Many enterprise environments, both large and small, have leveraged a bastion or jump host to ensure that the tools needed for troubleshooting or managing systems are available and configured properly. In many of these cases, the bastion host is another VM that needs to be patched, managed, and secured so it can perform these functions without causing additional risk.
Microsoft has taken some of the capabilities of a jump host and rolled them into the Azure platform. By doing this, there is no longer a need to patch and manage jump hosts within your Azure environment if the tasks you need to perform are just general administration (more on that later). In addition to ensuring there is a method to manage the servers within a VNet, Bastion also allows connection to either public or private IP addresses. This means the systems do not need to be directly Internet facing for this to work. You can remain connected to a server via Azure Bastion while removing the public IP address of the server. Not that this is recommended, but I may or may not have tried this during testing.
In this guide, you will learn what Azure Bastion is, what it is not, and how it might help you manage your Azure environment more securely.
When you’re finished, you’ll be able to complete the following tasks:
To get started with Azure Bastion, you’ll need the following:
Azure Bastion uses its predefined subnet to connect to the Virtual Network where it is deployed. This is done to ensure that the service does not run over things that are already on other subnets and helps to keep networking relatively simple. This is called out as an optional step above, but I have found it is easier to configure the networking in advance for Bastion than during the process. There is less switching between screens and note-taking to ensure you have all the information you might need at hand.
First, log in to the Azure Portal (https://portal.azure.com) and locate the virtual machine that you want to use with Azure Bastion.
Select the networking option from the settings list on the left, locate the network (and subnet) to which the virtual machine is connected, and click the link to go to that resource.
From the network resource, select Subnets and ensure that there isn’t already a subnet called AzureBastionSubnet. Click the Add button to add a subnet and enter the name AzureBastionSubnet (case sensitivity intact). Usually, Azure will suggest a subnet range that is available for the new subnet. Depending on the configuration of other subnets within this virtual network, some massaging may need to be done. If your subnets are generally all the same size, you should have no problems with this suggestion.
Inspect the address range provided and make sure that the subnet is at least a /27 in size. This is a requirement for Bastion: a /24 will work too, but a /28 or /29 will not work for this subnet.
Finally, once all of the subnet settings are configured, click Save to create the new AzureBastionSubnet. Remember, each virtual network that you will use with Azure Bastion will need its own dedicated subnet for this service. Once it is configured within the needed VNets, you should be all set to move forward with enabling Azure Bastion.
This step has been easier for me to complete beforehand and makes the Bastion setup much easier. Next, we will dive into the configuration of Azure Bastion itself.
With the networking out of the way, it's time to turn on the feature and create an instance of Azure Bastion for the VNet. Please remember, Azure Bastion is configured for each virtual network where it will be used. If your organization has seven virtual networks, then to manage all of the systems across them, seven instances of Azure Bastion will be needed.
My recommendation for the placement of Azure Bastion is to place it in the same resource group and region as your virtual network. Since the bastion service will need to be in the same region as the virtual network, this placement seems to fit pretty well.
To configure Azure Bastion, complete the following steps:
Note: Because we configured the subnet separately for use with Azure Bastion, the subnet should populate automatically when the VNet is chosen.
Configuration does not take too long but is not immediate; you will need to wait roughly 20 minutes for the provisioning to complete.
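The same subnet and Bastion setup can be scripted with the Azure CLI. The following is an added example (not from the original article) that first checks the two things the portal steps above depend on, the exact case-sensitive subnet name and a prefix of /27 or larger, and then creates the subnet, the Standard-SKU public IP that Bastion requires, and the Bastion instance in the VNet's own region. The resource group, VNet, address range and Bastion names are assumed placeholders; set DEPLOY=1 to actually run the az commands.

```shell
#!/usr/bin/env sh
# Added example: create AzureBastionSubnet and an Azure Bastion instance with the Azure CLI.
# Assumed placeholder names; override them in the environment before running.
set -eu

RG="${RG:-rg-demo}"
VNET="${VNET:-vnet-demo}"
BASTION_PREFIX="${BASTION_PREFIX:-10.0.255.0/27}"
BASTION_NAME="${BASTION_NAME:-bastion-demo}"

# The subnet name is fixed and case sensitive; Bastion will not deploy to anything else.
bastion_subnet_name_ok() {
  [ "$1" = "AzureBastionSubnet" ]
}

# Returns 0 when the CIDR prefix length is 27 or smaller, i.e. the subnet is /27 or larger.
# A /24 passes; /28 and /29 fail, which matches the sizing rule described above.
bastion_prefix_ok() {
  cidr="$1"
  case "$cidr" in
    */*) bits="${cidr##*/}" ;;
    *)   return 1 ;;
  esac
  case "$bits" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$bits" -le 27 ]
}

deploy_bastion() {
  bastion_subnet_name_ok "AzureBastionSubnet"
  bastion_prefix_ok "$BASTION_PREFIX" || { echo "subnet must be /27 or larger: $BASTION_PREFIX" >&2; return 1; }
  # Bastion must live in the same region as the VNet, so read the region from the VNet itself.
  LOCATION=$(az network vnet show -g "$RG" -n "$VNET" --query location -o tsv)
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" \
      -n AzureBastionSubnet --address-prefixes "$BASTION_PREFIX"
  # Bastion needs a Standard-SKU, statically allocated public IP.
  az network public-ip create -g "$RG" -n "${BASTION_NAME}-pip" \
      --sku Standard --allocation-method Static --location "$LOCATION"
  az network bastion create -g "$RG" -n "$BASTION_NAME" \
      --vnet-name "$VNET" --public-ip-address "${BASTION_NAME}-pip" --location "$LOCATION"
}

# Only deploy on request; otherwise the file just defines the checks and the deploy function.
if [ "${DEPLOY:-0}" = "1" ]; then
  deploy_bastion
fi
```

Expect the last command to take a while to return, in line with the provisioning time noted above.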
With the networking and configuration of Bastion out of the way, you are ready to connect to a server using the bastion service.
The connection does not seem to be something that would need its own section in a guide. Until I started putting this together, I agreed. When the local admin password for my Virtual Machine was not in the location I expected, it occurred to me that setting the password before connection might be useful.
To ensure your virtual machine has a well-known password (only if you have forgotten it or the one you swear is right does not work) let’s take a moment to reset the password for a VM and then connect to it with Azure Bastion.
Once the password has been set (or reset) you can use Azure Bastion.
To do so, select the connect option for the virtual server and choose the Bastion tab.
Enter the username and password that you specified earlier in this section and click Connect. The default is for the Bastion connection to open a new window or tab in your browser.
From here, the process is just like RDP or SSH; the biggest difference is that the display is in a browser. There are a few caveats at the time of this writing that should be called out, but they are minor and can be worked around.
For Windows VMs, you can copy text into and out of the virtual server using Azure Bastion (if you allow clipboard access within the browser session). Currently, you cannot copy and paste files into the bastion session. This means if you want to install something, you will need to do one of the following:
My favorite here is to put the files in a storage account in Azure, using a file share with approximately 10 GB of space available. Then mount the file share using the connection information provided. This way, I have a place to put temporary things - the storage can be permanent across multiple VMs and used just for files into and out of the managed server(s).
In addition to file movement in and out of VMs using Bastion, you will need to ensure that your network connection to the Bastion instance over port 443 is pretty good. This in and of itself will not be an issue; however, if you find yourself using Just In Time Access or have Network Security Groups in play, you may get a notice from Azure when connecting to VMs that your connection to the resource is unreliable. Check NSG configurations between the client and VM for any out of the ordinary items.
In this article you configured three things:
Now you can use Azure Bastion to connect to virtual machines within a VNet. For the benefit it brings by not needing to maintain security and patching on another host and the fact that no public IP addresses are required, the bastion service is a great connection management tool. Is it perfect? No, but it is a cloud service and like many things in the cloud it will have improvements and changes much faster than traditional technology.
Derek Schauland is an IT Professional with over 20 years experience primarily in Microsoft technologies and is currently focused on Azure and Google Cloud Platform. Derek spent 10 years of his career as a Microsoft MVP, first in File System Storage and then in Cloud and Datacenter Management. He has been blogging and writing in the technical community for much of his career for sites like TechRepublic, CloudSkills.io, Pearson Education and Redmond Magazine. In addition to writing for the web, he has co-authored 4 books covering topics in the Microsoft space from Certification to PowerShell. Outside of the technology space, he enjoys barbecuing with family and friends.