In case you missed it, Azure has released a new service called Bastion. So what is the fuss about this new service, and why should you use it?
Bastion manages RDP/SSH sessions to VMs over SSL, using the private IP of the VM.
Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH access to your virtual machines directly through the Azure Portal. Azure Bastion is provisioned directly in your Virtual Network (VNet) and supports all VMs in your Virtual Network (VNet) using SSL without any exposure through public IP addresses.
So basically it is the old jump server that you already used to get into Azure VMs when needed. It gives access to all virtual machines within a virtual network through a single hardened access point. Exposing the bastion host as the primary public access point helps lock down public Internet exposure and limits threats such as port scanning and other types of malware targeting your VMs.
A jump server as a PaaS service.
This seems nice, but as always: is it free or is it costly? In the Azure Calculator you can see the costs.
How do we start with Bastion?
First we need to register the new resource in Azure; this is always needed before you can work with new Azure components.
Keep in mind that the registration can take some time.
Get-AzProviderFeature -ProviderNamespace Microsoft.Network
With the PowerShell command below we register the Bastion service in our subscription and network.
Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
Now that we have triggered the registration of the Bastion service, we need to wait.
Check if it is done.
Then register the Microsoft.Network provider namespace again with your subscription.
Register-AzResourceProvider -ProviderNamespace Microsoft.Network
Now that this is done we can start with the configuration, and there are multiple ways to get there: through the Marketplace or directly in the VM.
In the VM almost all the items are predefined and ready to go if you want to go with the defaults.
In the Marketplace you need to find Bastion and select the new resource.
Select and create the resource. Configure it accordingly and select the proper network.
The starting point is almost the same: the first one is already in the VM network, and the one from the Marketplace is just a blank one where you need to select your network.
In this LAB I’ll go for connection directly from the VM.
As I want to move forward quickly I already see some red lines. I need a /27 Subnet. This is currently not in my network so I need to create a new subnet in the used Azure network.
As shown below, the extra subnet is created to connect to Azure Bastion.
The subnet inside your virtual network to which Bastion resource will be deployed. The subnet must be created with the name AzureBastionSubnet. This lets Azure know which subnet to deploy the Bastion resource to. This is different than a Gateway subnet. Click Manage subnet configuration to create the Azure Bastion Subnet. We highly recommend that you use at least a /27 or larger subnet (/27, /26, etc.). Create the AzureBastionSubnet without any Network Security Groups, route tables, or delegations. Click Create to create the subnet, then proceed with the next settings.
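The subnet requirements above can be checked from PowerShell before the Bastion resource is deployed. The script below is an added example, not part of the original post; it assumes a current Az.Network module, and the resource group name, VNet name and address range are placeholders.

```powershell
# Added example: preflight check of the AzureBastionSubnet requirements quoted above.
# Assumed placeholder values, not taken from the post:
$rgName   = 'rg-lab'
$vnetName = 'vnet-lab'
$prefix   = '10.0.250.0/27'   # must be a free range inside the VNet address space

function Test-BastionSubnet {
    # Returns a list of findings; an empty list means the subnet is usable.
    param([Parameter(Mandatory)] $Subnet)
    $problems = @()
    if ($Subnet.Name -ne 'AzureBastionSubnet') {
        $problems += "Subnet is named '$($Subnet.Name)', expected AzureBastionSubnet"
    }
    foreach ($p in @($Subnet.AddressPrefix)) {
        # A larger prefix length means a smaller subnet: /28 is too small, /27 and /26 are fine.
        if ([int]($p -split '/')[1] -gt 27) { $problems += "Prefix $p is smaller than /27" }
    }
    if ($Subnet.NetworkSecurityGroup) { $problems += 'A network security group is attached' }
    if ($Subnet.RouteTable)           { $problems += 'A route table is attached' }
    if (@($Subnet.Delegations).Count -gt 0) { $problems += 'The subnet has delegations' }
    return $problems
}

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
$subnet = $vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet'

if (-not $subnet) {
    # Create the subnet with no NSG, route table or delegation, then re-read it.
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -VirtualNetwork $vnet `
        -AddressPrefix $prefix | Set-AzVirtualNetwork | Out-Null
    $vnet   = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
    $subnet = $vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet'
}

$problems = Test-BastionSubnet -Subnet $subnet
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "AzureBastionSubnet $($subnet.AddressPrefix) meets the requirements"
}
```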
Now that the subnet is added we can create the Bastion service.
The validation started and it is created.
Now that it is created we can connect to the VM with HTML5; the connection is similar to a WVD RDP connection to the VM.
You can see the created subnet.
Connecting with Chrome or with Microsoft Edge is no problem, but you do need to configure the popup blocker.
With the web-based RDP connection, keep in mind that the background is filtered out.
To connect with the browser you will need to allow the popup to show.
Now that the portal has access, the connection will proceed, unless your VM is in the wrong region.
Currently only the following regions are supported:
- West US
- East US
- West Europe
- South Central US
- Australia East
- Japan East
This is a nice feature, but if you are already running a hybrid site, why not use Windows Admin Center? Here you can also connect to the Azure VM with the HTML5 browser. The only catch is that you will need to connect either to an external IP with a proper NSG or to the internal IP over an S2S VPN connection.
About the Author:
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Smit, R. (2019). How to start with Microsoft #Azure #Bastion Service, secure VM access #AzureBastion #jumpserver #PaaS #WAC. Available at: https://robertsmit.wordpress.com/2019/06/20/how-to-start-with-microsoft-azure-bastion-service-secure-vm-access-azurebastion-jumpserver-paas-wac/ [Accessed: 2nd January 2020].