
Azure Bastion native client support provides a secure way to log into Windows and Linux virtual machines (VMs) using the Remote Desktop Protocol (RDP) or Secure Shell (SSH). There’s no need to expose the VMs to the Internet, or even to your network. That means you can “air gap” the virtual machines to prevent zero-day vulnerabilities in remoting protocols from being exploited from compromised networks.
In this post, you are going to learn how to log into Azure virtual machines with the native Windows RDP client through Azure Bastion.
az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroup>" --target-resource-id "<VM Resource ID>"
Keep reading if you want more details about how to use Azure Bastion with the Windows RDP client to log into Azure VMs.
Our own Russell Smith previously wrote a post about securing remote virtual machines using Azure Bastion. The technology has improved quite a bit since it first launched, with added support for hub-and-spoke network designs to allow the reuse of potentially expensive resources.
Azure Bastion Standard, a new tier with additional features, including session management, was also added. Moreover, Azure Bastion Standard added the ability to log into machines using native remote desktop (or SSH) clients instead of connecting through the Azure Portal.
Azure Bastion Standard is required to use the native Windows RDP client. The higher cost of Azure Bastion Standard implies that you will deploy Bastion as a shared resource, rather than as a workload-specific resource.
You can find more details about Azure Bastion in the support pages below:
Adding support for the native desktop RDP client was probably one of the biggest feature requests when Azure Bastion was first released. Developers and operators did not want to log into their machines through the Azure Portal.
Support for the native Remote Desktop client brought the following new features:
If you want to support native RDP (or SSH) clients, then you must alter the configuration of your Standard (required) tier for Azure Bastion. The following instructions assume that you already have a Bastion host configured and that you have a Windows VM located in the same virtual network as the Bastion host.
Once those actions are completed, developers and operators can log into virtual machines using their Windows RDP client.
Before you attempt to log in, you will need to:
az vm show --name petriprotected --resource-group bastion --show-details
On your PC:
It’s important that you run Windows Terminal as an administrator, otherwise the ‘az network bastion rdp’ command will fail with a permissions error. This might be a bug, but that’s been my experience at the time of writing.
Before you can launch the RDP client, you’ll need to log into your Azure tenant and choose a subscription.
az login
az account list
az account set --subscription "<subscription ID>"
Now let’s start the native Windows RDP client using Azure CLI.
$BastionName = 'PetriBastion'
$BastionRG = 'Bastion'
# Full resource ID of the target VM (the "id" value in the az vm show output)
$VMResourceID = '<VM Resource ID>'
az network bastion rdp --name $BastionName --resource-group $BastionRG --target-resource-id $VMResourceID
The Remote Desktop client will open on your PC and prompt you for valid log-in credentials for the guest OS, as long as the following requirements are met:
Assuming that copy and paste are enabled, the developer/operator will have a familiar session experience. One could probably create a custom PowerShell cmdlet to simplify the login experience if the same Azure Bastion resource was to be used repeatedly.
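One way such a helper could look, as an added example that is not code from the original post. `Connect-BastionRdp` is a hypothetical function name and its defaults reuse the sample names from this post; it resolves the VM's resource ID by name and checks it before launching the RDP client.

```powershell
# Added example: hypothetical helper, not part of the original post or of Azure CLI.
function Connect-BastionRdp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [string] $VMResourceGroup,
        # Defaults are the sample names used in this post; change them for your tenant.
        [string] $BastionName = 'PetriBastion',
        [string] $BastionResourceGroup = 'Bastion'
    )

    if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
        throw 'Azure CLI (az) was not found on PATH.'
    }

    # The post reports a permissions error when the terminal is not elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Warning 'Not running elevated; az network bastion rdp may fail.'
    }

    # Confirm there is a signed-in session and show which subscription is active.
    $subscription = az account show --query name --output tsv
    if ($LASTEXITCODE -ne 0) { throw 'Not signed in. Run az login first.' }
    Write-Verbose "Active subscription: $subscription"

    # Native client support needs the Standard tier, so stop early on Basic.
    $sku = az network bastion show --name $BastionName --resource-group $BastionResourceGroup --query sku.name --output tsv
    if ($LASTEXITCODE -ne 0) { throw "Bastion host '$BastionName' was not found." }
    if ($sku -eq 'Basic') { throw "Bastion host '$BastionName' is on the Basic tier." }

    # Resolve the VM's full resource ID instead of pasting it by hand.
    $vmId = az vm show --name $VMName --resource-group $VMResourceGroup --query id --output tsv
    if ($LASTEXITCODE -ne 0 -or -not $vmId) {
        throw "Could not resolve VM '$VMName' in resource group '$VMResourceGroup'."
    }

    # Refuse anything that is not a virtual machine resource ID.
    $pattern = '^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+/providers/Microsoft\.Compute/virtualMachines/[^/]+$'
    if ($vmId -notmatch $pattern) { throw "Unexpected resource ID: $vmId" }

    az network bastion rdp --name $BastionName --resource-group $BastionResourceGroup --target-resource-id $vmId
    if ($LASTEXITCODE -ne 0) { throw 'az network bastion rdp returned an error.' }
}

# Usage with the sample VM from this post:
# Connect-BastionRdp -VMName petriprotected -VMResourceGroup bastion -Verbose
```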
Using Azure CLI to connect to VMs behind an Azure Bastion Host is hardly ideal. It would be great if, in the future, Microsoft built this functionality directly into the native RDP client in Windows.
But in the meantime, using Azure CLI to launch connections to Windows and Linux VMs protected by a Bastion Host is the only option you have, assuming of course that you don’t want to connect to VMs using the Connect > Bastion option in the Azure Portal.
Azure Bastion Native Client Support - Log Into VMs With the Windows RDP Client
Jul 15, 2022 | Aidan Finn