Azure Bastion?

Security in the cloud has many aspects, but one rule applies to almost every resource you create: it should be "secure", which in practice means it should not be publicly accessible unless there is a specific, justified requirement. The virtual machine is one of the most important compute resources in Microsoft Azure, and in this article I explain a newer service that addresses the security of how you reach your VMs.

How do you access your VM? When you create a virtual machine in an Azure subscription, you have traditionally used one of the following options to reach it:

  1. Expose the VM's public IP: to reach the VM over RDP / SSH you attach a public IP address to it. This is a direct entry point to the VM.
    • This option is not secure at all.
    • It increases the chance of an attack on your virtual machine: the VM, the network and the data on it can all be compromised. A VM with 3389 or 22 open to the Internet starts receiving brute-force login attempts within minutes of being provisioned.
    • Besides being insecure, a public IP is an additional cost.
  2. Create a jump box / jump server: when you are not allowed to expose the VM with a public IP, you build a jump server as a middle tier, a bridge between the Internet and the virtual machine. You first log in to the jump server, and from there you take an RDP / SSH session to your virtual machine.
    • This is a double RDP / SSH hop from one VM to another.
    • It is not an efficient or convenient way of working.
    • You need to remember / store multiple sets of credentials.
    • The jump box itself is still an Internet-facing VM that you must patch, monitor and keep highly available.

What is Azure Bastion?

Azure Bastion is a fully managed Azure PaaS service. It lets you reach your virtual machines from inside your virtual network, so the VMs themselves never need a public IP. You provision Bastion in your own virtual network, in a dedicated subnet that must be named exactly 'AzureBastionSubnet' (current documentation requires a /26 or larger prefix). You don't need to create or maintain a separate jump box, and you don't have to worry about the high availability of the Bastion host itself, because Microsoft manages it.

Here are some key points of Azure Bastion:

  • Internally Azure Bastion runs on virtual machine scale sets, so it can resize according to load. If more sessions need to reach your VMs, the scaling is handled internally without any prior configuration on your side.
  • It is deployed in the customer's virtual network, which allows the customer to RDP / SSH to their virtual machines without exposing a public IP on those VMs.
  • The most important point: Bastion terminates the RDP / SSH session inside the VNet. It connects to the VM's private IP on 3389 / 22, wraps the session in HTTPS and delivers it to your browser over TLS on port 443. The remote protocols are therefore never exposed on the public Internet; the only thing reachable from outside is the Bastion host's HTTPS endpoint.
  • It is very easy and quick to configure Bastion in a virtual network; a few clicks in the portal are enough.
  • See the "Configure Bastion and connect to Virtual Machine" walkthrough for the step-by-step process.
  • The service became generally available at Microsoft Ignite 2019, but it still has some limitations.
  • At the time of writing Bastion is available in selected regions only; coverage is still expanding.
  • To use the Azure Bastion service you need at least the following RBAC permissions:
    1. Reader on the NIC that carries the VM's private IP
    2. Reader on the Bastion resource
    3. Reader on the virtual machine

Some more features of this service are on the roadmap. At the time of writing Bastion is browser-only, with native client support planned, and VNet peering is not yet supported but is also planned. (Both have since shipped: the Standard SKU supports native RDP / SSH clients, for example through `az network bastion ssh` and `az network bastion rdp`, and a single Bastion host can now reach VMs in peered VNets.) Pricing at the time of writing is $0.19 per hour, the same in every region.

It is Microsoft's recommendation that anyone with virtual machines in a virtual network use Azure Bastion for SSH / RDP access, to make that access more secure and robust.

This was a high-level overview of Bastion. If you want to explore it further, check the Microsoft blogs and documentation, and in case of any query or blocker on Bastion please write to me at the email address on the contact page.

Happy learning!