ITOps Talk Blog

Connect to your on-prem server from anywhere!

Pierre_Roman (Microsoft)
Jul 05, 2022

Hello Folks,

 

A few weeks ago, I wrote about upgrading my local network edge device to one that can connect to my Azure virtual network over a site-to-site VPN. I also mentioned that I would cover the other services and capabilities that this site-to-site VPN configuration enables for hybrid work and management.

This week I'm covering the ability to connect to your on-premises (non-Azure) and Azure virtual machines over RDP and SSH through Azure Bastion, reaching them by a private IP address that you specify, across an ExpressRoute circuit or a site-to-site VPN connection.

 

Over the years I have seen and heard many IT pros struggle to find a way to deploy and maintain a VPN infrastructure that lets them reach the servers in their remote environments easily and cheaply, without having to set up routing and remote access roles or port forwarding, and without having to manage VPN clients on their PCs.

Exposing the RDP port (3389/TCP) to the internet is not the shortcut to take; it is a really bad idea. As the Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks report puts it,

 

“Computers with Windows Remote Desktop Protocol (RDP) exposed to the internet are an attractive target for adversaries because they present a simple and effective way to gain access to a network. Brute forcing RDP, a secure network communications protocol that provides remote access over port 3389, does not require a high level of expertise or the use of exploits; attackers can utilize many off-the-shelf tools to scan the internet for potential victims and leverage similar such tools for conducting the brute force attack.”

Azure Bastion is a managed service that you deploy into a virtual network to connect to virtual machines through your browser and the Azure portal. It provides RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS on port 443, so the virtual machines need no public IP address, no agent and no special client software, and their RDP/SSH ports are never exposed to the internet.

Before you can take advantage of this feature, verify that you have the following environment set up:

  • A VNet with Bastion already deployed.
    • Make sure that you have deployed Bastion to the virtual network. Once the Bastion service is provisioned and deployed in your virtual network, you can use it to connect to any VM in any virtual network that is reachable from Bastion (for example, through the site-to-site VPN gateway).
    • To deploy Bastion, see Quickstart: Deploy Bastion with default settings.
  • A virtual machine in any reachable virtual network. This is the virtual machine to which you'll connect.

Now you need to configure the Bastion host.

  1. In the Azure portal, go to your Bastion deployment.
  2. IP-based connection requires the Standard SKU tier. On the Configuration page, check the Tier setting. If it is set to the Basic SKU, select Standard from the dropdown.
  3. To enable IP-based connection, select the IP based connection checkbox.

Once you have completed the changes, click Apply.

 

That's it. You can now connect to any VM that is reachable from your virtual network, including any VM running in a network connected by site-to-site VPN. The target still has to accept RDP (3389) or SSH (22) from the AzureBastionSubnet address range, so make sure NSGs and on-premises firewalls allow that traffic from that prefix.

PLEASE NOTE:

On your edge device, you may have to add a route to your AzureBastionSubnet. The session to an on-premises VM is sourced from an address in that subnet, and the replies have to find their way back into the tunnel. On my own edge device (a Ubiquiti Dream Machine Pro) I had to manually add the AzureBastionSubnet address space to my configuration.

If you do not add the route, you may end up with the error "the network connection to the Bastion Host appears unstable." when trying to establish the RDP connection.

When connecting to the VM, you need to provide an IP address; fully qualified domain names are not supported.
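As an added example (not part of the original post), here is a small offline pre-flight check that turns the two notes above, plus the Standard SKU and IP-based connection requirement from the configuration steps, into something you can run before opening the portal. It models the Azure side from the Bastion resource (a dict shaped like the ARM resource or `az network bastion show` output: `sku.name`, `enableIpConnect`) and the local network gateway address space, and the on-premises side from the edge device's route table, then reports every reason a session to a given private IP would fail: wrong SKU, feature disabled, an FQDN instead of an IP, a target outside the prefixes Azure will forward to, and no route back to AzureBastionSubnet through the tunnel. The sample resource dicts, the route table and the `vti-azure` next-hop label are constructed for this example; the addresses mirror the ones in the comment thread below.

```python
"""Offline pre-flight check for an Azure Bastion IP-based connection to a VM
behind a site-to-site VPN. Standard library only; the sample data at the
bottom is constructed for this example, not read from real resources."""
from ipaddress import ip_address, ip_network

BASTION_SUBNET_NAME = "AzureBastionSubnet"  # Azure requires exactly this subnet name


def check_bastion_resource(bastion):
    """Problems with a bastionHosts resource. `bastion` is a dict shaped like the
    ARM resource / `az network bastion show` output (sku.name, enableIpConnect)."""
    problems = []
    if bastion.get("sku", {}).get("name") != "Standard":
        problems.append("IP-based connection requires the Standard SKU")
    if not bastion.get("enableIpConnect", False):
        problems.append("IP-based connection is not enabled on the Bastion host")
    return problems


def parse_target(target):
    """IP-based connection takes an IP literal; an FQDN is rejected up front."""
    try:
        return ip_address(target)
    except ValueError:
        raise ValueError(f"{target!r} is not an IP address; FQDNs are not supported") from None


def longest_match(dst, routes):
    """Longest-prefix match over (prefix, next_hop) pairs, as an edge router does."""
    best = None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def preflight(target, bastion, vnet_subnets, lng_address_space, edge_routes, tunnel_hop):
    """Every reason a Bastion RDP/SSH session to `target` would not get through.

    vnet_subnets:      {subnet name: prefix} for the VNet that hosts Bastion
    lng_address_space: prefixes on the Azure local network gateway (the on-prem side)
    edge_routes:       (prefix, next_hop) pairs from the on-prem edge device
    tunnel_hop:        the next_hop value that means "into the S2S tunnel"
    """
    problems = check_bastion_resource(bastion)
    ip = parse_target(target)
    bastion_net = ip_network(vnet_subnets[BASTION_SUBNET_NAME])

    # Azure -> on-prem: the VPN gateway only forwards to prefixes in the LNG address space.
    if not any(ip in ip_network(p) for p in lng_address_space):
        problems.append(f"{ip} is outside the local network gateway address space {lng_address_space}")

    # on-prem -> Azure: the session is sourced from an address in AzureBastionSubnet,
    # so the edge device needs a route for that prefix back into the tunnel.
    # Any address in the subnet works for the lookup; .4 is the first one Azure hands out.
    match = longest_match(bastion_net.network_address + 4, edge_routes)
    if match is None or match[1] != tunnel_hop:
        have = "no route" if match is None else f"only {match[0]} via {match[1]}"
        problems.append(f"edge device has {have} for {bastion_net}; add {bastion_net} via {tunnel_hop}")
    return problems


# Constructed sample data; the addresses mirror the comment thread on this post.
BASTION_STANDARD = {"sku": {"name": "Standard"}, "enableIpConnect": True}
BASTION_BASIC = {"sku": {"name": "Basic"}, "enableIpConnect": False}
VNET_SUBNETS = {"FrontEnd": "10.1.0.0/24", "GatewaySubnet": "10.1.255.0/27",
                "AzureBastionSubnet": "10.1.1.0/26"}
LNG_ADDRESS_SPACE = ["10.10.1.0/25"]
# Edge device before the fix: only the Azure FrontEnd subnet was routed into the
# tunnel, so replies to Bastion fall through to the default route.
EDGE_ROUTES_BEFORE = [("0.0.0.0/0", "wan0"), ("10.10.1.0/25", "lan0"), ("10.1.0.0/24", "vti-azure")]
EDGE_ROUTES_AFTER = EDGE_ROUTES_BEFORE + [("10.1.1.0/26", "vti-azure")]

if __name__ == "__main__":
    for label, routes in (("before", EDGE_ROUTES_BEFORE), ("after", EDGE_ROUTES_AFTER)):
        found = preflight("10.10.1.28", BASTION_STANDARD, VNET_SUBNETS,
                          LNG_ADDRESS_SPACE, routes, "vti-azure")
        print(f"{label}: {found or 'OK'}")
```

The route lookup is a longest-prefix match, so a single route for the whole VNet address space (10.1.0.0/16 in the sample) into the tunnel satisfies the check just as well as a specific AzureBastionSubnet route; what it catches is the common case where only the VM subnet was added to the edge device when the tunnel was first configured. It does not see firewall policy, so a clean result still leaves NSGs and on-premises firewall rules for 3389/22 to verify.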

Now I can securely connect to all my servers, from anywhere, using a simple browser and the Azure portal.

Try it out!

P.S. Please leave feedback in the comments below. It really helps make the product better.

 

Cheers!

 

Pierre

  • Joni_sf8 (Copper Contributor):

    klettcafe I missed the notification! I didn't use a Virtual Appliance or user-defined routes. Sorry.

  • klettcafe (Copper Contributor):

    How do you achieve this using a Virtual Appliance for S2S VPN? It seems like you can't associate user-defined routes with AzureBastionSubnet?

  • Joni_sf8 (Copper Contributor):

    I have managed to resolve it, as we found out that the Fortinet firewall needed an inter-domain routing entry that was not specified.

     

    To help others the setup in Azure Stack HCI was the following:

     

    Virtual Network in "West Europe"

    Address Space 10.1.0.0/16

    Subnets FrontEnd 10.1.0.0/24; GatewaySubnet 10.1.255.0/27; AzureBastionSubnet 10.1.1.0/26

     

    Virtual Network Gateway

    SKU: VpnGw2

    GatewaySubnet 10.1.255.0/27

    VPN Type: Route-based

    No BGP enabled

     

    Local Network Gateway

    The virtual networks in Azure Stack HCI have the 10.10.1.0/25 address space, and it is added to the local network gateway.

    If there are challenges it's probably the firewall configuration rather than the Azure configuration.

     

    Address Space 10.10.1.0/25; 10.10.1.148/32

     

    Connections

    The SITE-TO-SITE VPN is configured and up and running using an IPsec connection with a shared key (PSK).

     

    The Virtual Network defined in the HCI is only 10.10.1.0/25 but not the 10.10.1.148.

  • Joni_sf8 (Copper Contributor):

    Thank you Pierre_Roman 

     

    1 - The connection troubleshooter shows a failure on the first hop for 10.10.1.28 inside the network of 10.10.1.0/25. I was trying to load a screenshot but I am not sure why 🙂 The result is Status  Unreachable

     
    Source virtual machine

    Name                     IP address   Status   Next hop IP addr
    bastion-s2svpn-xxx       10.1.1.4     NOK      5.x
    Vpngw-s2svpn-xxx         5.x          OK       8.x
    Local Network Gateway    8.x          OK       10.10.1.28
    Destination              10.10.1.28   OK
     

     

    2 and 3 - I am triple checking if there's anything blocking the 10.10.1.0/25 and not the 10.10.1.148.

     

    4 - I have no NSGs configured for the VNET that has been created in the Azure Stack HCI and I do not think I can create one as I can only allocate NSGs to regions, right ?

     

    Thank you so much for your answer

    joni_sf8

     

     

  • Pierre_Roman: Joni_sf8, I have not tried this with Azure Stack HCI, but here are a few questions...

     

    1 - Did you run the "Connection Troubleshoot" in the Bastion resource to see where the connection fails?

    2 - Did you check with the edge device? Mine (Ubiquiti DM Pro) needed to have the Bastion subnet address space added to its routing table. (Edge devices tend to behave differently from each other.)

    3 - Are your firewalls set up to allow traffic over RDP?

    4 - Are your NSGs configured to allow RDP?

  • Joni_sf8 (Copper Contributor):

    Pierre_Roman, did you ever try to do this with Azure Stack HCI?

     

    I am struggling to access the on-premises VMs that are connected to networks defined as Virtual Networks in Azure Stack HCI. Did you ever test this solution with HCI?

     

    The configuration is the following without exposing public IPs:

     

    Virtual Network in "West Europe"

    Address Space 10.1.0.0/16

    Subnets FrontEnd 10.1.0.0/24; GatewaySubnet 10.1.255.0/27; AzureBastionSubnet 10.1.1.0/26

     

    Virtual Network Gateway

    SKU: VpnGw2

    GatewaySubnet 10.1.255.0/27

    VPN Type: Route-based

    No BGP enabled

     

    Local Network Gateway

    Address Space 10.10.1.0/25; 10.10.1.148/32

     

    Connections

    The SITE-TO-SITE VPN is configured and up and running using an IPsec connection with a shared key (PSK).

     

    The Virtual Network defined in the HCI is only 10.10.1.0/25 but not the 10.10.1.148.

    The VM is created with the IP 10.10.1.28 and does not have any other interface, nor is it connected to any other subnet except 10.10.1.0/25. This VM is not reachable from the Bastion in Azure, but the 10.10.1.148 VM is reachable. I have tried configuring the address space 10.10.1.28/32 and I still cannot reach it.

     

    What should I do? Is there anything wrong with such a configuration?

     

    Thank you

    Joni_sf8