You need to configure public IP addressing for four infrastructure virtual machines (VMs) that reside on an Azure virtual network (VNet).
Your solution must meet the following technical and business requirements:
* Minimize the VMs' attack surface
* Minimize administrative/maintenance complexity
* Minimize cost
What should you do?
You should assign a public IP address to a public load balancer and use inbound NAT rules to reach the VMs. This configuration satisfies all of the scenario requirements and adds several further benefits:
* Minimizes the number of Azure public IP addresses required (one, rather than one per VM)
* Hides the VMs' management ports behind the load balancer's NAT, so they are not directly addressable from the Internet
* Load balances traffic across the VMs if they are identically configured
You should not assign a public IP address to an Azure VPN Gateway and use a public load balancer to reach the VMs. Doing so requires far more infrastructure, cost, and management overhead than what is required to satisfy the requirements.
You should not assign a public IP address to each VM vNIC and use JIT VM Access to reach the VMs. JIT VM Access is a paid Azure Security Center feature that protects VM management ports. However, assigning a public IP address to the VMs potentially exposes other ports to the public Internet.
You should not assign a public IP address to each VM and use NSGs to reach the VMs. Deploying public IP addresses needlessly exposes the VMs to the Internet. Moreover, NSG configuration grows complex quickly when you bind them at the vNIC level.
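The recommended design as an Azure Bicep template, added here as an illustration and not part of the original question: one Standard public IP on a public load balancer with one inbound NAT rule per VM. Resource names, the 50000+ frontend port range and the management port are assumptions, and the four VM NICs are assumed to exist and to reference these NAT rules from their IP configurations elsewhere.

```bicep
// Added example (not from the original question). Assumed names and ports throughout.
param location string = resourceGroup().location
param lbName string = 'lb-infra'      // assumed name
param vmCount int = 4                 // the four infrastructure VMs
param mgmtPort int = 22               // assumed management port (3389 for Windows)

// A single Standard public IP is the only Internet-facing address in this design.
// Standard SKU resources are closed to inbound traffic until a subnet NSG explicitly
// allows it, so only the NAT frontend ports below need to be opened to admin sources.
resource pip 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: 'pip-${lbName}'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

resource lb 'Microsoft.Network/loadBalancers@2023-04-01' = {
  name: lbName
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    frontendIPConfigurations: [
      {
        name: 'frontend'
        properties: {
          publicIPAddress: {
            id: pip.id
          }
        }
      }
    ]
    backendAddressPools: [
      {
        name: 'bepool'
      }
    ]
    // One NAT rule per VM: frontend port 50000+i on the shared public IP maps to
    // VM i's management port. The VMs themselves never receive a public address.
    inboundNatRules: [for i in range(0, vmCount): {
      name: 'mgmt-vm${i}'
      properties: {
        frontendIPConfiguration: {
          id: resourceId('Microsoft.Network/loadBalancers/frontendIPConfigurations', lbName, 'frontend')
        }
        protocol: 'Tcp'
        frontendPort: 50000 + i
        backendPort: mgmtPort
        enableFloatingIP: false
      }
    }]
  }
}
```

Each VM NIC's IP configuration must list its NAT rule under `loadBalancerInboundNatRules`, and the subnet NSG should allow TCP 50000 to 50003 only from the administrators' source ranges; every other inbound path stays closed.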