Deploying an Azure jumpbox (jump server)

Have you seen my previous article on the Azure virtual network (VNet) architecture? No? Then go and check it out. You already have an existing Azure network? Great! This article will explain the need for an Azure jumpbox (sometimes also called jump server) and how to deploy and configure it.

What is a jumpbox?

A jumpbox is usually a controlled entry point into your environment. Let's assume your environment consists of a lot of virtual machines (VMs), and you want to be able to reach them over Remote Desktop Protocol (RDP) or Secure Shell (SSH) when you have to. You could open up ports 3389 and 22 to your entire network so everybody can just remote in from your on-premises network. Or, better, you only allow remoting to one specific VM (your jumpbox) that sits inside a very controlled subnet and has a lot of monitoring and alerting configured. You then have to jump on from that VM to your other VMs; you can't go directly.

Jumpboxes are very common patterns—like Remote Desktop Gateways, for example, or sometimes they're just Windows VMs that have tools and scripts installed to execute maintenance tasks.

I propose the following pattern: a very small Linux VM that you tunnel your RDP connection through via SSH. Did I just say Linux, SSH, and RDP in one sentence? Yes. Yes, I did. Bear with me.

Deploying your Linux jump server

I am making the following assumptions here:

  • you have an existing Azure VNet
  • you have a subnet called jumpbox
  • you have a local OS with an SSH client installed (Windows 10, for example)

Logged in to Azure and the Azure Cloud Shell, we will execute a few lines of Bash this time to deploy a small Ubuntu Server 16.04 VM. This will have an Azure VM extension installed that will help us log in to the VM securely using our Azure Active Directory (AD) credentials.

This line will do a few things for us at the same time. It will deploy an Ubuntu server (image parameter), and it will create SSH keys and a local admin user named 4soadmin, though we won't use either. The VM size will be Standard_D3_v2, and it will deploy the VM into the VNet 4soNetwork, into its jumpbox subnet. The empty nsg parameter means no VM-level network security group is created; the VM inherits the one applied to the subnet. This process will take around three to four minutes. The result will be a few more resources in our resource group, including a running VM with a public IP we should be able to SSH to.

Successfully created Linux VM

You can confirm the SSH connectivity with the following command (SSH is available in every Azure Cloud Shell)—just replace the public IP with your specific IP: ssh 4soadmin@<publicIP>

SSH connectivity test

Cancel out of this for now by typing no.

The next step is to install the Azure AD (AAD) login extension for Linux to this VM, and this nice one-liner will do that for us:

This will again take a few minutes to complete.

Install AAD extension for Linux

Keys to the castle

Now instead of using SSH keys to log in to the jumpbox, we will use our AAD user. For this to work, our user requires special permissions. We can assign these permissions just like any other Azure permissions on the subscription, resource group, or even resource level. In this example, I will do it on the resource group.

Assign user permissions

Browse to the Access Control (IAM) tab and select Add role assignment. The role you are after is either Virtual Machine Administrator Login or Virtual Machine User Login. I am going to select the admin permission, but both work. Now select your AAD user, likely the one you are currently logged in as. Click Save and then head back to the Cloud Shell or any SSH client you have access to. Remember the public IP? Good.

Log in to the Linux VM with AAD credentials

In my case this is a multi-step process because I have multi-factor authentication (MFA) enabled on my AAD user (if you don't, go away, enable it, and then come back). I just follow the prompts, which eventually log me in to my Linux jumpbox with my AAD user credentials. This is a huge step when it comes to security. You can now control access to your VMs just like you control access to your Azure environment or even your Office 365. If you have MFA enforced, then this just works without you doing anything to deploy or configure MFA settings on that VM.

Windows to Linux to Windows

I promised you some OS jumping though. So here it comes. I have a Windows Server 2019 deployed in the same network without a public IP, and as I said, we don't want to open up RDP to the whole wide world, so we only allow it from our jumpboxes. The following SSH command will now enable an RDP tunnel through the AAD "secured" SSH connection to our jumpbox:

Connect RDP via SSH jumpbox

This now again prompts me to follow the MFA process. Once that's done, the SSH tunnel will not show us the local Linux prompt but will just stay open. We can now launch our RDP client (for example, mstsc.exe) and open up a connection to localhost:3388. This will now start the authentication process to our Windows VM. We successfully launched an RDP session to a private IP on Azure via a Linux jump server using an SSH tunnel authenticated with our AAD credentials.
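The whole procedure described above (deploy the VM, install the AAD login extension, assign the login role, restrict RDP to the jumpbox subnet, and build the SSH tunnel) as an added Bash example for Azure Cloud Shell; these are not the article's own commands. The resource group name, jumpbox VM name, Windows VM NSG name, jumpbox subnet CIDR and the AAD user principal name are assumptions or placeholders; the image, size, VNet, subnet, admin user and ports are the article's.

```shell
#!/usr/bin/env bash
# Added example, not the article's own commands. Placeholders (override via
# environment): resource group, jumpbox VM name, the Windows VM's NSG name and
# the jumpbox subnet CIDR. From the article: 4soNetwork, jumpbox, 4soadmin,
# Standard_D3_v2, Ubuntu 16.04 and ports 3388/3389.
RG="${RG:-4soRG}"                     # assumption
VM="${VM:-4sojumpbox}"                # assumption
WIN_NSG="${WIN_NSG:-4soWindowsNSG}"   # assumption: NSG applied to the Windows VM
JUMP_CIDR="${JUMP_CIDR:-10.0.1.0/24}" # assumption: address range of the jumpbox subnet

# Step 1: deploy the Ubuntu jumpbox. --nsg "" makes it inherit the subnet's NSG.
deploy_jumpbox() {
  az vm create --resource-group "$RG" --name "$VM" \
    --image Canonical:UbuntuServer:16.04-LTS:latest --size Standard_D3_v2 \
    --vnet-name 4soNetwork --subnet jumpbox --nsg "" \
    --admin-username 4soadmin --generate-ssh-keys
}

# Step 2: install the AAD login extension (its published publisher/name ids).
install_aad_login() {
  az vm extension set --resource-group "$RG" --vm-name "$VM" \
    --publisher Microsoft.Azure.ActiveDirectory.LinuxSSH --name AADLoginForLinux
}

# Step 3: grant one AAD user the login role at resource-group scope.
grant_login_role() {
  az role assignment create --role "Virtual Machine Administrator Login" \
    --assignee "$1" --resource-group "$RG"
}

# Step 4: allow inbound RDP to the Windows VM only from the jumpbox subnet.
restrict_rdp_to_jumpbox() {
  az network nsg rule create --resource-group "$RG" --nsg-name "$WIN_NSG" \
    --name AllowRdpFromJumpbox --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes "$JUMP_CIDR" --destination-port-ranges 3389
}

# Step 5: build the tunnel command: local 3388 -> Windows VM:3389 via the jumpbox.
# The AAD login name is user@tenant@jumpboxIP; -N keeps the tunnel open with no
# shell. Refuses non-private targets so the jumpbox only forwards into the VNet.
tunnel_cmd() {
  upn="$1"; jump_ip="$2"; target_ip="$3"
  case "$target_ip" in
    10.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|192.168.*) ;;
    *) echo "refusing tunnel to non-private address $target_ip" >&2; return 1 ;;
  esac
  printf 'ssh -N -L 3388:%s:3389 %s@%s\n' "$target_ip" "$upn" "$jump_ip"
}

if [ "${JUMPBOX_DEPLOY:-0}" = "1" ]; then   # only runs when explicitly requested
  : "${AAD_UPN:?set AAD_UPN, e.g. user@contoso.com}" "${WIN_IP:?private IP of the Windows VM}"
  deploy_jumpbox && install_aad_login && grant_login_role "$AAD_UPN" && restrict_rdp_to_jumpbox
  tunnel_cmd "$AAD_UPN" "$(az vm show -d -g "$RG" -n "$VM" --query publicIps -o tsv)" "$WIN_IP"
fi
```

Run with `JUMPBOX_DEPLOY=1 AAD_UPN=you@tenant WIN_IP=10.x.x.x bash jumpbox.sh` in Cloud Shell; the printed ssh command is the one to run from your workstation before pointing mstsc.exe at localhost:3388.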

  1. gavin belson 1 year ago

    Can someone explain to me why you would want to do this rather than using SSL VPN? Seems it is not worth the risk, and most UTMs or NGFWs offer a pretty easy solution out of the box.


    • Hi David,

      A jumpbox/bastion host is an architectural practice followed for many decades for reducing the attack surface area. You could use either a jumpbox or an NGFW, or you could also use a jumpbox with an NGFW. Comparison between these 3 approaches is a debatable topic. However, traditionally the auditing & compliance world has always favoured the use of a jumpbox, since it provides a single point of control for IT management and security.


    • Costas 1 year ago

      I use both. VPN into a VNet that has the jump server in it, and from that jump server SSH/RDP to another (VNet-peered) VNet that holds the sanitized data/infra.

  2. Mister Xiao 11 months ago

    Hello David, 


    Thank you for this post, very complete. I have reproduced the different steps in my Azure environment, and when I want to connect to my Windows server from my Linux jumpbox I have an error. What needs to be installed on the Linux jumpbox to establish a remote RDP connection?

    Thank you


  3. David O'Brien 11 months ago

    Hi Mister Xiao,

    You don't have to install anything on the Linux VM apart from the AAD Login extension mentioned in the article.
    You don't RDP to the Linux VM but rather use SSH to open a tunnel via the Linux VM and then use that tunnel to RDP through it.

    What error are you getting?

    David


  5. Mister Xiao 11 months ago

    Hi David, 

    Indeed, I followed the installation steps and configured my environment according to your article. I then tried to connect to a Windows 10 VM from my jumpbox without success. No RDP window appeared. So I thought of 2 problems: the port forwarding on 3388 or the installation of a GUI on the jumpbox server. If it's the port forwarding that blocks, what configuration did you make to establish the RDP connection through the SSH tunnel? Thank you for your help! 👍


  6. Mister Xiao 11 months ago

    Hello David,

    Indeed, I followed the installation steps and configured my environment according to your article. I then tried to connect to a Windows 10 VM from my jumpbox without success. No RDP window appeared. So I thought of 2 problems: the port forwarding on 3388 or the installation of a GUI on the jumpbox. If it is the port forwarding that blocks, what configuration did you make to establish the RDP connection through the SSH tunnel? Thanks for your help.

    Mister Xiao


© 4sysops 2006 - 2020
