One of the basic rules of thumb for securing any service is to restrict access. Traditionally, people would use jump servers to ensure that the actual production/application server's network is part of a secured zone and can only be reached from specific servers, based on the configured routing.

Microsoft Azure provides the Azure Bastion service, which is designed to serve a similar purpose. RDP and SSH are the fundamental means by which you connect to your workloads running in Azure. Exposing RDP/SSH ports to the Internet is undesirable and is seen as a significant threat surface. As a best practice, you should not enable a public IP on any virtual machine. But that means you have to set up a VPN to allow RDP or SSH from your local machine. Alternatively, we could set up a jump server in the same network, but that defeats the whole purpose because hackers would still have a way to penetrate your network.

Setting up a VPN isn't always feasible: you might not have the required permissions or resources to set up a VPN tunnel. In that case we can use the Azure Bastion service to access a server that doesn't have a public IP assigned. Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access over RDP/SSH. To contain this threat surface, you can deploy bastion hosts. Bastion hosts are designed and configured to withstand attacks, and they provide RDP and SSH connectivity to the workloads sitting behind the bastion, as well as further inside the network.

Architecture

Azure Bastion is deployed to a virtual network and supports virtual network peering. Specifically, Azure Bastion manages RDP/SSH connectivity to VMs created in the local or peered virtual networks.

Azure Bastion supports manual host scaling. You can configure the number of host instances (scale units) in order to manage the number of concurrent RDP/SSH connections that Azure Bastion can support. Increasing the number of host instances lets Azure Bastion manage more concurrent sessions. Decreasing the number of instances decreases the number of concurrent supported sessions. Azure Bastion supports up to 50 host instances. This feature is available for the Azure Bastion Standard SKU only.

Diagram showing the Azure Bastion architecture.

This figure shows the architecture of an Azure Bastion deployment. In this diagram:

  • The Bastion host is deployed in the virtual network that contains the AzureBastionSubnet subnet, which must have a prefix of /26 or larger.
  • The user connects to the Azure portal using any browser.
  • The user selects the virtual machine to connect to.
  • With a single click, the RDP/SSH session opens in the browser.
  • No public IP is required on the Azure VM.
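As an added example that is not part of the original article, here is a small Python audit of a virtual network description against the model in the list above: it checks the AzureBastionSubnet name and its /26 minimum, the Standard-SKU-only scaling limit of 50 host instances, that no VM carries a public IP, and that inbound RDP/SSH rules admit only the Bastion subnet. The input layout and sample values are constructed for illustration and are not Azure's API format.

```python
import ipaddress

BASTION_SUBNET = "AzureBastionSubnet"  # required subnet name
MAX_PREFIX_LEN = 26                     # /26 or larger; a /27 is too small
MAX_SCALE_UNITS = 50                    # host instance ceiling (Standard SKU)
MGMT_PORTS = {"22", "3389"}             # SSH and RDP

def _source_within(src, bastion_net):
    """True only if an inbound source is a CIDR contained in the Bastion subnet."""
    try:
        return ipaddress.ip_network(src, strict=False).subnet_of(bastion_net)
    except ValueError:  # "*", "Internet", service tags: not a CIDR, so not contained
        return False

def audit_bastion_vnet(cfg):
    """Return a list of findings; an empty list means the layout matches the model."""
    findings = []
    sub = cfg["bastion_subnet"]
    net = ipaddress.ip_network(sub["prefix"], strict=False)
    if sub["name"] != BASTION_SUBNET:
        findings.append(f"bastion subnet is named {sub['name']}, must be {BASTION_SUBNET}")
    if net.prefixlen > MAX_PREFIX_LEN:
        findings.append(f"{sub['prefix']} is too small, a /{MAX_PREFIX_LEN} or larger is required")
    units = cfg.get("scale_units")  # only meaningful when manual scaling is configured
    if units is not None:
        if cfg["sku"] != "Standard":
            findings.append("manual host scaling requires the Standard SKU")
        if units > MAX_SCALE_UNITS:
            findings.append(f"{units} host instances exceeds the {MAX_SCALE_UNITS} maximum")
    for vm in cfg["vms"]:
        if vm.get("public_ip"):
            findings.append(f"{vm['name']} has public IP {vm['public_ip']}; reach it via Bastion instead")
        for rule in vm.get("inbound_rules", []):
            # a rule for "*" (any port) exposes RDP/SSH just as an explicit 22/3389 rule does
            if (rule["port"] == "*" or rule["port"] in MGMT_PORTS) and not _source_within(rule["source"], net):
                findings.append(f"{vm['name']}: port {rule['port']} reachable from {rule['source']}, not only from {net}")
    return findings

SAMPLE = {  # constructed sample, not exported from a real subscription
    "sku": "Standard", "scale_units": 4,
    "bastion_subnet": {"name": "AzureBastionSubnet", "prefix": "10.0.1.0/26"},
    "vms": [{"name": "app-01", "public_ip": None,
             "inbound_rules": [{"port": "22", "source": "10.0.1.0/26"}]},
            {"name": "legacy-01", "public_ip": "203.0.113.5",
             "inbound_rules": [{"port": "3389", "source": "*"}]}],
}

if __name__ == "__main__":
    for finding in audit_bastion_vnet(SAMPLE):
        print("FINDING:", finding)
```

Running it on SAMPLE reports two findings, both against legacy-01 (its public IP and its RDP rule open to any source), while app-01 passes.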