A preview I have been waiting on, Azure Bastion – a PaaS service provided by Azure that will allow you to seamlessly and securely RDP/SSH to your virtual machines within a Virtual Network, the connections are completed in the Azure Portal over SSL.
When a Bastion is configured, no additional Public IP addresses are required on the Virtual Machines, minimising the public endpoint? Great, making the environment more secure already!
What is a Bastion?
Numerous environments will have a secure network/vNet for RDP/SSH access to primarily act as a JumpHost before direct access into your Production environment. These can be configured in numerous ways, some ideas to a Bastion environment include the requirements for MFA, hardening the Virtual Machine(s), reverse proxying etc. Using a potential Azure Bastion mitigates these requirements.
Azure Bastion sounds good in theory, what features am I thinking?
What features should the Azure Bastion have?
- Clipboard support (I use this alot when RDP’n between Virtual Machines and to/from my desktop)
- Full-screen support – I don’t want to see my multiple browser tabs
- Security – A bastion is the external endpoint to my environment, I want security, security and security!
I will discuss these wanted-features later in my blog
Lets get deploying
I followed this guide – works fine, although I noticed I had to run both PowerShell commands. It did fail to register preview first time.
PowerShell commands to onboard Azure Bastion Preview
Please note:- You need to access Azure Preview Portal to access Azure Bastion. Click here to access
# Run on subscription that you want to onboard for this preview
Register-AzureRmProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
#Reregister your subscription once again with the Microsoft.Network provider namespace
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network
#Verifies the feature is registered successfully
Get-AzureRmProviderFeature -ProviderNamespace Microsoft.Network
As its a Public Preview resource, it is currently only available in regions:
- West US
- East US
- West Europe
- South Central US
- Australia East
- Japan East
Example before of architecture diagram with Azure Bastion deployment
Before deploying, there is also a Subnet limitation, requirement of at least /27 Subnet called AzureBastionSubnet
Connecting to the Bastion below will be done via RDP, for SSH access have a read of this article
Some details on the architecture
- Bastion deployed into AzureBastionSubnet (requirement to be at least /27)
- HTML5 Browser required to access Azure Bastion RDP/SSH
- Each RDP/SSH session will be a different URL
- User selects which VM to RDP/SSH to
- Notice no public IPs required for access
Azure Bastion Deployed
Azure Bastion deployed resource below, currently there is no available metrics or diagnostic settings to monitor or alert from
Looking at my vNET, I can see two entries of a ScaleSet for the Azure Bastion
How do I RDP to a Windows Virtual Machine using Azure Bastion?
Select the VM you want to RDP to from Azure Portal and select Connect
Select Bastion Tab and enter credentials
You will now have a browser session of your RDP desktop (over HTML5 on port 443) – Pretty cool!
Azure Bastion Features
Mentioned above, three features I wanted the Azure Bastion to have Clipboard support , Full-screen support & Security
Clipboard support & Full-screen support
Both these features are enabled by selecting the arrows within your RDP Bastion Desktop session
Clipboard works with copied/cut text both ways
- From RDP session -> Client device
- From Client device -> RDP session
Fullscreen support is enabled by selecting Fullscreen icon above
Security
Foremost, a Bastion needs to be secure – the primary point of access into your environment!
A good starter is that no Public IPs are required on your Virtual Machines for RDP/SSH access with a Azure Bastion in place
Network Security Groups support, snippet taken below from docs.microsoft
AzureBastionSubnet: Azure Bastion is deployed in the specific AzureBastionSubnet. Ingress Traffic from public internet: The Azure Bastion will create a public IP that needs port 443 enabled on the public IP for ingress traffic. Port 3389/22 are NOT required to be opened on the AzureBastionSubnet.
Egress Traffic to Target VMs: Azure Bastion will reach the target VMs over private IP. The NSGs need to allow egress traffic to other target VM subnets.
Target VM Subnet: This is the subnet that contains the target virtual machine that you want to RDP/SSH to. Ingress Traffic from Azure Bastion: Azure Bastion will reach to the target VM over private IP. RDP/SSH ports (ports 3389 and 22, respectively) need to be opened on the target VM side over private IP.
docs.microsoft
A blog I wrote about NSG/ASGs within Azure , worth having a read!
Need to allow additional users access to the Virtual Machine via Azure Bastion? They will need additional Azure Portal access with the following permissions:
- Reader role on the virtual machine
- Reader role on the NIC with private IP of the virtual machine
- Reader role on the Azure Bastion resource
Not forgetting, the usual RDP credentials also!
Additional features from the Azure Bastion preview:-
- Protection against Port Scanning – Mitigiates the Public Endpoints available within your environment.
- Protect against zero-day exploits. Hardening in one place only – Azure Bastion is a fully platform-managed PaaS service
Azure Bastion is a great service already, I look forward to its advancements/updates and coming out of Preview!
Thanks for reading!
Thomas Thornton 