Introduction to Azure Bastion
Azure Bastion is a fully managed PaaS service that lets you connect to a virtual machine either through your browser and the Azure portal, or with the native SSH or RDP client already installed on your local computer. When you connect through Azure Bastion, your virtual machines do not need a public IP address, an agent, or any special client software.
Architecture
The Bastion host is deployed into a virtual network that contains a dedicated subnet named AzureBastionSubnet with a prefix of /26 or larger. The user selects the virtual machine in the Azure portal and clicks Connect; no public IP address has to be assigned to the VM. The Bastion host itself is the only component with a public IP: the user's TLS session terminates there, and Bastion reaches the VM over its private IP address.
Key Benefits
- You can open an RDP or SSH session directly in the Azure portal with a single click.
- Azure Bastion uses an HTML5-based web client that is streamed to your local device, so your RDP/SSH session runs over TLS on port 443.
- No public IP address is required on the Azure VM: Azure Bastion opens the RDP/SSH connection to your VM using the VM's private IP address.
- Because Azure Bastion connects to your virtual machines over private IP, you do not need to apply any NSGs to the Azure Bastion subnet. You should still apply NSGs to the subnets that host your VMs so that RDP/SSH is accepted only from the AzureBastionSubnet address range; otherwise any other host in the virtual network (or a peered network) can still reach those ports directly.
- Because your VMs are not exposed to the internet, they are protected against port scanning by malicious users.
- Because Azure Bastion sits at the perimeter of your virtual network, you harden the RDP/SSH entry point in one place instead of exposing and hardening that entry point on each VM individually. Patching and hardening the VMs themselves is still your responsibility.
- The Azure platform protects against zero-day exploits in the bastion itself by keeping Azure Bastion hardened and always up to date for you.
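The two network-level requirements above (a correctly sized AzureBastionSubnet, and NSG rules on the VM subnets that accept RDP/SSH only from Bastion) are easy to get wrong by hand. The following Python script is an added example, not code from the original post or from Microsoft: it validates a planned Bastion subnet, lists the rule set Azure documents for an NSG attached to AzureBastionSubnet, generates the allow-from-Bastion / deny-from-VNet pair for a workload subnet, and renders each rule as an `az network nsg rule create` command. The resource-group and NSG names and the 10.0.1.0/26 address plan are assumptions for illustration.

```python
"""Added example (not from the original post): check an AzureBastionSubnet plan
and generate the NSG rules that belong with a Bastion deployment.

The subnet constraints (exact name, /26 or larger) and the rule set Azure
requires on an NSG attached to AzureBastionSubnet are documented platform
requirements; resource names and the address plan are assumptions.
"""
import ipaddress
import shlex

BASTION_SUBNET_NAME = "AzureBastionSubnet"   # fixed by the platform
MIN_BASTION_PREFIXLEN = 26                    # /26 or larger, i.e. prefixlen <= 26

# Rules Azure requires if you attach an NSG to AzureBastionSubnet.
# Fields: direction, name, priority, protocol, source, destination, dest ports, access
BASTION_SUBNET_RULES = [
    ("Inbound",  "AllowHttpsInbound",             120, "Tcp", "Internet",          "*",              ["443"],          "Allow"),
    ("Inbound",  "AllowGatewayManagerInbound",    130, "Tcp", "GatewayManager",    "*",              ["443"],          "Allow"),
    ("Inbound",  "AllowAzureLoadBalancerInbound", 140, "Tcp", "AzureLoadBalancer", "*",              ["443"],          "Allow"),
    ("Inbound",  "AllowBastionHostCommunication", 150, "*",   "VirtualNetwork",    "VirtualNetwork", ["8080", "5701"], "Allow"),
    ("Outbound", "AllowSshRdpOutbound",           100, "*",   "*",                 "VirtualNetwork", ["22", "3389"],   "Allow"),
    ("Outbound", "AllowAzureCloudOutbound",       110, "Tcp", "*",                 "AzureCloud",     ["443"],          "Allow"),
    ("Outbound", "AllowBastionCommunication",     120, "*",   "VirtualNetwork",    "VirtualNetwork", ["8080", "5701"], "Allow"),
    ("Outbound", "AllowGetSessionInformation",    130, "*",   "*",                 "Internet",       ["80"],           "Allow"),
]


def check_bastion_subnet(name: str, prefix: str) -> list:
    """Return a list of problems with a planned Bastion subnet (empty list = OK)."""
    problems = []
    if name != BASTION_SUBNET_NAME:
        problems.append(f"subnet must be named {BASTION_SUBNET_NAME!r}, got {name!r}")
    try:
        net = ipaddress.ip_network(prefix)   # strict: raises if host bits are set
    except ValueError:
        problems.append(f"{prefix!r} is not a valid network address (host bits set?)")
        return problems
    if net.version != 4:
        problems.append("AzureBastionSubnet must be an IPv4 range")
    elif net.prefixlen > MIN_BASTION_PREFIXLEN:
        problems.append(
            f"{prefix} is /{net.prefixlen}; Bastion needs /{MIN_BASTION_PREFIXLEN} or larger"
        )
    return problems


def vm_subnet_rules(bastion_prefix: str) -> list:
    """Inbound rules for a workload subnet: accept RDP/SSH only from the Bastion
    subnet, then explicitly deny them from the rest of the virtual network.

    The deny rule matters because the default AllowVnetInBound rule (priority
    65000) would otherwise let any VNet or peered host reach 22/3389 directly.
    """
    ipaddress.ip_network(bastion_prefix)  # raises ValueError on a bad prefix
    return [
        ("Inbound", "AllowRdpSshFromBastion", 100, "Tcp", bastion_prefix,   "*", ["22", "3389"], "Allow"),
        ("Inbound", "DenyRdpSshFromVnet",     110, "Tcp", "VirtualNetwork", "*", ["22", "3389"], "Deny"),
    ]


def render_az(resource_group: str, nsg_name: str, rule) -> str:
    """Render one rule tuple as an Azure CLI command (values shell-quoted)."""
    direction, name, priority, proto, src, dst, ports, access = rule
    q = shlex.quote
    return (
        "az network nsg rule create"
        f" --resource-group {q(resource_group)} --nsg-name {q(nsg_name)} --name {q(name)}"
        f" --priority {priority} --direction {direction} --access {access}"
        f" --protocol {q(proto)} --source-address-prefixes {q(src)}"
        f" --source-port-ranges {q('*')} --destination-address-prefixes {q(dst)}"
        f" --destination-port-ranges {' '.join(ports)}"
    )


if __name__ == "__main__":
    bastion_prefix = "10.0.1.0/26"  # constructed address plan (assumption)
    for problem in check_bastion_subnet("AzureBastionSubnet", bastion_prefix):
        print("PROBLEM:", problem)
    for rule in BASTION_SUBNET_RULES:
        print(render_az("rg-demo", "nsg-bastion", rule))
    for rule in vm_subnet_rules(bastion_prefix):
        print(render_az("rg-demo", "nsg-workload", rule))
```

Run it and paste the emitted commands into a shell where `az login` has already been done. The two workload-subnet rules are the part most people forget: a /27 Bastion subnet simply fails to deploy, but a missing deny rule deploys fine and silently leaves RDP/SSH open to every other host in the VNet.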
Licensing SKU
Azure Bastion is available in two SKUs, Basic and Standard. You can choose the SKU when you deploy Bastion or change it after deployment.
Note: downgrading from Standard to Basic is not supported.
The following table shows features and corresponding SKUs.
Feature | Basic SKU | Standard SKU |
---|---|---|
Connect to target VMs in peered virtual networks | Yes | Yes |
Access Linux VM Private Keys in Azure Key Vault (AKV) | Yes | Yes |
Connect to Linux VM using SSH | Yes | Yes |
Connect to Windows VM using RDP | Yes | Yes |
Kerberos authentication | Yes | Yes |
VM audio output | Yes | Yes |
Shareable link | No | Yes |
Connect to VMs using a native client | No | Yes |
Connect to VMs via IP address | No | Yes |
Host scaling | No | Yes |
Specify custom inbound port | No | Yes |
Connect to Linux VM using RDP | No | Yes |
Connect to Windows VM using SSH | No | Yes |
Upload or download files | No | Yes |
Disable copy/paste (web-based clients) | No | Yes |
Deploying Bastion
You can create Azure Bastion with the default configuration or define the configuration yourself at deployment time.
Log in to the Azure portal and select the virtual machine you want to reach through the Bastion host. Because no Bastion host is deployed yet, the Connect blade offers an option to create Azure Bastion using defaults.
Click Create Azure Bastion using defaults to deploy it.
Once Azure Bastion is deployed, you are prompted for the VM username and password. Enter them and click Connect.
You can also open the Azure Bastion resource from the search bar in the Azure portal.
Upgrade from Basic to Standard SKU
With the default configuration, Azure Bastion is deployed in the Basic SKU. To upgrade to the Standard SKU, open the Configuration section of the Azure Bastion resource.
Select the Standard tier, tick the features you want to enable, and click Apply:
- Kerberos authentication
- Copy and paste
- Native client support
- Shareable link
- IP-based connection
View Details of Connected Sessions
Click Sessions to view all connected sessions.
Because we upgraded the Bastion from Basic to Standard, more protocol options are available when establishing a connection.
Creating a shareable link to access Bastion resources without Azure portal access
Copy the shareable link.
With the link, a user can reach the virtual machine's login prompt without signing in to the Azure portal. Anyone who holds the link can reach that prompt, so treat it like a credential: share it only over a trusted channel, and delete it from the Shareable Links section of the Bastion resource when it is no longer needed.
I hope you found this informative. Please share it if you think it is worth sharing.