Azure: Bastion Service Introduction

Azure Bastion is a fully managed PaaS service enabling SSH and RDP access to your Virtual Network (Jump-Server/Bastion Host) resources through Azure Portal. In this article, we will discuss how can we configure Azure Bastion service to enable secure SSH or RDP access to our Virtual Network resources without needing an IaaS VM with a public IP exposed to the internet. The service at the writing of this post is in preview mode.

Below is the sample architecture diagram of using Azure Bastion service. As you could have noticed, Azure Bastion service enables connection to the Virtual Machines in the Virtual Network over SSL, port 443, directly from Azure portal.

The public preview of the service is limited to the following Azure Public regions.

  • West US
  • East US
  • West Europe
  • South Central US
  • Australia East
  • Japan East

Though no particular reason I will be deploying my resources in the South Central US region. Now let’s explore how to configure Azure Bastion Service.
The process of deploying Bastion Service is straightforward. The Azure portal provides an option to select an existing virtual network or allow us to create a new Virtual Network for deploying the Bastion Service.
For deploying Bastion Service log in to the Azure portal. As the service is in public preview you will need to access the special link provided below to access the service.
Now click Create a Resource and in the Azure Market place search box type in Bastion and click enter. Click on the Bastion (Preview) service published by Microsoft.

If you try to create the Bastion service using you will not be able to find this service, at least until the Microsoft make the service Generally Available. 
Provide a name for the instance that will run Bastion Host. Select the region. 
The next step is to provide a Virtual network. Here I will be creating an entirely new Virtual network. 

The Bastion service requires Subnet within the Virtual Network with a name ‘Azure Bastion Subnet’ with a prefix of at least /27.

Click OK. Review and Create and initialize the deployment by clicking Create.
The deployment took around 4 mins to complete and parallelly I have initiated deployment of an Ubuntu VM with no public IP address into the same virtual network.
Now for connecting to the VM, go to the VM resource you want to connect and click Connect.
An extra tab will be available with the option of Bastion. Provide the username and authentication details and click Connect.

And the connection is successfully established.


Popular posts from this blog

Check SQL Server Database Status

PowerShell and Azure Resource Graph

Static Code Analysis: Some Tools