{"id":38880,"date":"2020-04-12T09:01:36","date_gmt":"2020-04-12T16:01:36","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/premier-developer\/?p=38880"},"modified":"2020-03-26T09:34:46","modified_gmt":"2020-03-26T16:34:46","slug":"azure-bastion-secure-access-to-azure-vms","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/premier-developer\/azure-bastion-secure-access-to-azure-vms\/","title":{"rendered":"AZURE BASTION \u2013 SECURE ACCESS to AZURE VMS"},"content":{"rendered":"

App Dev Manager Vijetha Marinagammanava<\/a>r<\/span> spotlights secure access to Azure VMs using Bastion.<\/p>\n

\n

In this blog post, I am going to introduce you to Azure Bastion and show how to create your first Azure Bastion host.<\/p>\n

Azure Bastion is a new fully platform-managed PaaS service. It provides secure and seamless RDP\/SSH connectivity to your virtual machines directly in the Azure portal over SSL. When you connect via Azure Bastion, your virtual machines do not need a public IP address.<\/p>\n

Customers connecting to VM\u2019s on private networks face security risks all the time. Exposing network assets to the public internet through Remote Desktop Protocol and Secure Shell increases the security perimeter, making it harder to manage and protect them. Azure Bastion is provisioned directly in a customer’s Virtual Network and supports all VMs in their VNet using SSL, without any exposure through public IP addresses.<\/p>\n

Azure Bastion service is generally available now. This blog will provide a quick introduction of the service and steps to enroll the service in the environment to reach Azure VMs (Windows) over a secure way.<\/p>\n

The availability of Azure Bastion is updated on Microsoft documentation. Please refer to https:\/\/docs.microsoft.com\/en-us\/azure\/bastion\/bastion-overview<\/a> for region availability and pricing.<\/p>\n

\"AzureAzure Bastion architecture<\/strong><\/p>\n

Key features<\/strong><\/p>\n

    \n
  1. RDP and SSH directly in the portal<\/li>\n
  2. Remote session over SSL for SSH\/RDP<\/li>\n
  3. No public IP needed on the Azure VM<\/li>\n
  4. No need for an Agent inside the Azure VM<\/li>\n
  5. Browser support for Edge and Google Chrome<\/li>\n<\/ol>\n

    Create an Azure Bastion Resource<\/strong><\/p>\n

      \n
    1. There are two ways to deploy an Azure Bastion Host over the Portal or via the Azure VM Blade.<\/li>\n
    2. Login to your Azure portal and click \u201cCreate a new resource<\/strong>\u201d.<\/li>\n
    3. Then search for\u00a0Bastion<\/strong>. Click\u00a0Create<\/strong>\u00a0to start the deployment wizard.<\/li>\n
    4. Now choose a\u00a0resource group\u00a0<\/strong>to host the bastion resource, give it a\u00a0name\u00a0<\/strong>and pick a\u00a0region (east-us for the demo)<\/strong>. The Azure Bastion is deployed in a VNET, there is one-to-one relation between your VNETs, and your Azure bastion resources.<\/li>\n
    5. We are using newly created VNET\u00a0\u201cvnet-demo\u201d<\/strong>\u00a0that is hosted for demo purpose. Please note that the wizard prompts to create a subnet in that VNET with an exact name of\u00a0AzureBastionSubnet<\/strong>\u00a0and with an IP prefix of at least\u00a0\/27.<\/strong> <\/li>\n
    6. Create Subnet per requirements<\/li>\n
    7. Go back to the Azure Bastion deployment wizard and select the vnet and newly created subnet.<\/li>\n
    8. Azure bastion host requires creating a public IP address that will be used for SSL connectivity only from the internet. Now this IP is not going to be attached to your VMs in anyway.\nAzure automatically assigns a public IP to the service and generates a name that corresponds to the VNET declaration.<\/li>\n
    9. Tagging: Don\u00b4t forget to assign tags for the service and all other resources, this helps you to get a well-defined Azure infrastructure.<\/li>\n
    10. Click \u201cReview + create \u201c. The service will be provisioned in your VNET.<\/li>\n
    11. Connect to a virtual machine: Select they virtual machine inside \u201cvnet-demo\u201d VNET.<\/li>\n
    12. Click \u201cConnect<\/strong>\u201d and you will see 3 options \u2013 RDP, SSH and Bastion.\nSelect \u201cBastion<\/strong>\u201d.<\/li>\n
    13. Enter the VM user credentials to connect to the VM and hit \u201cConnect<\/strong>\u201d\n<\/li>\n<\/ol>\n

      Security<\/strong><\/p>\n

      Azure Bastion is a fully managed service by Microsoft and Microsoft hardens the service by default, but hardening to secure the Bastion host we should harden the subnet and use an NSG.<\/p>\n

      Create an NSG and define the following rules to the NSG,<\/p>\n