Azure Bastion is a new service which enables you to have private and fully managed RDP and SSH access to your Azure Virtual Machines. An Azure Bastion secures your strategic and critical assets in order to protect you from cyber risks. It is the only node exposed to the internet and it is acting like a Gateway.

Check the architecture on the following schema from Microsoft Docs:

Schema from Microsoft Docs

In this article, I will explain how to create an Azure Bastion host.

Prerequisites

The public preview is limited to the following Azure public regions:

  • West US
  • East US
  • West Europe
  • South Central US
  • Australia East
  • Japan East

To create an Azure Bastion, you must create a Virtual Network with the name “AzureBastionSubnet” and with the prefix of at least /27.

How does it work?

Once you provision the Azure Bastion in a Virtual Network, it is available to all your Virtual Machines in the same virtual network. It means that the deployment is per virtual network. Then a Public IP Address will be assigned to your Azure Bastion. When you will connect to a Virtual Machine, a new tab will be opened in your web browser. When you connect via Azure Bastion, your virtual machines do not need a public IP address.

Registering

The first step is to register for the preview. To perform this task, you must be signed into your Azure Account and then you must be enrolled with the following command:

Register-AzProviderFeature

The second step is to register your Azure subscription:

Register-AzResourceProvider

You can check that the feature is registered using the following command:

ProviderNamespace

Creating an Azure Bastion Host

Once the feature is registered, then you can open the Azure Portal Preview from this URL: http://aka.ms/BastionHost

Creating an Azure Bastion Host

Specify the configuration settings for your Bastion resource:

  1. Select a Resource Group
  2. Enter the name of your Azure Bastion
  3. Select the region (e.g the prerequisites)
  4. Select a Virtual Network
  5. Select the Subnet with at least /27
  6. Select a Public IP Address

Specify the configuration settings for your Bastion resourceIf you already have an existing Virtual Machine, then you can easily transform the VM to an Azure Bastion. Open the Virtual Machine and click “Connect”. Then, select “Bastion” and click “Use Bastion”.Transform the VM to an Azure Bastion

Connecting to Azure Bastion

Go back to the Azure Bastion blade, and confirm that the deployment is done.

Azure Bastion blade

In order to connect to a Virtual Machine using the Azure Bastion, you just need to:

  • Open the Virtual Machine Blade
  • Start the Virtual Machine you want to connect
  • Click “connect” and select “Bastion”
  • Enter the username and password and click “Connect”

Connect to a Virtual Machine using the Azure BastionA new tab will be opened into your web browser using the Bastion service and HTML5.Bastion service and HTML5Wait a few seconds and then you can use your Virtual Machine in your web browser. Use your Virtual Machine in your web browser

VSAN from StarWind is software-defined storage (SDS) solution created with restricted budgets and maximum output in mind. It pulls close to 100% of IOPS from existing hardware, ensures high uptime and fault tolerance starting with just two nodes. StarWind VSAN is hypervisor and hardware agnostic, allowing you to forget about hardware restrictions and crazy expensive physical shared storage.

Build your infrastructure with off-the-shelf hardware, scale however you like, increase return on investment (ROI) and enjoy Enterprise-grade virtualization features and benefits at SMB price today!

Conclusion

Azure Bastion Service is still in preview, but it works like a charm. It is very easy to deploy and it will secure access to your Virtual Machines. You just need to assign one Public IP Address to the Azure Bastion instead of assigning one Public IP Address per Virtual Machine.

Back to blog