Securing Remote Virtual Machines Using Azure Bastion

Remote Desktop Protocol (RDP) and Secure Shell (SSH) are both protocols used for accessing virtual machines (VMs) in the cloud. Azure uses RDP for Windows VMs and SSH for Linux. RDP is less than ideal as a secure protocol, and Microsoft continues to issue patches for it regularly.

In June 2019, Microsoft announced Azure Bastion. As a managed Platform-as-a-Service (PaaS) offering, Azure Bastion lets you connect directly to VMs without assigning them a public IP address. Bastion acts as a jump server that forwards secure SSL connections from a browser to VMs. General availability was announced at Microsoft Ignite last year.

Securing Remote Virtual Machines Using Azure Bastion (Image Credit: Microsoft)

Bastion is useful in situations where it wouldn’t be cost effective to deploy your own secure connection solution in Azure or if you can’t connect to an Azure VNET using a virtual private network (VPN). If you are using Windows Virtual Desktop (WVD), you don’t need Azure Bastion. VMs provisioned using WVD are already protected using an architecture like that provided by Bastion.

How to deploy Azure Bastion

First, check that the Azure region you want to use supports Bastion. You can find an up-to-date list of supported regions on Microsoft’s website, along with detailed instructions on how to create an Azure Bastion host.

There are two ways you can set up Bastion in the Azure management portal. The first is to create a Bastion host resource manually. The process involves three main steps:

  1. Select a subscription and resource group, give the Bastion host a name, and assign a region.
  2. Select an existing VNET or create a new one. The VNET must contain a subnet called AzureBastionSubnet with a prefix of at least /27.
  3. Finally, you need to assign a public IP address. You can select an existing IP address or create a new one.

Once the three main configuration steps are completed, you can also assign tags and review the settings before provisioning.
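Before working through those steps in the portal, it helps to confirm that the target VNET can actually hold the Bastion subnet. The following Python check is an added example, not code from Microsoft or from this article: the function names and the sample address ranges are made up for illustration, and it reads "at least /27" as "/27 or larger".

```python
import ipaddress

BASTION_SUBNET = "AzureBastionSubnet"  # subnet name the article requires
MAX_PREFIXLEN = 27  # "at least /27" read as /27 or larger (assumption)

def check_bastion_subnet(vnet_prefixes, subnets):
    """Return a list of problems; an empty list means the layout is usable."""
    space = [ipaddress.ip_network(p) for p in vnet_prefixes]
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    if BASTION_SUBNET not in nets:
        near = [n for n in nets if n.lower() == BASTION_SUBNET.lower()]
        hint = f" (found {near[0]!r}; use the exact name)" if near else ""
        return [f"no subnet named {BASTION_SUBNET}{hint}"]
    bastion, problems = nets[BASTION_SUBNET], []
    if bastion.prefixlen > MAX_PREFIXLEN:
        problems.append(f"{bastion} is smaller than /{MAX_PREFIXLEN}")
    if not any(bastion.version == s.version and bastion.subnet_of(s) for s in space):
        problems.append(f"{bastion} is outside the VNET address space")
    for name, net in nets.items():
        same_family = net.version == bastion.version
        if name != BASTION_SUBNET and same_family and net.overlaps(bastion):
            problems.append(f"{bastion} overlaps subnet {name} ({net})")
    return problems

def suggest_bastion_prefix(vnet_prefixes, subnets):
    """Return the first unused /27 in the VNET address space, or None."""
    used = [ipaddress.ip_network(c) for c in subnets.values()]
    for prefix in vnet_prefixes:
        space = ipaddress.ip_network(prefix)
        # Skip IPv6 ranges (the article notes IPv6 isn't supported) and
        # address spaces too small to hold a /27.
        if space.version != 4 or space.prefixlen > MAX_PREFIXLEN:
            continue
        for candidate in space.subnets(new_prefix=MAX_PREFIXLEN):
            if not any(u.version == 4 and candidate.overlaps(u) for u in used):
                return str(candidate)
    return None

if __name__ == "__main__":
    # Constructed sample VNET: the Bastion subnet is too small (/28).
    vnet = ["10.1.0.0/16"]
    subnets = {"default": "10.1.0.0/24", BASTION_SUBNET: "10.1.1.0/28"}
    print(check_bastion_subnet(vnet, subnets))
    del subnets[BASTION_SUBNET]
    print(suggest_bastion_prefix(vnet, subnets))
```
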

Securing Remote Virtual Machines Using Azure Bastion (Image Credit: Russell Smith)

Changing VM connection settings

Alternatively, you can create a Bastion from the settings pane of an existing VM. Regardless of whether you have a Bastion host already deployed in your subscription, when connecting to a virtual machine using the Azure management portal, there is the option to select Bastion instead of RDP or SSH.

Assuming a Bastion isn’t already associated with the VNET where the virtual machine is located, you will be given the opportunity to create a Bastion. The process differs slightly from that described above in that you only need to specify the Bastion subnet, public IP address, and resource group.

Securing Remote Virtual Machines Using Azure Bastion (Image Credit: Russell Smith)

Once the Bastion has been created, regardless of the method, you can connect securely to the VM by selecting Bastion instead of RDP or SSH when connecting via the Azure management portal from Edge or Google Chrome.

Securing Remote Virtual Machines Using Azure Bastion (Image Credit: Russell Smith)

What else should you know before setting up Azure Bastion?

There are some disadvantages to using Azure Bastion. It’s not free, so be sure to check out pricing before you commit. IPv6 isn’t supported, and neither are some advanced RDP features. Only text copy and paste is currently available. If you want to use features like drive redirection, you’ll need to connect to your VM directly using RDP. You can find a full list of frequently asked questions on Microsoft’s website.

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.