NIST 800-171 • LEVEL 2 • ACCESS CONTROL
3.1.14 — Route Remote Access via Managed Access Control Points
Route remote access via managed access control points.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
Assessment objectives not available for this requirement.
Practitioner Notes
All remote access must go through managed, monitored chokepoints — no one should be able to connect directly to an internal server from the internet. Think of it like having a guarded front gate instead of an open field.
Example 1: On your perimeter firewall, create rules that block all inbound connections except those destined for your VPN gateway. In Palo Alto, configure Policies → Security → Inbound Rules with an explicit deny-all rule at the bottom and allow rules only for the VPN concentrator's public IP on the specific VPN ports (e.g., UDP 500 and UDP 4500 for IKEv2/IPsec NAT-T).
Example 2: If using Azure, deploy Azure Bastion as the single access point for RDP/SSH to VMs. In the Azure Portal, go to Virtual Network → Bastion → Create and remove all public IPs from individual VMs. This forces all administrative remote access through a managed, logged, and encrypted browser-based session.
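To check that a perimeter policy like the one in Example 1 actually funnels everything through the managed access point, the following added audit script (not part of this page or of any vendor tool) evaluates a constructed, vendor-neutral inbound rule set. The gateway address, port set and rule names are assumed sample values.

```python
"""Audit an inbound firewall rule list against NIST 800-171 3.1.14.

Rules are listed top-down as most firewalls evaluate them. Findings:
  * no explicit deny-all rule at the bottom of the policy,
  * allow rules whose destination is not the managed access point,
  * allow rules to the access point on ports other than the VPN ports.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed managed access control point (hypothetical sample values).
VPN_GATEWAY = "203.0.113.10"               # RFC 5737 documentation address
VPN_PORTS = {("udp", 500), ("udp", 4500)}  # IKEv2 and IPsec NAT-T


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    proto: str           # "udp", "tcp" or "any"
    dst: str             # destination IP or "any"
    port: Optional[int]  # None means any port


def audit_inbound_rules(rules: List[Rule], gateway=VPN_GATEWAY, vpn_ports=VPN_PORTS):
    """Return a list of human-readable findings; an empty list is compliant."""
    findings = []
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.dst == "any"
                            and last.proto == "any" and last.port is None):
        findings.append("no explicit deny-all rule at the bottom of the policy")
    for r in rules:
        if r.action != "allow":
            continue
        if r.dst != gateway:
            findings.append(f"{r.name}: allows inbound traffic to {r.dst}, bypassing the VPN gateway")
        elif (r.proto, r.port) not in vpn_ports:
            findings.append(f"{r.name}: allows {r.proto}/{r.port} on the gateway, not a VPN port")
    return findings


# Constructed sample policy: two compliant allow rules and two violations.
SAMPLE_RULES = [
    Rule("allow-ikev2", "allow", "udp", VPN_GATEWAY, 500),
    Rule("allow-ipsec-natt", "allow", "udp", VPN_GATEWAY, 4500),
    Rule("allow-rdp-fileserver", "allow", "tcp", "10.0.0.25", 3389),  # direct RDP from the internet
    Rule("allow-ssh-gateway", "allow", "tcp", VPN_GATEWAY, 22),        # non-VPN service exposed on the gateway
    Rule("deny-all", "deny", "any", "any", None),
]

if __name__ == "__main__":
    for finding in audit_inbound_rules(SAMPLE_RULES):
        print("FINDING:", finding)
```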