Recently I took some time to test Azure Bastion (Preview).
What is Azure Bastion?
Azure Bastion is a PaaS that lets you connect securely and seamlessly to your virtual machines running on Azure directly from the Azure portal over SSL, without assigning or exposing a public IP for the machine.
Key features
- You can RDP and SSH to your virtual machine directly from the Azure portal.
- The RDP and SSH sessions are tunnelled over SSL on port 443, so no changes to corporate firewalls are needed.
- Azure VM does not require a public IP.
- No need to harden the VM with an NSG.
- Since the VM has no public IP, it is not exposed to port scanning from the Internet.
- Since Azure Bastion is offered as a PaaS, the Microsoft team keeps it protected against zero-day exploits.
Prerequisites/Notes
You must use the preview link to access Azure Bastion.
Azure Bastion is currently only offered in the following regions:
- West US
- East US
- West Europe
- South Central US
- Australia East
- Japan East
How to setup Azure Bastion
- Log in to the Azure portal using the preview link https://aka.ms/BastionHost
- Search for Bastions in your Azure portal
- Add a new Bastion service.
  - Region: your VM and the Bastion instance must be in the same region
  - Virtual network: the network that will be assigned to the VM later
  - Subnet: the subnet must contain the name AzureBastionSubnet
  - When creating a new virtual network, the subnet name must contain AzureBastionSubnet.
- Now create a new virtual machine
  - Region: must be the same as the Bastion service
  - Virtual network: assign the network created for Bastion
  - Public IP: none
- Connect to the new VM
  - Enter the username and password for the VM
  - You will be connected to the new VM
  - On the left you will see the clipboard
  - You can copy and paste text from your local machine to this VM
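The portal steps above, scripted with the Azure CLI as an added example (this is my own script, not code from the original post or from Microsoft). Resource-group, network, address ranges, image alias and host names are assumed placeholders; the region must be one of the preview regions listed earlier. The guard functions encode the three constraints the steps rely on (Bastion subnet name, same region, no public IP on the VM), and verify_vm_private checks the last one against the deployed VM instead of trusting the portal form:

```shell
#!/usr/bin/env bash
# Added example, not from the original post: Azure Bastion setup via the Azure CLI.
# All names and prefixes below are assumed placeholders; override them via the environment.
set -euo pipefail

RG="${RG:-rg-bastion-demo}"                 # assumed resource group
LOCATION="${LOCATION:-westus}"              # must be a Bastion preview region
VNET="${VNET:-vnet-bastion-demo}"           # assumed VNet name
VM_SUBNET="${VM_SUBNET:-vm-subnet}"         # assumed subnet for the workload VM
BASTION_SUBNET="AzureBastionSubnet"         # Azure requires this exact subnet name
BASTION_PIP="${BASTION_PIP:-pip-bastion-demo}"
BASTION="${BASTION:-bastion-demo}"
VM="${VM:-vm-demo}"
IMAGE="${IMAGE:-Ubuntu2204}"                # image alias; pick one available to you

# Guard: the Bastion subnet must be named exactly AzureBastionSubnet.
check_bastion_subnet_name() {
  [ "$1" = "AzureBastionSubnet" ]
}

# Guard: Bastion and the VM it fronts must live in the same region.
same_region() {
  [ "$1" = "$2" ]
}

# Guard: an empty publicIps field means the VM has no public IP,
# which is the whole point of fronting it with Bastion.
vm_has_no_public_ip() {
  [ -z "$1" ]
}

deploy() {
  check_bastion_subnet_name "$BASTION_SUBNET"
  az group create --name "$RG" --location "$LOCATION"

  # VNet with a subnet for the VM; the Bastion subnet is added separately.
  az network vnet create --resource-group "$RG" --name "$VNET" \
    --location "$LOCATION" --address-prefix 10.10.0.0/16 \
    --subnet-name "$VM_SUBNET" --subnet-prefix 10.10.1.0/24
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name "$BASTION_SUBNET" --address-prefix 10.10.255.0/26

  # Only the Bastion host gets a public IP (Standard SKU, static).
  az network public-ip create --resource-group "$RG" --name "$BASTION_PIP" \
    --sku Standard --allocation-method Static --location "$LOCATION"
  az network bastion create --resource-group "$RG" --name "$BASTION" \
    --vnet-name "$VNET" --public-ip-address "$BASTION_PIP" --location "$LOCATION"

  # The VM: same region, same VNet, and an empty --public-ip-address so none is created.
  same_region "$LOCATION" "$LOCATION"
  az vm create --resource-group "$RG" --name "$VM" --location "$LOCATION" \
    --image "$IMAGE" --vnet-name "$VNET" --subnet "$VM_SUBNET" \
    --public-ip-address "" --admin-username azureuser --generate-ssh-keys
}

# Post-deployment check: confirm the VM really has no public IP.
verify_vm_private() {
  local pip
  pip="$(az vm show --resource-group "$RG" --name "$VM" \
          --show-details --query publicIps -o tsv)"
  vm_has_no_public_ip "$pip"
}

# Only touch Azure when explicitly asked: ./bastion.sh deploy
if [ "${1:-}" = "deploy" ]; then
  deploy
  verify_vm_private && echo "OK: $VM has no public IP; connect through $BASTION in the portal"
fi
```

Run it as `./bastion.sh deploy` after `az login`; without the argument it only defines the functions, so the guards can be exercised or sourced on their own.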
Assign Network Security Groups (NSG) to Bastion
You can assign an NSG to the AzureBastionSubnet; however, the following 3 rules must be allowed in the inbound security rules.
Source
https://docs.microsoft.com/en-us/azure/bastion/bastion-overview