What is Azure Bastion Service
Most of you might be familiar with RDP and SSH if you manage a remote server or virtual machine. Virtual machines and servers are remotely accessed using RDP and SSH.
We can also use RDP and SSH to access virtual machines in a cloud such as Azure. Selecting the Connect option under Settings shows the three ways to connect to your virtual machine: SSH, Bastion, and RDP.
In this post, you will learn about Azure Bastion and the purpose of using it to connect to your Azure Virtual Machine. Read on.
Table of contents
- What is Azure Bastion Service?
- Why use Azure Bastion Service?
- The architecture of Azure Bastion Service
- Key features of Azure Bastion service
- Enable Azure Bastion Service
What is Azure Bastion Service?
A Virtual Private Network (VPN) is the traditional way to provide secure connectivity between a client machine and a remote server or virtual machine. Most VPNs, however, require a VPN client application to be installed on the client machine, and the VPN connects to a public IP address on the remote machine.
Azure Bastion lets you connect to an Azure virtual machine from your browser. Because it is an Azure Platform as a Service (PaaS) offering, it provides seamless and secure SSH or RDP connectivity directly from the Azure portal over Transport Layer Security (TLS). In a conventional RDP connection, the client machine connects and logs in using the virtual machine's IP address and login credentials; that IP address is a public IP configured on the virtual machine and exposed to the world. When you connect through Azure Bastion, your virtual machines need no public IP address, no special client software, and no agent.
Once Bastion is provisioned in a virtual network, SSH and RDP connectivity is provided to all the virtual machines in that virtual network. As a result, you can still reach your virtual machines over SSH or RDP without exposing their SSH or RDP ports to the outside world.
Why use Azure Bastion Service?
The main reason to use Azure Bastion is that it makes remote connections more secure. It keeps the virtual machines on a private virtual network and restricts direct access to them, which limits threats such as port scanning and malware targeting your virtual machine.
The architecture of Azure Bastion Service
Azure Bastion is deployed per virtual network, not per account, subscription, or virtual machine. Once you provision an Azure Bastion service in a virtual network, the SSH or RDP experience is available to all your virtual machines in that same virtual network.
SSH and RDP are the fundamental means of connecting to your workloads running in Azure. Exposing SSH or RDP to the internet, however, is a significant threat surface and is highly undesirable, often because of protocol vulnerabilities. To contain this threat surface, you can deploy bastion hosts, also known as jump servers, on the public side of your perimeter network. Bastion host servers are designed and configured to withstand attacks, and they provide RDP and SSH connectivity to the workloads sitting behind the bastion and further inside the network.
Image Source: https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
The above figure shows the architecture of the deployment of an Azure Bastion. In this diagram you can see:
- In the virtual network, the Bastion Host is deployed.
- Any HTML5 browser can be used by the user to connect to the Azure portal.
- The virtual machine to connect to is selected by the user.
- The SSH or RDP session opens in the browser, with a single click.
- On the Azure virtual machine, no public IP is required.
Key features of Azure Bastion Service
Following are the key features of Azure Bastion Service:
- In the Azure portal, you can directly get to the SSH and RDP session using a single click.
- Azure Bastion uses an HTML5-based web client that is automatically streamed to your local device, so you get your SSH or RDP session over TLS on port 443. This lets you traverse corporate firewalls securely.
- Azure Bastion opens the SSH or RDP connection to your Azure virtual machine using the virtual machine's private IP. No public IP is needed.
- Because you do not have to expose your virtual machine to the public internet, your virtual machines are protected against port scanning by malicious and rogue users outside your virtual network.
- Azure Bastion sits at the perimeter of your virtual network, so you do not have to harden every virtual machine in it. The Azure platform keeps Azure Bastion hardened and always up to date, protecting you against zero-day exploits.
How to enable Azure Bastion Service
Following are the steps to enable Azure Bastion on a VM from the Azure portal:
The first step is to create a Bastion host, which is needed to establish a secure connection to the virtual machine on the VNet. Following are the sub-steps to create a Bastion host:
- On the Home page, select the VM on which Bastion is to be enabled.
- Click Connect and select Bastion.
- Click Create.
- Configure the new Bastion resource on the Create a Bastion page.
To configure the Bastion resource you need to fill in the following details:
- Subscription - Select the Azure subscription in which the new Bastion resource is to be created.
- Resource Group - The Bastion resource will be created in the selected Azure resource group. If no suitable resource group exists, create a new one.
- Name - Provide a name for the new Bastion resource.
- Region - Select the Azure public region where the resource will be created.
- Virtual Network - Select the virtual network where the Bastion resource will be created. You can create a new virtual network on the fly or use an existing one. Selecting an existing virtual network checks whether it has enough free address space to accommodate the Bastion subnet requirements. If the existing network is not shown in the dropdown, check that the correct resource group is selected.
- Subnet - Once the virtual network is selected or created, a subnet field appears. The Bastion host will be deployed in this subnet of the selected virtual network, and the subnet is dedicated to the Bastion host. Create the Azure Bastion subnet by selecting Manage subnet configuration, clicking +Subnet, and following these rules:
- The subnet must be named AzureBastionSubnet.
- The subnet must be /27 or larger.
No further fields are required. Click OK and select Create a Bastion to return to the Bastion configuration page.
- Public IP address - The public IP for the Bastion host; it must be in the same region as the Bastion resource.
- Public IP address and name - Leave as default
- Public IP address SKU - Leave as default
- Assignment - Leave as default
Click create after filling out all the information.
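To pre-check a planned Bastion subnet against the rules above (fixed name AzureBastionSubnet, /27 or larger, and the free-address-space check the portal performs on an existing virtual network) and to see the equivalent Azure CLI commands for the portal steps, here is an added example. It is not code from the original post; the resource names, VNet address space and existing subnets are constructed, and the public IP options (Standard SKU, static allocation) match the portal defaults for Bastion.

```python
import ipaddress

BASTION_SUBNET_NAME = "AzureBastionSubnet"  # the name Azure requires
MAX_PREFIX_LEN = 27                          # "/27 or larger" means prefix length <= 27

# Constructed sample VNet and its existing subnets (assumption, not real data).
VNET_SPACE = ["10.0.0.0/16"]
EXISTING_SUBNETS = {"default": "10.0.0.0/24", "workload": "10.0.1.0/24"}

def check_bastion_subnet(name, prefix, vnet_space=VNET_SPACE, existing=EXISTING_SUBNETS):
    """Return a list of problems with the planned Bastion subnet; empty means it passes."""
    problems = []
    if name != BASTION_SUBNET_NAME:
        problems.append(f"subnet must be named {BASTION_SUBNET_NAME}, got {name!r}")
    try:
        net = ipaddress.ip_network(prefix)  # strict: host bits must be zero
    except ValueError as exc:
        return problems + [f"invalid CIDR {prefix!r}: {exc}"]
    if net.prefixlen > MAX_PREFIX_LEN:
        problems.append(f"{prefix} is smaller than /{MAX_PREFIX_LEN}")
    if not any(net.subnet_of(ipaddress.ip_network(s)) for s in vnet_space):
        problems.append(f"{prefix} is outside the VNet address space {vnet_space}")
    for other_name, other in existing.items():
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{prefix} overlaps existing subnet {other_name} ({other})")
    return problems

def bastion_cli_commands(rg, location, vnet, prefix, bastion_name, pip_name):
    """Azure CLI equivalent of the portal steps; returned as strings, not executed."""
    return [
        f"az network vnet subnet create --resource-group {rg} --vnet-name {vnet} "
        f"--name {BASTION_SUBNET_NAME} --address-prefixes {prefix}",
        f"az network public-ip create --resource-group {rg} --location {location} "
        f"--name {pip_name} --sku Standard --allocation-method Static",
        f"az network bastion create --resource-group {rg} --location {location} "
        f"--name {bastion_name} --vnet-name {vnet} --public-ip-address {pip_name}",
    ]

if __name__ == "__main__":
    plan = "10.0.2.0/27"  # constructed plan that fits next to the sample subnets
    issues = check_bastion_subnet(BASTION_SUBNET_NAME, plan)
    if issues:
        print("\n".join(issues))
    else:
        print("\n".join(bastion_cli_commands("rg-demo", "eastus", "vnet-demo", plan,
                                             "bastion-demo", "bastion-demo-pip")))
```

Running it with a plan that fails (for example a /28, or a range that overlaps an existing subnet) prints the reasons instead of the commands, which is the same outcome the portal's subnet validation gives you.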
Azure Bastion Service offers numerous features, such as SSH and RDP connectivity without a public IP on the virtual machine. These features make Bastion a good service for connecting to Azure virtual machines from the browser, so go ahead and start using it for your virtual machines.