Securing remote access in Azure
Ramssel L.
Security Architect | CISSP | CCSP | SC-100 | AZ-500 | AZ-140 | CCSK | eNDP | OSWP
Just as we secure remote access to virtual machines in our on-premises networks, through a jump server or by making them reachable only from the internal network, we need to keep this design in mind for our cloud architecture.
For this, Azure offers services such as Bastion, which secures remote access in a fully managed way and avoids exposing the management port on the Internet:
As we can see, with Bastion we avoid having to assign a public IP to the virtual machine for remote access: a fully managed service exposes only port 443, and access is available ONLY from the web portal.
We therefore only need to deploy Bastion in a subnet connected to the network we want to reach (either a subnet of the same vnet that hosts the virtual machines whose access Bastion will manage, or a separate vnet peered with the virtual machine's network).
POC
We start from a virtual machine in a vnet with a default subnet and a public IP, so that its administration can be reached over RDP. This means the machine has port 3389 exposed to the Internet, with the traffic allowed in the network security group:
As can be seen, this virtual machine is exposed to the Internet and we can reach it over RDP at its public IP:
How can we secure access with Bastion?
To secure access through the Bastion service, the first step is to deploy Bastion on the vnet we created. To do this, create a subnet on the same vnet named "AzureBastionSubnet" and deploy the Bastion service on that subnet:
As can be seen, another public IP has been created for the Bastion service. This IP is not used for direct access from the Internet; the service is reached only from the portal:
However, at this point the virtual machine can still be reached both directly from the Internet and through Bastion. To secure the access, the network security group must be configured so that port 3389 is allowed only from the Bastion subnet:
Since the virtual machine is on 10.0.0.0/24 and Bastion is on 10.0.1.0/26, we configure the rule so that RDP (3389) is allowed only from the Bastion subnet, removing the exposure to the Internet:
Thus, the virtual machine can no longer be accessed from the public IP exposed to the Internet:
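A small inbound-rule evaluator, added here as an example and not part of the original article, that checks the "before" and "after" network security group states described above. The Internet and VirtualNetwork service tags are approximated, the AzureLoadBalancer tag is not modelled, and the 203.0.113.7 source address is a constructed sample.

```python
# Added example: minimal evaluator for Azure NSG inbound rules.
# Modelled semantics: lowest priority number wins; Azure's three default
# inbound rules are appended; service tags are approximated (assumption).
import ipaddress

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")  # assumed vnet address space from the article

def _src_matches(rule_src, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if rule_src == "*":
        return True
    if rule_src == "Internet":  # approximation: any non-RFC1918 address
        return not any(ip in n for n in PRIVATE)
    if rule_src == "VirtualNetwork":  # approximation: the vnet address space
        return ip in VNET_SPACE
    return ip in ipaddress.ip_network(rule_src)

def _port_matches(rule_port, port):
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = map(int, rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port

# (priority, name, source, destination port, action), as Azure applies by default
DEFAULT_INBOUND = [
    (65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    (65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "Deny"),
]

def evaluate_inbound(rules, src_ip, dst_port):
    """Return the action of the first matching rule in ascending priority order."""
    for _prio, _name, src, port, action in sorted(rules + DEFAULT_INBOUND):
        if src == "AzureLoadBalancer":
            continue  # tag not modelled; no sample source is the Azure LB probe
        if _src_matches(src, src_ip) and _port_matches(port, dst_port):
            return action
    return "Deny"

# Before: the rule created with the VM, RDP allowed from any source.
BEFORE = [(300, "RDP", "*", "3389", "Allow")]
# After: RDP allowed only from the AzureBastionSubnet (10.0.1.0/26).
AFTER = [(300, "AllowRDPFromBastion", "10.0.1.0/26", "3389", "Allow"),
         (310, "DenyRDPFromInternet", "Internet", "3389", "Deny")]
```

Running evaluate_inbound over both rule sets shows RDP from the constructed Internet address allowed before and denied after, while the Bastion subnet keeps access.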
So, how can the virtual machine now be accessed?
This access has now been secured: the virtual machine is reached through Bastion from the Azure portal, without leaving it exposed to the Internet, and its administration is available only to users who have been granted access to the portal with the roles required for it:
Since the public IP assigned to the machine is no longer needed to reach its administration, we delete it and avoid an unnecessary cost:
In this way, access has been secured with Bastion. Once Bastion is deployed, every virtual machine in any subnet of the vnet where Bastion lives can make use of the service.
In addition, all vnets peered with the Bastion vnet can also make use of the service.
Finally, the same approach is valid for securing SSH access.