If we need to access an Azure VM using RDP or SSH, the most common method is to use a public IP. In this method, the virtual machine has a public IP address (static or dynamic) assigned to it, and the RDP or SSH service ports are opened to the public via an NSG. This is easy, but it is not a very secure method.
If we have VPN or ExpressRoute connectivity to Azure, we can connect to virtual machines using their private IP addresses. This is more secure than the public IP address method, but it requires additional configuration at the network level.
Azure Bastion is a solution we can use to access Azure VMs securely without public IP addresses or VPN connectivity. It is similar to using a jump server to connect to resources in a remote network, but instead of the traditional RDP method it uses browser-based secure HTTP (HTTPS) connectivity. Let's explore the Azure Bastion solution a bit more.
1. This service is now generally available (since 4 November 2019). However, it is still only available in six Azure regions: Australia East, East US, Japan East, South Central US, West Europe, and West US.
2. The Azure Bastion service is deployed per virtual network.
3. Users connect to the Azure Bastion service via the Azure portal; the connectivity is browser-based. From the user's end, only TCP port 443 needs to be open.
4. Machines in the virtual network do not need public IP addresses assigned. The Bastion service connects to virtual machines using their private IP addresses.
5. Azure Bastion is a fully managed PaaS service, so we do not need to worry about hardening or protecting it.
In this post, I am going to demonstrate how we can enable the Azure Bastion service.
Create Virtual Machines
Before we go into the Azure Bastion service setup, I am going to create one Windows Server 2019 virtual machine and one Ubuntu Linux virtual machine. These machines will not have any public IP address assigned. After that, I will demonstrate how we can access them securely using the Azure Bastion service.
1. Log in to Azure portal (https://portal.azure.com) as Global Administrator
2. Go to Virtual Machines | + Add
3. Create a Windows Server 2019 server with the following settings:
Resource Group Name (new): REBELBASTION
Virtual Machine Name: REBELWIN01
Region: East US
Image: Windows Server 2019 Datacenter
Size: Standard D2s v3
Public inbound ports: None
Virtual network: REBELBASTION-vnet
Subnet: 10.0.3.0/24
Public IP: None
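The same build can be scripted with the Az PowerShell module instead of clicking through the portal. The script below is an added example written for this post, not the author's own code. It assumes the Az module is installed and Connect-AzAccount has already been run with an account that can create resources. It creates the resource group, virtual network and REBELWIN01 from step 3 with the two properties that matter for a Bastion-only design: the NIC is created without a public IP, and the NSG attached to it carries no inbound allow rules. The 'default' subnet name, the 10.0.0.0/16 address space, the REBELWIN01-nic and REBELWIN01-nsg names and the Test-PrivateOnlyVm function are my own choices, not values from the post.

```powershell
# Assumption: Az module installed, Connect-AzAccount already done.
$rg       = 'REBELBASTION'
$location = 'EastUS'

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Virtual network with the 10.0.3.0/24 workload subnet from the post.
# (Address space and subnet name are my own assumptions.)
$subnetCfg = New-AzVirtualNetworkSubnetConfig -Name 'default' -AddressPrefix '10.0.3.0/24'
$vnet = New-AzVirtualNetwork -Name 'REBELBASTION-vnet' -ResourceGroupName $rg `
            -Location $location -AddressPrefix '10.0.0.0/16' -Subnet $subnetCfg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'default' -VirtualNetwork $vnet

# NSG with no custom rules: only the platform default rules apply, so nothing
# from the Internet can reach RDP (3389). This is the "Public inbound ports: None" setting.
$nsg = New-AzNetworkSecurityGroup -Name 'REBELWIN01-nsg' -ResourceGroupName $rg -Location $location

# NIC with a private IP only: no -PublicIpAddressId, which is "Public IP: None".
$nic = New-AzNetworkInterface -Name 'REBELWIN01-nic' -ResourceGroupName $rg -Location $location `
            -SubnetId $subnet.Id -NetworkSecurityGroupId $nsg.Id

# Local administrator credential for the VM (prompted, never hard-coded).
$cred = Get-Credential -Message 'Local administrator account for REBELWIN01'

$vmConfig = New-AzVMConfig -VMName 'REBELWIN01' -VMSize 'Standard_D2s_v3' |
    Set-AzVMOperatingSystem -Windows -ComputerName 'REBELWIN01' -Credential $cred |
    Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
                        -Skus '2019-Datacenter' -Version 'latest' |
    Add-AzVMNetworkInterface -Id $nic.Id

New-AzVM -ResourceGroupName $rg -Location $location -VM $vmConfig | Out-Null

# Verification: confirm nothing in the resource group exposes the VMs directly.
# Returns an empty array when every NIC is private-only and no NSG allows
# RDP/SSH (or all ports) inbound from the Internet.
function Test-PrivateOnlyVm {
    param([Parameter(Mandatory)][string]$ResourceGroupName)

    $findings = @()

    foreach ($n in Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName) {
        foreach ($cfg in $n.IpConfigurations) {
            if ($null -ne $cfg.PublicIpAddress) {
                $findings += "NIC $($n.Name): public IP attached to ipconfig $($cfg.Name)"
            }
        }
    }

    foreach ($g in Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName) {
        $exposed = $g.SecurityRules | Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
            ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet') -and
            ($_.DestinationPortRange -contains '3389' -or
             $_.DestinationPortRange -contains '22'   -or
             $_.DestinationPortRange -contains '*')
        }
        foreach ($r in $exposed) {
            $findings += "NSG $($g.Name): rule $($r.Name) allows inbound " +
                         "$($r.DestinationPortRange -join ',') from $($r.SourceAddressPrefix -join ',')"
        }
    }

    return $findings
}

$issues = Test-PrivateOnlyVm -ResourceGroupName $rg
if ($issues.Count -eq 0) { 'OK: VMs in REBELBASTION are reachable only via private IP' }
else                     { $issues }
```

The Ubuntu machine follows the same pattern; only the Set-AzVMOperatingSystem (-Linux) and Set-AzVMSourceImage values change. Test-PrivateOnlyVm only matches rules whose destination is written as 3389, 22 or *, so a rule using a port range such as 3000-4000 would not be flagged; extend the port check if your NSGs use ranges.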