Azure: Bastion Service Introduction

-

Azure Bastion is a fully managed PaaS service enabling SSH and RDP access to your Virtual Network (Jump-Server/Bastion Host) resources through Azure Portal. In this article, we will discuss how can we configure Azure Bastion service to enable secure SSH or RDP access to our Virtual Network resources without needing an IaaS VM with a public IP exposed to the internet. The service at the writing of this post is in preview mode.

Below is the sample architecture diagram of using Azure Bastion service. As you could have noticed, Azure Bastion service enables connection to the Virtual Machines in the Virtual Network over SSL, port 443, directly from Azure portal.


The public preview of the service is limited to the following Azure Public regions.

  • West US
  • East US
  • West Europe
  • South Central US
  • Australia East
  • Japan East

Though no particular reason I will be deploying my resources in the South Central US region. Now let’s explore how to configure Azure Bastion Service.
The process of deploying Bastion Service is straightforward. The Azure portal provides an option to select an existing virtual network or allow us to create a new Virtual Network for deploying the Bastion Service.
For deploying Bastion Service log in to the Azure portal. As the service is in public preview you will need to access the special link provided below to access the service.
Now click Create a Resource and in the Azure Market place search box type in Bastion and click enter. Click on the Bastion (Preview) service published by Microsoft.

If you try to create the Bastion service using https://www.portal.azure.com you will not be able to find this service, at least until the Microsoft make the service Generally Available. 
Provide a name for the instance that will run Bastion Host. Select the region. 
The next step is to provide a Virtual network. Here I will be creating an entirely new Virtual network. 

The Bastion service requires Subnet within the Virtual Network with a name ‘Azure Bastion Subnet’ with a prefix of at least /27.

Click OK. Review and Create and initialize the deployment by clicking Create.
The deployment took around 4 mins to complete and parallelly I have initiated deployment of an Ubuntu VM with no public IP address into the same virtual network.
Now for connecting to the VM, go to the VM resource you want to connect and click Connect.
An extra tab will be available with the option of Bastion. Provide the username and authentication details and click Connect.

And the connection is successfully established.

Comments

Post a Comment

Popular posts from this blog

Check SQL Server Database Status

-
Image
It's been a month since my last post. Today I am posting a function that can be used to check the status of MS SQL Server databases. At the current moment, I am not sure about the limitations on where this script works like which versions of Windows OS or supported MS SQL Server versions. I have been using the script on my laptop where I have installed Windows 10 OS and SQL Server 2014 Developer Edition. SQL Server Developer edition can be downloaded from here . There are multiple methods to connect to a SQL Server instance from Powershell. I found this very useful article on sqlshack . The script in this post makes use of the SQLPS module. <# . Synopsis Check database status on MS SQL Server instances. . DESCRIPTION Check the database status on one or a list of MS SQL Server instances. . Parameter ServerInstance Provide the server instance to connect to in case of a named instance servername\instancename. . EXAMPLE Get-DBStatus -Serv
Read more

PowerShell and Azure Resource Graph

-
Image
Introduction On today’s post, I want to discuss a service introduced on the Microsoft Azure platform fairly recently, Azure Resource Graph . Azure Resource Graph service enables the administrators to explore resources in large scale deployment with relative ease across multiple subscriptions and management groups. Azure Resource Graph queries provide the following capabilities. Ability to query resources with complex filtering, grouping, and sorting by resource properties. Ability to iteratively explore resources based on governance requirements and convert the resulting expression into a policy definition. Ability to assess the impact of applying policies in a vast cloud environment. Ability to detail changes made to resource properties (preview). Azure Resource Graph service was announced during 2018’s Microsoft Ignite Conference. The service coupled with cross-platform PowerShell Az module enables the administrators to discover resources much faster compared to
Read more

Static Code Analysis: Some Tools

-
Image
Security for applications is extremely important. While there are various considerations for securing the application, in this post, we will be concentrating on the code vulnerability scanning.     In a traditional approach, security audits were carried out in the final stages of development, with dedicated security audit teams and manual checks. It takes a long time to complete the security scans and audits and when vulnerabilities are identified at these final stages even longer to fix it.   The best way to do security audits in the DevOps world is to shift left and make the audits part of the build process, so the team is instantly aware of the application's security posture and the vulnerabilities are mitigated much earlier in the development cycle.   The first step in the journey to better code quality is to use source code analyzers such as  FxCopAnalyzers  that analyze the code for code style, quality, and maintainability, etc and provide metrics
Read more