Q. Why do some people recommend using a jump box in Azure for RDP?
A. Connectivity to your Azure IaaS VMs will either be via PowerShell using WS-Management or Remote Desktop Protocol (RDP). Ideally your VMs are on a virtual network in Azure and that virtual network is connected to your on-premises network using site-to-site VPN or ExpressRoute. This means to access the Azure VMs you RDP to their Dynamic IP (DIP, which is the internal IP used in the virtual network) from your on-premises network and not ports need to be exposed to the Internet. If you do not have connectivity to your virtual network from on-premises and don't use point-to-site VPN then you need to create endpoints/NAT Rules/PIP to the VMs to enable connectivity from the Internet however this exposes a lot of different VMs directly to the Internet. Another approach is to create a single VM in Azure which has RDP connectivity to the Internet and then from this box you connect to your other Azure VMs from the DIPs on the virtual network. You could also use a Network Security Group to restrict the IP addresses that can communicate to the jump box. What is nice about the jump box approach is you can focus all the monitoring and logging on that one box and also easily turn it off to stop all RDP to everything when you know its not needed.