Forum Discussion
Only allow SSH/RDP traffic from Azure Bastion
- Dec 21, 2020
I just found the solution to my own question. The solution was quite obvious by the way...
When deploying Azure Bastion, you create a subnet called "AzureBastionSubnet". The IP address range that's associated with this subnet can easily be configured in a security rule that allows incoming traffic on ports 22 and 3389.
In the example below I created a security rule with priority 900 called "AllowManagementPortsAzureBastionInbound". This rule ensures that incoming traffic on ports 22 and 3389 is allowed when it comes from the Azure Bastion subnet.
The second security rule, with priority 1000, called "DenyAllManagementPortsInbound", blocks all traffic on ports 22 and 3389. This rule will only be triggered if the source is any location other than the Azure Bastion subnet.
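The two rules above only work because an NSG evaluates rules in ascending priority order and stops at the first match. The following added example (it is not code from the post or from Azure) models that evaluation over the post's two rules plus a simplified copy of Azure's default inbound rules, so you can see why the explicit Deny at priority 1000 matters: without it, the default AllowVnetInBound rule at 65000 would still let any other subnet in the VNet reach port 22 or 3389. The VNet range 10.0.0.0/16, the AzureBastionSubnet range 10.0.1.0/27, and the sample source addresses are constructed assumptions; the Azure CLI commands in the comments are the equivalent way to create the post's two rules.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed address plan (assumption, not from the post):
VNET_CIDR = "10.0.0.0/16"        # stands in for the "VirtualNetwork" service tag
BASTION_SUBNET = "10.0.1.0/27"   # the AzureBastionSubnet address range

# Equivalent Azure CLI for the post's two rules (resource group / NSG names are placeholders):
# az network nsg rule create -g <rg> --nsg-name <nsg> -n AllowManagementPortsAzureBastionInbound \
#   --priority 900 --direction Inbound --access Allow --protocol Tcp \
#   --source-address-prefixes 10.0.1.0/27 --destination-port-ranges 22 3389
# az network nsg rule create -g <rg> --nsg-name <nsg> -n DenyAllManagementPortsInbound \
#   --priority 1000 --direction Inbound --access Deny --protocol Tcp \
#   --source-address-prefixes '*' --destination-port-ranges 22 3389


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                 # lower number is evaluated first
    access: str                   # "Allow" or "Deny"
    source: str                   # CIDR or "*" (any source)
    dest_ports: tuple = field(default_factory=tuple)  # () means any port
    protocol: str = "Tcp"


def _source_matches(src_ip: str, source: str) -> bool:
    if source == "*":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)


def _port_matches(port: int, dest_ports: tuple) -> bool:
    if not dest_ports:
        return True
    for p in dest_ports:
        lo, hi = p if isinstance(p, tuple) else (p, p)  # (lo, hi) ranges or single ports
        if lo <= port <= hi:
            return True
    return False


# The post's custom rules, followed by a simplified model of Azure's default inbound rules
# (AzureLoadBalancer tag omitted; VirtualNetwork tag approximated by VNET_CIDR).
POST_RULES = [
    Rule("AllowManagementPortsAzureBastionInbound", 900, "Allow", BASTION_SUBNET, (22, 3389)),
    Rule("DenyAllManagementPortsInbound", 1000, "Deny", "*", (22, 3389)),
]
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", VNET_CIDR, (), protocol="*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", (), protocol="*"),
]


def evaluate(src_ip: str, dest_port: int, rules=None, protocol: str = "Tcp"):
    """Return (access, rule_name) for the first rule that matches, in ascending priority order."""
    rules = POST_RULES + DEFAULT_RULES if rules is None else rules
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in (protocol, "*"):
            continue
        if _source_matches(src_ip, rule.source) and _port_matches(dest_port, rule.dest_ports):
            return rule.access, rule.name
    return "Deny", "<no rule matched>"


def without_explicit_deny():
    """Same rule set minus DenyAllManagementPortsInbound, to show what the default rules alone do."""
    return [r for r in POST_RULES if r.name != "DenyAllManagementPortsInbound"] + DEFAULT_RULES


if __name__ == "__main__":
    # Constructed sample flows: Bastion host, an Internet client, and a VM in another VNet subnet.
    for src, port in [("10.0.1.5", 22), ("203.0.113.10", 3389), ("10.0.2.7", 22), ("10.0.2.7", 443)]:
        print(f"{src:>14} -> tcp/{port:<5} {evaluate(src, port)}")
    print("other subnet, port 22, deny rule removed:", evaluate("10.0.2.7", 22, without_explicit_deny()))
```

The last line of the demo is the one to pay attention to: with only the Allow rule at 900 in place, SSH from another subnet falls through to AllowVnetInBound and is permitted, which is exactly the gap the post's second rule closes.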