Understanding Azure Bastion

  1. Home
  2. Understanding Azure Bastion

Go back to Tutorial

In this tutorial, we will learn about Azure Bastion and and its features.

Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. This service is a fully platform-managed PaaS service that you provision inside your virtual network. Moreover, it provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS.

Further, Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using this service will protect your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.

Architecture

Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine. Once you provision an Azure service in your virtual network, the RDP/SSH experience is available to all your VMs in the same virtual network.

Azure Bastion Architecture
Image Source: Microsoft

However, in this figure shows the architecture of an Azure Bastion deployment. In this diagram:

  • Firstly, the Bastion host is deployed in the virtual network that contains the AzureBastionSubnet subnet that has a minimum /27 prefix.
  • Secondly, the user connects to the Azure portal using any HTML5 browser.
  • Thirdly, the user selects the virtual machine to connect to.
  • Next, with a single click, the RDP/SSH session opens in the browser.
  • Lastly, no requirement for public IP on the Azure VM.
Practice tests Azure Bastion

Key features

The following features are available:

  • Firstly, RDP and SSH directly in the Azure portal. You can directly get to the RDP and SSH session directly in the Azure portal using a single click seamless experience.
  • Secondly, Remote Session over TLS and firewall traversal for RDP/SSH. Azure Bastion uses an HTML5 based web client that automatically streams to your local device. This is so that you get your RDP/SSH session over TLS on port 443 enabling you to traverse corporate firewalls securely.
  • Thirdly, No Public IP required on the Azure VM. Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using private IP on your VM. No requirement for public IP on your virtual machine.
  • Fourthly, No hassle of managing NSGs. Azure Bastion is a manageable platform PaaS service from Azure provides you secure RDP/SSH connectivity. You don’t need to apply any NSGs on the Azure Bastion subnet. Because this connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only.
  • Then, Protection against port scanning. Because you do not need to expose your virtual machines to the public Internet. As your VMs are protected against port scanning by rogue and malicious users outside your virtual network.
  • Lastly, Protect against zero-day exploits. Hardening in one place only. Azure Bastion is a manageable PaaS service. Because it sits at the perimeter of your virtual network, you don’t need to worry about hardening each of the virtual machines in your virtual network. The Azure platform protects against zero-day exploits by keeping the Azure Bastion always up to date for you.
sc-900 online course

Reference: Microsoft Documentation

Go back to Tutorial

Menu