Introduction

When performing an IT admin role, RDP or SSH session is usually used for accessing required target servers. If not, a jumpbox is usually provided for connecting their required target server for an RDP / SSH session. While coming to the public cloud, a jumpbox server is placed in the management Virtual network. In some environments, it will be exposed to the internet with a public IP address.  From a security standpoint, it is not the most secure way to connect. To address this, Azure has a service named “Azure Bastion”. It's a fully managed service that gives you secure and seamless RDP and SSH access to your virtual machines in Azure virtual network.  The access is enabled via the Azure bastion VM and is not exposed to the public internet. This provides secure access to VMs over SSL from the Azure portal without exposing public IP addresses to connect to.

Even though a VM has a public IP address, the bastion service will not access it via this address. It connects only by a private IP address. The access is provided from the Azure portal via a HTML5 compliant browser. Behind the scenes, the Azure bastion runs with an Azure VM scale set and provisions several instances, based on session counts (workloads) as requested. It's fully managed by Azure. It is agentless and no agents/software is required to be installed on any VM. The Azure bastion is additionally hardened and allows traffic only through port 443. 

Architecture:

The below diagram outlines the architecture for Azure Bastion.

Figure 1- Azure Bastion (Pic from Microsoft)

When looking at pricing, the service is charged based on outbound data transferred where the first (1st) 5 GB of data transferred is free every month.

Deploy Azure Bastion:

1.       Logon to the Azure portal and select Create a resource.

2.       On the New page, type Bastion, then click Enter.

3.       From the results, select Bastion and click create.

4.       On the Create a bastion page, configure below settings:

  • Subscription – Select your subscription.
  • Resource group – select your existing resource group or create a new one.
  • Name – Provide a name for bastion and select your azure region.
  • Virtual network - select your existing VNet or create a new one.
  • Subnet – if you select existing VNet, ensure subnet named AzureBastionsubnet is created. While creating a new Virtual network, create this subnet. The subnet size should be /27 or higher.
  • Public IP address – Provide an existing or create a new public IP address for bastion host. By default, the Public IP address will static.

5.       After providing specification, click Review+ create and finally click create.

6.       The deployment should take a few minutes.

Deploy a Virtual machine to test connectivity:

After Azure bastion is successfully deployed. Create a new virtual machine for testing in the same virtual network.

1.       From the home page, select Create a resource.

2.       On the New page, click server 2016 datacentre.

3.       On the Virtual machine create the page, configure the required settings:

  • Subscription – Select your subscription.
  • Resource group – select your existing resource group or create a new one.
  • VM Name – Provide a name for bastion and select your azure region.
  • Provide user name and password for the VM admin account.
  • Public inbound ports to None. We are not exposing any port for the public internet.
  • Leave other options as default.

4.       On the disk section, leave it as default. Since we are creating a test VM.

5.       On the Networking section, choose the network created for Azure bastion. Create a new subnet for VM workloads and name it.

6.       Click Review + create and finally click create.

7.       Wait for few minutes for VM deployment to be completed.

Please note: the created VM does not have any public IP address.

Test connectivity of VM with Azure Bastion:

1.       Select your newly created VM (from above steps) and click connect and select bastion.

2.       Type username and password for the VM and click connect.


Figure 2 - Azure Bastion Connectivity From Portal

3.       The VM RDP session will be opened on your browser.

The points to be noted before choosing this service:

  • UDR is not supported by Azurebastionsubnet. This will be required if you have Azure Firewall and bastion in the same virtual network configuration. For a workaround, please refer https://azure.microsoft.com/en-us/blog/accessing-virtual-machines-behind-azure-firewall-with-azure-bastion/
  • Peering the bastion virtual network with another VNet, will not enable a session of peered VNet VM workloads. This means you will need to deploy the Azure Bastion in each VNet with VM workloads to use it for secure, browser-based access. Hopefully, Microsoft removes this block sooner and this service will be used with Hub and Spoke connectivity models.