What is Azure Bastion?
Jeremy Wallace
Microsoft MVP | MCT | Microsoft Azure Certified Solutions Architect Expert | Principal Cloud Architect | Helping you to understand the Microsoft Cloud! | Deepen your knowledge - Follow me!
Azure Bastion is a fully managed Platform as a Service (PaaS) from Microsoft, designed to provide secure and seamless Remote Desktop Protocol (RDP) and Secure Shell (SSH) connectivity to your virtual machines (VMs) directly over Transport Layer Security (TLS).
Key Benefits of Azure Bastion
Azure Bastion offers a number of benefits that improve both security and usability.
1. RDP and SSH through the Azure portal: Azure Bastion enables you to use RDP and SSH sessions directly in the Azure portal, providing a single-click seamless experience.
2. Remote session over TLS and firewall traversal for RDP/SSH: Azure Bastion uses an HTML5-based web client that is streamed to your local device automatically. Your RDP/SSH session runs over TLS on port 443, which allows the traffic to traverse firewalls more securely. Bastion supports TLS 1.2; older TLS versions are not supported.
3. No Public IP address required on the Azure VM: Azure Bastion opens the RDP/SSH connection to your Azure VM using the private IP address on your VM. Hence, a public IP address on your virtual machine is not necessary.
4. No hassle of managing Network Security Groups (NSGs): You don't need to apply any NSGs to the Azure Bastion subnet. As Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This eliminates the hassle of managing NSGs each time you need to securely connect to your virtual machines.
5. Protection against port scanning: Your VMs are protected against port scanning by rogue and malicious users as you don't need to expose the VMs to the internet.
6. Hardening in one place only: Azure Bastion sits at the perimeter of your virtual network, so hardening each of the VMs in your virtual network is not necessary.
7. Protection against zero-day exploits: The Azure platform protects against zero-day exploits by keeping the Azure Bastion hardened and always up to date for you.
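Benefits 4 and 5 above depend on how NSG inbound rules are evaluated. The following Python model is an added example, not code from the article or from Microsoft: it uses a constructed address plan (10.0.0.0/16 for the VNet, 10.0.1.0/26 for AzureBastionSubnet), simplifies the Internet service tag to "anything outside the VNet", and contrasts the familiar open-admin-port rule with a rule set that admits RDP/SSH only from the Bastion subnet.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption): one VNet with Bastion in its own /26.
VNET = ipaddress.ip_network("10.0.0.0/16")
BASTION_SUBNET = ipaddress.ip_network("10.0.1.0/26")   # AzureBastionSubnet

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number wins; the first matching rule decides
    access: str        # "Allow" or "Deny"
    source: str        # CIDR, or a service tag: "*", "Internet", "VirtualNetwork"
    ports: frozenset   # destination ports, or {"*"} for any

# Two of Azure's built-in default inbound rules (real names and priorities;
# AllowAzureLoadBalancerInBound is omitted because it is irrelevant to RDP/SSH here).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", frozenset({"*"})),
    Rule("DenyAllInBound", 65500, "Deny", "*", frozenset({"*"})),
]

def source_matches(source: str, src_ip: ipaddress.IPv4Address) -> bool:
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return src_ip in VNET
    if source == "Internet":
        return src_ip not in VNET          # simplified: anything outside the VNet
    return src_ip in ipaddress.ip_network(source)

def effective_access(rules: list, src_ip: str, port: int) -> str:
    """Evaluate inbound rules the way an NSG does: ascending priority, first match wins."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if source_matches(rule.source, ip) and ("*" in rule.ports or port in rule.ports):
            return rule.access
    return "Deny"

ADMIN_PORTS = frozenset({22, 3389})
# Weak: the familiar "open RDP/SSH to the world" rule on the workload subnet.
WEAK = [Rule("AllowAdminFromAnywhere", 100, "Allow", "*", ADMIN_PORTS)]
# Hardened: admin ports only from AzureBastionSubnet; the explicit Deny also blocks
# other VNet hosts, which the default AllowVnetInBound would otherwise let through.
HARDENED = [
    Rule("AllowAdminFromBastion", 100, "Allow", str(BASTION_SUBNET), ADMIN_PORTS),
    Rule("DenyAdminFromAnywhereElse", 110, "Deny", "*", ADMIN_PORTS),
]
```

Call `effective_access(HARDENED, "10.0.2.5", 22)` to see that without the explicit Deny at priority 110, the built-in AllowVnetInBound rule would still admit RDP/SSH from any other host in the VNet.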
SKUs
Azure Bastion offers multiple SKU tiers whose features range from connecting to target VMs in the same virtual network to support for concurrent connections, access to Linux VM private keys in Azure Key Vault (AKV), host scaling, and more. The SKUs are the Developer SKU, the Basic SKU, and the Standard SKU.
The Developer SKU provides basic functionality, including connecting to Linux and Windows VMs in the same virtual network using SSH and RDP, respectively. The Basic and Standard SKUs offer additional features, including connectivity to VMs in peered virtual networks, support for concurrent connections, and access to Linux VM private keys in AKV. The Standard SKU further expands on this with features such as connecting to Windows VMs using SSH, specifying a custom inbound port, host scaling, file upload/download, and more.
Architecture
Azure Bastion is deployed to a virtual network and supports virtual network peering, managing RDP/SSH connectivity to VMs created in the local or peered virtual networks.
RDP and SSH are among the fundamental means of connecting to workloads running in Azure. Exposing RDP/SSH ports to the Internet is undesirable and is regarded as a significant threat surface, often because of vulnerabilities in those protocols. To contain this threat surface, you can deploy bastion hosts (also known as jump servers) on the public side of your perimeter network. Bastion host servers are designed and configured to withstand attacks, and they provide RDP and SSH connectivity to the workloads behind the bastion and further inside the network.
Currently, by default, new Bastion deployments don't support zone redundancies. Previously deployed bastions might, or might not, be zone-redundant. The exceptions are Bastion deployments in Korea Central and Southeast Asia, which do support zone redundancies.
Host Scaling
Azure Bastion supports manual host scaling. You can configure the number of host instances (scale units) to manage the number of concurrent RDP/SSH connections that Azure Bastion can support. Increasing the number of host instances lets Azure Bastion manage more concurrent sessions. Decreasing the number of instances decreases the number of concurrent supported sessions. Azure Bastion supports up to 50 host instances. This feature is available for the Azure Bastion Standard SKU only.
Azure Bastion and Azure Private DNS Zones
Azure Bastion can be used with Azure Private DNS Zones as long as the selected zone name does not overlap with the names of certain internal endpoints that Azure Bastion must reach to connect to target resources. Ensure that the host virtual network is not linked to a private DNS zone named management.azure.com, blob.core.windows.net, core.windows.net, vaultcore.windows.net, vault.azure.net, or azure.com. Azure Bastion is currently not supported with Azure Private DNS Zones in national clouds.
Azure Bastion and Virtual WAN
Azure Bastion can be used for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub is not supported. You can deploy Azure Bastion in a spoke VNet and use the IP-based connection feature to connect to virtual machines deployed across a different VNet via the Virtual WAN hub. If the Azure Virtual WAN hub will be integrated with Azure Firewall as a Secured Virtual Hub, the default 0.0.0.0/0 route must not be overwritten.
Closer Look at Azure Bastion Developer SKU
For those seeking a lightweight, cost-effective solution for secure VM connectivity, Azure's Bastion Developer SKU is an excellent choice. This SKU is tailor-made for Dev/Test users who require secure access to their VMs without the need for additional features or scaling capabilities.
About the Developer SKU
The Developer SKU is a new, lower-cost, lightweight SKU. This SKU is ideal for Dev/Test users who want to securely connect to their VMs if they don't need additional features or scaling. With the Developer SKU, you can connect to one Azure VM at a time directly through the virtual machine connect page.
When you deploy Bastion using the Developer SKU, the deployment requirements are different than when you deploy using other SKUs. Typically when you create a bastion host, a host is deployed to the AzureBastionSubnet in your virtual network. The Bastion host is dedicated for your use. When using the Developer SKU, a bastion host isn't deployed to your virtual network and you don't need an AzureBastionSubnet. However, the Developer SKU bastion host isn't a dedicated resource and is, instead, part of a shared pool.
Because the Developer SKU bastion resource isn't dedicated, the features for the Developer SKU are limited. You can always upgrade the Developer SKU to a higher SKU if you need more features.
Availability
As of the time of writing, the Developer SKU (Preview) is available in the following regions:
Note that VNet peering isn't currently supported for the Developer SKU.
Deploying Bastion Developer SKU
Deploying Bastion Developer SKU is straightforward and can be done directly through the Azure portal. Once deployed, you can connect to your VM via the portal using RDP/SSH connectivity and the VM's private IP address. If your VM has a public IP address that you don't need for anything else, you can remove it.
Removing VM Public IP Address
When you connect to a VM by using Azure Bastion, you don't need a public IP address for your VM. If you aren't using the public IP address for anything else, you can dissociate it from your VM. This is a simple process that can be done through the Azure portal.
In summary, Azure Bastion's Developer SKU is a cost-effective, lightweight solution for Dev/Test users who require secure connectivity to their VMs. With its easy deployment process and limited feature set, it's an ideal choice for users who don't require additional features or scaling capabilities.
Azure Bastion Frequently Asked Questions (FAQs)
1. Which browsers are supported?
Azure Bastion supports any browser that supports HTML5, such as Microsoft Edge or Google Chrome on Windows. For Apple Mac, use the Google Chrome browser. Microsoft Edge Chromium is also supported on both Windows and Mac.
2. How does pricing work?
Azure Bastion pricing is a combination of hourly pricing based on SKU and instances (scale units), plus data transfer rates. Hourly pricing starts from the moment Bastion is deployed, regardless of outbound data usage. For the latest pricing information, see the Azure Bastion pricing page.
3. Is IPv6 supported?
At this time, IPv6 isn't supported. Azure Bastion supports IPv4 only. This means that you can only assign an IPv4 public IP address to your Bastion resource, and that you can use your Bastion to connect to IPv4 target VMs. You can also use your Bastion to connect to dual-stack target VMs, but you'll only be able to send and receive IPv4 traffic via Azure Bastion.
4. Where does Azure Bastion store customer data?
Azure Bastion doesn't move or store customer data out of the region it's deployed in.
5. Can I have an Azure Bastion subnet of size /27 or smaller (/28, /29, etc.)?
For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work. However, we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of host scaling in the future.
6. Can I deploy multiple Azure resources in my Azure Bastion subnet?
No. The Azure Bastion subnet (AzureBastionSubnet) is reserved only for the deployment of your Azure Bastion resource.
7. Is user-defined routing (UDR) supported on an Azure Bastion subnet?
No. UDR isn't supported on an Azure Bastion subnet.
8. Does Bastion support connectivity to Azure Virtual Desktop?
No, Bastion connectivity to Azure Virtual Desktop isn't supported.
9. How do I handle deployment failures?
Review any error messages and raise a support request in the Azure portal as needed. Deployment failures may result from Azure subscription limits, quotas, and constraints. Specifically, customers may encounter a limit on the number of public IP addresses allowed per subscription that causes the Azure Bastion deployment to fail.
10. Does Bastion support zone redundancies?
Currently, by default, new Bastion deployments don't support zone redundancies. Previously deployed bastions may or may not be zone-redundant. The exceptions are Bastion deployments in Korea Central and Southeast Asia, which do support zone redundancies.
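The Private DNS Zones section and FAQs 5 and 6 above give two prerequisites a host VNet must meet before a Basic or Standard SKU deployment: an IPv4 subnet named AzureBastionSubnet of /26 or larger, and no linked private DNS zone that overlaps the listed names. The following Python check is an added example, not code from the article or from Microsoft; it assumes the deployment is after 2 November 2021, and its treatment of parent zones (such as windows.net) as conflicting is an assumption that goes beyond the article's literal list.

```python
import ipaddress

# Private DNS zone names the article says must not be linked to Bastion's host VNet.
RESERVED_DNS_NAMES = (
    "management.azure.com", "blob.core.windows.net", "core.windows.net",
    "vaultcore.windows.net", "vault.azure.net", "azure.com",
)
BASTION_SUBNET_NAME = "AzureBastionSubnet"
MAX_PREFIX_LEN = 26   # /26 or larger (/25, /24 ...) for deployments after 2 Nov 2021

def dns_zone_conflicts(zone: str) -> bool:
    """True if linking this private zone would shadow a name Bastion depends on.
    A zone conflicts when it equals a reserved name or is an ancestor of one
    (e.g. "windows.net"). A child zone such as "privatelink.blob.core.windows.net"
    leaves its parent's other names resolving publicly, so it is not flagged.
    (The ancestor rule is an assumption beyond the article's literal list.)"""
    z = zone.lower().rstrip(".")
    return any(r == z or r.endswith("." + z) for r in RESERVED_DNS_NAMES)

def check_bastion_prerequisites(subnets: dict, linked_zones: list) -> list:
    """Return findings for a host VNet; an empty list means the subnet and DNS
    prerequisites for a Basic/Standard SKU deployment are met.
    subnets: {subnet_name: cidr}; linked_zones: private DNS zones linked to the VNet."""
    findings = []
    cidr = subnets.get(BASTION_SUBNET_NAME)
    if cidr is None:
        findings.append(f"missing subnet named {BASTION_SUBNET_NAME}")
    else:
        net = ipaddress.ip_network(cidr)
        if net.version != 4:   # Bastion is IPv4 only (FAQ 3)
            findings.append(f"{BASTION_SUBNET_NAME} must be IPv4 (got {cidr})")
        elif net.prefixlen > MAX_PREFIX_LEN:
            findings.append(f"{BASTION_SUBNET_NAME} is /{net.prefixlen}; needs /{MAX_PREFIX_LEN} or larger")
    for zone in linked_zones:
        if dns_zone_conflicts(zone):
            findings.append(f"private DNS zone {zone} overlaps a name Bastion needs")
    return findings

# Constructed sample: a /27 left over from a pre-2021 design, plus a hub VNet
# linked to a harmless privatelink child zone and to a conflicting parent zone.
SAMPLE_SUBNETS = {"AzureBastionSubnet": "10.0.1.0/27", "workload": "10.0.2.0/24"}
SAMPLE_ZONES = ["privatelink.blob.core.windows.net", "core.windows.net"]

if __name__ == "__main__":
    for finding in check_bastion_prerequisites(SAMPLE_SUBNETS, SAMPLE_ZONES):
        print("FINDING:", finding)
```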
The Wrap Up
Azure Bastion is an innovative service that enhances your cloud network's security by providing a secure and seamless way to connect to your virtual machines. By leveraging Azure Bastion, businesses can ensure they are safeguarding their sensitive data while still allowing for efficient access to resources. By understanding how Azure Bastion works and the benefits it offers, you can make informed decisions on how to best utilize this service within your own cloud infrastructure.
Microsoft Certified Enterprise Administrator Expert | Senior Infrastructure Engineer
1 year
Azure Bastion serves as a valuable solution for enhancing security and providing seamless connectivity to virtual machines in Azure. The key benefits outlined, such as one-click RDP and SSH access through the Azure portal, secure sessions over TLS, elimination of the need for public IP addresses on Azure VMs, simplified Network Security Group (NSG) management, and protection against port scanning, highlight Azure Bastion's focus on security and ease of use. The fact that it protects against zero-day exploits and centralizes hardening at the perimeter of the virtual network adds an extra layer of security. Very comprehensive and well written article Jeremy Wallace!
SecOps practitioner, Principal Platform Architect and Microsoft MVP
1 year
Can't wait until the Developer SKU supports VNET peers!