Using Azure Bastion to connect securely to your Azure VMs
Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address, agent, or special client software.
Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.
Architecture
Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine. Once you provision an Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same virtual network.
RDP and SSH are some of the fundamental means through which you can connect to your workloads running in Azure. Exposing RDP/SSH ports over the Internet isn’t desired and is seen as a significant threat surface. This is often due to protocol vulnerabilities. To contain this threat surface, you can deploy bastion hosts (also known as jump-servers) at the public side of your perimeter network. Bastion host servers are designed and configured to withstand attacks. Bastion servers also provide RDP and SSH connectivity to the workloads sitting behind the bastion, as well as further inside the network.
Above figure shows the architecture of an Azure Bastion deployment. In this diagram:
- The Bastion host is deployed in the virtual network that contains the AzureBastionSubnet subnet that has a minimum /27 prefix.
- The user connects to the Azure portal using any HTML5 browser.
- The user selects the virtual machine to connect to.
- With a single click, the RDP/SSH session opens in the browser.
- No public IP is required on the Azure VM.
Key features
The following features are available:
- RDP and SSH directly in Azure portal: You can directly get to the RDP and SSH session directly in the Azure portal using a single click seamless experience.
- Remote Session over TLS and firewall traversal for RDP/SSH: Azure Bastion uses an HTML5 based web client that is automatically streamed to your local device, so that you get your RDP/SSH session over TLS on port 443 enabling you to traverse corporate firewalls securely.
- No Public IP required on the Azure VM: Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using private IP on your VM. You don’t need a public IP on your virtual machine.
- No hassle of managing NSGs: Azure Bastion is a fully managed platform PaaS service from Azure that is hardened internally to provide you secure RDP/SSH connectivity. You don’t need to apply any NSGs on Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This removes the hassle of managing NSGs each time you need to securely connect to your virtual machines.
- Protection against port scanning: Because you do not need to expose your virtual machines to public Internet, your VMs are protected against port scanning by rogue and malicious users located outside your virtual network.
- Protect against zero-day exploits. Hardening in one place only: Azure Bastion is a fully platform-managed PaaS service. Because it sits at the perimeter of your virtual network, you don’t need to worry about hardening each of the virtual machines in your virtual network. The Azure platform protects against zero-day exploits by keeping the Azure Bastion hardened and always up to date for you.
Configure Bastion and connect to an Ubuntu VM through a browser
Prerequisites
- An Azure Subscription.
- A Virtual Network.
- An Ubuntu VM.
Sign in to the Azure portal
Sign in to the Azure portal.
Create a bastion host
This section helps you create the bastion host in your VNet. This is required in order to create a secure connection to the VM in the VNet.
- From the Home page, select + Create a resource.
- On the New page, in the Search box, type Bastion, then select Enter to get to the search results. On the result for Bastion, verify that the publisher is Microsoft.
- Select Create.
- On the Create a Bastion page, configure a new Bastion resource.
- Subscription: The Azure subscription you want to use to create a new Bastion resource.
- Resource Group: The Azure resource group in which the new Bastion resource will be created. If you don’t have an existing resource group, you can create a new one.
- Name: The name of the new Bastion resource.
- Region: The Azure public region that the resource will be created in.
- Virtual network: The virtual network in which the Bastion resource will be created. You can create a new virtual network in the portal during this process, or use an existing virtual network. If you are using an existing virtual network, make sure the existing virtual network has enough free address space to accommodate the Bastion subnet requirements. If you don’t see your virtual network from the dropdown, make sure you have selected the correct Resource Group.
- Subnet: Once you create or select a virtual network, the subnet field will appear. The subnet name in your virtual network should be AzureBastionSubnet and it is where the new Bastion host will be deployed. This subnet will be dedicated to the Bastion host. If You don’t have a subnet, you can create a new subnet with name called AzureBastionSubnet. The subnet must be at least /27 or larger.
- Public IP address: The public IP address of the Bastion resource on which RDP/SSH will be accessed (over port 443). Create a new public IP address. The public IP address must be in the same region as the Bastion resource you are creating. This IP address does not have anything to do with any of the VMs that you want to connect to. It’s the public IP address for the Bastion host resource.
- Public IP address name: The name of the public IP address resource. For this tutorial, you can leave the default.
- Public IP address SKU: This setting is pre-populated by default to Standard. Azure Bastion uses/supports only the Standard public IP SKU.
- Assignment: This setting is pre-populated by default to Static.
5. When you have finished specifying the settings, select Review + Create. This validates the values. Once validation passes, you can create the Bastion resource.
6. Review your settings. Next, at the bottom of the page, select Create.
7. You will see a message letting you know that your deployment is underway. Status will display on this page as the resources are created. It takes about 5 minutes for the Bastion resource to be created and deployed.
Create a virtual machine
This section helps you create the Virtual Machine in your VNet.
- From the Home page, select + Create a resource.
- On the New page, in the Search box, type Virtual Machine, then select Enter to get to the search results. On the result for Virtual Machine, verify that the publisher is Microsoft.
- Select Create.
- On the Create a virtual machine page, configure a new vm resource.
Basic Settings
- Subscription: The Azure subscription you want to use to create a new VM resource.
- Resource Group: The Azure resource group in which the new VM resource will be created. You should select the same resource group that you used to create the Bastion resource.
- Virtual machine name: The name of the new VM resource.
- Region: The Azure public region that the resource will be created in.
- Availability options: No infrastructure redundancy required.
- Image: Ubuntu Server 20.04 LTS-Gen1
- Azure Spot instance: Disabled
- Size: Standard_D2s_v3
- Administrator account: provide any username and password with selecting the password Authentication type option.
- Inbound port rules: Select None
Once done with the Basic Settings of VM, navigate to the Networking tab.
Network Interface Settings
- Virtual Network: The virtual network in which the vm resource will be created. Here, you should select the same virtual network that you used to deploy the Bastion resource.
- Public IP: None
- NIC network security group: Basic
- Public inbound ports: None
5. When you have finished specifying the network interface settings, select Review + Create. This validates the values. Once validation passes, you can create the VM resource.
6. Review your settings. Next, at the bottom of the page, select Create.
Connect to the VM
- In the Azure portal, navigate to the virtual machine that you have created. On the Overview page, select Connect, then select Bastion from the dropdown.
- After you select Bastion from the dropdown, a side bar appears that has three tabs: RDP, SSH, and Bastion. Because Bastion was provisioned for the virtual network, the Bastion tab is active by default. Select Use Bastion.
- On the Connect using Azure Bastion page, enter the username and password for your virtual machine with selecting the Authentication Type Password option, then select Connect.
- The SSH connection to this virtual machine via Bastion will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service.
Clean up resources
If you’re not going to continue to use this application, delete your resources using the following steps:
- Enter the name of your resource group in the Search box at the top of the portal. When you see your resource group in the search results, select it.
- Select Delete resource group.
- Enter the name of your resource group for TYPE THE RESOURCE GROUP NAME: and select Delete.
In this tutorial, you created a Bastion host and associated it to a virtual network. You then connected to the Ubuntu VM via Bastion service with your browser.
Happy Connecting!! :)