Microsoft has a new service in public preview called Microsoft Azure Bastion. Azure Bastion enables you to secure and seamlessly RDP & SSH to your VMs in Azure virtual network without the need of public IP on the VM directly from the Azure portal, without the need of any additional client/agent or any piece of software.
What is a bastion host?
A bastion host is a specialized computer that is deliberately exposed on a public network. From a secured network perspective, it is the only node exposed to the outside world and is therefore very prone to attack. It is placed outside the firewall in single firewall systems or, if a system has two firewalls, it is often placed between the two firewalls or on the public side of a demilitarized zone (DMZ).
The bastion host processes and filters all incoming traffic and prevents malicious traffic from entering the network, acting much like a gateway. The most common examples of bastion hosts are mail, domain name system, Web and File Transfer Protocol (FTP) servers. Firewalls and routers can also become bastion hosts. (source)
Enabling public preview
The public preview is only available in the following regions:
- West US
- East US
- West Europe
- South Central US
- Australia East
- Japan East
If your Azure environment is in one of these regions you can enable the public preview by following the Azure Portal – Preview Link.
Provision Bastion Subnet
If you click on the Bastion button for the first time, you will be redirected to ‘Operations’ part of the virtual machine. On the screenshot you see that a subnet called ‘AzureBastionSubnet’ needs to be created. What is really helpfull is the ‘Manage Subnet configuration’ link. In my case I needed to remove a subnet to make room for the Bastion subnet. So if a n
Once you provision an Azure Bastion service in your virtual network, the seamless RDP/SSH experience is available to all your VMs in the same virtual network. The deployment is per virtual network and not per subscription/account or virtual machine.
Public IP on the VNET
While deploying the Bastion service, it needs a public IP, you can create a new one or use a existing one.
While the deployment was starting it directly said it failed but it was still running. I have waited a bit and after a while the provisioning succeseeded.
Connect without Public IP
As Microsoft stated there is no public IP on the virtual machine itself and you can still connect to the virtual machine using the public IP of your bastion host.
After a successful deployment you will be able to connect to a virtual machine using a bastion host. Fill in your credentials and click connect.
After a successful connection you will be able to control your virtual machine within the browser. The following browsers a supported. For Windows, please use Chrome or Edge browser and for Mac, please use Chrome browser.
- VNET Peering
Support for peered virtual networks coming soon. Azure Bastion Host service works only with provisioned virtual networks. Support for peered virtual networks is part of the roadmap and will be available soon.
Integration for Azure Active Directory for authentication and MFA coming soon. Integration with Azure Active Directory for AAD logon to the VM and authentication using multi-factor auth is part of our roadmap and we are working hard to add this support.
Azure Bastion Host can be a really good feature for securing RDP or SSH traffic to your jump hosts without this hosts having an public IP address. With the upcoming features this product can compete with third party solutions as CyberArk or BeyondTrust.