Azure Bastion Premium


Like all Cloud services, Azure Bastion continues to evolve and improve by adding new and very practical features. In this article, we will take you on a tour of the service and changes that have been made to its range and features, such as automatic registration and 100% private access.

This is not the first article about Azure Bastion on this blog; here is a link to the one written in 2023. The product has undergone some changes since then, which we will cover here.

What is Azure Bastion?

From Microsoft’s point of view, the goal of this jump service has not changed:

Azure Bastion is a fully managed PaaS service that you use to securely connect to virtual machines via a private IP address. It provides secure and seamless RDP/SSH connectivity to your virtual machines, either directly over TLS from the Azure portal or via native SSH or an RDP client already installed on your local machine. When you connect via Azure Bastion, your virtual machines do not need a public IP address, agent, or special client software.

Microsoft Learn

Thus, Azure Bastion is still a jump service for accessing virtual machines on Azure, whether they run Windows or Linux.

The diagram below shows the access tunnel created between Azure Bastion and the initiating user (via a reverse connection) using the TLS protocol:

Bastion provides secure RDP and SSH connectivity to all VMs in the virtual network it is provisioned for. Azure Bastion protects your VMs from exposing RDP/SSH ports to the outside world, while providing secure access using RDP/SSH.

Microsoft Learn

I also reposted the video dedicated to Azure Bastion in French right here:


What is the main highlight of Azure Bastion?

Only one word immediately comes to mind: SECURITY.

Like any jump host, Azure Bastion becomes the de facto exposed entry point of your cloud infrastructure, so it concentrates firewall functions and perimeter security measures in one place.

In addition, accessing the service from the Azure portal places Azure AD pre-authentication in front of every session, so Bastion benefits from all of its controls: Conditional Access, RBAC rights management, and so on.

Because the session is carried over TLS on port 443, you no longer need to open RDP or SSH ports through your firewalls to reach your VMs.

Finally, Azure Bastion removes the need for public IP addresses on your Azure VMs: the RDP/SSH connection between Bastion and the virtual machine travels over the Azure virtual network and reaches the VM only through its private IP address.

To make things clearer, Microsoft provides a table of its main advantages:

| Advantage | Description |
| --- | --- |
| RDP and SSH through the Azure portal | You can access RDP and SSH sessions directly in the Azure portal in a seamless, one-click experience. |
| Remote session via TLS and firewall traversal for RDP/SSH | Azure Bastion uses an HTML5-based web client that is automatically streamed to your local device. Your RDP/SSH session uses TLS on port 443. This allows traffic to traverse firewalls more securely. Bastion supports TLS 1.2; earlier versions of TLS are not supported. |
| No public IP address needed on the Azure VM | Azure Bastion opens the RDP/SSH connection to your Azure VM using the private IP address on your VM. You don't need a public IP address on your VM. |
| No constraints related to the management of network security groups (NSGs) | You don't need to apply network security groups on the Azure Bastion subnet. Because Azure Bastion connects to your VMs through a private IP address, you can configure your network security groups to allow RDP/SSH from Azure Bastion only. You no longer have to manage network security groups every time you need to securely connect to your VMs. For more information about network security groups, see Network security groups. |
| No need to manage a separate Bastion host on a virtual machine | Azure Bastion is a fully managed PaaS service from Azure, hardened internally to provide you with secure RDP/SSH connectivity. |
| Port scan protection | Your virtual machines are protected from port scanning by malicious users because you don't need to expose them to the Internet. |
| Hardening in one place | Because Azure Bastion resides at the perimeter of your virtual network, you don't have to worry about hardening the security of each and every virtual machine in your virtual network. |
| Protection against zero-day exploits | The Azure platform protects against zero-day exploits by providing always-on, up-to-date hardened security for Azure Bastion. |

But how much does Azure Bastion cost?

This is where things have changed since my last post. There are now 4 SKUs available for Azure Bastion:

  • Developer
  • Basic
  • Standard
  • Premium

On the pricing side, Microsoft provides a table of Azure Bastion prices on this page:

To get a good idea of the price differences, this gives the following monthly rates:

As noted above, Azure Bastion Developer is free, but your single connection is then served from a shared Azure Bastion instance:

For the other SKUs, Microsoft says the following, and I can confirm it: Azure Bastion is billed as soon as it is deployed, regardless of whether it is used:

Azure Bastion is billed hourly from the time the resource is deployed until it is deleted, regardless of outbound data usage. Hourly pricing is based on the selected SKU, the number of configured scale units, and data transfer rates.

Microsoft Pricing

Which SKU to choose for Azure Bastion?

The features will determine which SKU is best suited to your needs:

| Functionality | Developer SKU | Basic SKU | Standard SKU | Premium SKU |
| --- | --- | --- | --- | --- |
| Connect to target virtual machines in the same virtual network | Yes | Yes | Yes | Yes |
| Connect to target virtual machines in peered virtual networks | No | Yes | Yes | Yes |
| Support for simultaneous connections | No | Yes | Yes | Yes |
| Access Linux virtual machine private keys in Azure Key Vault (AKV) | No | Yes | Yes | Yes |
| Connect to a Linux virtual machine with SSH | Yes | Yes | Yes | Yes |
| Connect to a Windows virtual machine with RDP | Yes | Yes | Yes | Yes |
| Connect to a Linux virtual machine with RDP | No | No | Yes | Yes |
| Connect to a Windows virtual machine with SSH | No | No | Yes | Yes |
| Specify a custom inbound port | No | No | Yes | Yes |
| Connect to virtual machines using Azure CLI | No | No | Yes | Yes |
| Host scaling | No | No | Yes | Yes |
| Upload or download files | No | No | Yes | Yes |
| Kerberos authentication | No | Yes | Yes | Yes |
| Shareable link | No | No | Yes | Yes |
| Connect to virtual machines via IP address | No | No | Yes | Yes |

Note: Keep in mind that you can upgrade your Azure Bastion SKU, but you cannot downgrade it.
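To make the NSG advice from the advantages table and the SKU choice above concrete, here is an added Bicep example. It is written for this article and is neither Microsoft's template nor code from the original post. It deploys Azure Bastion with the Premium SKU into the mandatory AzureBastionSubnet (no NSG on that subnet, as the table says) and attaches an NSG to the workload subnet that admits RDP/SSH only from the Bastion subnet, with an explicit deny behind it so that a later, carelessly added "allow 3389 from Internet" rule cannot reopen the ports. The resource names, address ranges, scale-unit count and the API version are assumptions; confirm that the API version you use accepts the Premium SKU name.

```bicep
// Added example for this article (assumed names and ranges, not the original post's code).
param location string = resourceGroup().location
param vnetName string = 'vnet-hub'
param bastionSubnetPrefix string = '10.0.255.0/26'   // AzureBastionSubnet must be /26 or larger
param workloadSubnetPrefix string = '10.0.1.0/24'

// NSG for the workload subnet: RDP/SSH only from AzureBastionSubnet.
// Nothing is applied to AzureBastionSubnet itself.
resource workloadNsg 'Microsoft.Network/networkSecurityGroups@2024-01-01' = {
  name: 'nsg-workload'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowRdpSshFromBastionOnly'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: bastionSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [
            '22'
            '3389'
          ]
        }
      }
      {
        // Explicit deny: lower priority number wins, so this blocks any Allow rule
        // for 22/3389 that someone later adds with a priority number above 110.
        name: 'DenyRdpSshFromAnywhereElse'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [
            '22'
            '3389'
          ]
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2024-01-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    subnets: [
      {
        name: 'AzureBastionSubnet'   // this exact name is required by Bastion
        properties: { addressPrefix: bastionSubnetPrefix }
      }
      {
        name: 'snet-workload'
        properties: {
          addressPrefix: workloadSubnetPrefix
          networkSecurityGroup: { id: workloadNsg.id }
        }
      }
    ]
  }
}

// Bastion needs a Standard, static public IP; the VMs behind it need none.
resource bastionPip 'Microsoft.Network/publicIPAddresses@2024-01-01' = {
  name: 'pip-bastion'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource bastion 'Microsoft.Network/bastionHosts@2024-01-01' = {
  name: 'bas-hub'
  location: location
  sku: { name: 'Premium' }        // assumption: this API version accepts 'Premium'
  properties: {
    scaleUnits: 2                  // minimum for Standard and Premium; raise for more sessions
    enableTunneling: true          // native SSH/RDP client support (Standard and above)
    enableFileCopy: true           // file upload/download (Standard and above)
    enableIpConnect: true          // connect by private IP address (Standard and above)
    enableShareableLink: false     // leave off unless there is a documented need
    ipConfigurations: [
      {
        name: 'ipconf-bastion'
        properties: {
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, 'AzureBastionSubnet') }
          publicIPAddress: { id: bastionPip.id }
        }
      }
    ]
  }
  dependsOn: [
    vnet
  ]
}
```

Deploy it with `az deployment group create --resource-group <rg> --template-file bastion.bicep`. Because the NSG only ever names the Bastion subnet prefix as a source, adding a VM to snet-workload never requires touching the NSG again, which is exactly the "no constraints on NSG management" point in the table; the deny rule at priority 110 is the check that keeps that promise if someone later appends a broader allow rule.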


You can find detailed instructions on how to set up Azure Bastion in a blog post on jloulinux.azurewebsites.net by Jean-Loup Orgitello. Click on the link to leave the TD SYNNEX blog.




TD SYNNEX
License Desk Team
software.ch@tdsynnex.com