Getting Started With Azure Bastion (Preview) Service

In this article, you will learn how to get started with the Azure Bastion (Preview) Service.

Introduction

 
Azure Bastion (Public Preview) is a new service that gives you private, fully managed RDP and SSH access to your Azure Virtual Machines from a web browser over SSL, without adding a public IP address to the VM. It supports both RDP and SSH connections to Azure VMs within a VNet.
 

Architecture

 
[Figure: Azure Bastion (Preview) Service architecture. Credit: Microsoft]
 

Key Benefits of Azure Bastion

  • RDP and SSH from the Azure portal
    Initiate RDP and SSH sessions directly in the Azure portal with a single-click seamless experience.

  • Remote session over SSL and firewall traversal for RDP/SSH
    HTML5-based web clients are automatically streamed to your local device, providing the RDP/SSH session over SSL on port 443. This allows easy and secure traversal of corporate firewalls.

  • No public IP required on Azure Virtual Machines
    Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using a private IP, limiting exposure of your infrastructure to the public Internet.

  • Simplified secure rules management
    Simple one-time configuration of Network Security Groups (NSGs) to allow RDP/SSH from only Azure Bastion.

  • Increased protection against port scanning
    The limited exposure of virtual machines to the public Internet will help protect against threats, such as external port scanning.
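
The NSG configuration described under "Simplified secure rules management", as an added example that is not part of the original article. It assumes the VNet and its Bastion subnet (which Azure requires to be named AzureBastionSubnet) already exist; the VNet, subnet and NSG names are constructed placeholders.

```powershell
# Added example, not the article's own code. Values marked "placeholder" are constructed.
$rg       = 'demorg'          # resource group name used in this article
$vnetName = 'DemoVNet'        # placeholder: name of your VNet
$vmSubnet = 'default'         # placeholder: subnet that holds the VMs
$nsgName  = 'vm-subnet-nsg'   # placeholder: name for the new NSG

# Read the Bastion subnet's address range from the VNet instead of hard-coding it.
$vnet    = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$bastion = Get-AzureRmVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -VirtualNetwork $vnet

# Settings shared by both rules: inbound TCP to the SSH and RDP ports.
$common = @{
    Protocol                 = 'Tcp'
    Direction                = 'Inbound'
    SourcePortRange          = '*'
    DestinationAddressPrefix = '*'
    DestinationPortRange     = '22', '3389'
}

# Allow RDP/SSH only when the source is the Bastion subnet.
$allow = New-AzureRmNetworkSecurityRuleConfig @common -Name 'Allow-RDP-SSH-From-Bastion' `
    -Access Allow -Priority 100 -SourceAddressPrefix $bastion.AddressPrefix

# Deny RDP/SSH from every other source. Without this rule the default
# AllowVnetInBound rule would still let other hosts in the VNet reach these ports.
$deny = New-AzureRmNetworkSecurityRuleConfig @common -Name 'Deny-RDP-SSH-From-Elsewhere' `
    -Access Deny -Priority 110 -SourceAddressPrefix '*'

$nsg = New-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg `
    -Location $vnet.Location -SecurityRules $allow, $deny

# Attach the NSG to the VM subnet and save the VNet.
$target = $vnet.Subnets | Where-Object { $_.Name -eq $vmSubnet }
$target.NetworkSecurityGroup = $nsg
$vnet | Set-AzureRmVirtualNetwork | Out-Null
```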

Steps to create Azure Bastion service on VMs using Azure Portal

 
There are two ways that you can create a Bastion host resource.
  • Create a Bastion resource using the Azure portal.
  • Create a Bastion resource in the Azure portal by using the existing VM settings.
In this article, we will discuss the process of creating brand new resources, such as the VNet, the Bastion service, and an Azure Virtual Machine.
 
Prerequisites
 
Azure Subscription. (In this article, I have used a one-month free trial subscription)
  1. On-board bastion service (preview) to your Azure subscription

    Log in to the Azure preview portal using this link (https://aka.ms/BastionHost), and then execute the following PowerShell commands.

    Note
    You must use the Azure preview portal, since the Bastion service is still in public preview.

    Click the Cloud Shell icon in the Azure portal to execute the following commands.

    1.1 Enrol BastionHost feature: Type the below command and hit Enter.

    Register-AzureRmProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network

    1.2 Register your subscription with Microsoft.Network provider

    Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network

    1.3 Use the following command to verify that the AllowBastionHost feature is registered with your subscription.

    Get-AzureRmProviderFeature -ProviderNamespace Microsoft.Network
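
Steps 1.1 to 1.3 combined into one script, as an added example that is not part of the original article. Feature registration is asynchronous, so the script polls until the state is Registered before registering the provider; the 30-second interval and 30-minute limit are assumed values.

```powershell
# Added example, not the article's own code. It uses only the cmdlets from steps 1.1-1.3.
$feature   = 'AllowBastionHost'
$namespace = 'Microsoft.Network'

# Step 1.1: request enrolment in the preview feature.
Register-AzureRmProviderFeature -FeatureName $feature -ProviderNamespace $namespace | Out-Null

# Step 1.3, repeated: the state starts as "Registering" and changes to "Registered" later.
$deadline = (Get-Date).AddMinutes(30)   # assumed upper bound for the wait
do {
    $state = (Get-AzureRmProviderFeature -FeatureName $feature `
                  -ProviderNamespace $namespace).RegistrationState
    Write-Host "$feature registration state: $state"
    if ($state -eq 'Registered') { break }
    Start-Sleep -Seconds 30             # assumed polling interval
} while ((Get-Date) -lt $deadline)

if ($state -ne 'Registered') {
    throw "Feature $feature is still '$state'; do not continue with the Bastion deployment yet."
}

# Step 1.2: register the provider so the subscription picks up the enabled feature.
Register-AzureRmResourceProvider -ProviderNamespace $namespace | Out-Null
Write-Host "Subscription is ready for the Bastion (preview) deployment."
```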

  2. Click on “Create Resource”, then search for the Bastion service and select it.

  3. Click on the “Create” button.

  4. In the "Create" panel:
    • Create a new resource group named “demorg”.
    • Provide a name for the Bastion service; here I named it “DemoBastionVM”.
    • Select an existing VNet, or create a new Virtual Network (VNet).

4.1 Create a new Virtual Network (VNet) by providing the basic IP addressing details.

4.2 Click the “Review + Create” button after providing all of the required information.

4.3 Ensure that the validation has passed. If not, check the error reported by the Azure portal and fix it.

4.4 After you click the "Create" button, the deployment starts. It may take 5 – 8 minutes depending on your internet speed.

4.5 You will get a success message once the Bastion service and the VNet have been created.

So far, we have created the Azure services listed below.

[Screenshot: Azure services created so far]

Let’s start creating a Virtual Machine (VM).
  5. Click on “Virtual Machines” in the left pane, and then click on the “Add” button to get started.
5.1 Provide the required details, such as the resource group (DemoBastionRG) which we already created, the Region, and the VM’s username and password.

5.2 On the Networking tab, choose the VNet which we created at step 4.1 and select the appropriate subnet as well.

5.3 Ensure that the validation has passed. If not, correct the values on each tab of the VM creation wizard.

5.4 After you click on the “Create” button, the Azure portal starts the VM deployment. Please be patient until the deployment completes.

5.5 You will get a success message after the Virtual Machine has been deployed.
  6. That’s all; we have created a Bastion service along with a VNet and a VM. Now it is time to RDP to the VM through the Azure portal.
6.1 Select the created VM and then click on the “Connect” button. In the right-side pane, you will see the new tab “BASTION”, which prompts for the VM credentials for logon.

6.2 After you provide the VM credentials (which were given at the time of VM creation), the portal lets you connect to the VM in the browser.
 
Note
Currently, this Bastion (preview) service supports only the regions below.
 
[Screenshot: list of supported regions]
 

Conclusion

 
The Bastion service lets users RDP or SSH to Azure VMs directly in the Azure portal, which is a really cool feature. As a next step, Microsoft has mentioned that AAD and MFA features for RDP/SSH connections to Azure VMs using Azure Bastion can be expected.
 
Below are the Azure resources created for this article:
 
[Screenshot: Azure resources created for this article]