Azure Bastion – Secure Access to Azure VMs via SSH/RDP without Public IPs or Jump Hosts

Azure Bastion is a new service for reaching Azure VMs securely without deploying a jump host in the same VNET and without exposing a public IP on the VM.

Azure Bastion has been in public preview since the end of June 2019. The service is now generally available (since Microsoft Ignite 2019) and many of the preview limitations are gone. This article gives a short introduction to the service and its new features, and shows how easy it is to deploy it in your environment to reach Azure VMs (Windows or Linux) over a secure channel.

[Figure: Azure Bastion architecture, from the Microsoft docs]

General

Azure Bastion is a service for reaching Azure VMs (Windows and Linux) over a secure, encrypted connection without deploying and managing a jump host and without assigning a public IP to those VMs.

Azure Bastion is a fully managed PaaS service from Microsoft. It deploys a Microsoft-managed jump host into a dedicated subnet of your VNET; from there you reach your VMs from the Internet through the Azure portal, directly in the browser. The key features of the service are:

Key features

  • RDP and SSH directly inside the portal
  • Remote session over TLS (HTTPS on port 443) for SSH/RDP, so no SSH/RDP ports need to be reachable from the Internet
  • No public IP needed on the Azure VM
  • No need for an Agent inside the Azure VM
  • Browser support for Edge and Google Chrome

Minimum privileges

To connect to a VM via Azure Bastion, you must have the following minimum privileges for the VM and its associated VM services.

  • Reader role on the VM
  • Reader role on the NIC with private IP of the VM
  • Reader role on Azure Bastion resource

These are the permissions needed only to connect through the Bastion service; creating or changing the Bastion host itself requires more. Note that Reader is enough, because the session itself is still authenticated by the VM (local account, domain account or SSH key), not by Azure RBAC.
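The same three Reader assignments applied with the Azure CLI, scoped to the individual resources rather than granting Reader on the whole resource group. This is an added example and not part of the original post; the subscription ID, resource names and the user principal are placeholders, and the script only calls Azure when BASTION_GRANT=1 is set.

```shell
# Added example (not from the original post): grant a user exactly the three Reader
# assignments a Bastion session needs, each scoped to one resource.
# Subscription ID, names and the user principal below are assumptions.
set -eu

SUB="${SUB:-00000000-0000-0000-0000-000000000000}"
RG="${RG:-rg-bastion-demo}"
VM="${VM:-vm-app01}"
BASTION="${BASTION:-bas-hub}"
USER_UPN="${USER_UPN:-alice@example.com}"

# Build the three ARM resource IDs Reader must be scoped to:
# the VM, the NIC that carries its private IP, and the Bastion host.
bastion_user_scopes() {
  local sub="$1" rg="$2" vm="$3" nic="$4" bastion="$5"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s\n' "$sub" "$rg" "$vm"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/networkInterfaces/%s\n' "$sub" "$rg" "$nic"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/bastionHosts/%s\n' "$sub" "$rg" "$bastion"
}

grant_bastion_access() {
  # Discover the NIC name from the VM instead of hard-coding it.
  nic_id=$(az vm show -g "$RG" -n "$VM" \
    --query 'networkProfile.networkInterfaces[0].id' -o tsv)
  nic_name="${nic_id##*/}"
  bastion_user_scopes "$SUB" "$RG" "$VM" "$nic_name" "$BASTION" | while read -r scope; do
    # One narrowly scoped assignment per resource; nothing at resource-group level.
    az role assignment create --assignee "$USER_UPN" --role Reader --scope "$scope"
  done
}

# Only touch Azure when explicitly asked, so the script can be sourced safely.
if [ "${BASTION_GRANT:-0}" = "1" ]; then grant_bastion_access; fi
```

Scoping the assignments this way means a user can open a Bastion session to exactly the VMs they were given, and nothing else in the resource group becomes visible to them.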

Region availability

Azure Bastion is currently available only in a small number of regions, but Microsoft is rolling the service out to additional regions. I will update the region list as new regions become available.

  • West US, East US, South Central US
  • New since 01.01.20: East US 2 and West US 2
  • West Europe
  • Australia East
  • Japan East

Create an Azure Bastion Host

This chapter walks you through the simple creation process for an Azure Bastion host. Please note that you need free address space for a dedicated subnet in the selected VNET, and that the VNET must be in one of the regions listed above.

There are two ways to deploy an Azure Bastion host in the portal: from the Azure Bastion blade or from the blade of a VM. This article uses the preferred way, the Azure Bastion blade. To reach the Bastion blade, use the search bar.

[Figure: Azure Bastion in the portal search bar]

Create an Azure Bastion Subnet

The Azure Bastion service needs a subnet in the planned VNET that is named exactly AzureBastionSubnet, with a prefix of at least /27 at the time of writing (check the current documentation, since Microsoft has since raised the minimum size). This can be a challenge when there is no free address space left in the selected VNET. I prefer to leave some free space for upcoming Azure services when I create new VNETs in Azure.

Assign Public IP

The portal creates a new Standard SKU public IP for the service and proposes a name derived from the VNET name. I prefer to rename the public IP resource so that it is obvious it belongs to the Bastion host, but that is up to you.

Tagging

Don't forget to assign tags to the service and all related resources; this really helps you keep a well-defined Azure infrastructure 😉

Click "Review and create" and that's it. The service is now provisioned in your VNET, which takes about 5 minutes.
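The same deployment done with the Azure CLI instead of the portal, as an added example that is not part of the original post. The resource group, VNET, address prefix and resource names are assumptions. The script checks the two hard requirements from this section (the subnet name and a /27 or larger prefix) before calling Azure, and only deploys when BASTION_DEPLOY=1 is set.

```shell
# Added example (not from the original post): deploy an Azure Bastion host with the
# Azure CLI. Resource names and the address space below are assumptions.
set -eu

RG="${RG:-rg-bastion-demo}"                         # assumed resource group
LOCATION="${LOCATION:-westeurope}"                  # must be a region where Bastion is available
VNET="${VNET:-vnet-hub}"                            # existing VNET that already contains the target VMs
BASTION_PREFIX="${BASTION_PREFIX:-10.10.255.0/27}"  # free /27 inside that VNET
BASTION_NAME="${BASTION_NAME:-bas-hub}"
PIP_NAME="${PIP_NAME:-pip-bas-hub}"                 # renamed so the public IP is recognisably Bastion's
TAGS="env=demo owner=platform"                      # assumed tag set

# Bastion rejects a subnet that is not literally named AzureBastionSubnet and a
# prefix smaller than the minimum. Check both before touching the API.
validate_bastion_subnet() {
  local name="$1" prefix="$2" bits
  [ "$name" = "AzureBastionSubnet" ] || { echo "subnet must be named AzureBastionSubnet" >&2; return 1; }
  case "$prefix" in
    */*) bits="${prefix##*/}" ;;
    *)   echo "prefix must be CIDR, e.g. 10.0.1.0/27" >&2; return 1 ;;
  esac
  case "$bits" in ''|*[!0-9]*) echo "bad prefix length: $bits" >&2; return 1 ;; esac
  # /27 is the minimum the post describes (32 addresses); /26, /25 ... are larger and fine
  [ "$bits" -le 27 ] || { echo "/$bits is too small; need /27 or larger" >&2; return 1; }
}

deploy_bastion() {
  validate_bastion_subnet "AzureBastionSubnet" "$BASTION_PREFIX"

  # 1. Dedicated subnet for the Bastion host
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" \
    -n AzureBastionSubnet --address-prefixes "$BASTION_PREFIX"

  # 2. Bastion requires a Standard SKU, static public IP
  az network public-ip create -g "$RG" -n "$PIP_NAME" -l "$LOCATION" \
    --sku Standard --allocation-method Static --tags $TAGS

  # 3. The Bastion host itself; provisioning takes several minutes
  az network bastion create -g "$RG" -n "$BASTION_NAME" -l "$LOCATION" \
    --vnet-name "$VNET" --public-ip-address "$PIP_NAME" --tags $TAGS
}

# Only touch Azure when explicitly asked, so the script can be sourced and checked safely.
if [ "${BASTION_DEPLOY:-0}" = "1" ]; then deploy_bastion; fi
```

Run it as `BASTION_DEPLOY=1 sh deploy-bastion.sh` after `az login`; the validation step fails fast on the two mistakes the portal would otherwise only report at the end of the wizard.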

Security

Azure Bastion is a fully managed service and Microsoft hardens the service itself, but don't forget the subnet. To secure the Bastion host, harden the AzureBastionSubnet with an NSG.

Create an NSG and define the following rules in it. Be aware that Azure validates the rule set: if the required rules are not configured, you cannot attach the NSG to the AzureBastionSubnet.

[Figure: Creating and configuring the NSG for the Azure Bastion subnet]

Inbound

  • Allow TCP 443 from service tag "Internet" (the browser sessions)
  • Allow inbound from service tag "AzureCloud"
  • Allow TCP 443 from service tag "GatewayManager" (Azure control plane for the Bastion host)

Outbound

  • Allow TCP 22 and 3389 to the target VMs (service tag "VirtualNetwork")
  • Allow TCP 443 to service tag "AzureCloud"

Microsoft's documented rule set for the AzureBastionSubnet has grown since this was written (additional data-plane ports between the Bastion instances and a load-balancer probe rule), so check the current NSG guidance before applying these rules.
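The rule set above expressed as an Azure CLI script, added here as an example (not from the original post). Resource names are assumptions. The post gives no port for the inbound AzureCloud rule, so the script assumes 443. The rules are kept in a small table so that priority collisions can be checked before anything is applied, and the NSG is attached to the AzureBastionSubnet only after all rules exist, because Azure rejects the attachment if required rules are missing.

```shell
# Added example (not from the original post): create and attach the NSG for
# AzureBastionSubnet with the Azure CLI. Resource names are assumptions; the
# inbound AzureCloud port (443) is an assumption too, the post does not state one.
set -eu

RG="${RG:-rg-bastion-demo}"
VNET="${VNET:-vnet-hub}"
NSG="${NSG:-nsg-AzureBastionSubnet}"
LOCATION="${LOCATION:-westeurope}"

# Rule table, one rule per line:
#   name|direction|priority|source|source ports|destination|destination ports
# Sources and destinations are Azure service tags, spelled exactly as Azure expects them.
bastion_nsg_rules() {
  cat <<'EOF'
AllowHttpsInbound|Inbound|120|Internet|*|*|443
AllowAzureCloudInbound|Inbound|130|AzureCloud|*|*|443
AllowGatewayManagerInbound|Inbound|140|GatewayManager|*|*|443
AllowSshRdpOutbound|Outbound|100|*|*|VirtualNetwork|22 3389
AllowAzureCloudOutbound|Outbound|110|*|*|AzureCloud|443
EOF
}

rule_count() { bastion_nsg_rules | wc -l | tr -d ' '; }

# Azure requires priorities to be unique per direction; catch collisions before any API call.
check_priorities_unique() {
  dup=$(bastion_nsg_rules | awk -F'|' '{ print $2 "/" $3 }' | sort | uniq -d)
  [ -z "$dup" ]
}

apply_bastion_nsg() {
  check_priorities_unique
  az network nsg create -g "$RG" -n "$NSG" -l "$LOCATION"
  bastion_nsg_rules | while IFS='|' read -r name dir prio src sport dst dport; do
    # $dport is intentionally unquoted so "22 3389" becomes two port arguments
    az network nsg rule create -g "$RG" --nsg-name "$NSG" -n "$name" \
      --priority "$prio" --direction "$dir" --access Allow --protocol Tcp \
      --source-address-prefixes "$src" --source-port-ranges "$sport" \
      --destination-address-prefixes "$dst" --destination-port-ranges $dport
  done
  # Attach last: Azure validates the required Bastion rules at this point.
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n AzureBastionSubnet \
    --network-security-group "$NSG"
}

# Only touch Azure when explicitly asked.
if [ "${BASTION_NSG_APPLY:-0}" = "1" ]; then apply_bastion_nsg; fi
```

There is deliberately no inbound rule for 22 or 3389: those ports are opened only on the outbound side, towards the VMs, which is the whole point of putting Bastion in front of them.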

Bastion and JIT together

At the time of writing it is not possible to use Just-in-Time (JIT) VM access and Azure Bastion together on the same VM; the two are not integrated by design. JIT opens the NSG for the requesting client's public IP, while a Bastion session reaches the VM from the AzureBastionSubnet, so a JIT rule does not match the Bastion traffic. A feature request for this has been filed on feedback.azure.com.

Pricing and SLA

The price of the service did not increase when GA was announced (see Update 1 below for the later increase). The costs are OK, but I miss essential functions like support for VNET peering. The price is the same in all regions.

Azure Bastion: 0,081 € per hour x 730 hours = 59,13 € per month

Since 18.01.20: 0,16 € per hour x 730 hours = 116,97 € per month

US pricing: 0,095 $ per hour x 730 hours = 69,35 $ per month

Since 18.01.20, US pricing: 0,19 $ per hour x 730 hours = 138,70 $ per month

Missed features

There are some features that I miss in Azure Bastion today, some of which are on the roadmap. One of the important missing features is support for VNET peering. Today you have to deploy an Azure Bastion host in every VNET whose VMs you want to reach through the service, which is a challenge from a cost and management perspective. The function is on the roadmap and will come, but I thought it would be available with the GA release.

Azure Advent Calendar Video Session

I created a video session about Azure Bastion for the Azure Advent Calendar. All topics covered in this article are covered in the session. You can find the session and the accompanying blog post here.

Take a look at the Azure Advent Calendar for a broad range of free Azure sessions from great Azure experts around the globe.

Update 1

The price for Azure Bastion has changed and has been increased. I have updated the price information above. From my point of view the price without VNET peering support is too high.
