
Secure Access to your Azure VM using Bastion Host

Introduction to Azure Bastion

Azure Bastion is a fully managed PaaS service that lets you access a virtual machine using your browser and the Azure portal, or with the native SSH or RDP client already installed on your local computer. When you connect via Azure Bastion, your virtual machines don't need a public IP address, agent, or special client software.

Architecture

The Bastion host is deployed into a virtual network that contains the Azure Bastion subnet, which needs a minimum prefix of /26. The user selects the virtual machine in the Azure portal and clicks Connect, without needing any public IP address assigned to the VM.
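The subnet size and no-public-IP requirements described above can be checked against a planned layout before deployment. The following Python check is an added example, not part of the original article or of any Azure tooling; the layout dictionaries, VM names and addresses are constructed sample values, and AzureBastionSubnet is the name Azure requires for the Bastion subnet.

```python
import ipaddress

BASTION_SUBNET = "AzureBastionSubnet"  # subnet name Azure requires for Bastion
MAX_PREFIX_LEN = 26                    # /26 is the smallest size allowed


def audit_layout(vnet, subnets, vms):
    """Return findings for a planned layout; an empty list means it passes.

    vnet: CIDR string; subnets: {name: CIDR}; vms: [{"name", "public_ip"}].
    """
    findings = []
    vnet_net = ipaddress.ip_network(vnet)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}

    bastion = nets.get(BASTION_SUBNET)
    if bastion is None:
        findings.append(f"missing subnet {BASTION_SUBNET}")
    else:
        if bastion.prefixlen > MAX_PREFIX_LEN:
            findings.append(f"{BASTION_SUBNET} is /{bastion.prefixlen}, needs /26 or larger")
        if not bastion.subnet_of(vnet_net):
            findings.append(f"{BASTION_SUBNET} is outside VNet range {vnet_net}")
        for name, net in nets.items():
            if name != BASTION_SUBNET and net.overlaps(bastion):
                findings.append(f"{BASTION_SUBNET} overlaps subnet {name}")

    # With Bastion in place, target VMs are reached over their private IP only.
    for vm in vms:
        if vm.get("public_ip"):
            findings.append(f"{vm['name']} still has public IP {vm['public_ip']}")
    return findings


# Constructed sample layouts (hypothetical names; private and documentation-range addresses).
GOOD = {"vnet": "10.0.0.0/16",
        "subnets": {"AzureBastionSubnet": "10.0.0.0/26", "workload": "10.0.1.0/24"},
        "vms": [{"name": "vm-app", "public_ip": None}]}
BAD = {"vnet": "10.0.0.0/16",
       "subnets": {"AzureBastionSubnet": "10.0.1.0/27", "workload": "10.0.1.0/24"},
       "vms": [{"name": "vm-app", "public_ip": "203.0.113.10"}]}

if __name__ == "__main__":
    for label, layout in (("good", GOOD), ("bad", BAD)):
        print(label, audit_layout(**layout) or "OK")
```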

 




Key Benefits

  1. You can get to the RDP and SSH session directly in the Azure portal using a single-click seamless experience.
  2. Azure Bastion uses an HTML5-based web client that is automatically streamed to your local device. Your RDP/SSH session runs over TLS on port 443.
  3. No public IP address is required on the Azure VM. Azure Bastion opens the RDP/SSH connection to your Azure VM by using the private IP address on your VM.
  4. As Azure Bastion connects to your virtual machines over private IP, you don't need to apply any NSGs to the Azure Bastion subnet.
  5. As your VMs are not exposed to the internet, they are protected against port scanning by rogue and malicious users.
  6. As Azure Bastion is deployed at the perimeter of your virtual network, you don't need to worry about hardening each of the VMs in your virtual network.
  7. The Azure platform protects against zero-day exploits by keeping the Azure Bastion hardened and always up to date for you.

Licensing SKU

Azure Bastion has two available SKUs, Basic and Standard. You can choose the appropriate SKU when you deploy Bastion or after deployment.

Note: Downgrading from Standard to Basic is not supported.

The following table shows features and corresponding SKUs.

| Feature | Basic SKU | Standard SKU |
|---|---|---|
| Connect to target VMs in peered virtual networks | Yes | Yes |
| Access Linux VM Private Keys in Azure Key Vault (AKV) | Yes | Yes |
| Connect to Linux VM using SSH | Yes | Yes |
| Connect to Windows VM using RDP | Yes | Yes |
| Kerberos authentication | Yes | Yes |
| VM audio output | Yes | Yes |
| Shareable link | No | Yes |
| Connect to VMs using a native client | No | Yes |
| Connect to VMs via IP address | No | Yes |
| Host scaling | No | Yes |
| Specify custom inbound port | No | Yes |
| Connect to Linux VM using RDP | No | Yes |
| Connect to Windows VM using SSH | No | Yes |
| Upload or download files | No | Yes |
| Disable copy/paste (web-based clients) | No | Yes |



Deploying Bastion

You can either create Azure Bastion using the default configuration or define the configuration at the time of deployment.

Let's log in to the Azure portal and select the virtual machine you want to access using the Bastion host. As we don't have any Bastion host deployed, you see an option to create Azure Bastion using defaults.

Click Create Azure Bastion using defaults to deploy Azure Bastion.


Once Azure Bastion is successfully deployed, you get an option to enter a username and password to log in to the virtual machine. After entering the username and password, click Connect.

You can also access Azure Bastion using the search bar in the Azure portal.



Upgrade from Basic to Standard SKU

With the default configuration, Azure Bastion is deployed in the Basic tier. If you want to upgrade Azure Bastion to the Standard SKU, you can do so from the configuration section of Azure Bastion.

Select the features you want to enable and click Apply:

  1. Kerberos Authentication
  2. Copy and Paste
  3. Native Client Support
  4. Shareable Link
  5. IP-Based Connection



View Details of Connected Sessions

Click on Session to view all the connected sessions.

As we have upgraded the Bastion from Basic to Standard, we get more protocol options to establish the connection.



Creating a Shareable Link to access Bastion resources without admin access

Copy the Shareable Link.

Now you can access the virtual machine without logging in to the Azure portal.

Hope this is informative for you. Please do share it if you find it worth sharing.