Azure Bastion Step-by Step Guide

In this blog post, I am going to introduce you to Azure Bastion in Microsoft Azure and teach you how to create your first Azure bastion host, connect to a virtual machine and work a virtual machine session.

The Azure Bastion service is a new fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL. The good thing about this, is that When you connect via Azure Bastion, your virtual machines do not need a public IP address.

How Azure Bastion Works?

Before explaining how Azure Bastion works, I like to first talk about how things works before and why you might want to use this service. I always like to explain the Why before going to the How part of the story.

Usually you have a VNET inside Azure, and you have your resources in one or more subnets. You may have a management subnet with one or more jumpboxes or bastion hosts that you use to do your administrative tasks and it contains all your remote administration tools.

You might also have some sort of hybrid connectivity with your on-premises network and when you are outside the office, you use point to site VPN to securely access your VNET, which is the ideal situation.

But you might for some reasons have your jumbox host configured with a public IP that is exposed to the internet and you connect to the jumbox using RDP and SSH. Once you connect to the jumbox host, you then use it to connect internally to other resources.

Now this mean, a malicious user can use port scanning to discover this public IP and use brute force attack to compromise your jumbox. As a best practice, you should have a network security group to restrict what ports and source IP addresses are allowed to connect or even better, you are using Azure Just-in Time Access (JIT).

But you still have this public IP address exposed. A better solution would be to remove this public IP address so that you don’t expose both RDP and SSH into your VNET, and reduce the attack surface in your VNET.

Now your jumbox host does not have any public IP addresses, and you implement Azure bastion solution, which sits in its own managed subnet and expose a public IP address. This IP address however does not accept RDP or SSH connections. It only accept SSL connections.

So here is how the connectivity works:

You connect to the Azure management portal over https using any browser, then you select a virtual machine to connect to.
Now the Azure portal connects to the Azure Bastion service using the public IP on port 443.
You get a new session in your browser and you can browse the desktop of the virtual machine and any other VMs inside your network using RDP or SSH.

Think about the Azure bastion as a proxy, it receives connections from the internet using SSL and connects you back to your VMs using RDP and SSH. It also looks like Remote Desktop Gateway solution or the RDP Web Access. You connect from a browser to a gateway that gives you back your RDP session in the browser.

Now keep in mind that the bastion host is attached to a virtual network, so for each VNET, you need a bastion host. If you have multiple VNETs that you want to RDP or SSH into from the Azure management portal, then you should deploy Azure bastion for each of those VNETs,

Create Azure Bastion Host

Here is a step-by-step guide to create your first Azure Bastion host:

Step 1: Register for the preview

You need first to register for the preview by running the following PowerShell commands. The best way to run these commands if you receive any errors, is to deploy a new Windows 10 Machine (Clean installation), open PowerShell ISE as an administrator, and run the commands in order.

#------------------------------
#Connect your subscription using PowerShell
#-----------------------------

Install-Module AzureRM - AllowClobber

Set-ExecutionPolicy Unrestricted

Import-Module AzureRM

Connect-AzureRmAccount

#------------------------------
#Register for the preview
#-----------------------------
#Enrollment
Register-AzureRmProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network

#Register your subscription with the Microsoft.Network provider namespace
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network

#Verify that the AllowBastionHost feature is registered with your subscription
Get-AzureRmProviderFeature -ProviderNamespace Microsoft.Network

#----------------------------------------
#----------THE END------------
#----------------------------------------

Step 2: Create Azure Bastion resource

Now go to this URL http://aka.ms/BastionHost which will redirect you to the Azure portal with preview features enabled. It looks something like the below picture.

Now add a new resource and search for Bastion. Click Create to start the deployment wizard.

Now choose a resource group to host the bastion resource, give it a name and pick a region. Now keep in mind that the Azure Bastion is deployed in a VNET, so there is one-to-one relation between your VNETs and your Azure bastion resources.

I already have a VNET called vnet-production that is hosted my production workloads. I am going to choose it. Now the wizard is telling me I have to create a subnet in that VNET with an exact name of AzureBastionSubnet and with an IP prefix of at least /27. Now this is the same as when you deploy the managed VPN gateway in Azure as it is host in its own gateway subnet.

Now I will go to my vnet-production VNET and create a new subnet. Keep in mind that the name of this subnet MUST be AzureBastionSubnet. Now for the IP address range, I will choose 10.0.200.0/27

Now go back to the Azure Bastion deployment wizard, and now you can see we don’t have errors when we picky our virtual network, and the wizard detects the subnet we’ve just created.

Next, you can see that the Azure bastion host requires creating a public IP address that will be used for SSL connectivity only from the internet. This means you are paying for the public IP resource. Now this IP is not going to be attached to your VMs in anyway.

Now we are done. It takes couple of minutes for the deployment to complete and now you have an Azure Bastion resource as you see in the below figure. You can see that this resources has:

Public DNS Name
Public IP Address
Attached to a VNET

Step 3: Connect to a virtual machine

Now let me browse to my jumbox device inside my vnet-producion VNET and this can be any of your virtual machines inside your VNET. I already have a virtual machine called ManagementVM (my jumbox vm).

Now notice that this VM does not have a public IP address, which means I can’t connect to it from the internet.

Now if I click Connect, you can see I have a new option called Bastion. I will then type the admin credentials for my ManagementVM virtual machine and click Connect.

Now a new browser Window opens and I am getting my profile loading

Now I can access my ManagementVM desktop directly from my browser, without having a Public IP on my ManagementVM.

Now this is not a normal RDP session, so I cannot (as per today) copy files from my local machine to the desktop of my management VM, but I can however copy text.

I will open Notepad on my machine, copy a text, and then you can see here two small arrows, I will click here and it will show me the text I just copied from my local machine.

I can also go to a full screen mode.

Step 4: Create Network Security Group for the AzureBastionSubnet

Now the final thing I want to show you is how to apply a network security group to the Azurebastionsubnet if you want to harden it.

I already configured a network security group called nsg-bastion at this subnet and here is the three inbound security rules you need to configure:

Allow https from internet
Allow any traffic from a service tag called AzureCloud
Allow any traffic from a service tag called Gateway manager.

The rest of the rules are the default ones.

To better understand the network security group requirement for the AzureBastionSubnet, the Azure portal and the AzureBastionSubnet use the Azure GatewayManager to facilitate such connectivity.

So for your AzureBastionSubnet NSG, you need to allow ingress or inbound traffic from the GatewayManager, and also from AzureCloud, which are both available as service tags in the network security group interface, and also you need to allow inbound https from the internet for this to work.

References

You can learn more about Azure Bastion by going to Microsoft documentation here, and watch my YouTube video about this topic. You can also view the PowerPoint presentation slides I used by going to my SlideShare here.

Watch My Video About Azure Bastion

Featured Posts

You Can Also Become Microsoft MVP

How To Start Your Own Blog – Microsoft MVP Story

Cloud Reference Architecture CRA P1 – Foundation

Azure Bastion Step-by Step Guide

Azure advanced threat protection lateral movement

Get my latest book about Cloud Migration

This book covers a practical approach for adopting and migrating on premises systems and applications to the Public Cloud. Based on a clear migration master plan, it helps companies and enterprises to be prepared for Cloud computing, what and how to successfully migrate or deploy systems on Cloud, preparing your IT organization with a sound Cloud Governance model, Security in the Cloud and how to reach the benefits of Cloud computing by automation and optimizing your cost and workloads..

Get the book here and learn more.

Subscribe to my YouTube Channel

In my YouTube channel, I post videos about cloud security and Microsoft MVPs story to help people understand cloud and cybersecurity in simplified and professional way.

About The Author

Ammar Hasayen

CISSP, CISM, Microsoft MVP, Book Author, International Speaker, Pluralsight Author. Ammar has been working in information technology for over 15 years. Ammar is a cloud architect specializing in Azure platform, Microsoft 365, and cloud security. As a Microsoft MVP, tech community founder, and international speaker. Ammar has helped big organizations digitally transform, migrate workloads to the cloud, and implement threat protection and security solutions across the globe. Ammar shares his knowledge in his professional blog and he often speaks at local community events and international conferences like Microsoft Ignite and SharePoint Saturday. His passion for technology and cloud computing makes him a reference for both cloud architecture and security best practices.

22 Comments

Rami Sohail on June 20, 2019 at 1:46 pm

really great and informative article , thanks

one question though , if i am using Azure Bastion to securely connect to my vms , theoretically do i need to deploy a jump box from a security prospective as per your example or should i go ahead and connect to all the machines directly.

i think the concept of jump box doesn’t have a use anymore, right?
Reply
- Ammar Hasayen on June 20, 2019 at 2:58 pm
  
  Hi Rami. The Azure Bastion eliminates the need for public IP to access your resources from the internet. That’s it. Now having a jumbox has nothing to do with this feature. A Jumbox VM is a virtual machine you have all your administrative tools and scripts on, so that you don’t need to log on to your production VMs to remotely manage them. Also, as a best practice, you can restrict your production servers so that the only IP that can connect to using RDP or SSH is your jumbox server that is deployed in a separate management subnet.
  
  Now, if you don’t have already a Jumbox server, then you can still use Azure Bastion to connect directly to your VMs without any problem.
  Reply
ak on June 20, 2019 at 7:51 pm

I just tried the steps as you mentioned. But, i did not get the option of bastion under VM Connect – Am i missing something ?
Reply
- Ammar Hasayen on June 20, 2019 at 7:58 pm
  
  Hi, I am sorry to hear that. Did you successfully do the PowerShell commands and register for the preview? Did you use the http://aka.ms/BastionHost link to open the Azure management portal? and finally, did the Azure Bastion host successfully get deployed?
  Reply
Dinesh M on August 27, 2019 at 4:12 pm

Hi Ammar,

Thanks for the wonder information on Azure Bastion. I tried to replicate the instruction on my free subscription environment, however, I’m getting the below error. Could you please help me understand the issue?

“The selected subnet is not supported”

I have following subnets attached to different resource groups.

10.0.0.0/24
10.0.1.0/24
10.0.2.0/24

I have created a new subnet “10.0.200.0/27”, but I’m unable to configure it.

Is there a way, I can configure a single Bastion and use it to connect the VM in all the three different resource groups/subnets.

Please assist.

Regards,
Dinesh M.
Reply
Shrawan Kumar on October 26, 2019 at 5:01 pm

can we give a domain\username and connect to VM? or only a local user of VM is needed to connect?
Reply
Guenther Sebastian on October 28, 2019 at 5:47 pm

Great Post – Thanks for the Information.

Is it rigth, that there is a need of the Bastion Host per Network?
Reply
- Ammar Hasayen on April 2, 2020 at 11:22 pm
  
  Per VNET
  Reply
Syed zoheb on October 29, 2019 at 7:43 pm

Really great article about azure bastion. I was able to create bastion host and connected to VMs using bastion.
Reply
- Ammar Hasayen on April 2, 2020 at 11:22 pm
  
  great work !
  Reply
Eihab on December 24, 2019 at 9:26 am

Hi Ammar
I tried to install Kali linux and Debian linux and I was successful with both through Bastion but my problem was that I can’t get the GUI to work whats so ever could you please point me to a detailed steps on where I can accomplish that and I can’t find lots of details on the internet either.
Thank you
Reply
- Ammar Hasayen on April 2, 2020 at 11:15 pm
  
  Well, I never tried Linux and GUI before. Perhaps someone from the readers can answer 🙂 also try to post on Microsoft Tech Community. I am sure they will answer you quickly
  Reply
- Vicky on April 20, 2020 at 11:41 am
  
  maybe you can try SSH tunnel
  Reply
Sean on March 21, 2020 at 1:10 pm

This was awesome thanks!
Reply
- Ammar Hasayen on April 2, 2020 at 10:58 pm
  
  Glad you liked it 🙂
  Reply
Thomas.XC on May 19, 2020 at 5:16 pm

Hi Ammar,

So I have tried to attach a NSG to my Bastion VNET with the same 3 rules as in your post but I am getting this error:

Failed to save subnet ‘AzureBastionSubnet’. Error: ‘Network security group NSG-BASTION-A-PROJECT does not have necessary rules for Azure Bastion Subnet AzureBastionSubnet.’
Reply
- Ammar Hasayen on May 19, 2020 at 5:24 pm
  
  Strange, they work from me. I posted this while in preview, perhaps things changed? Could you post this at Microsoft TechCommunity and reply here if you got an update?
  Reply
  - Burt on September 10, 2020 at 1:59 am
    
    Rules have changed.
    
    See https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg for current requirements.
    Reply
    - Tom on September 15, 2020 at 9:58 am
      
      Thanks Burt. The new rules published by Microsoft work. Cheers.
      Reply
Thomas.XC on May 19, 2020 at 10:21 pm

Got help on Reddit.
These are the rules that worked for me: https://imgur.com/a/BL2vh1G
Reply
smallena on June 15, 2020 at 4:05 pm

Very Clear Explanation..Thanks @Ammar Hasayen
Reply
Teeju on September 24, 2020 at 9:22 am

Hi,

How do i configure the Bastion to be accessed by administrators from other Azure subscription to manage my widnows/linux machines?

Thanks.
Reply