Azure Bastion architecture from MS docs

Azure Bastion – Secure Access Azure VMs via SSH/RDP without Public IP or Jumphosts

Update 5 on 01/12/2021

Microsoft has changed the #AzureBastion minimum subnet size from /27 to /26. Installed #Azure Bastion are unaffected, but new deployments require the new subnet size. Please remember this. https://docs.microsoft.com/en-us/azure/bastion/bastion-faq#subnet

Update 4 on 14/07/2021

Microsoft has announced a new Azure Bastion Standard SKU as part of the ongoing Microsoft Inspire 2021. The difference between Basic and Standard SKU and the deployment process are summarized in this article.

Update 3 on 16/05/2021

VNET peering support for Azure Bastion is now GA

Update 2 on 26/04/2021

I updated the article based on the latest information around Azure Bastion. One big announcement is the support for peered VNETs for Azure Bastion – this is also integrated in this article. Please feel free to share and comment 🙂

Azure Bastion is a new service to reaches Azure VMs in a secure way without needing a Jump host in the same VNET or to publish an Public IP for a VM. Many customers using Public IPs to reach VMs (Windows and Linux) in Test and Dev environment. Please avoid managing Azure VMs over a Public IP, this is unsecure – use Azure Bastion.

Azure Bastion is in public preview since end of June 2019. Azure Bastion is General Available (since Microsoft Ignite 2019) and many limitations are gone. This article will short introduce the service, the new features and how easy is it to enroll the service in the environment to reach Azure VMs (Windows or Linux) over a secure way.

Azure Bastion architecture from MS docs
Azure Bastion architecture from MS docs

General

Azure Bastion is a service to reach all Azure VMs (Windows and Linux) in the Azure Tenant over a secure, encrypted way wihtout the need to deploy and manage a Jumphost or a public IP for VMs.

Azure Bastion is a fully managed Paa-Service by Microsoft. The service enroll an managed jump host VM inside the VNET to reach Azure VMs from the Internet over the Azure portal blade. The Key features for this services are:

Key features

  • RDP and SSH directly inside the portal
  • Remote session over SSL for SSH/RDP
  • No public IP needed on the Azure VM
  • No need for an Agent inside the Azure VM
  • Browser support for Edge and Google Chrome

Minimum priviliges

To connect to a VM via Azure Bastion, you must have the following minimum privileges for the VM and its associated VM services.

  • Reader role on the VM
  • Reader role on the NIC with private IP of the VM
  • Reader role on Azure Bastion resource

This is only for using the Azure Bastion service.

Region availability

The availability of Azure Bastion is now limited to a small number of regions, but Microsoft registers the service in additional regions. I will update the regions list as new regions become available.

Azure Bastion is available in almost all regions. For new regions, check the Azure Region Availability by Service website.

Create a Azure Bastion Host

This chapter leads you to the simple creation process for an Azure Bastion Host. Please note that you need a free subnet area in the selected VNET.

There are two ways to deploy an Azure Bastion Host over the Portal or via the Azure VM Blade. This article use the prefered way over the Azure Bastion blade, because here is the central blade to manage all enrolled Bastions services. To reach the Bastion blade use the search bar.

Azure-Bastion-Search-bar-
Azure-Bastion-Search-bar-

Create a Azure Bastion Subnet

For the Azure Bastion service you need a subnet called AzureBastionSubnet in the planned VNET with a minimum prefix of /27 /26. This can be a little challenge, because sometimes there is no free space in the selected VNET. Azure Bastion supports since mid of December 2020 VNET Peering. I prefer to create a AzureBastionSubnet in the Hub VNET and enroll Azure Bastion into this Subnet. From there you can reach all VMs in the peered spoke VNETs.

From design reasons, I prefer to leave some free adress/subnet space for upcoming Azure services when creating new Azure VNETs.

Assign Public IP

Azure automatically assigns a public IP to the service and generates a name that corresponds to the VNET declaration. I prefer to change the name of the public IP resource to see that it’s assigned to the Bastion service – but that’s up to you.

Tagging

Do not forget to assign tags for the service and all other ressources, this helps you really a lot to get a well defined Azure infrastructure 😉

Click “review and create” – that’s it. Now the service will provisioned into your VNET. This takes not more than 5 minutes.

Security (Hardening Azure Bastion)

You know Azure Bastion is a fully managed service by Microsoft and Microsoft harden the service itself, but don´t forget the subnet. To secure the Bastion host, harden the subnet and use an NSG.

Create a NSG and define the following rules to the NSG. Please be aware, when you not configure the correct roles, you can`t assign the NSG to the Azure Bastion subnet.

Azure-Bastion-Create-and-configure-NSG-for-Azure-Bastion-subnet
Azure-Bastion-Create-and-configure-NSG-for-Azure-Bastion-subnet

Incoming

  • Allow 443 from Service Tag “Internet”
  • Allow Income from Service Tag “Azure Cloud”
  • Allow Income from Serive Tag “Gateway Manager”

Outcoming

  • Allow Outbound Port 22, 3389
  • Allow Outbound Port 443 to Service Tag “Azure Cloud”

Bastion and JIT together

Right now it is not possible to use Just-in-Time access (JIT) and Azure Bastion on the same Azure VMs together. This is not possible by design in the moment. For this there is a feature request added at feedback.azure.com.

Pricing and SLA

The cost of the service are not increased after the GA was announced. The costs are ok, but I missed essential functions like the support of VNET-Peering. The price is for all regions the same.

Azure Bastion 0,081€ per Hour x 730 hours = 59,13€

US Pricing: 0,095$ per hour x 730 hours = 69,35$

Since 18.01.20 Azure Bastion 0,16€ per Hour x 730 hours = 116,97€ per Month in US Pricing: 0,19$ per hour x 730 hours = 138,70$

Microsoft guarantess an SLA for Azure Bastion of 99,95%.

Please note: Azure Bastion price is based on an hourly basis. If you do not need Azure Bastion, delete the service to avoid costs. Re-regestration is done within minutes, there is no need for leave unused Bastion host available.

Missed features

Some really missed feature since GA was support for VNET peering. Since mid of December 2020 Azure Bastion supports VNET peering. This makes the service more useful and avoid complexity for your infrastructure.

There are some features that I missed in Azure Bastion today. Some of these are on the Roadmap. One of the important missed feature is support of VNET Peering. Today you have to enroll a Azure Bastion in each VNET in that you will arrive your VMs via the Bastion service. That is a challenge from cost and management perspective. The function is on the roadmap and will come, but I thought it would be available with GA release.

Azure Advent Calender Video Session

I created a video session for the Azure Advent Calender about Azure Bastion. All topics that you see in this article are covered in the session. You find the session and the additional blog post here.

Take a look at the Azure Advent Calender for a broad range of Azure topics that are free for using and coming from great Azure experts around the globe.

Update 1

The price for Azure Bastion has changed and has been increased. I have updated the price information. From my point of view the price without VNET peering is too high.

Links

3 thoughts on “Azure Bastion – Secure Access Azure VMs via SSH/RDP without Public IP or Jumphosts”

Leave a Reply

Your email address will not be published. Required fields are marked *