move an RDP-enabled Windows server into a Private Application Subnet, you immediately face a connectivity problem: you cannot RDP into a server that has neither a public IP nor a path to the internet. This is where the Bastion Host (or Jump Box) or an Identity-Aware Proxy (IAP) enters the picture.
A Bastion host is a highly hardened, minimal instance placed in the Public Subnet. It acts as the gatekeeper. The workflow for an administrator looks like this:
When you are debugging RDP connectivity, 90% of the time, the issue lies in the Route Table or Network ACL (NACL) configuration. Even if your Security Group allows port 3389, if the Route Table does not know how to return the traffic, the packet will simply drop into the void.
Common troubleshooting steps:
```hcl
# Conceptual Terraform logic for SG chaining: the app server's security group
# admits RDP only from members of the bastion's security group, never from a CIDR.
# Assumes aws_security_group.bastion_sg and aws_vpc.main are declared elsewhere;
# without vpc_id the group would land in the default VPC instead of this one.
resource "aws_security_group" "private_app_server" {
  name        = "private-app-server"
  description = "RDP reachable only through the bastion security group"
  vpc_id      = aws_vpc.main.id

  ingress {
    from_port       = 3389
    to_port         = 3389
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion_sg.id] # Only the bastion can reach me
  }
}
```
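To make the troubleshooting advice and the SG chaining snippet above concrete, here is an added Python model (not code from the original post) of how stateful security groups, stateless NACLs and route tables combine on the bastion-to-app-server path. The VPC topology, addresses, group names and gateway IDs are constructed sample data. It reproduces the chained security group from the Terraform snippet and shows the classic failure the post warns about: the app subnet's NACL admits 3389 inbound, the security group looks right, yet the session dies because nothing allows the reply on the ephemeral ports.

```python
"""Offline model of stateful security groups, stateless network ACLs and route
tables: why RDP from a bastion to a private app server can still fail when the
app server's SG admits 3389. All hosts, CIDRs and gateway IDs are constructed."""
import ipaddress
from dataclasses import dataclass, field

# NACLs need an explicit allow for reply ports; 1024-65535 covers Windows (49152+)
# and Linux (32768+) clients.
EPHEMERAL = (1024, 65535)

@dataclass
class SGRule:
    from_port: int
    to_port: int
    cidr: str = ""       # source is either a CIDR ...
    source_sg: str = ""  # ... or another SG's name (SG chaining)

@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)  # stateful: replies are implied

@dataclass
class NaclRule:          # evaluated lowest number first; no match = deny
    number: int
    action: str          # "allow" or "deny"
    from_port: int
    to_port: int
    cidr: str            # remote address range the rule applies to

@dataclass
class Subnet:
    name: str
    routes: dict         # destination CIDR -> "local", "igw-..." or "nat-..."
    nacl_in: list
    nacl_out: list

@dataclass
class Instance:
    name: str
    ip: str
    subnet: Subnet
    sgs: list

def _in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def sg_allows(dst: Instance, src: Instance, port: int) -> bool:
    """Stateful check: does any ingress rule on dst admit src on this port?"""
    src_groups = {g.name for g in src.sgs}
    return any(r.from_port <= port <= r.to_port
               and ((r.cidr and _in_cidr(src.ip, r.cidr)) or r.source_sg in src_groups)
               for g in dst.sgs for r in g.ingress)

def nacl_allows(rules: list, remote_ip: str, lo: int, hi: int) -> bool:
    """Stateless check: the first rule matching remote_ip and covering lo..hi decides."""
    for r in sorted(rules, key=lambda r: r.number):
        if _in_cidr(remote_ip, r.cidr) and r.from_port <= lo and hi <= r.to_port:
            return r.action == "allow"
    return False

def diagnose_rdp(src: Instance, dst: Instance, port: int = 3389) -> list:
    """Every reason a TCP session src -> dst:port would drop; [] means the path is open."""
    problems = []
    if not sg_allows(dst, src, port):
        problems.append(f"{dst.name}: no SG rule admits {src.name} on {port}")
    # NACLs are stateless: request and reply each need a rule on both subnets.
    if not nacl_allows(src.subnet.nacl_out, dst.ip, port, port):
        problems.append(f"{src.subnet.name} NACL: egress to {dst.ip}:{port} denied")
    if not nacl_allows(dst.subnet.nacl_in, src.ip, port, port):
        problems.append(f"{dst.subnet.name} NACL: ingress from {src.ip} on {port} denied")
    if not nacl_allows(dst.subnet.nacl_out, src.ip, *EPHEMERAL):
        problems.append(f"{dst.subnet.name} NACL: reply to {src.ip} on ephemeral ports denied")
    if not nacl_allows(src.subnet.nacl_in, dst.ip, *EPHEMERAL):
        problems.append(f"{src.subnet.name} NACL: reply from {dst.ip} on ephemeral ports denied")
    # Route table: the reply needs a route covering the requester's address.
    if not any(_in_cidr(src.ip, c) for c in dst.subnet.routes):
        problems.append(f"{dst.subnet.name} route table: no route back to {src.ip}")
    return problems

def publicly_exposed(inst: Instance, port: int = 3389) -> bool:
    """True when port is open to 0.0.0.0/0 AND the subnet routes to an internet gateway."""
    world = any(r.cidr == "0.0.0.0/0" and r.from_port <= port <= r.to_port
                for g in inst.sgs for r in g.ingress)
    return world and any(t.startswith("igw-") for t in inst.subnet.routes.values())

# --- constructed sample topology: 10.0.0.0/16 VPC, gateway IDs are placeholders ---
bastion_sg = SecurityGroup("bastion_sg", [SGRule(3389, 3389, cidr="203.0.113.0/24")])  # office
app_sg = SecurityGroup("app_sg", [SGRule(3389, 3389, source_sg="bastion_sg")])       # chained
allow_all = [NaclRule(100, "allow", 0, 65535, "0.0.0.0/0")]
public = Subnet("public", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"},
                allow_all, allow_all)
private_routes = {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-PLACEHOLDER"}
private_in = [NaclRule(100, "allow", 3389, 3389, "10.0.1.0/24")]
broken_out = [NaclRule(100, "allow", 443, 443, "0.0.0.0/0")]  # HTTPS only: SYN-ACK dropped
fixed_out = broken_out + [NaclRule(110, "allow", *EPHEMERAL, "10.0.1.0/24")]

bastion = Instance("bastion", "10.0.1.10", public, [bastion_sg])
app_broken = Instance("app", "10.0.2.20", Subnet("private_app", private_routes, private_in, broken_out), [app_sg])
app_fixed = Instance("app", "10.0.2.20", Subnet("private_app", private_routes, private_in, fixed_out), [app_sg])

if __name__ == "__main__":
    print("broken:", diagnose_rdp(bastion, app_broken) or "OK")
    print("fixed:", diagnose_rdp(bastion, app_fixed) or "OK", "| exposed:", publicly_exposed(app_fixed))
```

Running it reports a single finding for the broken NACL (the private subnet's outbound rules never allow the reply to the bastion on the ephemeral ports) and OK once rule 110 is added; `publicly_exposed` stays False because the app group references the bastion group rather than a CIDR and the private route table has no internet gateway. For an SSM-managed instance the ingress list would be empty and the model would report no inbound path at all, which is the intended state, since that session rides the agent's outbound HTTPS connection rather than an open port.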
Bastion hosts are effective, but they add management overhead—you have to patch the Bastion host, monitor it, and rotate its keys. Cloud-native alternatives like GCP Identity-Aware Proxy (IAP) or AWS Systems Manager (SSM) Session Manager eliminate the need for bastion hosts entirely.
With SSM Session Manager, you don't even need to open port 3389 or 22 on your instances. The connection is tunneled through the cloud provider's internal API control plane. This is the gold standard for secure, zero-exposure remote management. It eliminates the public surface area completely—there is no RDP port to scan, and therefore, nothing to brute force.
Never prioritize convenience over network isolation. If you find yourself placing a database or a management interface in a public subnet, pause and re-evaluate your architecture. By utilizing Bastion hosts with Security Group chaining, or modern tunnel-based tools like SSM Session Manager, you can maintain full administrative control while keeping your compute resources shielded from the chaotic nature of the public internet.
Author: Agu Chiedozie | Cloud Systems Architect