Azure Bastion is a new service which enables you to have private and fully managed RDP and SSH access to your Azure Virtual Machines. An Azure Bastion secures your strategic and critical assets in order to protect you from cyber risks. It is the only node exposed to the internet and it is acting like a Gateway.
Check the architecture on the following schema from Microsoft Docs:
In this article, I will explain how to create an Azure Bastion host.
The public preview is limited to the following Azure public regions:
- West US
- East US
- West Europe
- South Central US
- Australia East
- Japan East
To create an Azure Bastion, you must create a Virtual Network with the name “AzureBastionSubnet” and with the prefix of at least /27.
How does it work?
Once you provision the Azure Bastion in a Virtual Network, it is available to all your Virtual Machines in the same virtual network. It means that the deployment is per virtual network. Then a Public IP Address will be assigned to your Azure Bastion. When you will connect to a Virtual Machine, a new tab will be opened in your web browser. When you connect via Azure Bastion, your virtual machines do not need a public IP address.
The first step is to register for the preview. To perform this task, you must be signed into your Azure Account and then you must be enrolled with the following command:
PS > Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
The second step is to register your Azure subscription:
PS > Register-AzResourceProvider -ProviderNamespace Microsoft.Network
You can check that the feature is registered using the following command:
PS > Get-AzProviderFeature -ProviderNamespace Microsoft.Network
Creating an Azure Bastion Host
Once the feature is registered, then you can open the Azure Portal Preview from this URL: http://aka.ms/BastionHost
Specify the configuration settings for your Bastion resource:
- Select a Resource Group
- Enter the name of your Azure Bastion
- Select the region (e.g the prerequisites)
- Select a Virtual Network
- Select the Subnet with at least /27
- Select a Public IP Address
If you already have an existing Virtual Machine, then you can easily transform the VM to an Azure Bastion. Open the Virtual Machine and click “Connect”. Then, select “Bastion” and click “Use Bastion”.
Connecting to Azure Bastion
Go back to the Azure Bastion blade, and confirm that the deployment is done.
In order to connect to a Virtual Machine using the Azure Bastion, you just need to:
- Open the Virtual Machine Blade
- Start the Virtual Machine you want to connect
- Click “connect” and select “Bastion”
- Enter the username and password and click “Connect”
A new tab will be opened into your web browser using the Bastion service and HTML5.Wait a few seconds and then you can use your Virtual Machine in your web browser.
Azure Bastion Service is still in preview, but it works like a charm. It is very easy to deploy and it will secure access to your Virtual Machines. You just need to assign one Public IP Address to the Azure Bastion instead of assigning one Public IP Address per Virtual Machine.