In this blog post, I am going to introduce you to Azure Bastion in Microsoft Azure and teach you how to create your first Azure Bastion host, connect to a virtual machine, and work in a virtual machine session.
The Azure Bastion service is a new, fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL. The good thing about this is that when you connect via Azure Bastion, your virtual machines do not need a public IP address.
How Does Azure Bastion Work?
Before explaining how Azure Bastion works, I would like to first talk about how things worked before and why you might want to use this service. I always like to explain the why before going to the how part of the story.
Usually you have a VNET inside Azure, and you have your resources in one or more subnets. You may have a management subnet with one or more jumpboxes or bastion hosts that you use for your administrative tasks and that contain all your remote administration tools.
You might also have some sort of hybrid connectivity with your on-premises network, and when you are outside the office, you use a point-to-site VPN to securely access your VNET, which is the ideal situation.
But for some reason you might have your jumpbox host configured with a public IP that is exposed to the internet, and you connect to the jumpbox using RDP or SSH. Once you connect to the jumpbox host, you then use it to connect internally to other resources.
Now this means a malicious user can use port scanning to discover this public IP and a brute-force attack to compromise your jumpbox. As a best practice, you should have a network security group to restrict what ports and source IP addresses are allowed to connect, or even better, use Azure Just-in-Time (JIT) access.
But you still have this public IP address exposed. A better solution would be to remove this public IP address so that you don't expose RDP and SSH into your VNET, and reduce the attack surface of your VNET.
Now your jumpbox host does not have any public IP addresses, and you implement the Azure Bastion solution, which sits in its own managed subnet and exposes a public IP address. This IP address, however, does not accept RDP or SSH connections. It only accepts SSL connections.
So here is how the connectivity works:
- You connect to the Azure management portal over HTTPS using any browser, then you select a virtual machine to connect to.
- Now the Azure portal connects to the Azure Bastion service using its public IP on port 443.
- You get a new session in your browser and you can browse the desktop of the virtual machine and any other VMs inside your network using RDP or SSH.
Think about Azure Bastion as a proxy: it receives connections from the internet using SSL and connects you back to your VMs using RDP and SSH. It is similar to a Remote Desktop Gateway or RD Web Access solution: you connect from a browser to a gateway that gives you back your RDP session in the browser.
Now keep in mind that the bastion host is attached to a virtual network, so you need a bastion host for each VNET. If you have multiple VNETs that you want to RDP or SSH into from the Azure management portal, then you should deploy Azure Bastion in each of those VNETs.
Create Azure Bastion Host
Here is a step-by-step guide to create your first Azure Bastion host:
Step 1: Register for the preview
You first need to register for the preview by running the following PowerShell commands. If you receive any errors, the best way to run these commands is to deploy a new Windows 10 machine (clean installation), open PowerShell ISE as an administrator, and run the commands in order.
#------------------------------
# Connect your subscription using PowerShell
#------------------------------
Install-Module AzureRM -AllowClobber
Set-ExecutionPolicy Unrestricted
Import-Module AzureRM
Connect-AzureRmAccount
#------------------------------
# Register for the preview
#------------------------------
# Enrollment: request the AllowBastionHost preview feature for this subscription
Register-AzureRmProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
# Register your subscription with the Microsoft.Network provider namespace
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network
# Verify that the AllowBastionHost feature is registered with your subscription
Get-AzureRmProviderFeature -ProviderNamespace Microsoft.Network
#------------------------------
#----------THE END-------------
#------------------------------
Step 2: Create Azure Bastion resource
Now go to this URL http://aka.ms/BastionHost, which will redirect you to the Azure portal with preview features enabled. It looks something like the picture below.
Now add a new resource, search for Bastion, and click Create to start the deployment wizard.
Now choose a resource group to host the bastion resource, give it a name, and pick a region. Keep in mind that Azure Bastion is deployed in a VNET, so there is a one-to-one relation between your VNETs and your Azure Bastion resources.
I already have a VNET called vnet-production that hosts my production workloads, so I am going to choose it. Now the wizard is telling me I have to create a subnet in that VNET with the exact name AzureBastionSubnet and an IP prefix of at least /27. This is the same as when you deploy the managed VPN gateway in Azure, which is hosted in its own gateway subnet.
Now I will go to my vnet-production VNET and create a new subnet. Keep in mind that the name of this subnet MUST be AzureBastionSubnet. For the IP address range, I will choose 10.0.200.0/27.
Now go back to the Azure Bastion deployment wizard. You can see that we no longer get errors when we pick our virtual network, and the wizard detects the subnet we've just created.
Next, you can see that the Azure Bastion host requires creating a public IP address that will be used for SSL connectivity from the internet only. This means you are paying for the public IP resource. This IP is not going to be attached to your VMs in any way.
Now we are done. It takes a couple of minutes for the deployment to complete, and then you have an Azure Bastion resource as you see in the figure below. You can see that this resource has:
- Public DNS Name
- Public IP Address
- Attached to a VNET
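The same Step 2 deployment can be scripted. The block below is an added example, not code from the original post; it uses the Az PowerShell module (the successor of the AzureRM module used in Step 1) and assumes a resource group named rg-production that holds the vnet-production VNET from the post. The public IP name pip-bastion and the bastion name bastion-production are made up for the example. It also enforces the two constraints the wizard checks: the subnet must be named AzureBastionSubnet and must be a /27 or larger.

```powershell
# Added example (not from the original post): create AzureBastionSubnet, a static
# Standard public IP and the Bastion host with the Az module.
# Assumed names: resource group "rg-production"; "pip-bastion" and
# "bastion-production" are invented here. VNET and prefix come from the post.
$rg         = "rg-production"
$vnetName   = "vnet-production"
$subnetName = "AzureBastionSubnet"   # fixed name required by the service
$prefix     = "10.0.200.0/27"        # must be /27 or larger

# Guard: the service rejects any other subnet name and anything smaller than /27
if ($subnetName -ne "AzureBastionSubnet") { throw "Subnet must be named AzureBastionSubnet" }
$prefixLength = [int]($prefix.Split('/')[1])
if ($prefixLength -gt 27) { throw "AzureBastionSubnet needs at least a /27, got /$prefixLength" }

Connect-AzAccount | Out-Null

# 1. Add the dedicated subnet to the existing VNET (skip if it is already there)
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
if (-not ($vnet.Subnets | Where-Object Name -eq $subnetName)) {
    Add-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet -AddressPrefix $prefix | Out-Null
    $vnet = $vnet | Set-AzVirtualNetwork
}

# 2. Public IP that serves only the HTTPS (443) front end of the bastion;
#    it is never attached to any of your VMs
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-bastion" -Location $vnet.Location `
    -AllocationMethod Static -Sku Standard

# 3. The Bastion resource itself; one per VNET, as the post explains
New-AzBastion -ResourceGroupName $rg -Name "bastion-production" -PublicIpAddress $pip -VirtualNetwork $vnet
```

After the deployment finishes, Get-AzBastion -ResourceGroupName $rg returns the resource with its DNS name and public IP, matching the three properties listed above.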
Step 3: Connect to a virtual machine
Now let me browse to my jumpbox device inside my vnet-production VNET; this can be any of your virtual machines inside your VNET. I already have a virtual machine called ManagementVM (my jumpbox VM).
Notice that this VM does not have a public IP address, which means I can't connect to it from the internet.
Now if I click Connect, you can see I have a new option called Bastion. I then type the admin credentials for my ManagementVM virtual machine and click Connect.
Now a new browser window opens and my profile starts loading.
Now I can access my ManagementVM desktop directly from my browser, without having a public IP on my ManagementVM.
Now this is not a normal RDP session, so I cannot (as of today) copy files from my local machine to the desktop of my management VM, but I can copy text.
I will open Notepad on my machine and copy some text. Then you can see two small arrows here; when I click them, they show me the text I just copied from my local machine.
I can also go to a full screen mode.
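The whole point of Step 3 is that the VM you reach through Bastion has no public IP of its own. The script below is an added check, not part of the original post, that lists every network interface in the VNET that still carries a public IP, so you can confirm nothing in vnet-production is reachable directly from the internet alongside the bastion. It assumes the Az module, an existing Connect-AzAccount session, and the resource group name rg-production (assumed, like in the previous example).

```powershell
# Added example (not from the original post): find NICs in the VNET that still
# have a public IP attached. Anything listed bypasses the bastion and should be
# reviewed. Assumed: Az module, signed-in session, resource group "rg-production".
$rg       = "rg-production"
$vnetName = "vnet-production"

$vnet    = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$exposed = @()

foreach ($nic in Get-AzNetworkInterface) {
    foreach ($cfg in $nic.IpConfigurations) {
        # Only NICs whose subnet belongs to this VNET (subnet id is prefixed by the VNET id)
        if ($cfg.Subnet.Id -notlike "$($vnet.Id)/*") { continue }
        if ($cfg.PublicIpAddress) {
            $pip = Get-AzResource -ResourceId $cfg.PublicIpAddress.Id
            $exposed += [pscustomobject]@{
                Nic      = $nic.Name
                Subnet   = ($cfg.Subnet.Id -split '/')[-1]
                PublicIp = $pip.Name
                VmId     = $nic.VirtualMachine.Id   # null for NICs not attached to a VM
            }
        }
    }
}

if ($exposed.Count -eq 0) {
    Write-Output "No NIC in $vnetName has a public IP; all interactive access goes through the bastion."
} else {
    # Every row here is a host reachable without Bastion
    $exposed | Format-Table -AutoSize
}
```

The bastion's own public IP does not show up in this list because the AzureBastionSubnet interface is managed by the service, not by a NIC resource in your subscription.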
Step 4: Create Network Security Group for the AzureBastionSubnet
Now the final thing I want to show you is how to apply a network security group to the AzureBastionSubnet if you want to harden it.
I already configured a network security group called nsg-bastion on this subnet, and here are the three inbound security rules you need to configure:
- Allow HTTPS from the Internet
- Allow any traffic from the service tag AzureCloud
- Allow any traffic from the service tag GatewayManager
The rest of the rules are the default ones.
To better understand the network security group requirements for the AzureBastionSubnet: the Azure portal and the AzureBastionSubnet use the Azure GatewayManager to facilitate this connectivity.
So for your AzureBastionSubnet NSG, you need to allow ingress (inbound) traffic from GatewayManager and also from AzureCloud, which are both available as service tags in the network security group interface, and you also need to allow inbound HTTPS from the internet for this to work.
You can learn more about Azure Bastion in the Microsoft documentation here, and watch my YouTube video about this topic. You can also view the PowerPoint slides I used on my SlideShare here.
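Here is the Step 4 NSG expressed as a script, as an added example rather than code from the original post. It creates nsg-bastion with exactly the three inbound rules listed above (Internet, AzureCloud and GatewayManager are the service tags' names) and binds it to AzureBastionSubnet using the Az module. The rule set is the preview-era one this post describes; the comments below note that Microsoft later changed the required rules, so validate against the current Bastion NSG documentation before applying it. Resource group rg-production is an assumed name; the VNET, subnet and prefix are the post's.

```powershell
# Added example (not from the original post): build nsg-bastion with the three
# inbound rules the post lists and attach it to AzureBastionSubnet.
# Assumed: Az module, signed-in session, resource group "rg-production".
$rg       = "rg-production"
$vnetName = "vnet-production"
$prefix   = "10.0.200.0/27"

$rules = @(
    # HTTPS from the internet to the bastion front end (service tag Internet)
    New-AzNetworkSecurityRuleConfig -Name "AllowHttpsInbound" -Priority 100 -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 443
    # Any traffic from the AzureCloud service tag, as the post states
    New-AzNetworkSecurityRuleConfig -Name "AllowAzureCloudInbound" -Priority 110 -Direction Inbound -Access Allow `
        -Protocol * -SourceAddressPrefix AzureCloud -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *
    # Any traffic from the GatewayManager service tag the portal uses to reach the subnet
    New-AzNetworkSecurityRuleConfig -Name "AllowGatewayManagerInbound" -Priority 120 -Direction Inbound -Access Allow `
        -Protocol * -SourceAddressPrefix GatewayManager -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange *
)

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$nsg  = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-bastion" -Location $vnet.Location -SecurityRules $rules

# Attach the NSG to the bastion subnet; the default rules stay in place below these three
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "AzureBastionSubnet" -AddressPrefix $prefix `
    -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

If the platform rejects the association with an error like the one quoted in the comments ("does not have necessary rules for Azure Bastion Subnet"), the rule set is out of date for your region and the linked documentation is the authority.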
Really great and informative article, thanks.
One question though: if I am using Azure Bastion to securely connect to my VMs, theoretically do I need to deploy a jump box from a security perspective as per your example, or should I go ahead and connect to all the machines directly?
I think the concept of a jump box doesn't have a use anymore, right?
Hi Rami. Azure Bastion eliminates the need for a public IP to access your resources from the internet. That's it. Now, having a jumpbox has nothing to do with this feature. A jumpbox VM is a virtual machine you have all your administrative tools and scripts on, so that you don't need to log on to your production VMs to remotely manage them. Also, as a best practice, you can restrict your production servers so that the only IP that can connect to them using RDP or SSH is your jumpbox server, which is deployed in a separate management subnet.
Now, if you don't already have a jumpbox server, then you can still use Azure Bastion to connect directly to your VMs without any problem.
I just tried the steps as you mentioned, but I did not get the option of Bastion under VM Connect. Am I missing something?
Hi, I am sorry to hear that. Did you successfully run the PowerShell commands and register for the preview? Did you use the http://aka.ms/BastionHost link to open the Azure management portal? And finally, did the Azure Bastion host get deployed successfully?
Thanks for the wonderful information on Azure Bastion. I tried to replicate the instructions in my free subscription environment; however, I'm getting the error below. Could you please help me understand the issue?
“The selected subnet is not supported”
I have the following subnets attached to different resource groups.
I have created a new subnet "10.0.200.0/27", but I'm unable to configure it.
Is there a way I can configure a single Bastion and use it to connect to the VMs in all three different resource groups/subnets?
Can we give a domain\username and connect to the VM, or is only a local user of the VM needed to connect?
Great post, thanks for the information.
Is it right that there is a need for a Bastion host per network?
Really great article about Azure Bastion. I was able to create a Bastion host and connect to VMs using Bastion.
Great work!
I tried to install Kali Linux and Debian Linux and I was successful with both through Bastion, but my problem was that I can't get the GUI to work whatsoever. Could you please point me to detailed steps on how I can accomplish that? I can't find a lot of details on the internet either.
Well, I never tried Linux and a GUI before. Perhaps someone from the readers can answer 🙂 Also try to post on Microsoft Tech Community. I am sure they will answer you quickly.
Maybe you can try an SSH tunnel.
This was awesome, thanks!
Glad you liked it 🙂
So I have tried to attach an NSG to my Bastion VNET with the same 3 rules as in your post, but I am getting this error:
Failed to save subnet ‘AzureBastionSubnet’. Error: ‘Network security group NSG-BASTION-A-PROJECT does not have necessary rules for Azure Bastion Subnet AzureBastionSubnet.’
Strange, they work for me. I posted this while in preview; perhaps things changed? Could you post this at Microsoft TechCommunity and reply here if you get an update?
Rules have changed.
See https://docs.microsoft.com/en-us/azure/bastion/bastion-nsg for current requirements.
Thanks Burt. The new rules published by Microsoft work. Cheers.
Got help on Reddit.
These are the rules that worked for me: https://imgur.com/a/BL2vh1G
Very clear explanation. Thanks @Ammar Hasayen
How do I configure the Bastion to be accessed by administrators from another Azure subscription to manage my Windows/Linux machines?