If we need to access an Azure VM using RDP or SSH, most of the time we access it using the public IP address. In this way, the virtual machine will have a public IP address (static or dynamic) assigned to it, and RDP or SSH service ports will open to the internet via NSG. This method provides easy access but not a very secure method.
If we have VPN or Express Route connectivity to Azure, we can connect to virtual machines using private IP addresses. It is secure than the public IP address method. However, it required additional configuration at the network level.
Azure Bastion is a solution that we can use to access Azure VM securely without the use of public IP addresses or VPN connectivity. This is similar to using a jump-server to connect to resources in the remote network but instead of the traditional RDP method, it is using browser-based secure HTTP connectivity.
Azure Bastion deployment is per virtual network. Once Azure Bastion service is enabled in a virtual network, remote access (RDP/SSH) will be available for all the virtual machines in that particular virtual network. According to Microsoft’s recent announcement, Azure Bastion is now supporting VNet Peering. Let’s assume we enable Azure Bastion for a Virtual network which is already peered with another VNet. Now we do not need another Azure Bastion deployment to access virtual machines hosted in the peered network. We can use centralized Azure Bastion deployment to reach virtual machines in all peered networks. Azure Bastion supports two types of peering.
• Virtual network peering – Virtual network peering in the same Azure region
• Global virtual network peering – Virtual network peering between different Azure regions
In peered virtual networks, Azure Bastion can be deployed either using hub-and-spoke or full-mesh topologies. In this post, I am going to demonstrate how to deploy and use Azure Bastion with Global VNet peering.
Azure VNet peering allows connecting virtual networks seamlessly via Azure backbone infrastructure. This is similar to inter-VLAN routing in on-premises networks. VNet peering can use to connect virtual networks in the same Azure region or different Azure regions. If it is between regions, we call it “Azure Global VNet Peering“.
Global VNET Peering has the following benefits,
• Low latency and high bandwidth as it uses Azure network backbone
• No requirement for encryptions, VPN gateways, or public internet to connect VNnets
The following diagram explains what we going to set up in this demo.
Here we are going to create three resource groups in three different Azure regions. Each resource group will have its own Azure virtual network. For the connectivity, we will be using the hub-and-spoke network model. EUSVnet1 & UKSVnet1 will be Spoke virtual networks and BASVnet1 will be the Hub virtual network. Both Spoke virtual networks will have Global VNet peering with Hub virtual network. We will enable Azure Bastion service on hub virtual network (BASVnet1) and try to connect to virtual machines hosted in Spoke virtual networks. I have summarized virtual network configuration as follows,
|Resource Group||Azure Virtual Network||Address Space||Azure Region|
For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0
Create Resource Groups
As the first part of the configuration, I am going to create three new resource groups. To do that,
1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Then create two new resource group using,
New-AzResourceGroup -Name EUSRG1 -Location “East US”
New-AzResourceGroup -Name UKSRG1 -Location “UK South”
New-AzResourceGroup -Name BASRG1 -Location “West US”
In the above, EUSRG1, UKSRG1 & BASRG1 are the names of new resource groups. From those, EUSRG1 is created in Azure East US region. UKSRG1 is created in Azure UK South region and BASRG1 is created in Azure West US region.
Create Spoke Virtual Networks
According to the plan, we need two virtual networks under EUSRG1 & UKSRG1 resource groups. Let’s start the configuration process by creating a virtual network under EUSRG1.
$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.15.0.0/24”
New-AzVirtualNetwork -Name EUSVnet1 -ResourceGroupName EUSRG1 -Location “East US” -AddressPrefix “10.15.0.0/16” -Subnet $vmsubnet
In the above, EUSVnet1 is the new virtual network name. It has 10.15.0.0/16 address space. It also has a new subnet 10.15.0.0/24 (vmsubnet) for virtual machines.
Then let’s go ahead and create another virtual network under UKSRG1 resource group. This will be in UK South Azure region.
$vmsubnet2 = New-AzVirtualNetworkSubnetConfig -Name vmsubnet2 -AddressPrefix “10.75.0.0/24”
New-AzVirtualNetwork -Name UKSVnet1 -ResourceGroupName UKSRG1 -Location “UK South” -AddressPrefix “10.75.0.0/16” -Subnet $vmsubnet2
In the above, UKSVnet1 is the new virtual network name. It has 10.75.0.0/16 address space. It also has a new subnet 10.75.0.0/24 (vmsubnet2) for virtual machines.
Create Virtual Machines for Testing
Later on, we are going to test remote access to virtual machines running on Spoke virtual networks by using Azure Bastion. For that, first, we need to create test virtual machines in EUSRG1 and UKSRG1 resource groups. Let’s start the process by creating a test VM in EUSRG1 resource group.
$mylogin = Get-Credential
New-AzVm -ResourceGroupName EUSRG1 -Name “EUSRGVM01” -Location “East US” -VirtualNetworkName “EUSVnet1” -SubnetName “vmsubnet” -addressprefix 10.15.0.0/24 -OpenPorts 3389 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin
In the above, I am creating a virtual machine called EUSRGVM01 in East US Azure region. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 VM size. For networking, it uses EUSVnet1 virtual network and subnet 10.15.0.0/24.
Same way, I am going to create a new virtual machine under UKSRG1 resource group.
$mylogin = Get-Credential
New-AzVm -ResourceGroupName UKSRG1 -Name “UKSRGVM01” -Location “UK South” -VirtualNetworkName “UKSVnet1” -SubnetName “vmsubnet2” -addressprefix 10.75.0.0/24 -OpenPorts 3389 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin
In the above, I am creating a virtual machine called UKSRGVM01 in UK South Azure region. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 VM size. For networking, it uses UKSVnet1 virtual network and subnet 10.75.0.0/24.
Create an Azure Bastion resources
The next step of the configuration is to create Azure bastion resources in the Hub network. Before we do that, we need to create a Hub virtual network.
$azsubnetname = “AzureBastionSubnet”
$azsubnet = New-AzVirtualNetworkSubnetConfig -Name $azsubnetname -AddressPrefix 10.2.0.0/24
$vnet = New-AzVirtualNetwork -Name “BASVnet1” -ResourceGroupName “BASRG1” -Location “West US” -AddressPrefix 10.2.0.0/16 -Subnet $azsubnet
In the above, BASVnet1 is the new virtual network name. It has 10.2.0.0/16 address space. It also has a new subnet 10.2.0.0/24 for Azure Bastion. This subnet name must be set to AzureBastionSubnet. It should at least have /27 suffix.
Then we need to create Public IP address for Azure Bastion.
$pip = New-AzPublicIpAddress -ResourceGroupName “BASRG1” -name “BASPublicIP” -location “West US” -AllocationMethod Static -Sku Standard
Now we have everything in place to create Azure Bastion resource. We can go ahead and set up it using,
New-AzBastion -ResourceGroupName “BASRG1” -Name “REBELBastion” -PublicIpAddress $pip -VirtualNetwork $vnet
This will take 5-10 minutes to complete.
Create Global VNet Peering
As the next step of the configuration, we need to create Global VNet Peering between Hub and Spoke virtual networks.
First, I am going to create peering from BASVnet1 to EUSVnet1
$vnet1 = Get-AzVirtualNetwork -Name BASVnet1 -ResourceGroupName BASRG1
$vnet2 = Get-AzVirtualNetwork -Name EUSVnet1 -ResourceGroupName EUSRG1
Add-AzVirtualNetworkPeering -Name BASVnet1toEUSVnet1 -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet2.Id
Same way we also need to initiate peering from EUSVnet1 to BASVnet1
Add-AzVirtualNetworkPeering -Name EUSVnet1toBASVnet1 -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet1.Id
We also need to create peering from BASVnet1 to UKSVnet1
$vnet3 = Get-AzVirtualNetwork -Name BASVnet1 -ResourceGroupName BASRG1
$vnet4 = Get-AzVirtualNetwork -Name UKSVnet1 -ResourceGroupName UKSRG1
Add-AzVirtualNetworkPeering -Name BASVnet1toUKSVnet1 -VirtualNetwork $vnet3 -RemoteVirtualNetworkId $vnet4.Id
Then we need to create peering from UKSVnet1 to BASVnet1
Add-AzVirtualNetworkPeering -Name UKSVnet1toBASVnet1 -VirtualNetwork $vnet4 -RemoteVirtualNetworkId $vnet3.Id
This completes the configuration part. Next step is to do testing.
We have only enabled Azure Bastion on the Hub network. What we need to test is if we can use Azure Bastion with virtual machines running in Spoke networks.
To do that,
1. Log in to Azure portal (https://portal.azure.com) as Global Administrator
2. Go to Virtual Machines
3. From the VM list, click on the EUSRGVM01 virtual machine which we created in the earlier step.
4. On properties, page click on Connect
5. From the list select Bastion
6. On the Bastion service page click on Use Bastion
7. On the next page, we can see it is using Azure Bastion resources we created in the Hub network. To test the connectivity, type the VM login details and click on Connect
8. As expected, I can connect to VM without issue.
9. In the same way I was able to connect UKSRGVM01 virtual machine in UK South Azure region.
This confirms the Azure Bastion is working with Global VNet peering is working as expected.
This marks the end of this blog post. If you have any further questions about this feel free to contact me at email@example.com also follow me on Twitter @rebeladm to get updates about new blog posts.
All the PowerShell commands used in this demo is available on https://github.com/rebeladm/rebeladm/blob/master/AzureBastion.ps1