Azure Bastion: Connecting Securely with Azure VMs – Blog
Microsoft Azure keeps innovating at a rapid pace. One recent release is Azure Bastion, a managed PaaS service that lets users securely access Azure Virtual Machines through the Azure Portal without installing any client.
RDP and SSH are the most common ways to connect to remote machines. Before Bastion, accessing a VM in Azure meant either exposing the RDP/SSH port publicly or standing up a separate jumpbox server that exposed those ports. That is both more work and more risk than it should be.
Azure Bastion changes this picture completely. It lets you connect securely to Azure Virtual Machines (VMs) over TLS directly from the Azure Portal, without exposing any ports. You can find out more information about this service here. We’re about to dive deep into the universe of Azure Bastion!
What is Azure Bastion?
Azure Bastion lets you connect to a virtual machine from your browser through the Azure portal. It is a fully managed PaaS service deployed inside your virtual network, providing secure and seamless RDP/SSH connectivity to your virtual machines over TLS via the portal. Your virtual machines need no agent, no public IP address, and no special client software.
Once Bastion is provisioned in a virtual network, it provides secure RDP/SSH connectivity to all VMs in that network. Bastion keeps the VMs’ RDP/SSH ports from being exposed to the outside world while still allowing secure access over RDP/SSH.
Azure Bastion Architecture:
The most straightforward way to describe Azure Bastion is as a managed jump host. Jump hosts, also known as jump boxes, are virtual machines attached to a virtual network. They are assigned a public IP address and protected by strict network traffic ingress/egress policies. The idea is to connect to the jump host and then use it to manage the production VMs.
Azure Bastion is deployed per virtual network, not per subscription, account or virtual machine. Once a Bastion host exists in your virtual network, every VM in that network gets the RDP/SSH experience. RDP and SSH are the most common ways to connect to Azure workloads.
Exposing RDP/SSH ports to the Internet is a bad idea: they are a significant attack surface, often because of protocol weaknesses. To reduce this risk, bastion hosts are deployed on the public side of your perimeter network. Bastion host servers are hardened to withstand attacks and are ready to use out of the box. They provide RDP and SSH connectivity to workloads behind the bastion and further inside the network.
The following figure helps you understand the Azure Bastion Architecture.
First, the Bastion host is deployed in a virtual network that contains a subnet named AzureBastionSubnet. This subnet needs a prefix of at least /27.
Second, any HTML5 browser can connect directly to the Azure portal.
Third, the user selects the virtual machine to connect to.
Next, a single click opens the RDP/SSH session in the browser.
Lastly, no public IP is required for the Azure VM.
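The five points above translate into a checklist a defender can verify before relying on Bastion: a subnet named exactly AzureBastionSubnet with a large enough prefix, VMs with no public IP, and no NSG rule still admitting RDP/SSH from the Internet. The following is an added example, not code from the original post or from Microsoft; the input dictionary and its field names (`subnets`, `vms`, `publicIp`, `nsgInbound`) are a constructed, simplified stand-in for what you would pull from the Azure CLI, not real CLI output.

```python
import ipaddress

BASTION_SUBNET = "AzureBastionSubnet"
# The post states a /27 minimum; current Azure docs require /26 or larger,
# so the threshold is a parameter rather than a hard-coded constant.
MIN_PREFIX_LEN = 27

# Constructed sample: one correctly sized Bastion subnet, one VM that is
# ready for Bastion (web01) and one that still has a public IP and an
# Internet-facing RDP rule (db01). 203.0.113.0/24 is a documentation range.
SAMPLE_VNET = {
    "subnets": [
        {"name": "AzureBastionSubnet", "addressPrefix": "10.0.1.0/27"},
        {"name": "workload", "addressPrefix": "10.0.2.0/24"},
    ],
    "vms": [
        {"name": "web01", "publicIp": None, "nsgInbound": []},
        {"name": "db01", "publicIp": "203.0.113.5",
         "nsgInbound": [{"port": 3389, "source": "Internet", "access": "Allow"}]},
    ],
}

INTERNET_SOURCES = {"Internet", "*", "0.0.0.0/0"}


def check_bastion_layout(vnet, min_prefix_len=MIN_PREFIX_LEN):
    """Return a list of findings; an empty list means the VNet matches the
    layout the post describes (Bastion subnet present, no public IPs, no
    RDP/SSH exposed to the Internet)."""
    findings = []
    bastion = [s for s in vnet["subnets"] if s["name"] == BASTION_SUBNET]
    if not bastion:
        findings.append(f"missing subnet named exactly {BASTION_SUBNET}")
    else:
        net = ipaddress.ip_network(bastion[0]["addressPrefix"], strict=True)
        # A larger prefix length means a smaller block, hence too small.
        if net.prefixlen > min_prefix_len:
            findings.append(f"{BASTION_SUBNET} is /{net.prefixlen}; "
                            f"needs /{min_prefix_len} or a larger block")
    for vm in vnet["vms"]:
        if vm.get("publicIp"):
            findings.append(f"{vm['name']}: has public IP {vm['publicIp']} "
                            "(not needed with Bastion)")
        for rule in vm.get("nsgInbound", []):
            if (rule["access"] == "Allow" and rule["port"] in (22, 3389)
                    and rule["source"] in INTERNET_SOURCES):
                findings.append(f"{vm['name']}: NSG allows port {rule['port']} "
                                f"from {rule['source']}")
    return findings
```

Running `check_bastion_layout(SAMPLE_VNET)` flags only db01, for both its public IP and its Internet-facing RDP rule.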
To fully understand Azure Bastion, we need to understand its most important features.
RDP and SSH directly from the Azure portal: with one click you can open an RDP or SSH session directly in the Azure portal.
Remote Session over TLS, Firewall Traversal for RDP/SSH – Bastion uses an HTML5 web client that streams to your local d.