Microsoft recently announced the public preview of Azure Bastion, a managed PaaS service that provides RDP and SSH connectivity to Azure VMs through a browser. This eliminates the need to assign a public IP address to the VM. It is deployed in the Virtual Network and provides RDP/SSH access to all the VMs in that same Virtual Network.
What is needed
- Azure VM
- Subnet in the Virtual Network using the name value “AzureBastionSubnet”
- Microsoft Edge or Google Chrome
What is not needed
- Public IP Address on Azure VM
- RDP or SSH Client
- Agent on Azure VM
- Jump box
Use the Azure portal – preview (rather than the regular Azure portal) to create the service. The preview is currently limited to certain Azure public regions.
Setup for an existing VM
Create a subnet named “AzureBastionSubnet” in the Virtual Network. It is recommended to use at least a /27 or larger subnet.
In the portal, search for “Bastion (preview)”, published by Microsoft.
Specify the configuration settings and create the resource.
To connect, either click “Connect” on the VM’s overview page or use the “Bastion” option listed under the “Operations” section of the VM.
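The setup steps above, as an added shell example that is not part of the original post: it checks the two prerequisites the post states for the Bastion subnet (the exact name “AzureBastionSubnet” and a size of /27 or larger) and then prints the Azure CLI commands that would create that subnet, the Standard public IP the Bastion host needs, and the Bastion resource itself. The resource group, VNet, address prefix, region and resource names are placeholder values; the commands are printed rather than executed so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Validates the Bastion subnet
# prerequisites and prints the Azure CLI commands for the deployment.
# Resource names, address prefix and region below are assumed placeholders.

# Returns 0 if NAME is exactly "AzureBastionSubnet" and PREFIX is /27 or larger
# (a smaller CIDR number means a larger subnet); otherwise explains and returns 1.
validate_bastion_subnet() {
    name=$1
    prefix=$2
    if [ "$name" != "AzureBastionSubnet" ]; then
        echo "subnet must be named AzureBastionSubnet (got '$name')" >&2
        return 1
    fi
    case "$prefix" in
        */*) bits=${prefix##*/} ;;
        *)   echo "address prefix must be CIDR, e.g. 10.0.1.0/27" >&2; return 1 ;;
    esac
    case "$bits" in
        ''|*[!0-9]*) echo "bad prefix length '$bits'" >&2; return 1 ;;
    esac
    if [ "$bits" -gt 27 ]; then
        echo "subnet /$bits is too small; Bastion needs /27 or larger" >&2
        return 1
    fi
    return 0
}

# Prints (does not run) the az commands for the subnet, public IP and Bastion.
# Arguments: resource group, VNet name, subnet address prefix, region.
bastion_create_commands() {
    rg=$1; vnet=$2; prefix=$3; location=$4
    validate_bastion_subnet AzureBastionSubnet "$prefix" || return 1
    cat <<EOF
az network vnet subnet create --resource-group $rg --vnet-name $vnet \\
    --name AzureBastionSubnet --address-prefixes $prefix
az network public-ip create --resource-group $rg --name bastion-pip \\
    --sku Standard --location $location
az network bastion create --resource-group $rg --name vnet-bastion \\
    --vnet-name $vnet --public-ip-address bastion-pip --location $location
EOF
}

# Constructed placeholder values; replace with your own before running the output.
bastion_create_commands demo-rg demo-vnet 10.0.1.0/27 westeurope
```

The Bastion host gets its own Standard public IP; the VMs behind it keep only private addresses, which is the point of the service.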
According to Microsoft, customers are already trying the preview version of the service and realizing its benefits:
“A German premium car manufacturer is that they had concerns about exposing cloud virtual machines with RDP/SSH ports directly to the Internet due to the potential of experiencing a number of security and connectivity issues. During the preview of Azure Bastion, they were able to use RDP/SSH over SSL to our virtual machines which allowed them to traverse corporate firewalls effortlessly and at the same time, restrict Azure Virtual Machines to only private IPs.”
- Azure Active Directory Integration
- Single Sign-on, Azure Multi-Factor Authentication
- Two factor authentication for RDP/SSH connection
- Support for native RDP/SSH Clients
- Privilege Identity Management Integration
- Remote App Streaming
- Support for peered virtual networks
Pricing for this service is per hour, and as of now it is an “always on” service.