cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Only allow SSH/RDP traffic from Azure Bastion

Richard Waal
Copper Contributor

‎Dec 21 2020 04:57 AM

‎Dec 21 2020 04:57 AM

Only allow SSH/RDP traffic from Azure Bastion

Hi all, 

 

I'm trying to create NSG security rules that allow RDP/SSH traffic from Azure Bastion, but denies traffic on these ports for any other source. The only way people should be able to RDP/SSH into machines is by means of Bastion.

 

There doesn't seem to be a service tag for Azure Bastion. So I'm struggling to find a way to get the result we want. 

 

Any ideas would be highly appreciated. Thanks in advance!

2,521 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by Richard Waal (Copper Contributor)
Richard Waal

‎Dec 21 2020 06:11 AM - edited ‎Dec 21 2020 06:19 AM

‎Dec 21 2020 06:11 AM - edited ‎Dec 21 2020 06:19 AM

Solution

Re: Only allow SSH/RDP traffic from Azure Bastion

I just found the solution to my own question. The solution was quite obvious by the way...

 

When deploying Azure Bastion, you create a subnet called "AzureBastionSubnet". The IP address range that's associated with this subnet can easily be configured in a security rule that allows incoming traffic on ports 22 and 3389.

 

In the example below I created a security rule with priority 900 called "AllowManagementPortsAzureBastionInbound". This rule ensures that incoming traffic on ports 22 and 3389 are allowed coming from the Azure Bastion subnet.

 

The second security rule, with priority 1000 called "DenyAllManagementPortsInbound", blocks all traffic on ports 22 and 3389. This rule will only be triggered if the source is from any other location, other than the Azure Bastion subnet. 

 

2020-12-21_15-08-55.png

1 Like
Reply
Gil Blumberg

‎Jul 09 2021 04:15 AM

‎Jul 09 2021 04:15 AM

Re: Only allow SSH/RDP traffic from Azure Bastion

@Richard Waal 

Occured to me that you don't actually need that explicit deny.

By virtue of setting the allowed source IP address(s), any attempt to connect on port 22 or 3389 NOT from 10.20.10/27 will be dropped anyway.

 

On the other hand, if you want to drop anything else other than 22,3389, then you could a policy such as that.

 

Give it a try :)

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Richard Waal (Copper Contributor)
Richard Waal

‎Dec 21 2020 06:11 AM - edited ‎Dec 21 2020 06:19 AM

‎Dec 21 2020 06:11 AM - edited ‎Dec 21 2020 06:19 AM

Solution

Re: Only allow SSH/RDP traffic from Azure Bastion

I just found the solution to my own question. The solution was quite obvious by the way...

 

When deploying Azure Bastion, you create a subnet called "AzureBastionSubnet". The IP address range that's associated with this subnet can easily be configured in a security rule that allows incoming traffic on ports 22 and 3389.

 

In the example below I created a security rule with priority 900 called "AllowManagementPortsAzureBastionInbound". This rule ensures that incoming traffic on ports 22 and 3389 are allowed coming from the Azure Bastion subnet.

 

The second security rule, with priority 1000 called "DenyAllManagementPortsInbound", blocks all traffic on ports 22 and 3389. This rule will only be triggered if the source is from any other location, other than the Azure Bastion subnet. 

 

2020-12-21_15-08-55.png

View solution in original post

1 Like
Reply