Azure Bastion is a Microsoft Azure service designed to improve the security of accessing virtual machines (VMs) within a virtual network. It provides remote access to VMs over Secure Shell (SSH) or Remote Desktop Protocol (RDP) without publicly exposing those ports. Because it is integrated directly into the Azure portal, Azure Bastion gives secure and seamless access to internal resources, reducing exposure to external attacks and simplifying the management of remote connections. In this article we take a closer look at how Azure Bastion works, how to use it, and which factors influence the cost of the service.
Cloud computing has become ubiquitous, and with the proliferation of cloud technology, security has become a major concern. As more companies migrate their infrastructure and workloads to the cloud, it is increasingly important to ensure that these resources are protected from external threats.
Microsoft Azure introduced Azure Bastion, a fully managed platform that provides secure and seamless access to virtual machines via RDP and SSH directly through the Azure portal.
The service eliminates the need for a public IP address, a VPN connection, or a self-managed jump server to reach your virtual machines. With Azure Bastion you can open a session to a VM from the Azure portal with a single click, and the portal sign-in itself, backed by Microsoft Entra ID, adds a layer of authentication in front of the VM's own credentials.
Azure Bastion is an excellent solution for businesses of all sizes that want to improve the security of their virtual machines and simplify the process of accessing them. By eliminating the need for a public IP address, a VPN connection, or a jump server, Azure Bastion reduces the attack surface of your virtual machines and provides a more secure way to access them.
But how does it work exactly? Let's see it in the next sections.
Before moving to Azure Bastion, let's first understand what a Jump Box or Jump Host is.
A Jump Box is a hardened virtual machine placed in a virtual network so that the other virtual machines never have to be exposed to the Internet or to other untrusted networks. The Jump Box acts as the single gateway for all RDP and SSH connections to your VMs: only its management port is reachable from outside, instead of one exposed port per VM.
Now, let's go back to Azure Bastion. Azure Bastion is a managed Jump Box. What does 'managed' mean? Microsoft operates, patches and hardens the underlying host for you: you cannot log in to it or interact with its operating system directly, but you can configure its settings (SKU, scale, enabled features) according to your needs. It supports both Remote Desktop Protocol (RDP) and Secure Shell (SSH) connections, and a Network Security Group (NSG) can be applied to its subnet to further restrict traffic.
RDP and SSH are the two most common ways to connect to workloads running on Azure. RDP is a protocol developed by Microsoft that lets a user connect to another computer over a network through a graphical interface and control its desktop as if physically in front of it. SSH is an encrypted network protocol used to manage remote systems through a command-line interface, mainly on Unix-like systems.
As an example, in a conventional RDP setup the virtual machine is given a public IP address, and the client machine connects to that address from the outside world. Given the history of vulnerabilities in these protocols and the constant credential-guessing traffic that reaches any port exposed on the Internet, publishing RDP/SSH directly is a potentially dangerous point of attack. Bastion reduces that exposure by placing a bastion host (also known as a jump server) on the public side of your perimeter network and keeping the VMs themselves private.
A bastion host is a server specially configured and hardened to resist attack, used as the controlled entry point to an internal network or to critical resources. Usually placed in its own subnet, it acts as an intermediary between the outside and the inside of the network, allowing authorized users to reach internal systems such as servers or databases, and it is protected with the strictest security measures.
When connecting through Azure Bastion, virtual machines don't need an agent or a public IP address, avoiding the exposure of RDP and SSH ports to the outside world, while still allowing secure connections.
Here's how the connection works:
1. The user signs in to the Azure portal and chooses Connect > Bastion on the VM. The session runs in the browser over HTTPS (TLS on TCP port 443) to the Bastion host.
2. The Bastion host, deployed in the virtual network's AzureBastionSubnet, opens an RDP (TCP 3389) or SSH (TCP 22) connection to the VM's private IP address, entirely inside the virtual network.
3. Keystrokes and screen updates are relayed over that HTTPS session, so the VM never accepts a connection from the Internet and needs neither a public IP address nor an agent.
It should also be mentioned that Azure Bastion is deployed per virtual network, not per subscription, account or virtual machine. Once a Bastion host is configured in a virtual network, the SSH or RDP experience is available for all the virtual machines in that network.
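The point of the design above is that, after Bastion is in place, no workload NIC should carry a public IP and no NSG should allow 22 or 3389 from the Internet. The following Azure PowerShell script is an added example (not code from the original article) that audits a subscription for exactly those two leftovers; it assumes the Az.Accounts and Az.Network modules are installed and that you have already run Connect-AzAccount with Reader rights on the subscription in context.

```powershell
# Added example, not part of the original article.
# Assumes Az.Accounts and Az.Network are installed and Connect-AzAccount has
# been run with at least Reader on the subscription in context.
# Reports the two things Bastion is meant to make unnecessary:
#   1. NICs that still have a public IP attached
#   2. NSG rules that allow RDP (3389) or SSH (22) inbound from the Internet

$ManagementPorts = @('22', '3389')
$OpenSources     = @('*', 'Internet', '0.0.0.0/0', '::/0')

# Returns $true when a port-range list ('*', '22', '3000-4000', ...) covers $Port
function Test-PortCovered {
    param([string[]]$Ranges, [string]$Port)
    foreach ($r in $Ranges) {
        if ($r -eq '*' -or $r -eq $Port) { return $true }
        if ($r -match '^(\d+)-(\d+)$' -and
            [int]$Port -ge [int]$Matches[1] -and [int]$Port -le [int]$Matches[2]) {
            return $true
        }
    }
    return $false
}

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Public IPs on NICs: with Bastion, workload NICs should have none
foreach ($nic in Get-AzNetworkInterface) {
    foreach ($cfg in $nic.IpConfigurations) {
        if ($cfg.PublicIpAddress) {
            $findings.Add([pscustomobject]@{
                Finding  = 'NIC has a public IP'
                Resource = $nic.Id
                Detail   = $cfg.PublicIpAddress.Id
            })
        }
    }
}

# 2. Inbound allow rules for 22/3389 whose source is the whole Internet.
#    A rule that allows those ports only from the Bastion subnet
#    (e.g. 10.0.255.0/26) is the intended configuration and is NOT reported.
foreach ($nsg in Get-AzNetworkSecurityGroup) {
    foreach ($rule in $nsg.SecurityRules) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
        $fromAnywhere = @($rule.SourceAddressPrefix | Where-Object { $OpenSources -contains $_ }).Count -gt 0
        if (-not $fromAnywhere) { continue }
        $hits = @($ManagementPorts | Where-Object { Test-PortCovered -Ranges $rule.DestinationPortRange -Port $_ })
        if ($hits.Count -gt 0) {
            $findings.Add([pscustomobject]@{
                Finding  = "NSG allows $($hits -join '/') inbound from Internet"
                Resource = "$($nsg.Name) / $($rule.Name) (priority $($rule.Priority))"
                Detail   = "source=$($rule.SourceAddressPrefix -join ',')"
            })
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it before and after a Bastion rollout: an empty table is the expected end state. Rules that use application security groups instead of address prefixes have an empty SourceAddressPrefix and are skipped, so review those separately.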
SKU, which stands for Stock Keeping Unit, is a term commonly used in commerce and inventory management for a specific unit of product or service that can be sold, inventoried and tracked.
In cloud services such as Azure Bastion, a SKU is a specific configuration of a service that defines its technical characteristics and capabilities. Four SKUs are currently available for Azure Bastion: Developer (free, limited, for development and test environments), Basic (essential secure access to VMs without public IP addresses), Standard (adds features such as more simultaneous sessions and custom access ports) and Premium (adds private-only connectivity and session recording).
As of today, you can upgrade from the Basic SKU to the Standard SKU in the Azure portal or with Azure PowerShell; downgrading from Standard back to Basic is not supported. Choosing the right SKU is therefore important both for performance and for the cost of the service.
Opting for a SKU with more resources can improve the user experience and ensure that the service can handle the volume of traffic and the sessions requested. On the other hand, choosing an SKU with fewer resources may reduce costs but may not meet performance needs.
The Developer SKU, the most recent addition at the time of writing, has very limited functionality and is intended by Microsoft for development and test environments only.
The Premium SKU, on the other hand, adds several additional security capabilities, aimed at organizations that must meet particularly strict security and compliance requirements or that run highly sensitive workloads on Azure VMs. For example, Azure Bastion Premium includes a private-only deployment option: users reach their Azure VMs through a private endpoint, whereas with the other SKUs the Bastion host itself is reached through a public IP address (the VMs behind it are private in every case).
If a user needs to connect to Azure VMs from an on-premises network, this private-only deployment can be combined with Azure ExpressRoute private peering, so that the access path never touches the public Internet.
Azure Bastion Premium also offers more monitoring and logging capabilities than other versions. A 'graphical session recording' feature allows organizations to record every VM session activity initiated through an Azure Bastion connection.
Organizations decide where these recordings are stored and for how long, and they can be reviewed to detect abnormal user behaviour that may be the precursor of a security incident.
We have created the Infrastructure &amp; Security team, focused on the Azure cloud, to better respond to the needs of customers that involve us in technical and strategic decisions. In addition to configuring and managing the tenant, we also take care of:
With Dev4Side, you have a reliable partner that supports you across the entire Microsoft application ecosystem.
Now that we have a clearer idea of how Azure Bastion works, it's time to put it to the test with a small practical example.
We will create a Bastion host together with its VNet and then connect to a virtual machine, in three simple steps. Let's look at them in the next sections.
To begin with, log in to the Azure portal and type 'Bastion' in the search box. On the Bastions page, click Create to create a new Bastion host.
On the Create a Bastion page, enter the usual details: Subscription, Resource Group, Instance name, Region and Virtual Network.
Once these are filled in, we can configure the subnet.
Once we have reached the Subnet option, we click on Manage Subnet Configuration.
Then click Add subnet and create a subnet named exactly AzureBastionSubnet with an address prefix of /26 or larger (for example /25). Bastion will not deploy into a subnet with any other name or a smaller prefix.
Let's go back and select our Subnet on the Bastion creation page. Now we can choose to create a new public IP address or use an existing address.
If we create a new one, we give it a name and use the Standard SKU, which Bastion requires for its public IP. In the 'Advanced' tab we can decide which optional features to enable. Then click Review + create and, once validation succeeds, Create.
Once deployment is complete, open the target virtual machine in the portal and, in its Overview section, click Connect > Bastion; the portal picks up the new Bastion host in the VM's virtual network.
Click Use Bastion and enter the VM's own credentials (the guest OS username and password or SSH key).
We are now connected: a new browser tab opens with the virtual machine's session in it.
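The same three steps, done with Azure PowerShell rather than the portal, as an added example that is not code from the original article. It also adds what the portal walkthrough leaves out: an NSG on the workload subnet that admits RDP/SSH only from the Bastion subnet. It assumes the Az.Resources and Az.Network modules are installed and Connect-AzAccount has been run; every name and address range is a placeholder chosen for this example.

```powershell
# Added example, not code from the original article. Assumes Az.Resources and
# Az.Network are installed and Connect-AzAccount has been run. All names and
# address ranges are placeholders.

$rgName   = 'rg-bastion-demo'
$location = 'westeurope'
$null = New-AzResourceGroup -Name $rgName -Location $location -Force

# Bastion's subnet must be named AzureBastionSubnet and be /26 or larger.
$bastionPrefix = '10.0.255.0/26'

# Workload NSG: RDP/SSH allowed only from the Bastion subnet and explicitly
# denied from everything else. The explicit deny matters because the default
# AllowVnetInBound rule would otherwise admit 22/3389 from any address in this
# VNet or in a peered VNet.
$allowFromBastion = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-SSH-From-Bastion' `
    -Priority 100 -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $bastionPrefix -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 22, 3389
$denyOtherMgmt = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-SSH-Other' `
    -Priority 110 -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 22, 3389
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-workload' -ResourceGroupName $rgName `
    -Location $location -SecurityRules $allowFromBastion, $denyOtherMgmt

# Step 1: VNet with AzureBastionSubnet plus a separate subnet for the VMs.
# The Bastion subnet is left without an NSG here; if you attach one, it must
# carry the inbound/outbound rules Microsoft documents for AzureBastionSubnet.
$bastionSubnet = New-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix $bastionPrefix
$vmSubnet      = New-AzVirtualNetworkSubnetConfig -Name 'snet-workload' -AddressPrefix '10.0.1.0/24' `
    -NetworkSecurityGroup $nsg
$vnet = New-AzVirtualNetwork -Name 'vnet-demo' -ResourceGroupName $rgName -Location $location `
    -AddressPrefix '10.0.0.0/16' -Subnet $bastionSubnet, $vmSubnet

# Step 2: the only public IP in this design belongs to Bastion (Standard SKU, static)
$pip = New-AzPublicIpAddress -Name 'pip-bastion' -ResourceGroupName $rgName -Location $location `
    -AllocationMethod Static -Sku Standard

# Step 3: the Bastion host itself (Standard SKU; provisioning takes several minutes)
$bastion = New-AzBastion -ResourceGroupName $rgName -Name 'bas-demo' `
    -PublicIpAddress $pip -VirtualNetwork $vnet -Sku 'Standard'

$bastion | Select-Object Name, ProvisioningState, @{ n = 'Sku'; e = { $_.Sku.Name } }
```

VMs created in snet-workload afterwards need no public IP and no inbound rule of their own: the only path to ports 22 and 3389 is from 10.0.255.0/26, i.e. from the Bastion host.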
When using Azure Bastion in a production environment, it is recommended to improve user security by using features such as Multi-Factor Authentication (MFA) and Conditional Access.
These features can, for example, require that a user signs in to the Azure portal with multiple authentication factors, or only from a trusted device or IP address, before the Bastion connection is even offered.
In addition to MFA and Conditional Access, you can manage access to Azure resources, such as your virtual machines (VMs), through role assignments using Azure RBAC. With RBAC, for example, you can grant a user access to a VM through Azure Bastion, but at the same time prevent that user from making changes to the Azure infrastructure or to any other Azure resource in your environment.
When connecting to a VM using Azure Bastion, a user needs at least the following role assignments: the Reader role on the target virtual machine, the Reader role on the network interface (NIC) that holds the VM's private IP address, and the Reader role on the Azure Bastion resource.
If the Bastion host must also connect to a VM in a peered virtual network, the Reader role on the virtual network (VNet) of the target virtual machine is also required. You can define the scope of these roles at any level: management group, subscription, resource group or individual resource.
As a best practice, it is recommended that you apply RBAC roles at the management group, subscription or resource group level rather than scattering them across individual resources. In addition, always follow the least privilege principle when granting access with RBAC: grant users only the privileges they need to carry out their tasks.
As explained above, the user needs at least read access to the VM, its NIC and the Bastion resource. The VNet role is only necessary when the target VM sits in a peered VNet.
To simplify this, the article's suggested shortcut is to assign the built-in 'Virtual Machine Access' role at subscription level; remember that this must be done on every Azure subscription in which the user should be able to use Azure Bastion to reach VMs.
In addition to that role, the user must be assigned the Reader role on the resource group that contains the Azure Bastion host. Once both are assigned at the correct scopes, the user is authorized to use the Bastion host to connect securely to the VMs in that subscription. Note that these Azure roles only allow the user to see the VM and start the Bastion session; the VM's own credentials are still required to log in to the guest operating system.
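The following Azure PowerShell script is an added example, not code from the original article, that grants one user exactly the Reader assignments listed above at resource scope (VM, NIC, Bastion resource, and the target VNet only when it is peered rather than the VNet hosting Bastion) and prints them back for verification. It assumes the Az.Resources, Az.Compute and Az.Network modules, that Connect-AzAccount has been run by someone holding User Access Administrator or Owner on those scopes, and that the user, VM and Bastion names are placeholders.

```powershell
# Added example, not code from the original article. Assumes Az.Resources,
# Az.Compute and Az.Network are installed and the caller can assign roles on
# the scopes below. All names are placeholders.

$upn         = 'alice@contoso.example'
$vmRg        = 'rg-workload'
$vmName      = 'vm-app01'
$bastionRg   = 'rg-bastion-demo'
$bastionName = 'bas-demo'

$user    = Get-AzADUser -UserPrincipalName $upn
$vm      = Get-AzVM -ResourceGroupName $vmRg -Name $vmName
$nic     = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$bastion = Get-AzBastion -ResourceGroupName $bastionRg -Name $bastionName

# Minimum scopes: the VM, its NIC (Bastion must read the private IP) and the
# Bastion resource itself. Resource scope keeps the blast radius smallest.
$scopes = [ordered]@{
    'VM'      = $vm.Id
    'NIC'     = $nic.Id
    'Bastion' = $bastion.Id
}

# The target VM's VNet is needed only when it is not the VNet hosting Bastion,
# i.e. when the VM is reached over peering.
$vmVnetId      = ($nic.IpConfigurations[0].Subnet.Id -split '/subnets/')[0]
$bastionVnetId = ($bastion.IpConfigurations[0].Subnet.Id -split '/subnets/')[0]
if ($vmVnetId -ne $bastionVnetId) { $scopes['Peered VNet'] = $vmVnetId }

foreach ($entry in $scopes.GetEnumerator()) {
    $existing = Get-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Reader' -Scope $entry.Value
    if (-not $existing) {
        $null = New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Reader' -Scope $entry.Value
    }
    '{0,-12} Reader -> {1}' -f $entry.Key, $entry.Value
}

# Verify: nothing broader than Reader on these scopes should appear for this user.
Get-AzRoleAssignment -ObjectId $user.Id | Select-Object RoleDefinitionName, Scope
```

The final listing is the check worth keeping in a runbook: a Contributor or Owner assignment at subscription level would also satisfy Bastion, but it is exactly the over-privilege the least privilege principle above warns against. Reader grants no rights inside the guest OS; the user still needs the VM's own credentials.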
As usual, the time has come to talk about the price and the factors that influence it. As far as Azure Bastion's pricing is concerned, this is based on two main components: the hourly rate and the cost of the data transferred.
Bastion has a fixed hourly cost for each instance of the service: regardless of the number of sessions or the actual time of use, you pay a constant rate for every hour the Bastion instance exists. Deleting an unused Bastion host (and recreating it when needed) is the only way to stop that meter.
The hourly rate varies with the region in which the service is deployed and with the chosen SKU, which at the time of writing meant Basic or Standard, with Premium announced shortly before and still in preview.
There is also a free SKU (Developer) made available by Microsoft for development and test environments, with extremely limited functionality, which can nevertheless be useful to try out the basic capabilities of the service and decide whether it suits your needs.
The second factor is the cost of data transfer. When you use Azure Bastion to access your VMs, the data that travels between the user's browser and the VM through the service is billed by volume, measured over the access sessions.
For a first estimate of what the service would cost your organization, use the pricing calculator linked from the official Azure Bastion pricing page, which lets you compute the price by region and currency.
With the advent of cloud computing, the security of digital assets has become more important than ever, and it is no coincidence that large companies and cloud service providers invest enormous sums every year to protect their users and resources in the cloud from increasingly sophisticated threats.
Azure Bastion is one of those investments on Microsoft's part, aimed at securing the virtual machines its customers host on the Redmond company's cloud platform.
Its ease of use and its configurability make it a solid option for protecting virtual machines that organizations serious about security should not overlook. Why not give it a try and see whether its features are right for you?
Azure Bastion is a managed service from Microsoft Azure that allows you to securely access virtual machines without exposing RDP and SSH ports to the Internet. The service allows direct connection from the Azure portal, eliminating the need to configure VPNs or public IP addresses.
Azure Bastion acts as a managed jump box, providing access to virtual machines via RDP and SSH over an HTTPS connection on port 443. This reduces the attack surface because the remote-access ports (3389 and 22) are never exposed to the Internet, and it removes the need to publish them through firewall or NAT rules of your own.
Azure Bastion improves cloud infrastructure security by eliminating the need to expose VMs to the Internet. The service simplifies remote access to virtual machines directly from the Azure portal without additional configuration. It also allows integration with Entra ID, improving access control and identity management.
A traditional Jump Box is a dedicated virtual machine that acts as a centralized access point for other VMs. This method requires the management and maintenance of the operating system and security rules. Azure Bastion, on the other hand, is a service fully managed by Microsoft, updated automatically and with a simplified configuration that eliminates the need for a dedicated Jump Box.
Microsoft offers several SKUs for Azure Bastion. The Basic SKU provides essential functionality for secure access to VMs without public IP addresses. The Standard SKU offers advanced features such as support for multiple simultaneous sessions and customization of access ports. The free and limited Developer SKU is designed for development and test environments. The Premium SKU introduces additional levels of security, including Only-Private Bastion functionality and session recording.
To connect to a virtual machine through Azure Bastion, a user must have at least the role of Reader on the target VM, on the VM's network interface, and on the Azure Bastion resource. If the VM is located in a virtual network connected through peering, the user must have the role of Reader also on the associated virtual network. It is recommended to apply RBAC roles with the principle of least privilege to ensure the security of the environment.
Yes, the price of the service is based on a fixed hourly cost for each active instance and on a variable cost linked to the transfer of data during access sessions. The cost varies depending on the SKU chosen and the region where the service is distributed. Microsoft provides an online calculator to estimate costs based on specific business needs.
Azure Bastion is compatible with any Azure virtual machine that accepts RDP or SSH connections. The Bastion host needs a subnet named AzureBastionSubnet, with a minimum size of /26, in its virtual network; the VMs can be in that virtual network or in one peered with it.
To configure Azure Bastion, create a Bastion host in the Azure portal and give its virtual network the dedicated AzureBastionSubnet; no change is needed on the virtual machines themselves. After configuration, you can access the VMs directly from the Azure portal without public IPs or VPNs.
Yes, you can upgrade from Basic SKU to Standard SKU directly from the Azure portal or through PowerShell. However, it is not possible to downgrade from Standard SKU to Basic SKU.
Yes, Azure Bastion can be used to connect to Azure virtual machines from an on-premises network. For more secure and isolated access, you can combine the service with Azure ExpressRoute Private Peering.
Only the Premium SKU offers session recording, allowing organizations to monitor and keep logs of activities performed while accessing virtual machines. This functionality is useful for ensuring greater security and compliance with business regulations.
Azure Bastion allows secure access to VMs without the need for a VPN, but it doesn't replace a VPN for other business connectivity needs. The service is specifically designed to facilitate access to virtual machines securely and without exposing RDP or SSH ports to the Internet.
The Infra & Security team focuses on the management and evolution of our customers' Microsoft Azure tenants. Besides configuring and managing these tenants, the team is responsible for creating application deployments through DevOps pipelines. It also monitors and manages all security aspects of the tenants and supports Security Operations Centers (SOC).