There are a lot of cool things about Azure (and Microsoft) but what does it all mean for you? This post will cover how to get started with the service, step by step.
Whether to choose Azure Bastion Basic or Standard is a common question. The difference between the two versions of Azure Bastion is the number of concurrent connections allowed: Standard allows 5, while Basic allows only 1.
Managing Azure virtual machines has always been possible over protocols such as Remote Desktop Protocol (RDP) and Secure Shell (SSH). In the past, however, you had to either expose VM ports to the public Internet or set up a VPN to reach them. Now you can use Azure Bastion instead.
In this post, you’ll learn how to use Azure Bastion to protect both RDP and SSH access to your Azure VMs.
Let’s get started!
What is the purpose of Azure Bastion?
Before Bastion, to access an Azure VM over RDP or SSH you had to either:
- Connect directly to the host over its exposed ports.
- Use an intermediary such as an RDP gateway to “tunnel” through, while still exposing ports to the outside.
- Connect to a “hop server” or “jump host” and open a second connection to the target from there.
None of these solutions was ideal: each either introduced a security risk or required a lengthy connection procedure. Bastion changed that.
With the managed Azure Bastion service, you can now deploy a Bastion host that exposes only an HTTPS port to the outside world while transparently tunneling RDP or SSH traffic to an Azure VM.
Under the covers, Azure Bastion is a locked-down, protected Azure VM dedicated to remote access.
Cons of Bastion
Before you get too enthusiastic about Azure Bastion, you should be aware of some of its disadvantages before investing significant effort in setting it up. As of this writing, Azure Bastion has a few restrictions to keep in mind.
Check Azure’s Networking feedback page regularly to see which bugs and features Microsoft is working on.
- Shared clipboard limitations: if you’ve used RDP before, you’re probably familiar with its useful shared clipboard, which lets you copy text, images, and files from your local computer to a remote host. Bastion does not support transferring files or images this way. If you need to move files from your local computer to a remote host over RDP, Azure Bastion is not for you.
- Only IPv4 is supported at this time; IPv6 is not.
The rest of this post is a guide to deploying Azure Bastion. If you want to follow along, make sure you have the following:
- At least one Azure Windows virtual machine with a private IP address and the Windows firewall configured to allow port 3389. You will connect to this VM through the Bastion host.
- The Azure Reader role (or higher) on the Azure VM and its vNic.
- A local (or domain) account on the VM host.
- A resource group in Azure. If you don’t already have one, the guide shows you how to create one.
- A virtual network to which the Bastion host can be attached.
- A public IP address to assign to the Bastion host. If you don’t already have one, the guide shows you how to create one.
Creating the Azure Bastion resource
Under the covers, Azure Bastion is a locked-down VM, but it is presented as a dedicated Azure resource rather than as a VM. To begin, you need to create the Bastion resource. This post shows how to do so using the Azure Portal.
You can also deploy a Bastion host with the Azure PowerShell modules.
1. Launch your preferred web browser and go to the Azure Portal.
2. Click on All Services —> Networking —> Bastions to view the overview page where all of your configured Bastion hosts will be shown.
3. Click Create Bastion on the Bastions overview page.
Creating an Azure Bastion resource is the first step.
4. Select your subscription and a resource group in which to create the Azure Bastion host, or click Create new to create a new one.
Creating a new resource group for the Azure Bastion deployment
5. Finally, assign:
- A name of your choice for the Bastion host.
- The region in which to build the Bastion host, usually the one nearest to you.
- The virtual network to which the Bastion host should be attached. If you don’t have one yet, click Create new to create one.
IMPORTANT: If you create your own virtual network, make sure the associated subnet is named exactly “AzureBastionSubnet” and uses a /27 subnet mask. This requirement may change as Bastion develops, but for now you must configure the subnet this way.
- A name for the public IP address if you want Azure to create one for you. Any name will do.
A public IP address is required for the initial setup, but only to establish the connection. Once connected, you reach the target VM on its private IP address.
Creating an Azure Bastion host in the Azure portal
6. Once you’ve assigned all of the required Bastion properties, click the Review + Create button.
The Review + Create button
7. When validation completes, click the Create button to have Azure start building the Bastion resource.
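The same deployment scripted with the Azure PowerShell (Az) modules mentioned above, as an added example that is not part of the original post. Resource names, the region and the address ranges are assumptions; the script checks the /27 subnet requirement before creating anything.

```powershell
# Added example (not from the original post): deploy an Azure Bastion host with the
# Az PowerShell modules. Resource names, region and address ranges are assumptions;
# adjust them to your environment. Requires: Install-Module Az; Connect-AzAccount.
$rg       = 'rg-bastion-demo'          # assumed resource group name
$location = 'eastus'                   # assumed region
$vnetName = 'vnet-demo'                # assumed vNet name (existing or new)
$bastionSubnetPrefix = '10.0.255.0/27' # Bastion subnet; must be /27 or larger

# The Bastion subnet must be named exactly "AzureBastionSubnet" and be at least /27.
$prefixLen = [int]($bastionSubnetPrefix -split '/')[1]
if ($prefixLen -gt 27) {
    throw "AzureBastionSubnet must be /27 or larger; got /$prefixLen"
}

# Create the resource group if it does not exist yet.
if (-not (Get-AzResourceGroup -Name $rg -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rg -Location $location | Out-Null
}

# Either create a vNet with a workload subnet plus the dedicated Bastion subnet,
# or add the Bastion subnet to an existing vNet that lacks it.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $vnet) {
    $vmSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-vms' -AddressPrefix '10.0.1.0/24'
    $bastionSubnet = New-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix $bastionSubnetPrefix
    $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
        -AddressPrefix '10.0.0.0/16' -Subnet $vmSubnet, $bastionSubnet
} elseif (-not ($vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix $bastionSubnetPrefix `
        -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}

# Bastion needs a static, Standard-SKU public IP. Only HTTPS is exposed on it;
# RDP/SSH to the VMs stays on their private addresses.
$pip = New-AzPublicIpAddress -Name 'pip-bastion' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

# Create the Bastion resource itself (the step the portal walkthrough above performs).
New-AzBastion -ResourceGroupName $rg -Name 'bas-demo' -PublicIpAddress $pip -VirtualNetwork $vnet
```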
Using Azure Bastion to connect to an Azure VM
Now that you’ve deployed Bastion, it’s time to see how to use it to safeguard access to your Azure VMs. Assuming you already have an Azure VM set up as described in the requirements, let’s look at how to connect to a Windows VM over RDP through Azure Bastion.
While on the Azure portal, you should:
1. Locate the Azure VM you want to use Azure Bastion to connect to.
2. Select Bastion under the Connect button.
Select the option to connect to the VM from the Connect menu.
3. On the Connect screen, choose Use Bastion and enter the username and password of a local account (or, if the VM is domain-joined, a domain account) to connect to the VM.
To connect, press the Use Bastion button.
4. Click Connect, and Azure will create a new tab in your browser with the desktop of your virtual machine.
That’s it! In your browser, you are now securely connected to your VM over RDP via your Azure Bastion host.
The shared clipboard
When you connect to a Windows host over RDP, you normally have a shared clipboard for copying and pasting. Azure Bastion offers the same feature, but it looks different.
To enable the shared clipboard while in the Bastion console tab, click the padlock in the browser’s address bar and choose Allow, as shown below.
Allowing the shared clipboard in Azure Bastion
Once you’ve enabled the shared clipboard, a new Clipboard box appears; whatever you paste into it becomes available inside your VM, and vice versa.
The Clipboard box
Azure Bastion is an excellent tool for securing RDP or SSH access. However, it may not be the best option for every company. Some important capabilities, such as sharing images and files over the clipboard and IPv6 support, are still unavailable. For you, though, the security benefit may outweigh the disadvantages.
Have you been a long-time user of Azure Bastion? What are your thoughts? What are some future features of Azure Bastion that you’d like to see?