Azure Bastion Service: Strengthening Security and Simplifying Remote Connectivity in the Cloud

Overview

As organizations move their workloads to the cloud, securing remote access to virtual machines becomes crucial. Microsoft Azure, a leading cloud platform, offers Azure Bastion Service to address these concerns and provide a secure and seamless way to connect to virtual machines (VMs) in the Azure environment. In this blog, we will delve into the core aspects of Azure Bastion Service.

Understanding

Azure Bastion is a fully managed Platform as a Service (PaaS) offering by Microsoft Azure. It acts as a secure gateway that provides RDP and SSH connectivity to Azure VMs over the internet without requiring a public IP address on the VM itself. By eliminating the need for direct public exposure of VMs, Azure Bastion enhances security by reducing the attack surface and mitigating the risk of unauthorized access.

Key Features

The following are the key features of the Azure Bastion service.

| Feature | Description |
|---|---|
| RDP and SSH through the Azure portal | Open the RDP or SSH session directly in the Azure portal. |
| Remote session over TLS and firewall traversal for RDP/SSH | Azure Bastion uses an HTML5 web client to carry RDP/SSH sessions over Transport Layer Security (TLS) on port 443, so the traffic traverses firewalls securely. |
| No public IP required on the Azure VM | Azure Bastion opens the RDP/SSH connection to the Azure VM using the VM's private IP. |
| No hassle of managing Network Security Groups (NSGs) | Because Azure Bastion connects to VMs over private IP, you only need to configure the VM NSGs to allow RDP/SSH from Azure Bastion. No NSG needs to be applied on the Azure Bastion subnet. |
| Protection against port scanning | VMs are protected against port scanning by rogue and malicious users because they no longer need to be exposed to the internet. |
| Hardening in one place only | Azure Bastion sits at the perimeter of your virtual network, so you don't need to worry about hardening each VM in the virtual network. |
| No need to manage a separate bastion host on a VM | Azure Bastion is a fully managed PaaS service from Azure that is hardened internally to provide secure RDP/SSH connectivity. |
| Protection against zero-day exploits | The Azure platform protects against zero-day exploits by keeping Azure Bastion hardened and always up to date. |

Azure Bastion Service – Key Features

Overall Architecture

The diagram illustrates the typical architecture of an Azure Bastion deployment and outlines the end-to-end connection process. The connection process within Azure Bastion follows these steps:

  1. An administrator securely accesses the Azure portal using any HTML5 browser, utilizing a TLS-encrypted connection. They then choose the desired VM for connection.
  2. The portal establishes a secure connection to Azure Bastion through an NSG guarding the virtual network that hosts the targeted VM.
  3. Azure Bastion initiates a connection to the specified VM.
  4. The RDP or SSH session opens directly in the administrator’s browser console. Azure Bastion transmits session information through custom packages, which are safeguarded by TLS encryption.
Azure Bastion Service – Architecture

By leveraging Azure Bastion, the requirement to expose RDP/SSH directly to the internet on a public IP is eliminated. Instead, connections are made to Azure Bastion over TLS (the protocol still commonly referred to as SSL), and Azure Bastion itself connects to the target VMs using their private IPs, keeping the whole path secured.

Service Offerings

Azure Bastion provides two available SKUs, namely Basic and Standard. The following table outlines the features and their corresponding SKUs:

| Feature | Basic SKU | Standard SKU |
|---|---|---|
| Connect to target VMs in peered virtual networks | Yes | Yes |
| Access Linux VM private keys in Azure Key Vault (AKV) | Yes | Yes |
| Connect to Linux VM using SSH | Yes | Yes |
| Connect to Windows VM using RDP | Yes | Yes |
| Kerberos authentication | Yes | Yes |
| VM audio output | Yes | Yes |
| Shareable link | No | Yes |
| Connect to VMs using a native client | No | Yes |
| Connect to VMs via IP address | No | Yes |
| Host scaling | No | Yes |
| Specify a custom inbound port | No | Yes |
| Connect to Linux VM using RDP | No | Yes |
| Connect to Windows VM using SSH | No | Yes |
| Upload or download files | No | Yes |
| Disable copy/paste (web-based clients) | No | Yes |

Azure Bastion Service – Available SKUs

Use Case

The following table shows typical use cases for the Azure Bastion service.

| Use Case | Description |
|---|---|
| Enterprises with strict security requirements | Azure Bastion provides a secure and convenient way to manage VMs for organizations with strict security policies and compliance mandates. By avoiding direct exposure to the public internet and eliminating public IPs on VMs, it minimizes the risk of unauthorized access and cyber-attacks. This makes Azure Bastion an excellent choice for businesses with critical workloads. |
| Development and test environments | Azure Bastion's browser-based access simplifies the frequent VM access that developers and testers need in development and testing environments. They can connect to VMs securely without configuring VPNs or handling public IPs. |
| Remote administration | Azure Bastion enables remote VM administration from anywhere. System administrators can connect to VMs via the Azure portal without a direct corporate network connection, while access to resources stays secure. |
| Partner collaboration | Azure Bastion allows secure, temporary access to specific VMs for partners or vendors without granting direct access to the internal network. This controlled access model enhances security and streamlines collaboration. |

Azure Bastion Service – Use Cases

Getting Started with Azure Bastion

Here are the quick start steps to set up Azure Bastion:

  1. Prerequisites: Have an active Azure subscription and Virtual Machines deployed in Azure.
  2. Create a Virtual Network: Set up a Virtual Network in the Azure portal.
  3. Enable Azure Bastion: Enable Azure Bastion for the Virtual Network and configure settings.
  4. Configure Network Security Group (NSG) Rules (if necessary): Set up inbound rules to allow RDP (port 3389) or SSH (port 22) traffic from Azure Bastion’s IP ranges to your VMs.
  5. Connect to VMs through Azure Bastion: Go to the Azure portal, navigate to your Virtual Machine, click on “Connect,” select “Bastion” as the connection method, and use Bastion for a secure browser-based RDP/SSH session.

That’s it! You can now securely access your Azure VMs through Azure Bastion without the need for public IP addresses or VPNs. Please note that after enabling Azure Bastion, it may take a few minutes for the service to become fully available.
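The five steps above expressed as a Bicep template, added here as an example and not taken from the original post. Resource names, address ranges and API versions are assumptions; the subnet name AzureBastionSubnet and its minimum /26 size are what Azure requires.

```bicep
// Added example, not from the original post. Names, address ranges and API versions are assumptions.
param location string = resourceGroup().location
var bastionSubnetPrefix = '10.10.0.0/26' // Bastion's subnet must be a /26 or larger
// Step 4: RDP/SSH into the VM subnet is allowed only from the Bastion subnet; anything else
// inbound falls through to the NSG's default DenyAllInBound rule, so the VMs stay unexposed.
resource vmNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-snet-vms'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowRdpSshFromBastionOnly'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: bastionSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [ '22', '3389' ]
        }
      }
    ]
  }
}
// Step 2: virtual network with the mandatory AzureBastionSubnet and the NSG-guarded VM subnet.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-bastion-demo'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      { name: 'AzureBastionSubnet', properties: { addressPrefix: bastionSubnetPrefix } }
      { name: 'snet-vms', properties: { addressPrefix: '10.10.1.0/24', networkSecurityGroup: { id: vmNsg.id } } }
    ]
  }
}
// Step 3: only Bastion gets a public IP (Standard SKU, static); the VMs themselves get none.
resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-bastion'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}
resource bastion 'Microsoft.Network/bastionHosts@2023-05-01' = {
  name: 'bas-demo'
  location: location
  sku: { name: 'Standard' }
  properties: { ipConfigurations: [ { name: 'ipconf', properties: { subnet: { id: vnet.properties.subnets[0].id }, publicIPAddress: { id: pip.id } } } ] }
}
```

Deploy it into an existing resource group with `az deployment group create --resource-group <your-rg> --template-file main.bicep`; step 5 (Connect, then Bastion) is then done from the VM blade in the portal as described.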

Conclusion

Azure Bastion Service in Microsoft Azure provides secure and user-friendly access to virtual machines without public internet exposure. Its browser-based interface, no reliance on public IPs, and integration with Network Security Groups offer a robust solution for secure remote connectivity. Organizations can leverage Azure Bastion for various use cases, enhancing cloud security posture and enabling secure remote access to Azure resources, boosting productivity and collaboration.

I hope you guys enjoyed the article and found it helpful. Please leave your feedback in the comment section. Thanks.


P.S. Modern AI tool has been used for creating some of the content. Technical validation and proofing are done by the author.
