A little late to the party, but nevertheless I wanted to quickly show what Azure Bastion is and how to use it. Azure Bastion is still in “public preview”, but the solution is mature enough to start implementing now. Azure Bastion reduces risk significantly compared to the traditional jumpbox approach, as it forces users to authenticate over SSL/443.
So what is Azure Bastion? Azure Bastion is a fully managed service from Azure/Microsoft that allows you to RDP and/or SSH into any Azure VM. Azure Bastion lets you connect to your Azure VMs from an HTML5-based browser over SSL.
- Protection against 0-day exploits: Because Bastion sits at the perimeter of your VNet, you do not need to worry about hardening each of your VMs (although you should harden everything!!). The Azure platform keeps Azure Bastion hardened and always up to date.
- No public IP(s) required for your Azure VMs: By using Bastion, you can remove public IPs (PIPs) from your Azure VMs and force your users to go through the Bastion host to connect to the VMs in your Azure environment.
- Remote sessions over SSL: Since Azure Bastion uses modern HTML5 browsers, users can RDP/SSH over SSL (443), enabling you to traverse corporate firewalls securely.
- Simplified management of NSGs: Since Bastion is a fully managed PaaS service by Azure, you no longer need to apply Network Security Groups (NSGs) on your Bastion subnet. Since Bastion connects to your VMs over a private IP, you can configure the NSGs on your VM subnets to allow RDP/SSH from Azure Bastion only.
The architecture diagram above shows the workflow of how Azure Bastion works.
- The Bastion host is deployed within a VNet, in its own dedicated subnet
- Users can connect with any modern HTML5 browser
- No Public IPs on Azure VMs
Before getting set up with Azure Bastion, there are some key things to know:
- You must have a Virtual Network
- The VNet must have a subnet dedicated for Bastion and its name must be “AzureBastionSubnet”
- A /27 CIDR is recommended for the subnet. It is easy to grow a subnet as needed and much more difficult to shrink one, so always start small and grow as needed.
- No User Defined Routes (UDRs) or Network Security Groups (NSGs) can be applied to the subnet.
Next step: how to deploy and configure Azure Bastion. If you want to get started with Azure Bastion, you can enroll in the Public Preview here: https://aka.ms/BastionHost.
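As an added example that is not part of the original post, the following Az PowerShell script puts the prerequisites above and the "RDP/SSH from Bastion only" NSG pattern into practice: a VNet with a /27 subnet named exactly AzureBastionSubnet (no NSG or route table on it), a VM subnet whose NSG allows 22/3389 only from the Bastion subnet's range, and the Bastion host itself. It assumes the Az module is installed and Connect-AzAccount has been run; resource names, region and address ranges are placeholders.

```powershell
# Added example, not the original post's code. Assumes the Az PowerShell module
# is installed and you are signed in (Connect-AzAccount). Names, region and
# address ranges are placeholders; adjust them to your environment.
$rg       = "rg-bastion-demo"
$location = "westeurope"

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Bastion subnet: the name must be exactly "AzureBastionSubnet" and /27 is the
# recommended starting size. Deliberately no NSG and no route table on it.
$bastionSubnet = New-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" `
    -AddressPrefix "10.10.0.0/27"

# VM subnet NSG: allow RDP/SSH only from the Bastion subnet's address range.
# The explicit deny below overrides the default AllowVnetInBound rule, which
# would otherwise let any other host in the VNet reach 22/3389 directly.
$allowFromBastion = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-SSH-From-Bastion" `
    -Priority 100 -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix "10.10.0.0/27" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange @("22", "3389")
$denyOtherMgmt = New-AzNetworkSecurityRuleConfig -Name "Deny-RDP-SSH-Other" `
    -Priority 110 -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange @("22", "3389")
$vmNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "nsg-vm-subnet" -SecurityRules $allowFromBastion, $denyOtherMgmt

$vmSubnet = New-AzVirtualNetworkSubnetConfig -Name "snet-vms" `
    -AddressPrefix "10.10.1.0/24" -NetworkSecurityGroup $vmNsg

$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Location $location `
    -Name "vnet-demo" -AddressPrefix "10.10.0.0/16" -Subnet $bastionSubnet, $vmSubnet

# Only the Bastion host gets a public IP (Standard SKU, static); the VMs get none.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location `
    -Name "pip-bastion" -Sku Standard -AllocationMethod Static

New-AzBastion -ResourceGroupName $rg -Name "bas-demo" `
    -PublicIpAddress $pip -VirtualNetwork $vnet
```

After deployment, a VM placed in snet-vms without a public IP is reachable for RDP/SSH only through the Bastion session in the browser, and any direct 22/3389 attempt from elsewhere in the VNet is dropped by the deny rule.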