Azure VNet Bastion
It is generally considered a best practice not to access a cloud-hosted VM directly over RDP or SSH, and you should certainly avoid exposing those ports to the Internet. If you have ExpressRoute or a VPN between your own managed network and Azure you could connect directly, but in my opinion offloading RDP and SSH to Azure Bastion solves some security problems and can offer your users a better experience.
This pattern shows a simple VNet with two subnets, each with its own NSG: one for Azure Bastion and one for the demo workload Linux VM. The user wants to open an SSH session to the VM. They first need access to Azure, with at least the Reader role on the VM, its network interface and the Bastion resource. They can then use the Azure Bastion service to connect to the Linux VM over SSH, and the VM never needs a public IP address of its own.
Key details for this design
- The Bastion subnet must exist and be configured exactly as the Azure Bastion documentation describes: it must be named AzureBastionSubnet and be at least /26.
- In this design the Bastion subnet has an NSG attached. If an NSG is attached to that subnet it must contain the inbound and outbound rules the documentation lists (443 in from Internet, GatewayManager and AzureLoadBalancer, 8080/5701 between the Bastion components, 22/3389 out to the VNet, 443 out to AzureCloud, among others), or the Bastion host will not function.
- The VM subnet NSG must allow the AzureBastionSubnet CIDR inbound on 22/TCP or 3389/TCP.
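To make the three points above concrete, here is an added Azure CLI script (my example, not part of the original pattern or of any Microsoft tooling) that builds both NSGs and attaches them to the two subnets. The resource group, VNet name, NSG names, the workload subnet name snet-workload and the 10.10.0.0/26 Bastion range are assumptions; change them to match your VNet. It goes one step beyond the list: on the workload subnet it adds an explicit Deny for 22/3389 after the Allow from the Bastion CIDR, because the default AllowVnetInBound rule would otherwise let every other VM in the VNet (and in peered VNets) reach the SSH port too.

```shell
#!/bin/sh
# Added example (not from the original post): the two NSGs for the Bastion
# pattern above, created with the Azure CLI. Resource group, VNet, NSG names
# and address ranges are assumptions; adjust them to your environment.
set -eu

RG="${RG:-rg-bastion-demo}"
VNET="${VNET:-vnet-bastion-demo}"
BASTION_NSG="nsg-AzureBastionSubnet"
VM_NSG="nsg-snet-workload"
BASTION_CIDR="${BASTION_CIDR:-10.10.0.0/26}"   # assumed range; must be /26 or larger
DRY_RUN="${DRY_RUN:-}"

# Run an az command, or print it when DRY_RUN is set.
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s ' "$@"; printf '\n'; else "$@"; fi
}

# Azure Bastion only deploys into a subnet literally named AzureBastionSubnet
# that is at least /26; fail fast here instead of waiting for az to reject it.
check_bastion_cidr() {
  prefix="${1##*/}"
  case "$prefix" in
    ''|*[!0-9]*) echo "not a CIDR: $1" >&2; return 1 ;;
  esac
  if [ "$prefix" -gt 26 ]; then
    echo "AzureBastionSubnet must be /26 or larger, got /$prefix" >&2
    return 1
  fi
}

# rule NSG NAME PRIORITY DIRECTION ACCESS PROTOCOL SOURCE DESTINATION PORT...
rule() {
  nsg="$1"; name="$2"; prio="$3"; dir="$4"; access="$5"; proto="$6"; src="$7"; dst="$8"
  shift 8
  run az network nsg rule create --resource-group "$RG" --nsg-name "$nsg" \
    --name "$name" --priority "$prio" --direction "$dir" --access "$access" \
    --protocol "$proto" --source-address-prefixes "$src" --source-port-ranges '*' \
    --destination-address-prefixes "$dst" --destination-port-ranges "$@"
}

bastion_subnet_rules() {
  run az network nsg create --resource-group "$RG" --name "$BASTION_NSG"
  # Inbound: users, the Bastion control plane and the platform load balancer
  # reach the host on 443; the Bastion data-plane components talk on 8080/5701.
  rule "$BASTION_NSG" AllowHttpsInbound             120 Inbound  Allow Tcp Internet          '*'            443
  rule "$BASTION_NSG" AllowGatewayManagerInbound    130 Inbound  Allow Tcp GatewayManager    '*'            443
  rule "$BASTION_NSG" AllowAzureLoadBalancerInbound 140 Inbound  Allow Tcp AzureLoadBalancer '*'            443
  rule "$BASTION_NSG" AllowBastionHostCommunication 150 Inbound  Allow '*' VirtualNetwork    VirtualNetwork 8080 5701
  # Outbound: Bastion opens the SSH/RDP sessions, reaches Azure on 443 and
  # fetches session information on 80.
  rule "$BASTION_NSG" AllowSshRdpOutbound           100 Outbound Allow Tcp '*'               VirtualNetwork 22 3389
  rule "$BASTION_NSG" AllowAzureCloudOutbound       110 Outbound Allow Tcp '*'               AzureCloud     443
  rule "$BASTION_NSG" AllowBastionCommunication     120 Outbound Allow '*' VirtualNetwork    VirtualNetwork 8080 5701
  rule "$BASTION_NSG" AllowGetSessionInformation    130 Outbound Allow '*' '*'               Internet       80
}

workload_subnet_rules() {
  run az network nsg create --resource-group "$RG" --name "$VM_NSG"
  # Only the Bastion subnet may reach the VM on SSH/RDP. The explicit Deny
  # matters: without it the default AllowVnetInBound rule (priority 65000)
  # lets every other VM in the VNet, and in peered VNets, open port 22/3389.
  rule "$VM_NSG" AllowSshRdpFromBastion 100 Inbound Allow Tcp "$BASTION_CIDR" '*' 22 3389
  rule "$VM_NSG" DenySshRdpFromAnywhere 110 Inbound Deny  Tcp '*'             '*' 22 3389
}

attach_nsgs() {
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name AzureBastionSubnet --network-security-group "$BASTION_NSG"
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name snet-workload --network-security-group "$VM_NSG"
}

main() {
  check_bastion_cidr "$BASTION_CIDR"
  bastion_subnet_rules
  workload_subnet_rules
  attach_nsgs
}

# With no argument the script only prints the az commands; "apply" runs them.
case "${1:-plan}" in
  plan)  DRY_RUN=1; main ;;
  apply) main ;;
esac
```

Run it with no arguments first to review the generated commands, then with `apply` once you are logged in with `az login` and the VNet and both subnets already exist. The CIDR check is deliberately up front: a /27 AzureBastionSubnet is the most common reason a Bastion deployment is rejected, and it is cheaper to catch before any NSG has been created.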