Microsoft’s Azure Bastion Creates a Secure Connection to Off-Internet VMs

The Internet will go down as one of humanity’s best creations as a tool to distribute information at a wide scale in real time. While the platform has many benefits, not everyone wants to connect critical infrastructure component to it as there are also significant risks in exposing your components to the rest of the world.

Microsoft announced a new Azure service this week called Bastion which makes it significantly easier to securely and remotely connect to your non-connected VMs. The service is a new and managed PaaS offering that provides seamless RDP and SSH connectivity to your virtual machines over the Secure Sockets Layer (SSL).

The key here is that this connection can be made without exposing your IPs to the public Internet and instead, Azure Bastion provisions directly into your Azure Virtual Network; effectively securing the connection and keeping it private from outside eyes. This complex connection can be configured in two clicks, according to Microsoft, and mitigates the need to configure and manage network security policies.

Even though this is a preview, here’s a list of the key features included in this release:

• RDP and SSH from the Azure portal: Initiate RDP and SSH sessions directly in the Azure portal with a single-click seamless experience.
• Remote session over SSL and firewall traversal for RDP/SSH: HTML5 based web clients are automatically streamed to your local device providing the RDP/SSH session over SSL on port 443. This allows easy and securely traversal of corporate firewalls.
• No public IP required on Azure Virtual Machines: Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using a private IP, limiting exposure of your infrastructure to the public Internet.
• Simplified secure rules management: Simple one-time configuration of Network Security Groups (NSGs) to allow RDP/SSH from only Azure Bastion.
• Increased protection against port scanning: The limited exposure of virtual machines to the public Internet will help protect against threats, such as external port scanning.
• Hardening in one place to protect against zero-day exploits: Azure Bastion is a managed service maintained by Microsoft. It’s continuously hardened by automatically patching and keeping up to date against known vulnerabilities

On the road ahead, Microsoft will be adding more features including Azure Active Directory support, single-sign-on capabilities, and multi-factor authentication integration. Further, they are looking into enabling native support for third-party RDP/SSH clients as well.

The preview of this service is now available and you can try it out with your tenants here.