Azure Bastion – Jump Server as a Service

Azure Bastion is a new Azure Platform as a Service (PaaS) offering, still in Preview at the time of writing, that provides RDP and SSH access to Virtual Machines inside a Virtual Network directly from the Azure Portal. This eliminates the need to expose the Virtual Machines' RDP and SSH ports to the internet.

The concept comes from Jump Servers, but you don't need to deploy any VMs and you don't have to worry about hardening them. It is all ready on Azure as a Service.

A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. You can find more about jump servers at https://en.wikipedia.org/wiki/Jump_server

The connection to the virtual machines is made directly from the Azure Portal over Secure Sockets Layer (SSL), using just the browser. The Bastion Host is

Azure Bastion Preview preparation

For the time being, Azure Bastion Hosts are in Public Preview. To use them we need to register the Azure Bastion Host feature on the provider. Open PowerShell and log in to Azure, or use the Cloud Shell from the Azure Portal.

To register the provider run:

Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network


Then run:

Register-AzResourceProvider -ProviderNamespace Microsoft.Network


The provider takes some time to register. Run the following command to check when it is registered:

Get-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network


Once the Provider is Registered, access the Azure Portal using this link: http://aka.ms/BastionHost in order to access the Bastions Preview.
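The three commands above, put together into one script that registers the feature and the provider and then polls until the feature reports Registered. This is an added example, not part of the original post; it assumes the Az module is installed and Connect-AzAccount has already been run.

```powershell
# Added example (not from the original post): register the Bastion preview feature
# and poll until it reports "Registered". Assumes the Az module is installed and
# Connect-AzAccount has already been run.

$featureName = 'AllowBastionHost'
$namespace   = 'Microsoft.Network'

Register-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace | Out-Null
Register-AzResourceProvider -ProviderNamespace $namespace | Out-Null

# Poll the feature state; registration typically takes a few minutes.
$maxAttempts = 30          # 30 attempts x 20 s = 10 minutes
for ($i = 1; $i -le $maxAttempts; $i++) {
    $feature = Get-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace
    Write-Host ("Attempt {0}: {1}/{2} is {3}" -f $i, $namespace, $featureName, $feature.RegistrationState)
    if ($feature.RegistrationState -eq 'Registered') { break }
    Start-Sleep -Seconds 20
}

if ($feature.RegistrationState -ne 'Registered') {
    throw "Feature $featureName did not reach 'Registered' within the polling window."
}

# The namespace itself must also be Registered before bastionHosts resources can be deployed.
# Get-AzResourceProvider returns one row per resource type, so take the first.
$providerState = (Get-AzResourceProvider -ProviderNamespace $namespace | Select-Object -First 1).RegistrationState
Write-Host "$namespace provider state: $providerState"
```

Re-running the script is harmless: registering an already registered feature or provider is a no-op, and the loop exits on the first check.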

Create the Bastion

From the Azure Portal search for bastions


Hit “Add” to start the Bastion creation wizard


One thing to consider is that the Virtual Network must have an empty subnet named “AzureBastionSubnet” with an address range of at least /27. This subnet will be configured as a DMZ.


In the Create a bastion wizard, select the Subscription and the Resource Group. I prefer to create a new Resource Group. Enter a name for the Bastion Host instance and a Region. Of course, the Virtual Network and the Region must be the same as those of the Virtual Machines you want to access. Finally, select a name for the Public IP of the Bastion Host and hit Review and Create to create the Bastion.


Once the Bastion is ready you can see its properties. There is not much to configure, just the IAM.
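The same steps the wizard performs, done with Az PowerShell: add the AzureBastionSubnet (/27) if it is missing, create a Standard SKU static public IP in the same region, and create the Bastion host. This is an added example and not the post's own code; it assumes Connect-AzAccount has been run, that the New-AzBastion cmdlet is available in your Az.Network version, and uses placeholder names (rg-prod, vnet-prod, 10.0.255.0/27).

```powershell
# Added example (not from the original post): create the prerequisites and the
# Bastion host with Az PowerShell instead of the portal wizard.
# Assumes: Connect-AzAccount done, Az.Network with New-AzBastion available,
# and an existing VNet 'vnet-prod' in resource group 'rg-prod' (placeholder names).

$rg       = 'rg-prod'
$location = 'westeurope'
$vnetName = 'vnet-prod'

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName

# The subnet name is fixed by the service and it needs a range of at least /27.
$bastionPrefix = '10.0.255.0/27'   # placeholder; must be a free range inside the VNet address space
if (-not ($vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix $bastionPrefix -VirtualNetwork $vnet | Out-Null
    $vnet = $vnet | Set-AzVirtualNetwork
}

# Bastion needs a Standard SKU, static public IP in the same region as the VNet and the VMs.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-bastion' -Location $location `
        -AllocationMethod Static -Sku Standard

$bastion = New-AzBastion -ResourceGroupName $rg -Name 'bas-prod' -PublicIpAddress $pip -VirtualNetwork $vnet
$bastion | Select-Object Name, Location, ProvisioningState
```

Because the Bastion must live in the same Virtual Network as the machines it fronts, the script takes the VNet object rather than a name so the region is inherited from it.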


Create using ARM Template

We can also include Bastion Hosts in our ARM Templates. This is an export from the Azure Portal's Export Template feature.

{
  "apiVersion": "2018-10-01",
  "type": "Microsoft.Network/bastionHosts",
  "name": "[parameters('bastionHostName')]",
  "location": "[parameters('location')]",
  "dependsOn": [
    "[resourceId(parameters('resourceGroup'), 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName'))]",
    "[resourceId(parameters('resourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]"
  ],
  "properties": {
    "ipConfigurations": [
      {
        "name": "IpConf",
        "properties": {
          "subnet": {
            "id": "[parameters('subnetId')]"
          },
          "publicIPAddress": {
            "id": "[resourceId(parameters('resourceGroup'), 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName'))]"
          }
        }
      }
    ]
  },
  "tags": {}
}
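Deploying that resource from PowerShell: the parameters the exported resource references (bastionHostName, location, resourceGroup, publicIpAddressName, vnetName, subnetId) are built as a hashtable, subnetId is resolved from the AzureBastionSubnet of the target VNet, and the template is validated before the deployment runs. This is an added example, not from the post; it assumes the resource above has been saved inside a complete template with matching parameter declarations as .\bastion.json (placeholder path) and uses placeholder resource names.

```powershell
# Added example (not from the original post): deploy the exported bastionHosts
# resource from a template file with its parameters supplied from PowerShell.
# Assumes the JSON above is wrapped in a full template with matching parameters
# and saved as .\bastion.json; names below are placeholders.

$rg       = 'rg-prod'
$vnetName = 'vnet-prod'

$params = @{
    bastionHostName     = 'bas-prod'
    location            = 'westeurope'
    resourceGroup       = $rg
    publicIpAddressName = 'pip-bastion'
    vnetName            = $vnetName
    # subnetId must point at the AzureBastionSubnet of the target VNet.
    subnetId            = (Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName |
                            Get-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet').Id
}

# Validate first: a failed validation costs nothing and surfaces a missing subnet or IP early.
$validationErrors = Test-AzResourceGroupDeployment -ResourceGroupName $rg `
    -TemplateFile .\bastion.json -TemplateParameterObject $params
if ($validationErrors) {
    $validationErrors | Format-List
    throw 'Template validation failed.'
}

New-AzResourceGroupDeployment -ResourceGroupName $rg -Name 'bastion-deploy' `
    -TemplateFile .\bastion.json -TemplateParameterObject $params -Mode Incremental
```

Incremental mode is used on purpose: the Bastion is usually added to a resource group that already holds the VNet and the VMs, and Complete mode would remove anything the template does not describe.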

Using the Bastion Host

And now the magic. Once you have a Bastion deployed to a Virtual Network, browse to a Virtual Machine and hit “Connect”. Besides RDP and SSH, you will see a new option: BASTION!


Since the topology is Internet –> Public IP of Bastion –> Bastion –> Virtual Network – NSG – Private IP –> VM, you need to allow RDP / SSH traffic from the Bastion VNET to the Virtual Machine, and HTTPS traffic (no RDP / SSH needed) from the internet (or your public IP) to the Bastion subnet.
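The NSG side of that topology, written out so that RDP and SSH on the VM subnet are reachable only from the AzureBastionSubnet range and the Bastion subnet accepts only HTTPS. This is an added example, not code from the post; it assumes Connect-AzAccount has been run and uses placeholder names and ranges (rg-prod, vnet-prod, snet-vms, 10.0.255.0/27, admin address 203.0.113.10). It also adds an inbound 443 rule from the GatewayManager service tag, which the bastion-nsg page listed in the sources requires for the platform to manage the host; check the rule set against that page, since the required rules have been extended since the preview.

```powershell
# Added example (not from the original post): NSG rules for the
# Internet -> Bastion public IP -> Bastion -> VNet/NSG -> VM topology.
# Assumes: Connect-AzAccount done; VNet 'vnet-prod' in 'rg-prod' with subnets
# 'AzureBastionSubnet' and 'snet-vms' (placeholder names). The admin IP is constructed.

$rg            = 'rg-prod'
$location      = 'westeurope'
$adminPublicIp = '203.0.113.10/32'   # constructed; replace with your own egress IP
$bastionPrefix = '10.0.255.0/27'     # placeholder range of AzureBastionSubnet

# --- NSG for AzureBastionSubnet: HTTPS in, RDP/SSH out to the VNet only ------
$bastionRules = @(
    New-AzNetworkSecurityRuleConfig -Name 'AllowHttpsFromAdmin' -Direction Inbound -Priority 100 -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $adminPublicIp -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '443'
    # Required by the bastion-nsg documentation so the platform can manage the host.
    New-AzNetworkSecurityRuleConfig -Name 'AllowGatewayManager' -Direction Inbound -Priority 110 -Access Allow `
        -Protocol Tcp -SourceAddressPrefix 'GatewayManager' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '443'
    New-AzNetworkSecurityRuleConfig -Name 'AllowRdpSshToVnet' -Direction Outbound -Priority 100 -Access Allow `
        -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange @('22', '3389')
)
$bastionNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-bastion' `
    -Location $location -SecurityRules $bastionRules

# --- NSG for the VM subnet: RDP/SSH only from the Bastion subnet ------------
$vmRules = @(
    New-AzNetworkSecurityRuleConfig -Name 'AllowRdpSshFromBastion' -Direction Inbound -Priority 100 -Access Allow `
        -Protocol Tcp -SourceAddressPrefix $bastionPrefix -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange @('22', '3389')
    # Without this, the default AllowVnetInBound rule would let any other VNet address reach RDP/SSH.
    New-AzNetworkSecurityRuleConfig -Name 'DenyRdpSshFromAnywhereElse' -Direction Inbound -Priority 110 -Access Deny `
        -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange @('22', '3389')
)
$vmNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-vms' `
    -Location $location -SecurityRules $vmRules

# --- Attach both NSGs at subnet level and persist the VNet -------------------
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-prod'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'AzureBastionSubnet' `
    -AddressPrefix $bastionPrefix -NetworkSecurityGroup $bastionNsg | Out-Null
$vmSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-vms'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-vms' `
    -AddressPrefix $vmSubnet.AddressPrefix -NetworkSecurityGroup $vmNsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

The explicit Deny at priority 110 on the VM subnet is the part people tend to forget: the Bastion only removes the need for public RDP/SSH, and the VM subnet's default rules still admit 3389/22 from the whole Virtual Network unless you narrow them to the Bastion range.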

Enter the VM's username and password, hit Connect, and we have RDP over HTTPS.


Copy Text to / from the VM

There is a little icon >> at the right middle of the screen.

Click it and the Copy / Paste box opens. Any text you paste into that box becomes available on the VM's clipboard. The Fullscreen button is also available there.

Also, any text you copy from the VM will appear in that box, as in the image below:

The Remote Desktop experience is excellent! No RDP client needed, just your browser.

Sources:

https://docs.microsoft.com/en-us/azure/bastion/bastion-faq

https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg

https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-microsoft-azure-bastion/

https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal
