Setup secured HTTPS connection for Azure VMs using Azure Bastion


1 - Introduction :

In today's digital world, security has become a top priority. This is particularly true when it comes to managing and maintaining virtual machines (VMs) in the cloud. This article, entitled "Setting up a secure HTTPS connection for Azure VMs using Azure Bastion", will guide you through the steps required to establish a secure HTTPS connection for your Azure VMs. We'll explore how Azure Bastion, a fully managed PaaS service that provides secure and transparent access to your Azure VMs, can be used to achieve this goal.

2 - What is Azure Bastion?

Azure Bastion is a PaaS service that provides secure RDP/SSH connectivity to Azure virtual machines without exposing them to the public Internet. Azure Bastion is deployed in a virtual network and supports virtual network peering: it manages RDP/SSH connectivity to virtual machines created in the local virtual network or in a peered virtual network.

3 - Why Azure Bastion :

In normal use of a VM on Azure, we create a public IP address, open RDP port 3389 or SSH port 22 in the NSG, and finally connect to the VM, as shown in the following image:

This method is not secure because it exposes the machine directly to the Internet, making it easy to compromise.

Azure Bastion offers a secure and stable HTTPS connection to VMs on Azure, as shown in the figure below:

In the previous figure, taken from Microsoft's documentation, you can see that the connection to the Bastion goes through the Azure portal. Today I'm going to show you another, more practical and more secure technique: creating a Shareable link. (I know there is another way of connecting to the VM, via the Native Client, but I'll talk about that another time.)


4 - Azure Bastion advantages :

  1. Increased security : Azure Bastion provides a secure connection to your virtual machines, enabling you to access them without having to expose them to the public Internet.
  2. Improved efficiency : With Azure Bastion, you can access RDP and SSH sessions directly in the Azure portal via a seamless, one-click experience.
  3. Cost savings : Azure Bastion can help companies save money by reducing the need for hardware and VPN infrastructure.
  4. Protection against zero-day attacks : Using a Bastion host can help mitigate threats such as port scanning and other types of malware targeting your virtual machines.
  5. Simplicity of deployment : Azure Bastion provides an integrated platform alternative to manual deployment and management of standby servers to protect your virtual machines.
  6. Flexible connectivity : This service lets you connect anywhere, on any device or platform, without an additional agent running on your virtual machines.

These benefits make Azure Bastion an attractive choice for organizations looking to improve the security and efficiency of their IT operations.


5 - Bastion SKUs :

The following table summarizes the various SKU (Stock Keeping Unit) options for Azure Bastion, a service that provides secure and transparent RDP and SSH access to virtual machines.

Here's a summary of the key information:

  • VM connectivity : All SKUs enable connection to VMs in the same virtual network, but connectivity to VMs in peered virtual networks starts with the Basic SKU.
  • AAD authentication : Azure Active Directory authentication is available from the Basic SKU upward.
  • AKV private keys : Access to Linux VM private keys in Azure Key Vault is available from the Basic SKU upward.
  • Additional features : Features such as host scaling, file upload and download, and Shareable link are only available with the Standard and Premium SKUs.

In the following image I've highlighted the "Shareable link", as I believe this feature is crucial for enterprises.

The "Shareable link" in Azure Bastion is a feature that allows users to connect to a target resource (virtual machine or group of identical virtual machines) using Azure Bastion without having to access the Azure portal. This feature is very important for businesses looking to facilitate access to resources and secure access at the same time.

Here are some key points on how to use it:

  • When a user without Azure credentials clicks on a shareable link, a web page opens and invites the user to connect to the target resource via RDP or SSH.
  • Users authenticate using a username and password or a private key, depending on what you've configured for the target resource.
  • The shareable link does not contain any credentials. The administrator must provide the user with login credentials.
  • By default, users in your organization have only read access to shareable links. A user with read access can use and view shareable links, but cannot create or delete them.

This feature offers greater flexibility and ease of use for administrators and users alike.

Here is the direct link to Microsoft's up-to-date SKU comparison :

https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku


6 - Azure Bastion prices and benefits :

  1. Secure, transparent RDP and SSH access to your virtual machines.
  2. No public IP exposure on the virtual machine.
  3. VM public IP can be removed after Bastion creation.
  4. Helps limit threats such as port scanning and other types of malware targeting your virtual machines.
  5. Uses a modern HTML5-based web client and standard SSL ports. This makes firewalls and other security rules very easy to manage.
  6. Fixed service fee. This is the price charged per hour for deploying the service. For example, in Eastern Canada, this cost is approximately US$0.19 per hour for Basic.
  7. Outgoing data transfer charges. These are charges based on total outgoing data transfer. They are then divided into several categories according to total consumption.


Monthly price for Basic SKU :

Monthly price for Standard SKU :

You can check current prices directly in the Azure Pricing Calculator from this link : Pricing Calculator | Microsoft Azure


7 - Mindmap to configure Azure Bastion :

Here are the steps to follow to set up Azure Bastion :


8 - Configuring Azure Bastion :

In this example, I'm going to create an Azure Bastion with the Standard SKU, for enterprise use cases.

Before creating and configuring our Bastion, we need to create a dedicated subnet for it in the same VNet as our VM.


To do this, start by :

  • Logging into your Azure portal, going to the resource group that contains the VM you want to share, then selecting your VNet.

Once you have accessed your VNET :

  1. Go to "Subnets"
  2. Select "+ Subnet" to add a new subnet.
  3. Select "Azure Bastion" as the subnet type in the Subnet Purpose list.
  4. Select "Add"

The new subnet will appear in the Subnets section. We will use it to deploy our Bastion, because the Bastion must be in the same VNet as the VM but in its own dedicated subnet (AzureBastionSubnet).

Now we're going to start creating and configuring our Bastion :

  • Start by typing "bastion" in the Azure search bar, then select Bastion as shown in the following picture.

Select "Create" to start configuration :

On "Basic" Section start with :

1 - Choose the resource group that contains the VM you want to share

2 - Give your Bastion a name, a region and an availability zone

3 - Choose the Bastion tier (Developer SKU, Basic SKU, Standard SKU, Premium SKU). Here we'll be working with the Standard tier, as it lets us generate a link that we can share with the company's employees to connect through the Bastion.

4 - Choose the number of instances for your Bastion depending on your company's needs (each instance can handle 20 simultaneous RDP connections and 40 simultaneous SSH connections for average workloads). (more info here)

5 - Choose the VNet your Bastion will connect to (AzureBastionSubnet will be selected automatically).

6 - Select "Next: Advanced"

On the "Advanced" section, make sure these options are checked :

  • Copy and paste
  • Shareable link

Then select "Review + Create"

Deployment can take 20 minutes.

Click "Go to resource" to open the new Bastion's page in Azure.

Once you are in the window of our newly created bastion :

  1. Go to "Shareable link"
  2. Select "+ Add" to add a new "Shareable link"
  3. Select your "Subscription"
  4. Select your "Resource Group"
  5. Select the VM you want to share through "Shareable link"
  6. Select "Apply".

Here is the link, which can be copied and shared with every employee of the company :

By entering the copied link in the browser, here is the authentication page to access your VM :

After authentication :
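The same configuration as section 8, expressed as Azure CLI calls rather than portal clicks, as an added example that is not part of the original article. The resource names, region and address prefix are placeholders to replace with your own. The `check_bastion_subnet` helper is my own and encodes two Bastion requirements that the portal enforces silently: the subnet must be named exactly AzureBastionSubnet and its prefix must be /26 or larger. The `--enable-shareable-link` flag of `az network bastion create` and the `az network bastion shareable-link` subcommands are as I know them from current azure-cli; confirm them with `--help` on your version before running.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): section 8 as Azure CLI calls.
# All names, the region and the address prefix below are placeholders.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-placeholder}"      # group holding the VM and its VNet
VNET_NAME="${VNET_NAME:-vnet-placeholder}"
LOCATION="${LOCATION:-canadaeast}"
BASTION_NAME="${BASTION_NAME:-bastion-placeholder}"
BASTION_PIP="${BASTION_PIP:-${BASTION_NAME}-pip}"        # Bastion needs its own public IP
BASTION_PREFIX="${BASTION_PREFIX:-10.0.255.0/26}"        # must be /26 or larger
TARGET_VM="${TARGET_VM:-vm-placeholder}"                 # VM to expose through the shareable link

# Pure check (no Azure access needed): the Bastion subnet must be named exactly
# "AzureBastionSubnet" and have a prefix length of 26 or less (/26, /25, ...).
# Returns 0 when both hold, 1 otherwise.
check_bastion_subnet() {
    name="$1"; prefix="$2"
    [ "$name" = "AzureBastionSubnet" ] || return 1
    case "$prefix" in */*) ;; *) return 1 ;; esac         # needs CIDR notation
    bits="${prefix##*/}"
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac         # prefix length must be numeric
    [ "$bits" -le 26 ]
}

deploy_bastion_standard() {
    check_bastion_subnet AzureBastionSubnet "$BASTION_PREFIX" \
        || { echo "refusing to deploy: bad Bastion subnet prefix $BASTION_PREFIX" >&2; return 1; }

    # 1. Dedicated subnet in the VM's VNet (the portal's "Azure Bastion" subnet purpose).
    az network vnet subnet create \
        --resource-group "$RESOURCE_GROUP" --vnet-name "$VNET_NAME" \
        --name AzureBastionSubnet --address-prefixes "$BASTION_PREFIX"

    # 2. A Standard-SKU static public IP for the Bastion host itself; the VM's
    #    own public IP is never reused and is removed in section 9.
    az network public-ip create \
        --resource-group "$RESOURCE_GROUP" --name "$BASTION_PIP" \
        --location "$LOCATION" --sku Standard --allocation-method Static

    # 3. Standard tier with the shareable-link feature turned on (the "Advanced"
    #    tab options). Copy/paste is on unless --disable-copy-paste is given.
    az network bastion create \
        --resource-group "$RESOURCE_GROUP" --name "$BASTION_NAME" \
        --location "$LOCATION" --vnet-name "$VNET_NAME" \
        --public-ip-address "$BASTION_PIP" --sku Standard \
        --scale-units 2 --enable-shareable-link true

    # 4. The "+ Add" step: create a shareable link for the target VM and list it.
    vm_id=$(az vm show --resource-group "$RESOURCE_GROUP" --name "$TARGET_VM" --query id -o tsv)
    az network bastion shareable-link create \
        --resource-group "$RESOURCE_GROUP" --bastion-name "$BASTION_NAME" \
        --target-resource-id "$vm_id"
    az network bastion shareable-link list \
        --resource-group "$RESOURCE_GROUP" --bastion-name "$BASTION_NAME" -o table
}

# Deploy only when explicitly requested, so the file can also be sourced for the check alone.
if [ "${DEPLOY_BASTION:-0}" = "1" ]; then
    deploy_bastion_standard
fi
```

Run it as `DEPLOY_BASTION=1 RESOURCE_GROUP=... VNET_NAME=... TARGET_VM=... sh bastion.sh` after `az login`. The link printed by the last command is what you hand to employees; as the article notes, it carries no credentials, so the VM's username/password or SSH key still has to reach them separately.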

9 - Deleting VM Public IP Address :

After creating the Bastion, you no longer need the public IP address of your VM, and you should delete it; otherwise your VM remains exposed on the Internet without any protection.

You can't delete a public IP address directly in Azure while it is still attached: you need to dissociate it before deleting it.

  • Start by going to VM1
  • In the right-hand menu, look for "Network settings", then click on the Public IP address as follows :

  • Click on "Dissociate" then choose YES.

  • Click on "Delete" then choose YES.

  • Go back to the "Network settings" menu, and you'll notice that the Public IP address no longer exists.
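Section 9 as Azure CLI calls, plus a check that section 3 motivates: once the public IP is gone, make sure no NSG rule still allows RDP (3389) or SSH (22) from the Internet, since such a rule is what made the original setup exposed. This is an added example, not the article's own material. The resource group, VM, NIC, IP-configuration, public IP and NSG names are placeholders; `--remove PublicIpAddress` is the dissociation form documented for `az network nic ip-config update`; and `exposes_mgmt_port` is my own helper that only reads a rule's single `destinationPortRange` (rules that use the multi-valued `destinationPortRanges` are not inspected).

```shell
#!/usr/bin/env sh
# Added example (not from the original article): section 9 via Azure CLI, plus a
# scan for leftover NSG rules that still allow RDP/SSH from the Internet.
# All resource names below are placeholders.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-placeholder}"
VM_NAME="${VM_NAME:-VM1}"
NIC_NAME="${NIC_NAME:-VM1-nic-placeholder}"
IPCONFIG_NAME="${IPCONFIG_NAME:-ipconfig1}"          # portal default name for the NIC's ipconfig
VM_PIP_NAME="${VM_PIP_NAME:-VM1-ip-placeholder}"     # the VM's public IP to dissociate and delete
NSG_NAME="${NSG_NAME:-VM1-nsg-placeholder}"

# Pure helper: does an inbound Allow rule expose a management port (22 or 3389)
# to the whole Internet?  Args: source address prefix, destination port range,
# both as reported by `az network nsg rule list`.  Returns 0 when exposed.
exposes_mgmt_port() {
    src="$1"; port="$2"
    case "$src" in '*'|Internet|0.0.0.0/0) ;; *) return 1 ;; esac   # any-source only
    case "$port" in '*'|22|3389) return 0 ;; esac                  # exact match or all ports
    case "$port" in
        *-*)                                                       # range such as 3000-4000
            lo="${port%-*}"; hi="${port#*-}"
            case "$lo$hi" in *[!0-9]*) return 1 ;; esac
            [ "$lo" -le 22 ] && [ "$hi" -ge 22 ] && return 0
            [ "$lo" -le 3389 ] && [ "$hi" -ge 3389 ] && return 0
            ;;
    esac
    return 1
}

# The portal's Dissociate -> Delete steps.  Azure refuses to delete an attached IP,
# hence the ip-config update first.
detach_and_delete_vm_public_ip() {
    az network nic ip-config update \
        --resource-group "$RESOURCE_GROUP" --nic-name "$NIC_NAME" \
        --name "$IPCONFIG_NAME" --remove PublicIpAddress
    az network public-ip delete --resource-group "$RESOURCE_GROUP" --name "$VM_PIP_NAME"
    # Confirmation equivalent to re-opening "Network settings": no public address listed.
    az vm list-ip-addresses --resource-group "$RESOURCE_GROUP" --name "$VM_NAME" -o table
}

# Report inbound Allow rules that still open 22/3389 to the Internet, with the
# command to remove each one (printed, not executed).
find_exposed_mgmt_rules() {
    az network nsg rule list --resource-group "$RESOURCE_GROUP" --nsg-name "$NSG_NAME" \
        --query "[?direction=='Inbound' && access=='Allow'].[name, sourceAddressPrefix, destinationPortRange]" \
        -o tsv |
    while IFS="$(printf '\t')" read -r rule src port; do
        if exposes_mgmt_port "$src" "$port"; then
            echo "EXPOSED: rule '$rule' allows port $port from $src"
            echo "  remove with: az network nsg rule delete -g $RESOURCE_GROUP --nsg-name $NSG_NAME -n $rule"
        fi
    done
}

# Run the cleanup only when explicitly requested.
if [ "${RUN_CLEANUP:-0}" = "1" ]; then
    detach_and_delete_vm_public_ip
    find_exposed_mgmt_rules
fi
```

Run with `RUN_CLEANUP=1 RESOURCE_GROUP=... NIC_NAME=... VM_PIP_NAME=... NSG_NAME=... sh cleanup.sh`. Once the Bastion is in place, the only inbound path the VM needs is from the AzureBastionSubnet, so any remaining rule that the scan flags is a leftover from the old direct-access setup.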

10 - Conclusion :

In conclusion, setting up a secure HTTPS connection for Azure VMs using Azure Bastion is an essential step in ensuring the security of your cloud resources. Not only does it enhance the security of your data, it also improves the management and maintenance of your VMs. With the detailed steps provided in this article, you should be able to successfully set up such a connection for your Azure VMs. Remember, in the cloud world, security isn't an option, it's a necessity.



Thanks


Aymen EL JAZIRI

System Administrator
