A bastion host is a secured, purpose-built server that sits between a public and a private network and manages incoming requests from the public network to the internal, private network. Bastion hosts have served for years to admit incoming traffic such as email, FTP, and web traffic; inbound firewall rules provide the same service as a bastion host.

Travis Roberts

Travis Roberts is a Cloud Infrastructure Architect at a Minnesota based consulting firm. Travis has 20 years of IT experience in the legal, pharmaceutical and marketing industries, and has worked with IT hardware manufacturers and managed service providers. Travis has held numerous technical certifications over the span of his career from Microsoft, VMware, Citrix and Cisco.

Microsoft recently announced the public preview of Azure Bastion. Azure Bastion is a platform-as-a-service (PaaS) offering that provides connectivity to servers in Azure. It acts as a jumpbox to access Windows servers with the Remote Desktop Protocol (RDP) or Linux servers with Secure Shell (SSH). Azure Bastion provides remote access with any HTML5-compliant browser.

Azure Bastion has several advantages over other methods of accessing Azure servers remotely. Servers are accessible without the need to add public IPs. Only Azure Bastion requires a public IP. As a PaaS offering, there is no need to patch or manage Azure Bastion. Also, there are no client requirements—only an HTML5 browser and access to the internet.

Azure Bastion resides on the same virtual network (VNet) as the servers accessed and only connects to one VNet. Azure Bastion and the VNet must be in the same region and require a dedicated /27 or larger subnet mask. This subnet cannot have any network security groups (NSGs) or user routes applied.

Users access Azure Bastion through the Azure portal using an HTML5 client. Azure Bastion manages the public NSG, allowing inbound connections over SSL/TLS on port 443. The Bastion service forwards RDP traffic to port 3389 on Windows servers and SSH traffic to port 22 on Linux servers. You can apply NSGs to the server subnets, limiting RDP and SSH traffic if required.
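The server-subnet NSG mentioned above is where least privilege is enforced: the Bastion subnet itself must stay free of NSGs during the preview, so RDP and SSH exposure is controlled on the subnets behind it. The following Python is an added example, not code from the article or from Microsoft. It models an NSG's first-match-by-priority evaluation, including the default AllowVnetInBound and DenyAllInBound rules, and compares a weak rule set that admits RDP from any source with a hardened set that admits RDP and SSH only from an assumed Bastion subnet prefix of 10.0.1.0/27. The VNet address space, prefixes and client addresses are constructed for the example.

```python
import ipaddress

# Constructed VNet address space and Bastion subnet prefix; neither value is
# taken from the article, which shows a /24 created in the portal.
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
BASTION_SUBNET = "10.0.1.0/27"

# Azure's default inbound rules, simplified: the AzureLoadBalancer tag rule is
# omitted because no flow evaluated here comes from the load balancer.
DEFAULT_INBOUND = [
    {"priority": 65000, "access": "Allow", "protocol": "*", "source": "VirtualNetwork", "ports": ["*"]},
    {"priority": 65500, "access": "Deny", "protocol": "*", "source": "*", "ports": ["*"]},
]


def source_matches(source, src_ip):
    """Match a rule source ('*', a service tag, or a CIDR) against a client IP.

    The Internet and VirtualNetwork tags are approximated as 'outside' and
    'inside' the constructed VNet address space."""
    ip = ipaddress.ip_address(src_ip)
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return ip in VNET_SPACE
    if source == "Internet":
        return ip not in VNET_SPACE
    return ip in ipaddress.ip_network(source, strict=False)


def port_matches(ports, port):
    """Match a destination port against rule entries like '*', '22' or '1000-2000'."""
    for entry in ports:
        if entry == "*":
            return True
        low, _, high = entry.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def evaluate_inbound(rules, src_ip, dst_port, protocol="Tcp"):
    """Return 'Allow' or 'Deny' for an inbound flow.

    As in an Azure NSG, rules are evaluated in ascending priority order and the
    first match wins; the default rules are appended after the custom ones."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if not source_matches(rule["source"], src_ip):
            continue
        if not port_matches(rule["ports"], dst_port):
            continue
        return rule["access"]
    return "Deny"  # not reached: DenyAllInBound at 65500 matches everything


# Weak server-subnet NSG: RDP reachable from any source, including the Internet.
WEAK_RULES = [
    {"priority": 100, "access": "Allow", "protocol": "Tcp", "source": "*", "ports": ["3389"]},
]

# Hardened server-subnet NSG: RDP/SSH only from the Bastion subnet, then an
# explicit deny so the default AllowVnetInBound rule cannot re-open them to
# other hosts in the VNet.
HARDENED_RULES = [
    {"priority": 100, "access": "Allow", "protocol": "Tcp", "source": BASTION_SUBNET, "ports": ["22", "3389"]},
    {"priority": 110, "access": "Deny", "protocol": "Tcp", "source": "*", "ports": ["22", "3389"]},
]


def compare_rule_sets():
    """Evaluate representative flows against both rule sets (constructed client IPs)."""
    flows = [
        ("203.0.113.5", 3389),  # Internet client trying RDP
        ("10.0.1.4", 3389),     # Bastion host instance trying RDP
        ("10.0.1.4", 22),       # Bastion host instance trying SSH
        ("10.0.0.20", 3389),    # another server in the VNet trying RDP
        ("10.0.0.20", 443),     # another server in the VNet talking HTTPS
    ]
    return {
        (ip, port): {
            "weak": evaluate_inbound(WEAK_RULES, ip, port),
            "hardened": evaluate_inbound(HARDENED_RULES, ip, port),
        }
        for ip, port in flows
    }


if __name__ == "__main__":
    for (ip, port), verdicts in compare_rule_sets().items():
        print(f"{ip:>14} -> tcp/{port:<5} weak={verdicts['weak']:<5} hardened={verdicts['hardened']}")
```

The explicit deny at priority 110 is what makes the hardened set effective: without it, the default AllowVnetInBound rule at 65000 would still admit RDP and SSH from every other host in the VNet, so a compromised server could reach its neighbours over the very ports Bastion is meant to front.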

Azure Bastion network overview

Prerequisites

Azure Bastion has some prerequisites as well as limitations while it's in public preview. First, Azure Bastion requires a dedicated subnet on the VNet it's connecting to. You must use the link https://aka.ms/BastionHost to access the preview portal. At the time of writing, Azure Bastion is not available through the regular portal or the preview portal. The preview is also limited to the following regions:

  • West US
  • East US
  • West Europe
  • South Central US
  • Australia East
  • Japan East

Configure Azure Bastion

The following steps will configure Azure Bastion on a VNet in West US. You must configure a subnet before adding the Bastion service. This subnet has to be /27 or larger with no NSGs or routes attached to it. It also must have the name AzureBastionSubnet per the Microsoft documentation. The image below shows a /24 subnet created for this demo.
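The subnet requirements stated here and in the network overview above (same region as the Bastion service, a /27 or larger prefix, the fixed name AzureBastionSubnet, and no NSG or route table attached) are easy to get wrong in a portal wizard. The following Python is an added example, not code from the article or from Microsoft: a pre-flight check that takes a plain dictionary describing the planned VNet and reports every requirement the plan violates. The two sample plans, their names, regions and prefixes are constructed for the example.

```python
import ipaddress

BASTION_SUBNET_NAME = "AzureBastionSubnet"
MAX_PREFIX_LEN = 27  # "/27 or larger" means a prefix length of 27 or smaller

# Constructed plan that mirrors the demo: a /24 Bastion subnet with nothing attached.
SAMPLE_VNET = {
    "location": "westus",
    "address_space": ["10.0.0.0/16"],
    "subnets": [
        {"name": "servers", "prefix": "10.0.0.0/24", "nsg": "nsg-servers", "route_table": None},
        {"name": BASTION_SUBNET_NAME, "prefix": "10.0.1.0/24", "nsg": None, "route_table": None},
    ],
}

# Constructed plan that breaks several requirements at once.
BAD_VNET = {
    "location": "eastus",
    "address_space": ["10.0.0.0/16"],
    "subnets": [
        {"name": "servers", "prefix": "10.0.0.0/24", "nsg": "nsg-servers", "route_table": None},
        {"name": BASTION_SUBNET_NAME, "prefix": "10.0.2.0/28", "nsg": "nsg-bastion", "route_table": "rt-default"},
    ],
}


def check_bastion_plan(vnet, bastion_location):
    """Return the list of requirement violations; an empty list means the plan passes."""
    problems = []

    # Bastion and the VNet must be deployed in the same region.
    if bastion_location.lower() != vnet["location"].lower():
        problems.append(f"Bastion region {bastion_location} differs from VNet region {vnet['location']}")

    # The subnet must carry the fixed name the portal looks for.
    candidates = [s for s in vnet["subnets"] if s["name"] == BASTION_SUBNET_NAME]
    if not candidates:
        problems.append(f"no subnet named {BASTION_SUBNET_NAME} in the VNet")
        return problems
    sub = candidates[0]

    # strict=True rejects prefixes with host bits set (e.g. 10.0.1.5/24).
    try:
        net = ipaddress.ip_network(sub["prefix"], strict=True)
    except ValueError as exc:
        problems.append(f"invalid prefix {sub['prefix']}: {exc}")
        return problems

    if net.prefixlen > MAX_PREFIX_LEN:
        problems.append(f"{sub['prefix']} is smaller than /{MAX_PREFIX_LEN}")
    if sub["nsg"]:
        problems.append(f"NSG {sub['nsg']} must not be attached to {BASTION_SUBNET_NAME}")
    if sub["route_table"]:
        problems.append(f"route table {sub['route_table']} must not be attached to {BASTION_SUBNET_NAME}")

    # Sanity checks the portal would also reject: inside the VNet, no overlap.
    if not any(net.subnet_of(ipaddress.ip_network(space)) for space in vnet["address_space"]):
        problems.append(f"{sub['prefix']} lies outside the VNet address space")
    for other in vnet["subnets"]:
        if other is not sub and net.overlaps(ipaddress.ip_network(other["prefix"])):
            problems.append(f"{sub['prefix']} overlaps subnet {other['name']} ({other['prefix']})")
    return problems


if __name__ == "__main__":
    for label, plan in (("demo plan", SAMPLE_VNET), ("bad plan", BAD_VNET)):
        findings = check_bastion_plan(plan, "westus")
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Running the check against the bad plan reports the region mismatch, the undersized /28, and the attached NSG and route table; the demo plan passes. The same checks can be run against an exported ARM template before deployment rather than discovering the failures in the portal one at a time.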

Add a VNet subnet

After creating that, move over to the preview portal at https://aka.ms/BastionHost to create the Azure Bastion service. Create a service and search for Bastion, which will return the Bastion (preview) service.

Bastion (preview)

Click Create to create the Bastion service. Fill out the information in the form. Be sure to deploy the Azure Bastion service to the same region as the VNet with AzureBastionSubnet. Notice the only subnet option available is the one labeled AzureBastionSubnet.

Create the Azure Bastion service

The service will create a new static IP address, or you can select an existing one. Click Review + Create and then Create to deploy the service.

Create a bastion

The Azure Bastion service is ready once the "Your deployment is complete" message appears.

Your deployment is complete

Connect with Azure Bastion

The next steps will use Azure Bastion to connect to a Windows and Linux server. Use the portal at https://aka.ms/BastionHost to connect to servers with Azure Bastion.

Start by logging into the portal and go to the virtual machine (VM) you will connect to. The first example will connect to a Windows VM. Click on Connect at the top of the screen.

Connect to a VM

Notice that BASTION is included along with RDP and SSH in the Connect to virtual machine window. Select BASTION and enter the username and password. Click Connect to connect to the server.

Connect to a Windows VM

Once you've logged in, a full desktop will display in the browser.

Windows desktop

Notice the handle on the left side of the screen. Opening it shows options for copying data between the local and remote clipboard as well as an option to switch to full screen.

Bastion session options

Sign out to close the session and the window.

The next steps will log into a Linux VM. Just like in the previous example, go to the VM in the portal and click Connect. Linux servers have the option for username and password as well as options to paste in an SSH private key or browse to a file containing an SSH key. Select the option that fits your environment and click Connect.

Connect to a Linux VM

Once you've connected, a session to the Linux VM will appear. The browser session has the same options on the left for clipboard and full screen.

Linux desktop

Log out to close the session.

Conclusion

Azure Bastion has the potential to simplify access to infrastructure-as-a-service (IaaS) VMs in Azure. Connectivity is currently limited to an HTML5 browser. This is useful at times, but it would be convenient to connect to on-premises and Azure servers from the same client. Microsoft has indicated they intend to add support for native RDP/SSH clients.

Price is another factor to consider. During the preview, Azure Bastion costs US$0.095/hour for the time the service is deployed, plus data transfer costs. Microsoft has reduced the price by 50% for the preview, which puts Azure Bastion at $0.19/hour retail once it is generally available. In a PaaS offering, I would prefer a consumption-based pricing model over an hourly fee.

Azure Bastion has only recently entered public preview, and some aspects are likely to change before it is generally available. Ultimately, it's a nice option for accessing IaaS servers without VPNs, ExpressRoute, or exposing VMs to the internet with public IPs.

© 4sysops 2006 - 2019