Azure Bastion (the basics)

Skip to summary if you are in a hurry

Azure Bastion is more than just a service; it's a fully managed platform-as-a-service (PaaS) offering that you provision within your virtual network. Its primary function? To provide secure and hassle-free RDP/SSH connectivity directly from the Azure portal over TLS.

Imagine connecting to your VMs with just a few clicks, without the need for public IP addresses, additional agents, or specialized client software. That's the power of Azure Bastion. By leveraging this service, you shield your VMs from exposing RDP/SSH ports to the outside world while still ensuring secure access.

But how does Azure Bastion achieve this feat? Let's delve into its architecture.

When deploying Azure Bastion, it resides within your virtual network, specifically in the AzureBastionSubnet subnet. This subnet, ideally sized at /26 or larger, is part of the same VNet and resource group as the bastion host. It's important to note that no additional resources should be present in this subnet, keeping the focus solely on Bastion's functionality.

The deployment of Bastion is per virtual network, not per subscription or virtual machine. This means that once provisioned, Azure Bastion extends its secure RDP and SSH connectivity to all VMs within the same VNet and even those in peered VNets.

But what about permissions and network security groups (NSGs)?

To ensure Azure Bastion operates smoothly, users need appropriate permissions. This includes the Reader role on the virtual machine, on the NIC that holds the VM's private IP, on the Azure Bastion resource, and on the virtual network for peered networks.

As for NSGs, within the VNet, subnet-to-subnet communication is allowed by default, reducing the need for extensive NSG configurations. However, in certain scenarios, especially in production environments, specific NSG rules might be necessary to override default Azure NSG rules.
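The constraints described so far (the dedicated AzureBastionSubnet, /26 or larger, nothing else in it, and VMs that no longer expose RDP/SSH or need a public IP) can be checked mechanically. The following Python sketch is an added example, not code from the article or from Microsoft; the dictionary shape, the function name `audit_bastion_vnet` and the sample data are constructed assumptions, not an Azure API response.

```python
import ipaddress

BASTION_SUBNET = "AzureBastionSubnet"  # subnet name the article specifies
MAX_PREFIX_LEN = 26                    # "/26 or larger" means prefix length <= 26
MGMT_PORTS = {22: "SSH", 3389: "RDP"}
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}

def audit_bastion_vnet(vnet):
    """Return findings for the VNet that hosts Bastion (hypothetical dict shape)."""
    findings = []
    bastion = next((s for s in vnet["subnets"] if s["name"] == BASTION_SUBNET), None)
    if bastion is None:
        findings.append(f"missing subnet {BASTION_SUBNET}")
    else:
        prefixlen = ipaddress.ip_network(bastion["prefix"], strict=False).prefixlen
        if prefixlen > MAX_PREFIX_LEN:
            findings.append(f"{BASTION_SUBNET} is /{prefixlen}; use /26 or larger")
        others = [r for r in bastion["resources"] if r != "bastionHost"]
        if others:
            findings.append(f"{BASTION_SUBNET} holds other resources: {', '.join(others)}")
    for vm in vnet["vms"]:
        if vm.get("public_ip"):
            findings.append(f"{vm['name']}: public IP attached")
        for rule in vm.get("nsg_inbound", []):
            # Only Allow rules whose source is the whole Internet are of interest.
            if rule["access"] != "Allow" or rule["source"] not in ANY_SOURCE:
                continue
            for port in sorted(MGMT_PORTS.keys() & set(rule["ports"])):
                findings.append(f"{vm['name']}: {MGMT_PORTS[port]} ({port}) open to {rule['source']}")
    return findings

# Constructed sample input: one compliant VNet, one with four problems.
SAMPLE_OK = {
    "subnets": [{"name": "AzureBastionSubnet", "prefix": "10.0.1.0/26",
                 "resources": ["bastionHost"]}],
    "vms": [{"name": "app01", "public_ip": None,
             "nsg_inbound": [{"access": "Allow", "source": "10.0.1.0/26", "ports": [22]}]}],
}
SAMPLE_BAD = {
    "subnets": [{"name": "AzureBastionSubnet", "prefix": "10.1.0.0/27",
                 "resources": ["bastionHost", "vm-jump"]}],
    "vms": [{"name": "web01", "public_ip": "203.0.113.10",
             "nsg_inbound": [{"access": "Allow", "source": "Internet", "ports": [3389, 443]}]}],
}

if __name__ == "__main__":
    for label, vnet in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, audit_bastion_vnet(vnet) or "no findings")
```

Ports are modelled as lists of integers for brevity; real NSG rules can also carry ranges, which this sketch does not expand.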

Azure Bastion also offers flexibility in its SKU options, allowing users to choose between Basic and Standard SKUs. The Standard SKU further enables host scaling, giving users the ability to specify the number of instances required based on workload demands.

Each instance supports a defined number of concurrent RDP and SSH connections, ensuring smooth operation even under varying workloads. It's crucial to plan the subnet size carefully, as it directly impacts the scalability of Bastion instances.

In summary, Azure Bastion gives remote access to VMs by combining robust security measures with unparalleled convenience. With its platform-managed approach, seamless connectivity, and scalability options, it's a must-have tool for modern cloud environments if you are running VMs. But the most important feature that is missing is the ability to connect to other PaaS services in Azure; such a capability would be really awesome to see in the future.


Thomas Poppelgaard

subject matter expert in GPU | Cloud | EUC | Data | APM | Security | DevOps | AI | MR

7 months

Great article, Henrik F. Wojcik. I love Bastion, I have been using it since 2020 :)
