Microsoft recently announced the public preview of Azure Bastion. Azure Bastion is a platform-as-a-service (PaaS) offering that provides connectivity to servers in Azure. It acts as a jumpbox to access Windows servers with the Remote Desktop Protocol (RDP) or Linux servers with Secure Shell (SSH). Azure Bastion provides remote access with any HTML5-compliant browser.
Azure Bastion has several advantages over other methods of accessing Azure servers remotely. Servers are accessible without the need to add public IPs. Only Azure Bastion requires a public IP. As a PaaS offering, there is no need to patch or manage Azure Bastion. Also, there are no client requirements—only an HTML5 browser and access to the internet.
Azure Bastion resides on the same virtual network (VNet) as the servers it provides access to, and it connects to only one VNet. Azure Bastion and the VNet must be in the same region, and the service requires a dedicated subnet of /27 or larger. This subnet cannot have any network security groups (NSGs) or user-defined routes applied.
Users access Azure Bastion through the Azure portal using an HTML5 client. Azure Bastion manages the public NSG, allowing inbound connections over SSL on port 443. The Bastion service forwards the traffic to port 3389 (RDP) for Windows servers and port 22 (SSH) for Linux servers. You can apply NSGs to the server subnets to limit RDP and SSH traffic if required.
Azure Bastion has some prerequisites as well as limitations while it's in public preview. First, Azure Bastion requires a dedicated subnet on the VNet it's connecting to. You must use the link https://aka.ms/BastionHost to access the preview portal. At the time of writing, Azure Bastion is not available through the regular portal or the preview portal. The preview is also limited to the following regions:
- West US
- East US
- West Europe
- South Central US
- Australia East
- Japan East
Configure Azure Bastion
The following steps will configure Azure Bastion on a VNet in West US. You must configure a subnet before adding the Bastion service. This subnet has to be /27 or larger with no NSGs or routes attached to it. It also must have the name AzureBastionSubnet per the Microsoft documentation. The image below shows a /24 subnet created for this demo.
After creating that, move over to the preview portal at https://aka.ms/BastionHost to create the Azure Bastion service. Create a service and search for Bastion, which will return the Bastion (preview) service.
Click Create to create the Bastion service. Fill out the information in the form. Be sure to deploy the Azure Bastion service to the same region as the VNet with AzureBastionSubnet. Notice the only subnet option available is the one labeled AzureBastionSubnet.
The service will create a new static IP address, or you can select an existing one. Click Review + Create and then Create to deploy the service.
The Azure Bastion service is ready once the "Your deployment is complete" message appears.
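The portal steps above can also be expressed as infrastructure code. The Bicep template below is an added example and is not from the original article or from Microsoft's documentation; it builds the same pieces the walkthrough creates by hand: a VNet with a subnet named AzureBastionSubnet of /27 or larger that carries no NSG or route table, a static public IP for the Bastion host, and the Bastion host itself. It goes one step further than the article and puts an NSG on the server subnet that only admits RDP (3389) and SSH (22) from the Bastion subnet, which is the point of not giving the VMs public IPs. The resource names and the 10.10.0.0/16 address space are constructed for the example.

```bicep
// Added example: Azure Bastion deployment described in the article, as Bicep.
// Names and address ranges below are constructed for the demo.
param location string = resourceGroup().location
param vnetName string = 'bastion-demo-vnet'

// /27 is the minimum the article gives for the Bastion subnet.
var bastionSubnetPrefix = '10.10.1.0/27'
var serverSubnetPrefix = '10.10.2.0/24'

// NSG for the server subnet: management ports reachable only from the
// Bastion subnet, everything else on 22/3389 denied explicitly.
resource serverNsg 'Microsoft.Network/networkSecurityGroups@2021-02-01' = {
  name: 'servers-nsg'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-RDP-SSH-From-Bastion'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: bastionSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [ '22', '3389' ]
        }
      }
      {
        name: 'Deny-RDP-SSH-From-Anywhere-Else'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [ '22', '3389' ]
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        // The name is mandatory. Per the article, no NSG and no route table here.
        name: 'AzureBastionSubnet'
        properties: { addressPrefix: bastionSubnetPrefix }
      }
      {
        name: 'servers'
        properties: {
          addressPrefix: serverSubnetPrefix
          networkSecurityGroup: { id: serverNsg.id }
        }
      }
    ]
  }
}

// Bastion needs a Standard SKU, statically allocated public IP.
resource bastionPip 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
  name: 'bastion-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Same region as the VNet; the ipConfiguration must point at AzureBastionSubnet.
resource bastion 'Microsoft.Network/bastionHosts@2021-02-01' = {
  name: 'demo-bastion'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'bastionIpConf'
        properties: {
          subnet: { id: '${vnet.id}/subnets/AzureBastionSubnet' }
          publicIPAddress: { id: bastionPip.id }
        }
      }
    ]
  }
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file bastion.bicep`. VMs placed in the servers subnet then have no public IP and no inbound path for 22 or 3389 other than through the Bastion host, which is the network posture the article describes.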
Connect with Azure Bastion
The next steps will use Azure Bastion to connect to a Windows and Linux server. Use the portal at https://aka.ms/BastionHost to connect to servers with Azure Bastion.
Start by logging into the portal and go to the virtual machine (VM) you will connect to. The first example will connect to a Windows VM. Click on Connect at the top of the screen.
Notice that BASTION is included along with RDP and SSH in the Connect to virtual machine window. Select BASTION and enter the username and password. Click Connect to connect to the server.
Once you've logged in, a full desktop will display in the browser.
Notice the handle on the left side of the screen. Opening it shows options for copying data between the local and remote clipboard as well as an option to switch to full screen.
Sign out to close the session and the window.
The next steps will log into a Linux VM. Just like in the previous example, go to the VM in the portal and click Connect. Linux servers have the option for username and password as well as options to paste in an SSH private key or browse to a file containing an SSH key. Select the option that fits your environment and click Connect.
Once you've connected, a session to the Linux VM will appear. The browser session has the same options on the left for clipboard and full screen.
Log out to close the session.
Azure Bastion has the potential to simplify access to infrastructure-as-a-service (IaaS) VMs in Azure. Connectivity is currently limited to an HTML5 browser. This is useful at times, but it would be convenient to connect to on-premises and Azure servers from the same client. Microsoft has indicated they intend to add support for native RDP/SSH clients.
Price is another factor to consider. During the preview, Azure Bastion costs US$0.095 per hour that the service is deployed, plus data transfer charges. Microsoft has reduced the price by 50% for the preview, which puts Azure Bastion at $0.19/hour retail once it is generally available. In a PaaS offering, I would prefer a consumption-based pricing model over an hourly fee.
Azure Bastion has only recently entered public preview, and some aspects are likely to change before it is generally available. Ultimately, it's a nice option for accessing IaaS servers without VPNs, ExpressRoute, or exposing VMs to the internet with public IPs.