What Is Azure Bastion And How To Enable Azure Bastion On A VM

If you manage a remote server or virtual machine, I am sure you are familiar with RDP and SSH. Both are used to remotely access virtual machines and servers, including virtual machines in a cloud such as Azure or AWS.
 
When you log in to your Azure account and click Connect under Settings, you will see three ways to connect to your virtual machine: RDP, SSH, and Bastion. See below. In this article, let’s learn what Azure Bastion is, and when and why you should use it to connect to your Azure virtual machine.
 
[Screenshot: the Connect options (RDP, SSH, Bastion) on a VM's Settings page]
 

Azure Bastion

 
Virtual Private Networks (VPNs) are used to provide secure connectivity to a remote server or remote VM from a client machine, but most VPNs require you to install a VPN client application on that machine. The VPN connects to a public IP on the remote machine.
 
Azure Bastion is an Azure PaaS service that lets you connect to an Azure virtual machine from your browser, providing secure and seamless RDP/SSH connectivity directly from the Azure portal over TLS. In a typical RDP connection, the virtual machine needs a public IP that is exposed to the world, and a client machine uses that IP and login credentials to connect and log in to the virtual machine. When you connect via Azure Bastion, your virtual machines do not need a public IP address, an agent, or special client software.
 
Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.
 

Role of Virtual Private Network (VPN) in remote connectivity

 
A Virtual Private Network (VPN) allows a client device to connect to a remote server or machine through a private network. The private network ensures that the data transferred over it is encrypted, so a third party is unable to decrypt it. A VPN also ensures that the people connected to the remote machine are authenticated, that the data sent over the network is difficult to change, and that any tampering with the data can be detected.
 
Several companies provide VPN clients as their service. Most of these companies are IT security companies.
 
Some of the common enterprise VPNs are Cisco AnyConnect, FortiClient by Fortinet, GlobalProtect by Palo Alto Networks, CloudVPN by Google, Citrix Gateway, SonicWall Global VPN Client, Zscaler Private Access, Enterprise Application Access by Akamai, IKEv2 by Apple, and many more. There are also some popular VPNs for individuals such as ExpressVPN, NordVPN, and IPVanish.
 

RDP vs SSH vs Bastion

 
RDP (Remote Desktop Protocol) is a Windows protocol used to access remote Windows virtual machines and Windows servers. RDP requires a port to be opened on the remote machine, whether a VM or a physical server. Because RDP ports are often opened to the Internet and publicly reachable, they are frequently attacked by hackers and bots. To protect RDP instances, companies often use a virtual private network (VPN) together with a form of multi-factor authentication (MFA).
 
Note
For security reasons, it is highly recommended not to use RDP without a VPN connection. Also, make sure no RDP sessions are left active when you are done, by manually logging off your RDP sessions.
 
The SSH (Secure Shell) protocol, like RDP, allows a client machine to communicate with another machine (the server) and transfer data. The advantage of SSH is that it protects the security and integrity of the communication with strong encryption.
 
The SSH protocol is used in corporate networks for:
  • Providing secure access for users and automated processes
  • Interactive and automated file transfers
  • Issuing remote commands
  • Managing network infrastructure and other mission-critical system components.
The following diagram shows SSH communication between a client and a server (two computers).
 
[Diagram: SSH communication between a client and a server]
 
Azure Bastion is a new fully platform-managed PaaS service you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your VMs directly in the Azure portal over SSL. When you connect via Azure Bastion, your virtual machines do not need a public IP address.
 

Why use Azure Bastion?

 
Azure Bastion makes remote connections more secure by keeping access to the remote machines inside a private virtual network, which limits threats such as port scanning and other types of malware targeting your VMs.
 

How does Azure Bastion work?

 
Watch Microsoft’s Ashish Jain and Scott Hanselman show how Azure Bastion gives you secure and seamless RDP and SSH access to your virtual machines. Now you can securely access your VMs over SSL from the Azure portal without exposing public IP addresses.
 
 

Azure Bastion Architecture

 
Here is how Azure Bastion works according to Azure docs.
 
Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine. Once you provision an Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same virtual network.
 
RDP and SSH are some of the fundamental means through which you can connect to your workloads running in Azure. Exposing RDP/SSH ports over the Internet isn't desired and is seen as a significant threat surface. This is often due to protocol vulnerabilities. To contain this threat surface, you can deploy bastion hosts (also known as jump-servers) at the public side of your perimeter network. Bastion host servers are designed and configured to withstand attacks. Bastion servers also provide RDP and SSH connectivity to the workloads sitting behind the bastion, as well as further inside the network.
 
[Figure: Azure Bastion architecture]
 
This figure shows the architecture of an Azure Bastion deployment. In this diagram:
  • The Bastion host is deployed in the virtual network.
  • The user connects to the Azure portal using any HTML5 browser.
  • The user selects the virtual machine to connect to.
  • With a single click, the RDP/SSH session opens in the browser.
  • No public IP is required on the Azure VM.
 

Key features of Azure Bastion

 
The following features are available,
 
RDP and SSH directly in Azure portal: You can get to the RDP and SSH session directly in the Azure portal with a single-click, seamless experience.
 
Remote Session over TLS and firewall traversal for RDP/SSH: Azure Bastion uses an HTML5 based web client that is automatically streamed to your local device, so that you get your RDP/SSH session over TLS on port 443 enabling you to traverse corporate firewalls securely.
 
No Public IP required on the Azure VM: Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using private IP on your VM. You don't need a public IP on your virtual machine.
 
No hassle of managing NSGs: Azure Bastion is a fully managed platform PaaS service from Azure that is hardened internally to provide you secure RDP/SSH connectivity.
 
You don't need to apply any NSGs on Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This removes the hassle of managing NSGs each time you need to securely connect to your virtual machines.
 
Protection against port scanning: Because you do not need to expose your virtual machines to public Internet, your VMs are protected against port scanning by rogue and malicious users located outside your virtual network.
 
Protect against zero-day exploits. Hardening in one place only: Azure Bastion is a fully platform-managed PaaS service. Because it sits at the perimeter of your virtual network, you don’t need to worry about hardening each of the virtual machines in your virtual network. The Azure platform protects against zero-day exploits by keeping the Azure Bastion hardened and always up to date for you.
 

Enable Azure Bastion on a VM in Azure

 
Follow these steps to enable Azure Bastion on a VM from the Azure portal.
 
First, we’ll create a bastion host. This is required to create a secure connection to a VM in the VNet.
 
Create a bastion host
  1. From the Homepage, select the VM on which you want to enable Bastion.
  2. Click Connect and select Bastion.
  3. Select Create.
  4. On the Create a Bastion page, configure a new Bastion resource.
Fill in the following information on this page:
 
Subscription
 
The Azure subscription you want to use to create a new Bastion resource.
 
Resource Group
 
The Azure resource group in which the new Bastion resource will be created. If you don't have an existing resource group, you can create a new one.
 
Name
 
The name of the new Bastion resource.
 
Region
 
The Azure public region that the resource will be created in.
 
Virtual network
 
The virtual network in which the Bastion resource will be created. You can create a new virtual network in the portal during this process, or use an existing virtual network. If you are using an existing virtual network, make sure the existing virtual network has enough free address space to accommodate the Bastion subnet requirements. If you don't see your virtual network from the dropdown, make sure you have selected the correct Resource Group.
 
Subnet
 
Once you create or select a virtual network, the subnet field will appear. The subnet in your virtual network is where the new Bastion host will be deployed, and it will be dedicated to the Bastion host. Select Manage subnet configuration and create the Azure Bastion subnet. Select +Subnet and create a subnet using the following guidelines:
  • The subnet must be named AzureBastionSubnet.
  • The subnet must be at least /27 or larger.
You don't need to fill out additional fields. Select OK and then, at the top of the page, select Create a Bastion to return to the Bastion configuration page.
 
 
Public IP address
 
The public IP of the Bastion resource on which RDP/SSH will be accessed (over port 443). Create a new public IP. The public IP address must be in the same region as the Bastion resource you are creating. This IP address has nothing to do with any of the VMs that you want to connect to; it is the public IP for the Bastion host resource itself.
 
Public IP address name
 
The name of the public IP address resource. You can leave the default.
 
Public IP address SKU
 
This setting is prepopulated by default to Standard. Azure Bastion uses/supports only the Standard Public IP SKU.
 
Assignment
 
This setting is prepopulated by default to Static.
 
After filling all the information, select Create.
 
It will take 3 to 4 minutes to configure the Bastion host.
 
If you have configured just-in-time (JIT) VM access on the VM, remove it before connecting through Bastion.
 

Connect to a VM

 
Navigate to the VM that you want to connect to, select Connect, and select Bastion from the drop-down.
 
 
Select Use Bastion.
 
 
Enter the Username and Password and then click Connect.
 
 
The RDP connection to this virtual machine via Bastion will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service.
 
 
We also need to add some inbound and outbound rules to the Network Security Group (NSG) so that the Bastion components can communicate. Azure Bastion is deployed specifically to the AzureBastionSubnet.
 
Ingress Traffic
 
For control plane connectivity, we’ll enable port 443 inbound from GatewayManager service tag. This enables the Gateway Manager to be able to talk to Azure Bastion.
 
For data plane communication between the underlying components of Azure Bastion, enable ports 8080, 5701 inbound from the VirtualNetwork service tag to the VirtualNetwork service tag. This enables the components of Azure Bastion to talk to each other.
 
 
Egress Traffic
 
For data plane communication between the underlying components of Azure Bastion, enable ports 8080, 5701 outbound from the VirtualNetwork service tag to the VirtualNetwork service tag. This enables the components of Azure Bastion to talk to each other.
 
Azure Bastion needs to be able to connect to various public endpoints within Azure (for example, for storing diagnostics logs and metering logs). For this reason, Azure Bastion needs outbound to 443 to AzureCloud service tag.
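The bastion host creation from the Create a bastion host section and the NSG rules from the Ingress Traffic and Egress Traffic sections, as an added Azure CLI script that is not part of the original article. The resource names, region and the 10.0.1.0/27 prefix are placeholder assumptions, and the az commands assume a logged-in Azure CLI.

```shell
# Added example, not code from the article: the portal steps and the
# Ingress/Egress NSG rules above as Azure CLI. All resource names and the
# address prefix are hypothetical placeholders; replace them with your own.
set -e
RG="rg-bastion-demo"; LOC="eastus"; VNET="vnet-demo"
BASTION="bastion-demo"; PIP="pip-bastion-demo"; NSG="nsg-bastion"
SUBNET="AzureBastionSubnet"; PREFIX="10.0.1.0/27"

# The two subnet guidelines from the article: the name must be AzureBastionSubnet
# and the prefix must be /27 or larger (a smaller prefix number is a larger subnet).
# Usage: bastion_subnet_ok NAME CIDR  -> exit status 0 when both hold.
bastion_subnet_ok() {
  len="${2#*/}"
  [ "$1" = "AzureBastionSubnet" ] || return 1
  [ "$len" -le 27 ] 2>/dev/null || return 1
}

# One NSG rule: NAME PRIORITY DIRECTION SOURCE DESTINATION PORTS.
# $6 is left unquoted on purpose so '8080 5701' becomes two port arguments.
bastion_rule() {
  az network nsg rule create -g "$RG" --nsg-name "$NSG" -n "$1" --priority "$2" \
    --direction "$3" --access Allow --protocol Tcp --source-address-prefixes "$4" \
    --destination-address-prefixes "$5" --destination-port-ranges $6
}

deploy_bastion() {
  bastion_subnet_ok "$SUBNET" "$PREFIX"
  # Dedicated subnet for the host inside the existing VNet
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --address-prefixes "$PREFIX"
  # Bastion only supports a Standard SKU public IP with static assignment
  az network public-ip create -g "$RG" -n "$PIP" -l "$LOC" --sku Standard \
    --allocation-method Static
  az network bastion create -g "$RG" -n "$BASTION" -l "$LOC" --vnet-name "$VNET" \
    --public-ip-address "$PIP"
  # NSG for AzureBastionSubnet: 443 in from GatewayManager (control plane),
  # 8080/5701 in and out within the VNet (data plane), 443 out to AzureCloud
  az network nsg create -g "$RG" -n "$NSG" -l "$LOC"
  bastion_rule AllowGatewayManagerIn 110 Inbound  GatewayManager '*' 443
  bastion_rule AllowBastionDataIn    120 Inbound  VirtualNetwork VirtualNetwork '8080 5701'
  bastion_rule AllowBastionDataOut   110 Outbound VirtualNetwork VirtualNetwork '8080 5701'
  bastion_rule AllowAzureCloudOut    120 Outbound '*' AzureCloud 443
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --network-security-group "$NSG"
}

# Talks to Azure only when run as "sh bastion.sh deploy", so the subnet check
# can be exercised on its own without a logged-in CLI.
if [ "${1:-}" = "deploy" ]; then deploy_bastion; fi
```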
 
 
References
 
https://docs.microsoft.com/en-us/azure/bastion/bastion-overview