Azure Bastion is a managed service in Azure that allow you to secure and seamless RDP ans SSH access to your virtual machines using zero trust .
How it works ?
You can use RDP/SSH connection to your virtual machines or virtual machines scale sets using an HTML5 standards based web-browser directly in Azure portal . You can also use the native client . By doing so you can easily remove the need of the public ips and reduce the attack surface on you virtual machines.
To put the service in place you don’t need agent but you should have some configurations in place .
How to deploy and configure ?
To have the service up and running you don’t need agent but you should have some configurations in place .
One thing to know is that the smallest subnet AzureBastionSubnet size which can be created is /26.
The best practice is to create a /26 or larger size to accommodate host scaling.
For our demo we will use some powershell commnands to deploy all resource needed .
Command could be found on my Github repo : https://github.com/ibnmbodji/blog/blob/main/AzureBastion/Demos/
The file is named : DeployBastion
In the first part of the script we define some variables :
- The name of the resource group used for the bastion host and the overall demo resources (to make it easy)
- The name of the virtual nework where our AzureBastionSubnet will belong
- The Location where the resources will be deployed
- The name of the public IP which will be associated to the Azure Bastion Host
- The Sku of this public IP
In the second part
- Line 1 we create the resource group.
- Line 2 we create the subnet configuration and put the result in a variable called subnet
- Line 3 we create the virtual network with the subnet config define previously
- Line 4 We create a public IP address for Azure Bastion
- Line 5 we create the bastion Host
The public IP is the one the Bastion resource on which RDP/SSH will be accessed (over port 443). The public IP address must be in the same region as the Bastion resource you are creating. Since we define the same location for all our resources in this demo i’ts fine.
It might take about 5-10 minutes for the Bastion resource to be ready for use.
The result should be something like this :
At this stage the Bastion is ready for use and if you try to connect to a VM in the same virtual network it should works like shown below :
However you may know that at the beginning Azure Bastion was limited to the resources connected to the same vnet.Therefore people used to deploy one bastion per vnet which was not a bad idea but had somehow impact on costs.
This limitation no longer exist but if you want to connect a VM which is connected to another vnet you need to add a peering .If the peering doesn’t exist the connection blade will not be displayed, you will have options to deploy bastion or configure it manually instead.
To Add a peering :
- Go to the virtual network then settings on your left hand side and click on Add
- Give a name for each peering link and select the peered virtual network which could be in another subcription. If it’s the case you need to select the relevant subscription first .
The peering connection might take some minutes to be in a connected status.
Once the status is connected you can go back to the virtual machine select Connect then Bastion You should notice that the existing Bastion is used and you just need at this stage to provide the credentials .
For this demo i used a windows virtual machine but if it was a linux you would have this :
Finally after providing the right credentials you should be able to log into the virtual machine as shown below :
Native Client Support (Preview)
We are at the end of this article but i would like to mention that the native client is now supported for Azure Bastion Standard Tier even if it’s still in preview . It means you can use the remote desktop connection app instead of the web but also managing file transfer . At the time of this writing upload and download is supported for rdp and download for SSH.
To use the native client you should go to the bastion host configuration blade change the tier from basic to standard if it’s not already the case then check the Native client support box.
Alright Folks i hope you enjoyed this post and are now ready to secure your vms and vmss management ports .I will appreciate your feedback and you could reach me at firstname.lastname@example.org . Feel freeto ask questions give suggestions or even advice .
Thanks for visiting.