Azure Bastion

Azure Bastion is a fully managed PaaS service that provides RDP and SSH access to Azure virtual machines through the Azure portal (or a native client) without giving those VMs a public IP address.

It acts as a gateway inside the virtual network: the user reaches the Bastion host over TLS, and the Bastion host opens the RDP or SSH session to the VM over its private IP. The VMs themselves are never reachable from the internet, so the externally exposed attack surface is the Bastion host alone rather than every VM that needs remote administration.

Bastion is deployed into an Azure VNet and requires a dedicated subnet named AzureBastionSubnet. This subnet is reserved exclusively for the Bastion instances and must not contain any other resources. Because the Bastion host sits inside the VNet, it can reach VMs in that VNet and in peered VNets over their private IP addresses, which is what allows RDP and SSH access without any public exposure of the targets.

When a user connects to a VM through Azure Bastion, a TLS session on port 443 is established between the user's browser (or native client) and the Bastion host. The Bastion host then opens an RDP or SSH session to the target VM's private IP address, so the VM needs no public IP at all. This removes the need for the traditional alternatives, a VPN or a public IP on the VM guarded by Network Security Group (NSG) rules, and replaces them with a single, managed entry point.

Because a Bastion session starts from the Azure portal, the portal's sign-in controls apply to it: Microsoft Entra ID (formerly Azure Active Directory, AAD) authentication, MFA, and Conditional Access policies can restrict who may open a session and from where, and Azure RBAC decides which VMs a user can reach (at minimum the Reader role on the target VM, on its NIC, and on the Bastion resource). Azure Bastion also offers session recording, which gives organizations a replayable audit trail of RDP and SSH sessions for compliance and monitoring purposes.

Tiers

There are two tiers, Basic and Standard. The Basic SKU runs a fixed two instances and supports only the in-browser session with basic functionality such as copy/paste. The Standard SKU lets you choose the host scaling instance count and enables the remaining features, such as native-client connections and file transfer through them, shareable links, and connecting to a VM by IP address. (Azure has since added a Developer SKU at the low end and a Premium SKU, which is the tier that carries session recording.)

[Figure: SKU selection]

Host scaling instance count

An instance, also known as a scale unit, is an optimized Azure VM created when Azure Bastion is configured; it is fully managed by Azure and runs all the processes the service needs. The Basic SKU always creates two instances, while the Standard SKU lets you specify the number of instances, known as host scaling. Each instance supports 20 concurrent RDP and 40 concurrent SSH connections for medium workloads; the actual capacity depends on what users do inside the sessions on the client VM. If the concurrent session limit is exceeded, the Standard SKU must be scaled out with an additional instance. Instances are created in the AzureBastionSubnet, which must be /26 or larger for host scaling to work, because a smaller subnet limits the number of instances that can be created.

[Figure: Instances and host scaling]

Azure Bastion has a public IP address

Azure Bastion requires a public IP address, since the TLS connection from the user's device to the Bastion host arrives over the internet. The public IP must be a Standard SKU, statically assigned address in the same region as the Bastion host. It belongs to the Bastion service only: the VMs behind it stay on private addresses and are not exposed to the internet.

When a user initiates an RDP or SSH session, the user's device connects to the Bastion public IP over TLS on port 443, and the Bastion host in turn connects to the target VM's private IP inside the VNet. Only the Bastion endpoint is ever reachable from outside.

This is what lets users administer their VMs from anywhere with an internet connection without a VPN or other remote-access solution, while the VMs themselves keep no public attack surface. The trade-off is that the Bastion public IP is the one internet-facing endpoint to protect, which is where the portal sign-in controls above and the NSG rules below matter.

[Figure: Public IP]

Subnet

The Azure Bastion subnet, named AzureBastionSubnet, is a dedicated subnet within an Azure Virtual Network (VNet) reserved exclusively for Azure Bastion instances. It is the subnet from which Bastion reaches the VMs over RDP and SSH, and it has to meet the following requirements:

  • The subnet must be named AzureBastionSubnet
  • Only one subnet of this type can exist per VNet
  • It must be /26 or larger
  • It must be dedicated to Azure Bastion only
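As an added example (not Azure's own tooling or code from this page), the checks below encode the subnet rules from this section and the per-instance capacity figures from the host scaling section above as Python functions. The 20 RDP / 40 SSH figures and the /26 minimum come from the text; the Standard SKU range of 2 to 50 instances, the modelling assumption that RDP and SSH sessions share one instance pool in those proportions, and the IPv4-only check are assumptions of the example.

```python
"""Added example (not Azure's own tooling): plan checks for an Azure Bastion
deployment, using the subnet and capacity figures quoted on this page."""
import ipaddress
from fractions import Fraction
from math import ceil

# Per-instance capacity for medium workloads, as stated on the page.
RDP_SESSIONS_PER_INSTANCE = 20
SSH_SESSIONS_PER_INSTANCE = 40
BASIC_SKU_INSTANCES = 2
# Assumption: the Standard SKU scales between 2 and 50 instances (not quoted on the page).
STANDARD_MIN_INSTANCES, STANDARD_MAX_INSTANCES = 2, 50
REQUIRED_NAME = "AzureBastionSubnet"
MAX_PREFIX_LEN = 26  # "/26 or larger" means a prefix length of 26 or less


def validate_bastion_subnet(name: str, cidr: str) -> list[str]:
    """Return the list of problems with a proposed Bastion subnet; empty means OK."""
    problems = []
    if name != REQUIRED_NAME:
        problems.append(f"subnet must be named {REQUIRED_NAME}, got {name!r}")
    try:
        net = ipaddress.ip_network(cidr)  # strict: rejects host bits such as 10.0.1.1/26
    except ValueError as exc:
        problems.append(f"invalid CIDR {cidr!r}: {exc}")
        return problems
    if net.version != 4:
        # Assumption of this example: the subnet is an IPv4 prefix, which is what /26 sizes.
        problems.append(f"expected an IPv4 prefix, got {cidr!r}")
    elif net.prefixlen > MAX_PREFIX_LEN:
        problems.append(
            f"/{net.prefixlen} is too small: /{MAX_PREFIX_LEN} or larger is required for host scaling")
    return problems


def instances_required(rdp_sessions: int, ssh_sessions: int) -> int:
    """Instances needed for the given concurrent sessions.

    Modelling assumption (the page gives per-instance limits only): an RDP
    session uses 1/20 of an instance, an SSH session 1/40, and both kinds
    draw from the same instance pool. Fractions keep the arithmetic exact.
    """
    if rdp_sessions < 0 or ssh_sessions < 0:
        raise ValueError("session counts must be non-negative")
    load = (Fraction(rdp_sessions, RDP_SESSIONS_PER_INSTANCE)
            + Fraction(ssh_sessions, SSH_SESSIONS_PER_INSTANCE))
    return max(STANDARD_MIN_INSTANCES, ceil(load))


def plan_sku(rdp_sessions: int, ssh_sessions: int) -> tuple[str, int]:
    """Pick the cheapest SKU that carries the load: ('Basic', 2) or ('Standard', n)."""
    n = instances_required(rdp_sessions, ssh_sessions)
    if n <= BASIC_SKU_INSTANCES:
        return "Basic", BASIC_SKU_INSTANCES
    if n > STANDARD_MAX_INSTANCES:
        raise ValueError(f"{n} instances exceed the Standard SKU maximum of {STANDARD_MAX_INSTANCES}")
    return "Standard", n


if __name__ == "__main__":
    # Constructed inputs: one good subnet, one too small, one misnamed with host bits set.
    for name, cidr in [("AzureBastionSubnet", "10.0.1.0/26"),
                       ("AzureBastionSubnet", "10.0.1.0/27"),
                       ("bastion", "10.0.1.1/26")]:
        print(name, cidr, validate_bastion_subnet(name, cidr) or "OK")
    print(plan_sku(15, 20), plan_sku(60, 100))
```

The subnet check is deliberately strict about host bits (10.0.1.1/26 is rejected rather than silently normalised), because a mistyped prefix is exactly the kind of error that surfaces only when Bastion later fails to scale.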

[Figure: AzureBastionSubnet]

Network security group

An NSG on AzureBastionSubnet is optional, but if one is attached it must contain at least the allow rules below; without them the Bastion hosts cannot be reached by users, managed by the Azure control plane (GatewayManager), health-probed by the load balancer, or connect out to the target VMs. The deny rules at priority 500 are explicit catch-alls; if they are omitted, Azure's default NSG rules apply instead. Separately, the NSG attached to the target VM (or its subnet) must allow inbound 22/TCP or 3389/TCP from the AzureBastionSubnet address range, otherwise Bastion connections to that VM fail.

Inbound

Priority  Source             Source port  Destination  Destination port  Protocol  Action
100       Internet           *            *            443               Tcp       Allow
200       GatewayManager     *            *            443               Tcp       Allow
300       AzureLoadBalancer  *            *            443               Tcp       Allow
400       VirtualNetwork     *            *            8080,5701         Any       Allow
500       *                  *            *            *                 Any       Deny

Outbound

Priority  Source          Source port  Destination     Destination port  Protocol  Action
100       *               *            VirtualNetwork  22,3389           Tcp       Allow
200       *               *            AzureCloud      443               Tcp       Allow
300       VirtualNetwork  *            VirtualNetwork  8080,5701         Any       Allow
400       *               *            Internet        80,443            Any       Allow
500       *               *            *               *                 Any       Deny
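To check an existing deployment against the two tables above, here is an added example (not Azure's own tooling or code from this page) that audits NSG rules exported with the Azure CLI. It assumes the JSON field names that `az network nsg rule list -o json` emits (name, priority, direction, access, protocol, sourceAddressPrefix(es), destinationAddressPrefix(es), destinationPortRange(s)); the sample rule sets are constructed for the example, with a missing GatewayManager rule and a misplaced deny built in on purpose. Treating the VirtualNetwork service tag as covering any CIDR is an assumption of the example (it holds when the Bastion subnet is in the same or a peered VNet).

```python
"""Added example, not Azure's own tooling: audit NSG rules exported with
`az network nsg rule list -g <rg> --nsg-name <nsg> -o json` against the flows
Azure Bastion needs. NSG semantics modelled: per direction, rules are evaluated
in ascending priority order and the first match decides Allow or Deny."""
import ipaddress
import json

# Flows the Bastion subnet NSG must allow, as (direction, source, destination,
# ports, protocol), with the Bastion host itself written as "VirtualNetwork".
BASTION_FLOWS = [
    ("Inbound",  "Internet",          "VirtualNetwork", {443},        "Tcp"),
    ("Inbound",  "GatewayManager",    "VirtualNetwork", {443},        "Tcp"),
    ("Inbound",  "AzureLoadBalancer", "VirtualNetwork", {443},        "Tcp"),
    ("Inbound",  "VirtualNetwork",    "VirtualNetwork", {8080, 5701}, "*"),
    ("Outbound", "VirtualNetwork",    "VirtualNetwork", {22, 3389},   "Tcp"),
    ("Outbound", "VirtualNetwork",    "AzureCloud",     {443},        "Tcp"),
    ("Outbound", "VirtualNetwork",    "VirtualNetwork", {8080, 5701}, "*"),
    ("Outbound", "VirtualNetwork",    "Internet",       {80, 443},    "*"),
]


def vm_flows(bastion_subnet_cidr):
    """Flows the target VM's NSG must allow: RDP and SSH from AzureBastionSubnet."""
    return [("Inbound", bastion_subnet_cidr, "VirtualNetwork", {22, 3389}, "Tcp")]


def _prefixes(rule, side):
    many = rule.get(f"{side}AddressPrefixes") or []
    one = rule.get(f"{side}AddressPrefix")
    return many + ([one] if one else [])


def _prefix_covers(rule_prefix, wanted):
    """Does a rule prefix (service tag, '*' or CIDR) cover `wanted` (tag or CIDR)?"""
    if rule_prefix in ("*", wanted):
        return True
    try:
        wanted_net = ipaddress.ip_network(wanted, strict=False)
    except ValueError:
        return False  # wanted is a service tag and the rule names a different one
    if rule_prefix == "VirtualNetwork":
        return True   # assumption: the CIDR lies in this VNet or a peered one
    try:
        return wanted_net.subnet_of(ipaddress.ip_network(rule_prefix, strict=False))
    except (ValueError, TypeError):
        return False  # rule names a tag, or IPv4/IPv6 mismatch


def _port_covered(port, rule):
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")       # "443" or "8080-8090"
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def first_match(rules, direction, src, dst, port, proto):
    """Lowest-priority-number rule in `direction` matching the flow, or None."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != direction or rule["protocol"] not in ("*", proto):
            continue
        if not any(_prefix_covers(p, src) for p in _prefixes(rule, "source")):
            continue
        if not any(_prefix_covers(p, dst) for p in _prefixes(rule, "destination")):
            continue
        if _port_covered(port, rule):
            return rule
    return None


def audit(rules, flows):
    """Return one finding per required flow that is not allowed; empty list means OK."""
    findings = []
    for direction, src, dst, ports, proto in flows:
        for port in sorted(ports):
            flow = f"{direction} {src} -> {dst}:{port}/{proto}"
            hit = first_match(rules, direction, src, dst, port, proto)
            if hit is None:
                findings.append(f"MISSING  {flow}: no custom rule matches; Azure default rules decide")
            elif hit["access"] != "Allow":
                findings.append(f"BLOCKED  {flow}: denied by '{hit['name']}' (priority {hit['priority']})")
    return findings


def _rule(name, priority, direction, src, dst, ports, proto="Tcp", access="Allow"):
    """Build a rule dict in the shape `az network nsg rule list -o json` emits."""
    return {"name": name, "priority": priority, "direction": direction, "access": access,
            "protocol": proto, "sourceAddressPrefix": src, "sourcePortRange": "*",
            "destinationAddressPrefix": dst, "destinationPortRanges": [str(p) for p in ports]}


# Constructed sample: the page's rule set minus the GatewayManager rule, plus a
# deny at priority 350 that shadows the Internet egress allow at 400.
SAMPLE_BASTION_NSG = [
    _rule("AllowHttpsInbound", 100, "Inbound", "Internet", "*", [443]),
    _rule("AllowLoadBalancerInbound", 300, "Inbound", "AzureLoadBalancer", "*", [443]),
    _rule("AllowBastionHostComms", 400, "Inbound", "VirtualNetwork", "*", [8080, 5701], "*"),
    _rule("DenyAllInbound", 500, "Inbound", "*", "*", ["*"], "*", "Deny"),
    _rule("AllowSshRdpOutbound", 100, "Outbound", "*", "VirtualNetwork", [22, 3389]),
    _rule("AllowAzureCloudOutbound", 200, "Outbound", "*", "AzureCloud", [443]),
    _rule("AllowBastionCommsOutbound", 300, "Outbound", "VirtualNetwork", "VirtualNetwork", [8080, 5701], "*"),
    _rule("DenyInternetOutbound", 350, "Outbound", "*", "Internet", ["*"], "*", "Deny"),
    _rule("AllowInternetOutbound", 400, "Outbound", "*", "Internet", [80, 443], "*"),
    _rule("DenyAllOutbound", 500, "Outbound", "*", "*", ["*"], "*", "Deny"),
]
# Constructed sample VM NSG that allows SSH but forgot RDP from the Bastion subnet.
SAMPLE_VM_NSG = [
    _rule("AllowBastionSsh", 100, "Inbound", "10.0.1.0/26", "*", [22]),
    _rule("DenyAllInbound", 4096, "Inbound", "*", "*", ["*"], "*", "Deny"),
]

if __name__ == "__main__":
    # With real data: rules = json.load(open("bastion-nsg.json"))
    for finding in audit(SAMPLE_BASTION_NSG, BASTION_FLOWS) + audit(SAMPLE_VM_NSG, vm_flows("10.0.1.0/26")):
        print(finding)
```

Evaluating in priority order is the point of the example: the missing GatewayManager rule is reported as blocked by the author's own DenyAllInbound at 500, and the Internet egress allow at 400 is dead code behind the deny at 350, neither of which a simple "is the allow rule present" check would catch.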

Reference

What is Azure Bastion?

Connect to a VM using a native client

Last modified July 21, 2024: update (e2ae86c)