Azure Bastion
Azure Bastion is a fully managed service that provides secure and seamless RDP (Remote Desktop Protocol) and SSH (Secure Shell) connectivity to your virtual machines (VMs) directly through the Azure portal. Because every session is brokered by Bastion, your VMs need no public IP addresses and are never exposed to the public internet.
Key Features of Azure Bastion
- Secure Access:
  - Provides RDP and SSH access to VMs without exposing them to the internet.
  - Uses the Azure portal to establish connections, leveraging a secure, managed service.
- No Public IP Requirement:
  - VMs do not need public IP addresses for access, reducing the attack surface.
- Integrated Experience:
  - Integrated directly into the Azure portal for easy access and management.
  - No need to manage jump servers or maintain VPNs for access.
- Protection Against Threats:
  - Protects against threats such as port scanning and other network-based attacks, because the VMs themselves are not reachable from the internet.
  - Establishes a secure connection over SSL, utilizing the Azure Bastion service.
- Managed Service:
  - Azure Bastion is a fully managed PaaS (Platform as a Service) solution, reducing the operational overhead.
How Azure Bastion Works
- Deploy Azure Bastion:
  - Deploy the Azure Bastion service within your virtual network (VNet).
  - The service is deployed to a dedicated subnet called AzureBastionSubnet.
- Access VMs:
  - Once deployed, use the Azure portal to initiate RDP or SSH sessions directly to your VMs.
  - Azure Bastion establishes the connection securely without the need for a public IP on the VM.
- Connection Flow:
  - The user accesses the Azure portal.
  - The Azure portal securely connects to the Azure Bastion service within the VNet.
  - Azure Bastion then initiates the RDP or SSH connection to the target VM over its private IP address.
Example Deployment
- Create AzureBastionSubnet:
  - Add a subnet named AzureBastionSubnet to your VNet.
  - Ensure the subnet has an IP address range of at least /27 (e.g., 10.0.0.0/27).
- Deploy Azure Bastion:
  - Go to “Create a resource” > “Networking” > “Azure Bastion”.
  - Configure the basics:
    - Name: MyBastion
    - Virtual network: Select your VNet.
    - Subnet: Ensure AzureBastionSubnet is selected.
    - Public IP address: Create a new public IP address or use an existing one.
  - Click “Review + create” and then “Create”.
- Connect to a VM:
  - Navigate to the VM you want to access.
  - Click “Connect”, select “Bastion”, and choose RDP or SSH.
  - Enter the required credentials and initiate the session.
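The same deployment, scripted with the Azure CLI as an added example (this is not code from the original page or from Microsoft; resource names, the address ranges and the SSH key path are constructed placeholders). A pre-flight function checks the two things the portal steps depend on, that the subnet is named exactly AzureBastionSubnet and that its prefix is /27 or larger, before any `az` call is made. The script defaults to a dry run that only prints the commands; set `DRY_RUN=0` to execute them. The subnet is created as /26 rather than /27 because current Microsoft guidance requires /26 or larger for the Bastion subnet, which still satisfies the minimum stated above. The Standard SKU with tunneling enabled and the `bastion` CLI extension are required for the `az network bastion ssh` native-client session at the end.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): Azure CLI equivalent of the portal steps.
# All names and ranges below are constructed placeholders; override them via the environment.
set -eu

RG="${RG:-rg-bastion-demo}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-vnet-demo}"
VNET_PREFIX="${VNET_PREFIX:-10.0.0.0/16}"
BASTION_SUBNET="AzureBastionSubnet"          # Bastion requires exactly this subnet name
BASTION_PREFIX="${BASTION_PREFIX:-10.0.0.0/26}"
PIP="${PIP:-pip-bastion-demo}"
BASTION="${BASTION:-MyBastion}"
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands only, 0 = run them

# Pre-flight check: name must be AzureBastionSubnet and the prefix must be /27 or larger
# (a smaller prefix length means a bigger subnet). Returns 0 when the subnet is acceptable.
validate_bastion_subnet() {
  name="$1"; cidr="$2"
  [ "$name" = "AzureBastionSubnet" ] || { echo "subnet must be named AzureBastionSubnet, got $name" >&2; return 1; }
  case "$cidr" in
    */*) ;;
    *) echo "expected CIDR notation, got $cidr" >&2; return 1 ;;
  esac
  bits="${cidr##*/}"
  case "$bits" in
    ''|*[!0-9]*) echo "bad prefix length in $cidr" >&2; return 1 ;;
  esac
  [ "$bits" -le 27 ] || { echo "/$bits is too small; Bastion needs at least /27" >&2; return 1; }
  return 0
}

# Runs a command, or just echoes it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $*"; else "$@"; fi
}

# Steps 1 and 2 of the deployment above: subnet, public IP, Bastion host.
deploy_bastion() {
  validate_bastion_subnet "$BASTION_SUBNET" "$BASTION_PREFIX" || return 1
  run az group create --name "$RG" --location "$LOCATION"
  run az network vnet create --resource-group "$RG" --name "$VNET" \
      --address-prefix "$VNET_PREFIX" \
      --subnet-name "$BASTION_SUBNET" --subnet-prefix "$BASTION_PREFIX"
  # Bastion needs a Standard-SKU static public IP; the VMs behind it get none.
  run az network public-ip create --resource-group "$RG" --name "$PIP" \
      --sku Standard --allocation-method Static
  run az network bastion create --resource-group "$RG" --name "$BASTION" \
      --vnet-name "$VNET" --public-ip-address "$PIP" --location "$LOCATION" \
      --sku Standard --enable-tunneling true
}

# Step 3: open an SSH session through Bastion to a VM given its resource ID
# (placeholder argument; requires the `bastion` CLI extension).
connect_ssh() {
  vm_id="$1"; user="${2:-azureuser}"
  run az network bastion ssh --resource-group "$RG" --name "$BASTION" \
      --target-resource-id "$vm_id" --auth-type ssh-key \
      --username "$user" --ssh-key "$HOME/.ssh/id_rsa"
}

deploy_bastion
```

Run it once as-is to review the commands, then rerun with `DRY_RUN=0` to create the resources; afterwards `connect_ssh "<vm resource id>"` replaces the portal's “Connect” > “Bastion” step. The validation deliberately rejects a subnet with the right range but the wrong name, since Bastion will refuse to deploy into anything not called AzureBastionSubnet.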
Diagram: Azure Bastion Connection Flow
+----------------------------------------------+
|                 Azure Portal                 |
+----------------------------------------------+
                       |
                       | Secure Connection (SSL)
                       v
+----------------------------------------------+
|                 Azure Bastion                |
| (Deployed in AzureBastionSubnet in your VNet)|
+----------------------------------------------+
                       |
                       | Private IP Connection
                       v
+----------------------------------------------+
|                      VM                      |
| (No public IP required, accessed via Bastion)|
+----------------------------------------------+