What is Azure Bastion?

By: Microtek Learning


Azure Bastion

In this blog I am going to introduce a service called Azure Bastion and discuss more on the working, architecture and why and when to use this product. This is an important product which is widely used to increase the security of the architecture that the customer has on the cloud. Moreover this is a topic which you are preparing for AZ 303 and AZ 700 certifications.

When customers deploy their resources in Azure and want to access that resource there are many ways to do it. One such way is to access resources using the Internet using the resource’s public IP address. Other way is to use VPN (Virtual Private Network) or P2S (Point to Site) which is a secured way to access the resource. But the problem with VPN and P2S is that both need a Virtual Network Gateway which is chargeable per hour for the deployment and cost may increase based on the amount of traffic that is sent over the gateway. Another factor is that this setup will need configuration at the client side which add up to the administrative cost. 

Since accessing the resource over the Internet is a simpler and cheaper option security is the major concern. Let me explain how exposing a server’s SSH or RDP port to the Internet is risky. The number of attacks that is trending towards the servers on the cloud is increasing day by day and it is important not to expose your critical services’ RDP and SSH ports to wide internet. So, the way architects design the system is having a DMZ built which is exposed to the Internet and critical servers are part of the network will not be exposed to the Internet. So, access to the servers will happen via the specialized server in the DMZ zone called Jump box. 

Jump boxes are the servers which are typically VMs which is exposed to the internet. Now, the problem with the Jump box is that the server needs to be managed, patched by the customers. In order to solve this problem Azure came up with a product called Azure Bastion which is a Microsoft managed Jump box as a service. 

With this Bastion, one can access the Virtual Machine without using Public IP address. RDP or SSH is possible via the browser which makes it easier for the users who are using different Operating Systems. Since the entire session happens over TLS, it can bypass firewall and users don’t want to contact their administrator to allow RDP or SSH access in their On-Premises. Since the Virtual Machine is not exposed to the Internet directly, the port scanning attacks can be prevented. 

When a Virtual Machine is exposed to the Internet and in order to secure the server, administrator will be using Network Security Groups to harden the server. This is a time consuming process and there are changes of human error leading to exposing the server to the internet. With Azure Bastion, we can have a centralized place where the user can implement the Network Security requirements and it makes management easy. Bastion will be able to withstand any such attack. 

Azure Bastion comes with 2 SKUs:

1.    Basic 
2.    Standard 

Basic SKU has the following features:

1.    Connect to destined VMs in peered virtual networks
2.    Access Linux Virtual Machine Private Keys in Azure Key Vault 
3.    Connect to Linux Virtual Machine using RDP
4.    Connect to Windows Virtual Machine using SSH

Standard SKU has the following features:

1.    Connect to destined VMs in peered virtual networks
2.    Access Linux Virtual Machine Private Keys in Azure Key Vault 
3.    Connect to Linux Virtual Machine using SSH
4.    Connect to Windows Virtual Machine using RDP
5.    Host scaling - Increasing the number of host instances lets Azure Bastion manage more concurrent sessions. Decreasing the number of instances decreases the number of concurrent supported sessions. Azure Bastion supports up to 50 host instances.
6.    Can assign custom port to the RDP or SSH sessions. 
7.    Connect to Linux Virtual Machine using RDP
8.    Connect to Windows Virtual Machine using SSH
9.    File transfer from the local machine to Azure Virtual Machine.


Azure Bastion needs to be deployed in a VNET with a subnet named “Azure Bastion Subnet” which need to have minimum of /26 prefix. When a user wants to connect to the VM, on the VM’s overview page the user gets a option named connect. When connect is clicked, the user gets to choose whether the user wants to use bastion or Private IP or its Public IP address. When clicked on Bastion, then user will need to choose the protocol whether its RDP or SSH based on the Operating System of the Virtual Machine. Once that is chosen and user name and password are filled, a new tab opens where the RDP/SSH session is formed to the VM which is selected. 

The data flows from the browser to the Azure Bastion over HTML5 and then gets terminated at the Bastion. Based on the protocol that is been chosen, Bastion creates a new connection to the VM which is present in the VNET with the protocol specified. This is how a user can get into the VM using Azure bastion. 
Another important thing to note is that:

Below are the roles which are required by the user to access Bastion:
•    Reader role for VM, NIC which has Private IP. 
•    Reader role on the Azure Bastion resource.
•    Reader Role on VNET. 

Currently Azure Bastion is used to connect to a Virtual Machine which can be Windows or Linux based systems, Virtual Machine Scale Sets, Azure Devtest Lab machines. 

Leave a message here

Get In Touch
Are you being sponsored by your employer to take this class?
* I authorize Microtek Learning to contact me via Phone/Email