Azure Bastion: Remote VM access in your Web browser

One of the many benefits of partnering with Microsoft is that occasionally Xello gets to see, explore and put to the test upcoming products and services ahead of time.

With Azure Bastion finally being announced and released to public preview, we’ve had Bastion for a while and are keen to share our impressions of its capabilities. 

In short, for remote VM access directly in your web browser and private virtual machine access, it’s awesome and well worth looking into.

Today’s blog post from our senior consultant James Auchterlonie will explain what Azure Bastion is, why you should use it, and how to deploy the service in your business.

What is Azure Bastion?

Azure Bastion is designed to allow administrative access to a virtual machine without leaving the browser.

In Microsoft high level architecture for protected services, you can see an IaaS Bastion Host in the bottom left corner. While these hosts do increase security, they come with a few drawbacks; you need to maintain and harden them against vulnerabilities, and you need to pay extra to run them  as they can possibly introduce more vulnerabilities.

Azure Bastion removes the need for this IaaS Virtual machine, simonizing your network footprint, maintenance overhead and allows you to get on with your day-to-day ops.

Azure Bastions example diagram

Why should I use Bastion hosts?

If you haven’t already guessed, Azure Bastion increase security in a number of different ways.

  • Logging: Who accessed what, when and what did they do?
  • Protecting your application against (some) port scanning.
  • Harden a single external endpoint.
  • Prevent rogue SSH/RDP access by adding an additional layer.
  • Slow down attackers.

Some key advantages that Microsoft touts in their official documentation for Azure Bastion include:

  • RDP directly in Azure Portal.
  • SSH directly in Azure Portal.
  • Remote Session over HTML5 (HTTPS/443).
  • No Public IP required on the Azure VM.
  • No hassle of managing NSGs.
  • No Firewall Traversal for RDP/SSH.

How do I turn Azure Bastion on?

Azure Bastion is extremely easy to activate, provided you have the appropriate network size.

First, you need to assign a complete subnet to the service, ensuring that it  is larger than a /27 address space. The subnet must also match the name “AzureBastionSubnet’.

brave_M0JqiHVaop

Next, search for the Azure Bastion service within the Azure Portal. 

brave_chw85d2Agc

Select Create Azure Bastion, and fill out the required details.

brave_YaZdVH4sQI

From here, select Review + Create, and just like that – you have a enabled Azure Bastion for your network.

How do I connect to Azure Bastion for remote VM access?

Once you have enabled Azure Bastion, you can use the existing connection pane within the Azure portal to connect into your virtual machines.

You should now notice an extra “Azure Bastion” section under the connection pop-up.


If successful, you should have a new tab opened within your Web browser of choice. 

brave_0P3WW2p2c8

Azure Bastion: Early Thoughts and Minor Drawbacks

While I write this post, Azure Bastion is in public preview.

If I click publish, someone somewhere at Microsoft would be quite upset with me. There are a couple of caveats that you currently need to  be aware of when using it.

  • Azure Bastion currently doesn’t support Hub + Spoke vnet deployments. You will need to add a Bastion subnet for each vnet that you intend to use. 
  • Azure Bastion is HTML 5 and it does lack a couple of features you might be used to within RDP; I found copy/paste to be a bit flaky.
  • You currently cannot use Azure AD Sign in.
  • There isn’t currently a way to view who is using a Bastion session in the portal – you can use the event logs on each host if you’re desperate to get this information. 

That being said, this is easily one of my favourite ‘little releases’ of 2019 and I hope I can release this post as soon as possible.

The reason for this is the level of separation it provides for administrative hosts within Microsoft Azure.

Combine this solution with Just in Time network access, and you can easily avoid using any internet facing hosts – all with platform native tools. Another big win for Microsoft.

Liked this post? Feel free to reach out to the Xello team for more hands-on guidance on how Azure Bastions can fit your setup. Keep this page bookmarked as we update it with the latest capabilities as Azure Bastion continues to evolve past its public preview stage.

Originally Posted on xello.com.au

Published by jameswestall

I'm a Consultant for Arinco Australia, specializing in securing Azure & AWS cloud infrastructure. I'm passionate about cyber security, cloud native technology and DevOps practices. Hate buzzwords, and love a good rant…

Leave a Comment

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s