Currently, to connect to Azure VM without a VPN you have two choice: RDP or SSH. A public IP address must be set to these VM. So, your critical workloads are facing Internet directly and it can lead to security issues. To avoid that, some customers uses VPN to connect to VMs without using a public IP address such as point-to-site or site-to-site.

Soon we will have another way to connect to these VMs without IP address: Azure Bastion. Currently this feature is still in preview, but you can try it from the preview Azure Portal. This feature enables to connect to RDP or SSH endpoint over SSL. That means that you can open a RDP or SSH session from the Azure Portal. Thanks to Azure Bastion, the public IP address is not a required to connect to the Azure VMs.

Top-level Azure Bastion architecture

Azure Bastion is deployed inside the virtual network. A specific subnet must be created, and the IP range must be /27 at least. Once the Azure Bastion is implemented, all Azure VMs connected to the virtual network will be reachable through the Azure Bastion.

Configure the virtual network

First of all, a virtual network must be created. Open the marketplace and look for Virtual Network. Then specify settings such as the name, the address space and so on.

Configure the virtual network

Once the virtual network is created, open its settings and add a new subnet called AzureBastionSubnet. The address range must be at least /27.

AzureBastionSubnet

So the virtual network should have at least two subnets: one for the VM and the other for the Azure Bastion.

Two subnets: one for the VM and the other for the Azure Bastion

Deploy Azure Bastion

Because Azure Bastion is a preview, you have to enable some feature from PowerShell. The following cmdlets log you on Azure and enable Azure Bastion preview.

Next you have to connect to the preview Azure Portal. Open the market place and look for Bastion. Select Bastion (Preview).

Deploy Azure Bastion

Then click on create.

Bastion (Preview)

Provide a name to your bastion and select the virtual network you have previously created. The wizard should select automatically the AzureBastionSubnet.

A public IP is required. You can provision it manually or you can leave the wizard create one for you.

A public IP is required

At the end of the wizard you can review your settings. Click on Create to start the Azure Bastion deployment.

Review your settings

Try the Azure Bastion

While the Azure Bastion is deploying, I create two virtual machines based on Ubuntu and Windows Server.

Try the Azure Bastion

I connect these virtual machines to the virtual network where Bastion was implemented and I don’t configure public inbound ports.

virtual network interface

When the VM is deployed, you can click on Connect to open a session.

Connect to open a session

Now a right-side blade appears and you can choose Bastion. For a Windows VM, specify your credentials.

Specify your credentials

As you can see in the following screenshot, a RDP session is opened in the Azure Portal over SSL.

RDP session is opened in the Azure Portal over SSL

If you connect to a Linux VM, you can specify credentials but also a SSH private key.

Pass or SSH private key

Once connected, you have access to an SSH from the Azure Portal.

You have access to an SSH from the Azure Portal

VSAN from StarWind eliminates any need for physical shared storage just by mirroring internal flash and storage resources between hypervisor servers. Furthermore, the solution can be run on the off-the-shelf hardware. Such design allows VSAN from StarWind to not only achieve high performance and efficient hardware utilization but also reduce operational and capital expenses.

Learn more about ➡ VSAN from StarWind

Conclusion

Azure Bastion is a good feature to increase the security level of your Azure infrastructure. Thanks to this feature, you don’t need a public IP on Azure VM to open an RDP/SSH session. When Azure Bastion will be GA, I think that will be a must have.

Views All Time
7
Views Today
20
Appreciate how useful this article was to you?
No Ratings Yet
Loading...
Back to blog
The following two tabs change content below.
Romain Serre
Romain Serre
Senior consultant at Exakis
Romain Serre works in Lyon as a Senior Consultant. He is focused on Microsoft Technology, especially on Hyper-V, System Center, Storage, networking and Cloud OS technology as Microsoft Azure or Azure Stack. He is a MVP and he is certified Microsoft Certified Solution Expert (MCSE Server Infrastructure & Private Cloud), on Hyper-V and on Microsoft Azure (Implementing a Microsoft Azure Solution).