Microsoft Azure

Securing Remote Virtual Machines Using Azure Bastion

Remote Desktop Protocol (RDP) and Secure Shell (SSH) are both protocols used for accessing virtual machines (VMs) in the cloud. Azure uses RDP for Windows VMs and SSH for Linux. RDP is less than ideal as a secure protocol and it continues to see Microsoft regularly issue patches.

In June 2019, Microsoft announced Azure Bastion. As a managed Platform-as-a-Service (PaaS) offering, Azure Bastion lets you connect directly to VMs without assigning them a public IP address. Bastion acts as a jump server that forwards secure SSL connections from a browser to VMs. General availability was announced at Microsoft Ignite last year.

Image #1 Expand
Securing Remote Virtual Machines Using Azure Bastion (Image Credit: Microsoft)

Bastion is useful in situations where it wouldn’t be cost effective to deploy your own secure connection solution in Azure or if you can’t connect to an Azure VNET using a virtual private network (VPN). If you are using Windows Virtual Desktop (WVD), you don’t need Azure Bastion. VMs provisioned using WVD are already protected using an architecture like that provided by Bastion.

How to deploy Azure Bastion

First check that the Azure region you want to use supports Bastion. You can find an up-to-date list of supported regions on Microsoft’s website here. You’ll also find detailed instructions on how to create an Azure Bastion host.

Sponsored Content

Passwords Haven’t Disappeared Yet

123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?

There are two ways you can set up Bastion in the Azure management portal. The first is to create a Bastion host resource manually. The process involves three main steps:

  1. Select a subscription, resource group, giving the Bastion host a name and assigning a region.
  2. Select an existing VNET or create a new one. The VNET must contain a subnet called AzureBastionSubnet with a prefix of at least /27.
  3. Finally, you need to assign a public IP address. You can select an existing IP address or create a new one.

Once the three main configuration steps are completed, you can also assign tags and review the settings before provisioning.

Image #2 Expand
Securing Remote Virtual Machines Using Azure Bastion (Image Credit: Russell Smith)

Changing VM connection settings

Alternatively, you can create a Bastion from the settings pane of an existing VM. Regardless of whether you have a Bastion host already deployed in your subscription, when connecting to a virtual machine using the Azure management portal, there is the option to select Bastion instead of RDP or SSH.

Assuming a Bastion isn’t already associated with the VNET where the virtual machine is located, you will be given the opportunity to create a Bastion. The process differs slightly from that described above in that you only need to specify the Bastion subnet, public IP address, and resource group.

Image #3 Expand
Securing Remote Virtual Machines Using Azure Bastion (Image Credit: Russell Smith)

Once the Bastion has been created, regardless of the method, you can connect securely to the VM by selecting Bastion instead of RDP or SSH when connecting via the Azure management portal from Edge or Google Chrome.

Image #4 Expand
Securing Remote Virtual Machines Using Azure Bastion (Image Credit: Russell Smith)

What else should you know before setting up Azure Bastion?

There are some disadvantages to using Azure Bastion. It’s not free, so be sure to check out pricing before you commit. IPv6 isn’t supported and nor are some advanced RDP features. Only text copy and paste are currently available. If you want to use features like drive redirection, you’ll need to connect to your VM directly using RDP. You can find a full list of frequently asked questions on Microsoft’s website.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.
Live Webinar - Thursday, December 2nd! Active Directory Masterclass: AD Configuration Strategies for Stronger SecurityREGISTER NOW - Thursday, December 2, 2021 @ 1 pm ET

Active Directory (AD) is leveraged by over 90% of enterprises worldwide as the authentication and authorization hub of their IT infrastructure—but its inherent complexity leaves it prone to misconfigurations that can allow attackers to slip into your network and wreak havoc. 

Join this session with Microsoft MVP and MCT Sander Berkouwer, who will explore:

  • Whether you should upgrade your domain controllers to Windows Server
    2019 and beyond
  • Achieving mission impossible: updating DCs within 48 hours
  • How to disable legacy protocols and outdated compatibility options in
    Active Directory

Sponsored by: