Azure Bastion connection to VM

What is the Azure Bastion?

Azure Bastion is a managed service in Microsoft Azure that provides secure RDP and SSH access to virtual machines without needing public IP addresses. It allows connections directly through the Azure portal using SSL, reducing the attack surface. The service ensures secure, browser-based access while eliminating the need for public exposure of your VMs. Azure Bastion is fully managed by Microsoft, simplifying secure connectivity.

Azure Bastion offers several advantages:

  1. Enhanced Security: It eliminates the need for public IP addresses on VMs, reducing exposure to threats from the internet.
  2. Simplified Access: Provides seamless RDP and SSH access directly through the Azure portal using SSL without additional client software.
  3. Platform Managed: Microsoft manages the Bastion service, ensuring high availability and scalability and reducing administrative overhead.
  4. Consistent Connectivity: Ensures secure, reliable, and consistent connections to VMs from anywhere without needing to configure VPNs or firewalls.

Step 1. Create the VNet

In the Azure portal, first, create a resource group named "C2Snetwork-RG." After successfully creating the resource group, proceed to create a virtual network within it. This sets up the foundational network infrastructure for your environment.

[Screenshot: VNet]

Start with the basic configuration. Select the correct resource group in the Azure portal; choosing the wrong one will prevent your setup from completing successfully. After selecting the right resource group, start creating the virtual network. Once the creation wizard is underway, proceed to the next page to configure additional settings.

[Screenshot: Security]

Next, open the Security tab of the virtual network wizard and enable Azure Bastion. This reveals two additional options: the first, "Bastion-VNET", automatically assigns the Azure Bastion to your virtual network; the second lets you customize the name of the Bastion public IP, giving you control over its naming. Once configured, proceed to the IP addresses tab to continue setting up your virtual network.

[Screenshot: Azure]

Create your IP address space, then add the subnet to your virtual network. Once the subnet has been added, select "Review + Create" to finalize the setup.

[Screenshot: Review]

Then click the Create button. Once everything is configured correctly, you reach the final page of the wizard and the VNet deploys successfully.

[Screenshot: Virtual network]

After creating the virtual network (VNet), navigate to the VNet and check its subnets. You will see two subnets: one for your virtual machine and another for the Bastion host. The Bastion subnet uses a /26 CIDR block. It is created by default, and you cannot change it.

[Screenshot: Subnets]

Step 2. Create the virtual machine

After successfully creating the VNet, go to the search bar and type "Virtual Machine" to proceed with creating a VM.

[Screenshot: Virtual Machine]

After selecting the Virtual Machine option, proceed through the wizard: choose the appropriate resource group and select the VM type. In this scenario, we'll create a Windows Server 2019 VM. Set up the username and password, ensuring they are secure. It's important to turn off public inbound ports, since the connection will be secured without using a public IP. This helps maintain a secure environment.

[Screenshot: VM type]

After completing the basic configuration, move on to the Disks section. There’s no need to change any options here, so proceed directly to the network section. Select the correct VNet, and the VM will automatically receive an IP address. Verify the subnet associated with your VNet. Then, turn off the public IP address by selecting the "None" option, and ensure that public inbound ports are also set to "None." Finally, click on "Review + Create" to complete the setup.

[Screenshot: None]

Once the setup is complete, finalize the wizard to successfully create the virtual machine.

[Screenshot: Create]

Once the virtual machine is successfully created, note that without a public IP address you won't be able to download the RDP file or connect to the VM directly from the internet.

[Screenshot: RDP file]

Finally, connect to your virtual machine using Azure Bastion, as it’s the only way to access the VM. Go to the Bastion option on your VM, enter your username and password, and then connect to the VM.

Boom! If you've followed the steps correctly, you can access the VM directly in your default browser tab. Enjoy your secure connection to the virtual machine!
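The two portal steps above, written out as an Azure CLI script. This is an added example and not part of the original post: it creates the resource group named in the post, a VNet with a VM subnet and the AzureBastionSubnet, the Bastion host with its own public IP, and a Windows Server 2019 VM with no public IP and no inbound NSG rule. The region, address ranges and every resource name other than C2Snetwork-RG are assumptions, as is the output shape queried in the final check. By default (DRY_RUN=1) the script only prints the az commands; set DRY_RUN=0 and ADMIN_PASSWORD to actually run it against a subscription you are logged in to.

```shell
#!/bin/sh
# Added example, not from the original post. Names, region and address
# ranges below are assumptions; only the resource group name comes from the post.
set -eu

RG="C2Snetwork-RG"                   # resource group from the post
LOCATION="eastus"                    # assumed region
VNET="C2S-vnet"                      # assumed names from here on
VM_SUBNET="vm-subnet"
BASTION_SUBNET="AzureBastionSubnet"  # fixed name Azure requires for the Bastion subnet
BASTION_PREFIX="10.0.1.0/26"         # Bastion needs a /26 or larger
BASTION_PIP="Bastion-PIP"
BASTION="C2S-bastion"
VM="win2019-vm"
ADMIN_USER="azureadmin"
ADMIN_PASSWORD="${ADMIN_PASSWORD:-}" # supply via the environment; never hard-code it
DRY_RUN="${DRY_RUN:-1}"              # 1 = print commands only, 0 = execute them

# prefix_len 10.0.1.0/26 -> 26
prefix_len() { printf '%s\n' "${1#*/}"; }

# A prefix length above 26 (e.g. /27) is too small for Bastion; returns 0 when acceptable.
bastion_prefix_ok() { [ "$(prefix_len "$1")" -le 26 ]; }

# Print (DRY_RUN=1) or execute (DRY_RUN=0) a command, masking the admin password.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+'
        for a in "$@"; do
            if [ -n "$ADMIN_PASSWORD" ] && [ "$a" = "$ADMIN_PASSWORD" ]; then a='***'; fi
            if [ -z "$a" ]; then a='""'; fi   # show the empty argument explicitly
            printf ' %s' "$a"
        done
        printf '\n'
    else
        "$@"
    fi
}

deploy() {
    bastion_prefix_ok "$BASTION_PREFIX" || { echo "Bastion subnet must be /26 or larger" >&2; return 1; }
    if [ "$DRY_RUN" != 1 ] && [ -z "$ADMIN_PASSWORD" ]; then
        echo "set ADMIN_PASSWORD before running with DRY_RUN=0" >&2; return 1
    fi

    # Step 1: resource group, VNet with a subnet for the VM, Bastion subnet, Bastion host
    run az group create --name "$RG" --location "$LOCATION"
    run az network vnet create --resource-group "$RG" --name "$VNET" \
        --address-prefix 10.0.0.0/16 --subnet-name "$VM_SUBNET" --subnet-prefix 10.0.0.0/24
    run az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
        --name "$BASTION_SUBNET" --address-prefix "$BASTION_PREFIX"
    # Bastion is the only resource that gets a public IP (Standard SKU, static)
    run az network public-ip create --resource-group "$RG" --name "$BASTION_PIP" \
        --sku Standard --allocation-method Static --location "$LOCATION"
    run az network bastion create --resource-group "$RG" --name "$BASTION" \
        --vnet-name "$VNET" --public-ip-address "$BASTION_PIP" --location "$LOCATION"

    # Step 2: Windows Server 2019 VM, public IP "None", no inbound NSG rule
    run az vm create --resource-group "$RG" --name "$VM" --image Win2019Datacenter \
        --admin-username "$ADMIN_USER" --admin-password "$ADMIN_PASSWORD" \
        --vnet-name "$VNET" --subnet "$VM_SUBNET" \
        --public-ip-address "" --nsg-rule NONE
}

# Post-deployment check (assumed output shape of az vm list-ip-addresses):
# an empty result means no public IP is attached to the VM.
verify_no_public_ip() {
    run az vm list-ip-addresses --resource-group "$RG" --name "$VM" \
        --query "[].virtualMachine.network.publicIpAddresses[]" -o tsv
}

deploy
verify_no_public_ip
```

The `--public-ip-address ""` and `--nsg-rule NONE` flags on `az vm create` are the CLI equivalents of choosing "None" for the public IP and for public inbound ports in the portal; the Bastion host is then the only path to RDP, which is what the verification command confirms.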

[Screenshot: Browser Tab]

Conclusion

To securely connect to your Azure VMs, use Azure Bastion. It provides seamless RDP/SSH access directly through your browser without exposing public IP addresses. This ensures a secure and efficient connection to your VMs.