As organizations move their workloads to the cloud, securing remote access to virtual machines becomes crucial. Microsoft Azure, a leading cloud platform, offers Azure Bastion Service to address these concerns and provide a secure and seamless way to connect to virtual machines (VMs) in the Azure environment. In this blog, we will delve into the core aspects of Azure Bastion Service.
Azure Bastion is a fully managed Platform as a Service (PaaS) offering by Microsoft Azure. It acts as a secure gateway that provides RDP and SSH connectivity to Azure VMs over the internet without requiring a public IP address on the VM itself. By eliminating the need for direct public exposure of VMs, Azure Bastion enhances security by reducing the attack surface and mitigating the risk of unauthorized access.
The following are the key features of the Azure Bastion service.
|Feature|Description|
|---|---|
|RDP and SSH through the Azure portal|Open the RDP or SSH session directly in the Azure portal.|
|Remote session over TLS and firewall traversal for RDP/SSH|Azure Bastion uses an HTML5 web client to carry RDP/SSH sessions over Transport Layer Security (TLS) on port 443, so the traffic can traverse firewalls securely.|
|No public IP required on the Azure VM|Azure Bastion opens the RDP/SSH connection to the Azure VM using the VM's private IP.|
|No hassle of managing Network Security Groups (NSGs)|Because Azure Bastion connects to VMs over private IP, configure NSGs to allow RDP/SSH from Azure Bastion only. You don't need to apply any NSGs on the Azure Bastion subnet.|
|Protection against port scanning|VMs are protected against port scanning by rogue and malicious users because they don't need to be exposed to the internet.|
|Hardening in one place only|Azure Bastion sits at the perimeter of your virtual network, so you don't need to harden each VM in the Azure virtual network individually.|
|No need to manage a separate bastion host on a VM|Azure Bastion is a fully managed PaaS service from Azure that is hardened internally to provide you with secure RDP/SSH connectivity.|
|Protection against zero-day exploits|The Azure platform protects against zero-day exploits by keeping Azure Bastion hardened and always up to date.|
The diagram illustrates the typical architecture of an Azure Bastion deployment and outlines the end-to-end connection process. The connection process within Azure Bastion follows these steps:
- An administrator securely accesses the Azure portal using any HTML5 browser, utilizing a TLS-encrypted connection. They then choose the desired VM for connection.
- The portal establishes a secure connection to Azure Bastion through an NSG guarding the virtual network that hosts the targeted VM.
- Azure Bastion initiates a connection to the specified VM.
- The RDP or SSH session opens directly in the administrator’s browser console. Azure Bastion transmits session information through custom packages, which are safeguarded by TLS encryption.
By leveraging Azure Bastion, the requirement to expose RDP/SSH directly to the internet on a public IP is eliminated. Instead, connections are made securely to Azure Bastion via Secure Sockets Layer (SSL), and Azure Bastion itself connects to the target VMs using private IPs, ensuring enhanced security throughout the process.
Azure Bastion is available in two SKUs, Basic and Standard. The following table outlines the features and their corresponding SKUs:
|Feature|Basic SKU|Standard SKU|
|---|---|---|
|Connect to target VMs in peered virtual networks|Yes|Yes|
|Access Linux VM private keys in Azure Key Vault (AKV)|Yes|Yes|
|Connect to Linux VM using SSH|Yes|Yes|
|Connect to Windows VM using RDP|Yes|Yes|
|VM audio output|Yes|Yes|
|Connect to VMs using a native client|No|Yes|
|Connect to VMs via IP address|No|Yes|
|Specify a custom inbound port|No|Yes|
|Connect to Linux VM using RDP|No|Yes|
|Connect to Windows VM using SSH|No|Yes|
|Upload or download files|No|Yes|
|Disable copy/paste (web-based clients)|No|Yes|
The following table shows typical use cases of the Azure Bastion service.
|Use case|Description|
|---|---|
|Enterprises with strict security requirements|Azure Bastion provides a secure and convenient way to manage VMs for organizations with strict security policies and compliance mandates. By avoiding direct exposure to the public internet and eliminating public IPs on VMs, it minimizes the risk of unauthorized access and cyber-attacks. This makes Azure Bastion an excellent choice for businesses with critical workloads.|
|Development and test environments|Azure Bastion's browser-based access simplifies the frequent VM access developers and testers need in development and testing environments. They can connect to VMs securely without configuring VPNs or handling public IPs.|
|Remote administration|Azure Bastion enables remote VM administration from anywhere. System administrators can connect to VMs via the Azure portal, removing the requirement for a direct corporate network connection while keeping access to resources secure.|
|Partner collaboration|Azure Bastion allows secure, temporary access to specific VMs for partners or vendors without granting direct access to the internal network. This controlled access model improves security and streamlines collaboration.|
Getting Started with Azure Bastion
Here are the quick start steps to set up Azure Bastion:
- Prerequisites: Have an active Azure subscription and Virtual Machines deployed in Azure.
- Create a Virtual Network: Set up a Virtual Network in the Azure portal.
- Enable Azure Bastion: Enable Azure Bastion for the Virtual Network and configure settings.
- Configure Network Security Group (NSG) Rules (if necessary): Set up inbound rules to allow RDP (port 3389) or SSH (port 22) traffic from Azure Bastion’s IP ranges to your VMs.
- Connect to VMs through Azure Bastion: Go to the Azure portal, navigate to your Virtual Machine, click on “Connect,” select “Bastion” as the connection method, and use Bastion for a secure browser-based RDP/SSH session.
That’s it! You can now securely access your Azure VMs through Azure Bastion without the need for public IP addresses or VPNs. Please note that after enabling Azure Bastion, it may take a few minutes for the service to become fully available.
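The quick-start steps above expressed as infrastructure-as-code, as an added example that is not part of the original post or Microsoft's own samples: a Bicep template that creates the virtual network with the mandatory AzureBastionSubnet, the Bastion host with its public IP, and an NSG on the workload subnet that admits RDP/SSH only from the Bastion subnet and explicitly denies it from everywhere else. Resource names, address ranges and the API version are assumptions; adjust them to your environment.

```bicep
// Added example, not from the original post. Names, CIDRs and API version are assumed.
param location string = resourceGroup().location
var bastionCidr = '10.0.255.0/26' // subnet must be named AzureBastionSubnet and be /26 or larger
var rdpSsh = ['22', '3389']

// NSG for the VM (workload) subnet only; AzureBastionSubnet itself gets no NSG here.
resource nsgWorkload 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-workload'
  location: location
  properties: {
    securityRules: [
      // Lower priority number is evaluated first: allow from the Bastion subnet...
      { name: 'AllowRdpSshFromBastionSubnet', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: bastionCidr, sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRanges: rdpSsh } }
      // ...then explicitly deny RDP/SSH from any other source, internet or other subnets.
      { name: 'DenyRdpSshFromAnywhereElse', properties: { priority: 200, direction: 'Inbound', access: 'Deny', protocol: 'Tcp', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRanges: rdpSsh } }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-demo'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.0.0.0/16'] }
    subnets: [
      { name: 'AzureBastionSubnet', properties: { addressPrefix: bastionCidr } }
      { name: 'snet-workload', properties: { addressPrefix: '10.0.1.0/24', networkSecurityGroup: { id: nsgWorkload.id } } }
    ]
  }
}

// Bastion needs a Standard, static public IP; the VMs behind it get none.
resource bastionPip 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: 'pip-bastion'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource bastion 'Microsoft.Network/bastionHosts@2023-04-01' = {
  name: 'bas-demo'
  location: location
  sku: { name: 'Standard' } // Standard SKU unlocks the options below (see SKU table)
  properties: {
    disableCopyPaste: true // block clipboard in the web client
    enableFileCopy: false  // no file upload/download through Bastion
    enableTunneling: true  // allow native-client sessions (az network bastion ssh/rdp)
    ipConfigurations: [
      { name: 'ipconf', properties: { subnet: { id: vnet.properties.subnets[0].id }, publicIPAddress: { id: bastionPip.id } } }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file bastion.bicep`; attach VMs to `snet-workload` and they are reachable over RDP/SSH only through the Bastion host.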
Azure Bastion Service in Microsoft Azure provides secure and user-friendly access to virtual machines without public internet exposure. Its browser-based interface, independence from public IPs, and integration with Network Security Groups offer a robust solution for secure remote connectivity. Organizations can leverage Azure Bastion for various use cases, improving their cloud security posture and enabling secure remote access to Azure resources, which boosts productivity and collaboration.
I hope you guys enjoyed the article and found it helpful. Please leave your feedback in the comment section. Thanks.
P.S. Modern AI tools have been used for creating some of the content. Technical validation and proofing were done by the author.