Last week, Microsoft Azure Team has calmly announced the preview release of one of the exciting features known as Azure Bastion. The concept of using an Bastion Host is nothing new, where one would configure one of the Virtual Machines as Bastion or HopBox and then connect to other private virtual machines configured in the virtual network. This would help providing some security as instead of securely managing all of the virtual machines in an given network, you would need to securely connect and manage only Bastion Host, which is having Public IP address assigned for the connections. However, the onus of configuring all the required networking setup, installing and configuring ssh and rdp protocols, timely patching and hardening of the Bastion Host still lies with the Azure/AWS Administrator.

About Azure Bastion

The Azure Bastion service is a fully platform-managed PaaS service that you can provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL Protocol. When you connect via Azure Bastion, your virtual machines do not need a public IP address. Bastion provides secure RDP and SSH connectivity to all VMs in the virtual network in which it is provisioned. Since it works on the SSL protocol, one does not need any additional software than a regular browser.

Azure Bastion Architecture

Below diagram shows the architecture of a typical Azure Bastion deployment:

As you can see, the Bastion host is deployed in the Virtual network and is part of the same. The user connects to Azure Portal using any HTML5 browser and identifies the virtual machine it needs to connect to. Then using a simple link, he is able to open the RDH/SSH session in the browser itself.

Create a Azure Bastion Host

From the home page in the Azure Preview Portal, click ‘Create a resource’. Make sure you use the link provided to access the portal for this preview, not the regular Azure portal. On the New page, in the Search the Marketplace field, type Bastion, then click Enter to get to the search results:

From the results, click Bastions. Make sure the publisher is Microsoft and the category is Networking. On the Bastion (preview) page, click Create to open the Create a bastion page. On the Create a bastion page, configure a new Bastion resource. Specify the configuration settings for your Bastion resource:

Do note that Azure Bastion Host needs to be deployed in an special subnet with name AzureBastionSubnet. This value lets Azure know which subnet to deploy the Bastion resources to. This is different than a Gateway subnet.

After this, click ‘Review + Create’ to review and then proceed to deploy. It may take a few minutes to get deployed:

Connect Virtual Machine using Bastion Host

We can use Bastion Host to connect to Azure Virtual Machine using both RDP and SSH over SSL Protocol. One key thing is that Virtual Machine needs to be in the same subnet as the Azure Bastion Host.

Since our machine is Linux Operating system, we have the choice to connect using password or SSH key pair. For this, we first need to identify the Virtual Machine that we want to connect to using Azure Portal itself, and then click on the Connect. This will open up a window, where we can enter the required details and click Connect:

If you have provided correct details, a new tab will be opened and you would be able to login:

Working with Network Security Groups or NSGs

1. AzureBastionSubnet: Azure Bastion is deployed in the specific AzureBastionSubnet.
   1. Ingress Traffic from public internet: The Azure Bastion will create a public IP that needs port 443 enabled on the public IP for ingress traffic. Port 3389/22 are NOT required to be opened on the AzureBastionSubnet.
   2. Egress Traffic to Target VMs: Azure Bastion will reach the target VMs over private IP. The NSGs need to allow egress traffic to other target VM subnets.
2. Target VM Subnet: This is the subnet that contains the target virtual machine that you want to RDP/SSH to.
   1. Ingress Traffic from Azure Bastion: Azure Bastion will reach to the target VM over private IP. RDP/SSH ports (ports 3389 and 22, respectively) need to be opened on the target VM side over private IP.

If you apply NSGs to the AzureBastionSubnet, allow the following two service tags for Azure Control plane and Infrastructure:

1. GatewayManager (Resource Manager only): This tag denotes the address prefixes of the Azure Gateway Manager service. If you specify GatewayManager for the value, traffic is allowed or denied to GatewayManager.
2. AzureCloud (Resource Manager only): This tag denotes the IP address space for Azure including all datacenter public IP addresses. If you specify AzureCloud for the value, traffic is allowed or denied to Azure public IP addresses. If you only want to allow access to AzureCloud in a specific region, you can specify the region. For example, if you want to allow access only to Azure AzureCloud in the East US region, you could specify AzureCloud.EastUS as a service tag.

Summary and Notes

Azure Bastion being managed by Microsoft removes the onus from Cloud Administrators and removes the associated burden clearly. Also this removes the associated security risks associated with self-managing.