Azure Bastion is a new, fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL. When you connect via Azure Bastion, your virtual machines do not need a public IP address! So you can connect to your virtual servers from the portal securely, with the traffic staying internal to Azure. What a cool feature from Microsoft. The feature does require some pre-work before it can be used, such as creating an AzureBastionSubnet in your virtual network.
At the time of writing this blog post, this feature was only available at the below regions:
- West US
- East US
- East US 2
- West Europe
- South Central US
- Australia East
- Japan East
Below is a diagram demonstrating how Bastion works:
To try out this feature, I deployed a test VM in the East US 2 region.
How to configure Azure Bastion:
1) Log in to your Azure Portal.
2) Click Bastions.
3) Configure your Bastion service. As you can see from the screenshot below, the service is not available in all regions yet, but Microsoft are working to push this feature out to all regions.
4) If you have not created an AzureBastionSubnet with a prefix of at least /27, you will receive the below error. Ensure you have created this subnet within your VNET before continuing.
5) Click Create. It took approx. 5 minutes to deploy this service after clicking Create.
If you attempt to connect to your virtual server using Bastion whilst the service is still deploying, you will receive the below error.
6) Now that we have deployed the service, let's connect to a VM located in the same VNET as the AzureBastionSubnet. Because the Bastion service was not available within the UK region, I created a test VM in the East US 2 region.
7) Locate your VM, click Connect and select Bastion. Log in with your credentials.
Information: You may see a prompt to enable just-in-time access on this VM. This is a useful feature which is currently available as part of Security Center Standard. If you have VMs which are open to RDP, you can configure Just in Time so that RDP is always denied but opened for a small amount of time when an admin needs to log on to perform management tasks. Just in Time will automatically create an allow rule within your NSG/Azure Firewall when access is required, and the rule will be removed when the Just in Time access expires. A good feature you may want to look into at a later date.
8) Let's continue with the demo. Once you have entered your credentials, the VM will connect through the Bastion service.
9) And we're logged on securely!
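The same deployment (steps 4 and 5 above) scripted with the Az PowerShell module, as an added example that is not part of the original post; the resource group, VNet name, address range and resource names are assumed placeholder values, and the script checks the /27 requirement before touching Azure.

```powershell
# Added example: scripted equivalent of the portal steps above, using the Az PowerShell module.
# Resource group, VNet name, region and address range below are assumed placeholder values.
$rg                  = 'rg-bastion-demo'
$location            = 'eastus2'          # one of the regions listed in the post
$vnetName            = 'vnet-demo'        # existing VNet that will host the Bastion subnet
$bastionSubnetPrefix = '10.0.255.0/27'    # must be /27 or larger, and the subnet MUST be named AzureBastionSubnet

function Test-BastionSubnetPrefix {
    # Returns $true when the CIDR has a prefix length of 27 or less (i.e. at least a /27).
    param([Parameter(Mandatory)][string]$Cidr)
    if ($Cidr -match '^\d{1,3}(\.\d{1,3}){3}/(\d{1,2})$') {
        return ([int]$Matches[2]) -le 27
    }
    return $false
}

if (-not (Test-BastionSubnetPrefix $bastionSubnetPrefix)) {
    throw "AzureBastionSubnet must be /27 or larger; got $bastionSubnetPrefix"
}

# Step 4: add the dedicated AzureBastionSubnet to the existing VNet if it is not already there.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
if (-not ($vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -VirtualNetwork $vnet `
        -AddressPrefix $bastionSubnetPrefix | Out-Null
    $vnet = $vnet | Set-AzVirtualNetwork
}

# Bastion itself needs a Standard SKU, statically allocated public IP; the VMs behind it need none.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-bastion-demo' -Location $location `
    -AllocationMethod Static -Sku Standard

# Step 5: create the Bastion host. As noted above, this takes several minutes to complete.
New-AzBastion -ResourceGroupName $rg -Name 'bastion-demo' -PublicIpAddress $pip -VirtualNetwork $vnet
```

Once this completes, the Connect > Bastion option appears on VMs in the same VNet exactly as in steps 6 to 9.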