If we need to access an Azure VM using RDP or SSH, most of the time we access it using the public IP address. In this way, the virtual machine will have a public IP address (static or dynamic) assigned to it, and RDP or SSH service ports will open to the internet via NSG. This method provides easy access but not a very secure method.
If we have VPN or Express Route connectivity to Azure, we can connect to virtual machines using private IP addresses. It is secure than the public IP address method. However, it required additional configuration at the network level.
Azure Bastion is a solution that we can use to access Azure VM securely without the use of public IP addresses or VPN connectivity. This is similar to using a jump-server to connect to resources in the remote network but instead of the traditional RDP method, it is using browser-based secure HTTP connectivity.
Azure Bastion deployment is per virtual network. Once Azure Bastion service is enabled in a virtual network, remote access (RDP/SSH) will be available for all the virtual machines in that particular virtual network. According to Microsoft’s recent announcement, Azure Bastion is now supporting VNet Peering. Let’s assume we enable Azure Bastion for a Virtual network which is already peered with another VNet. Now we do not need another Azure Bastion deployment to access virtual machines hosted in the peered network. We can use centralized Azure Bastion deployment to reach virtual machines in all peered networks. Azure Bastion supports two types of peering.
• Virtual network peering – Virtual network peering in the same Azure region
• Global virtual network peering – Virtual network peering between different Azure regions
In peered virtual networks, Azure Bastion can be deployed either using hub-and-spoke or full-mesh topologies. In this post, I am going to demonstrate how to deploy and use Azure Bastion with Global VNet peering.
Azure VNet peering allows connecting virtual networks seamlessly via Azure backbone infrastructure. This is similar to inter-VLAN routing in on-premises networks. VNet peering can use to connect virtual networks in the same Azure region or different Azure regions. If it is between regions, we call it “Azure Global VNet Peering“.
Global VNET Peering has the following benefits,
• Low latency and high bandwidth as it uses Azure network backbone
• No requirement for encryptions, VPN gateways, or public internet to connect VNnets
Demo Environment
The following diagram explains what we going to set up in this demo.
Here we are going to create three resource groups in three different Azure regions. Each resource group will have its own Azure virtual network. For the connectivity, we will be using the hub-and-spoke network model. EUSVnet1 & UKSVnet1 will be Spoke virtual networks and BASVnet1 will be the Hub virtual network. Both Spoke virtual networks will have Global VNet peering with Hub virtual network. We will enable Azure Bastion service on hub virtual network (BASVnet1) and try to connect to virtual machines hosted in Spoke virtual networks. I have summarized virtual network configuration as follows,
| Resource Group | Azure Virtual Network | Address Space | Azure Region |
| EUSRG1 | EUSVnet1 | 10.15.0.0/16 | East US |
| UKSRG1 | UKSVnet1 | 10.75.0.0/16 | UK South |
| BASRG1 | BASVnet1 | 10.2.0.0/16 | West US |
For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0
Create Resource Groups
As the first part of the configuration, I am going to create three new resource groups. To do that,
1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Then create two new resource group using,
New-AzResourceGroup -Name EUSRG1 -Location “East US”
New-AzResourceGroup -Name UKSRG1 -Location “UK South”
New-AzResourceGroup -Name BASRG1 -Location “West US”
In the above, EUSRG1, UKSRG1 & BASRG1 are the names of new resource groups. From those, EUSRG1 is created in Azure East US region. UKSRG1 is created in Azure UK South region and BASRG1 is created in Azure West US region.
Create Spoke Virtual Networks
According to the plan, we need two virtual networks under EUSRG1 & UKSRG1 resource groups. Let’s start the configuration process by creating a virtual network under EUSRG1.
$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.15.0.0/24”
New-AzVirtualNetwork -Name EUSVnet1 -ResourceGroupName EUSRG1 -Location “East US” -AddressPrefix “10.15.0.0/16” -Subnet $vmsubnet
In the above, EUSVnet1 is the new virtual network name. It has 10.15.0.0/16 address space. It also has a new subnet 10.15.0.0/24 (vmsubnet) for virtual machines.
Then let’s go ahead and create another virtual network under UKSRG1 resource group. This will be in UK South Azure region.
$vmsubnet2 = New-AzVirtualNetworkSubnetConfig -Name vmsubnet2 -AddressPrefix “10.75.0.0/24”
New-AzVirtualNetwork -Name UKSVnet1 -ResourceGroupName UKSRG1 -Location “UK South” -AddressPrefix “10.75.0.0/16” -Subnet $vmsubnet2
In the above, UKSVnet1 is the new virtual network name. It has 10.75.0.0/16 address space. It also has a new subnet 10.75.0.0/24 (vmsubnet2) for virtual machines. [Continue reading] about Step-by-Step Guide: How to use Azure Bastion with Global VNet Peering?
