bastion

Azure Bastion – Jump Server as a Service

Azure Bastion – Jump Server as a Service

Azure Bastion is a new Azure Platform (PaaS) service, at this time is still in Preview, that allows to have RDP and SSH access to Virtual Machines inside a Virtual Network directly from the Azure Portal. This eliminates the need to expose the Virtual Machines RDP and SSH ports to the internet.

The logic comes from the Jump Servers, but you don’t need to deploy any VMs and you don’t have to worry about the hardening. It all ready on Azure as a Service.

A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. You can find more about jump servers at https://en.wikipedia.org/wiki/Jump_server

The connection to the virtual machines is achieved directly from the Azure Portal over Secure Sockets Layer (SSL) just using the browser. The Bastion Host is

Azure Bastion Preview preparation

For the time, Azure Bastion Hosts are in Public Preview. To use them we need to Register the Azure Bastion Host provider. Open PowerShell and login to Azure or use the Cloud Shell from the Azure Portal.

To register the provider run:

Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network

register provider

Then run:

Register-AzResourceProvider -ProviderNamespace Microsoft.Network

azure bastion register

The provider takes some time to register. Run the following command to check when it is registered:

Get-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network

register check

Once the Provider is Registered, access the Azure Portal using this link: http://aka.ms/BastionHost in order to access the Bastions Preview.

Create the Bastion

From the Azure Portal search for bastions

portal azure bastion

Hit “Add” to start the Bastion creation wizard

azure bastion

One thing to consider is that the Virtual Network must have an empty subnet with name “AzureBastionSubnet” and at least /27 range. This Subnet will be configured as a DMZ.

azure bastion

At the Create a bastion wizard select the Subscription and the Resource group. I prefer to create a new Resource Group. Enter a name for the Bastion Host Instance and a Region. Of course the Virtual Network and the Region must be the same as the Virtual Machines that you want to access. Finally select a name for the Public IP of the Bastion Host and hit Review and Create to create the Bastion.

azure bastion

Once the Bastion is ready you can see its properties. Not much to configure, just the IAM.

azure bastion

Create using ARM Template

We can also include the Bastion Hosts at our ARM Templates. This is an export from the Azure Portal Export Template.

"apiVersion": "2018-10-01",
"type": "Microsoft.Network/bastionHosts",
"name": "[parameters('bastionHostName')]",
"location": "[parameters('location')]",
"dependsOn": [
"[resourceId(parameters('resourceGroup'), 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName'))]",
"[resourceId(parameters('resourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]"
],
"properties": {
"ipConfigurations": [
{
"name": "IpConf",
"properties": {
"subnet": {
"id": "[parameters('subnetId')]"
},
"publicIPAddress": {
"id": "[resourceId(parameters('resourceGroup'), 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName'))]"
}
}
}
]
},
"tags": {}
}

Using the Bastion Host

And now the magic. Once you have a bastion deployed to a Virtual Network, browse a Virtual Machine and hit “Connect”. Beside the RDP and SSH, you will see a new option, the BASTION!

azure bastion

Since the topology is Intternet –>Public IP of Bastion –> Bastion –> Virtual Network – NSG – Private IP –> VM you need to allow the RDP / SSH traffic from the Bastion VNET to the Virtual Machine and https traffic (no RDP / SSH needed) from the internet (or your public ip) to the Bastion Subnet.

Enter the VMs username and password and hit connect and we have RDP over HTTPS

azure bastion

Copy Text to / from the VM

There a little icon >> at the right middle of the screen.

Click it and the Copy / paste box will open. Any text you paste at that box it will be available at the VMs clipboard. Also the Fullscreen button is available there.

Also any text you copy from the VM will appear at that box, like the image below:

The Remote Desktop experience is excellent! No RDP client needed, just your browser.

Sources:

https://docs.microsoft.com/en-us/azure/bastion/bastion-faq

https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg

https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-microsoft-azure-bastion/

https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal

Share

Leave a Reply

Your email address will not be published. Required fields are marked *

ten + 14 =