Using Resource Manager model:
When I create an Azure VM, access to the RDP port to the public internet is enabled by default. There is no Network Security Group is assigned to the VM.
I am trying to understand where and how is the RDP port 3389 access rule is defined?
Update 1 @Jack Zeng: Per below screenshot, when an ARM VM is created, there is no "Network Security Group" is assigned to it. That is why RDP availability to the public internet seems to be a "Magic" and I am asking this question.
For ARM mode VM, there is always a NSG assigned to it, otherwise you will not be able to SSH or RDP the VM. You can find it with the following.
Login to the new portal.
Click <your VM> -> Settings -> Network interfaces.
Select the NIC (There is usually only one NIC) -> Settings -> Network security group
you will find you NSG there.
Update: Sorry for the mistake. I have done some digging, and found out that "The VM is directly exposed to you unless you have a firewall or an NSG". That means if you create a ARM Virtual Machine without an NSG assigned to it, you have access to all ports of the VM except the one that are blocked by the firewall. Check this blog post
