Securing developer machines with Azure Bastion and DevTest Labs

Introduction

Recently I have seen multiple enterprise customers struggling with the same issue: how to give developers the right tools and connectivity to do their development work against Azure resources. Luckily, most Azure services are reachable over HTTPS, which in most cases is already allowed, so a request to allow the URLs in the web proxy should be sufficient.

But what about non-HTTPS connections like RDP, SSH, SQL, Redis, etc.? Most of the time, non-HTTPS outbound traffic is blocked by the corporate firewall. When you initiate the same connection from another location (outside the corporate network, or from your mobile phone) these connections work without any issue, assuming of course that the IP ACLs and Service Endpoints on the Azure resources are correctly configured to accept traffic from that location.

I have seen this very specific issue, how to allow TCP/1433 to an Azure SQL Database, generate friction and frustration for the developers, reopening the traditional discussions between the digital teams and the infrastructure teams.

I considered several options to solve this problem, but each of them had pros and cons:

  • TCP/1433 over Internet:
    • Pro: Easiest solution
    • Con:
      • Security teams have refused this every time.
  • Query Editor in the Portal:
    • Pro: Integrated in the Portal
    • Con:
      • Reduced feature set compared to SSMS
      • Traffic is also initiated on port 1433

[Image: QueryEditor_Conn.png]

  • Go for Managed Instances
    • Pro:
      • Azure SQL available on private IP address, no hassle with outbound connectivity
    • Con:
      • High consumption costs
  • Microsoft Peering on the ExpressRoute
    • Pro:
      • No outbound connectivity
    • Con:
      • Challenging to get this properly configured (Express Route, ISP, Route Filters, BGP announcements, etc.)

Azure Bastion in combination with DevTest Labs

With the announcement of the preview of Microsoft Azure Bastion, it is possible to create a seamless RDP or SSH session over HTTPS (TCP/443). As you can see, there is no real solution for traffic other than RDP and SSH, but we can use the Bastion host as an intermediary to reach the Azure SQL Database from a developer virtual machine running in Azure.

The first feedback from customers is that there is again an IaaS component (the DevTest Labs VM) present, which I can fully understand, but for now there is no alternative for giving a developer a full SSMS console other than hosting it on a VM. Managing golden images like they used to is not something they plan on when adopting PaaS services. I'm convinced Azure DevTest Labs is a good alternative:

  • Large list of available base images that can be customized with formulas (SKU, VNET, Private IP, etc.)
  • Artifacts can be used to install developer tools (Git, Visual Studio Code, SQL Server Management Studio, etc.)
  • Machine Auto-Start and Auto-Stop integrated (what is turned off is less vulnerable)

In combination with DevTest Labs, I have decided to configure a service endpoint on the subnet where the DevTest Lab VMs reside. In this way, only the machines running in this VNet will be able to access the Azure SQL Database. Another service endpoint can be created for other subnets that need access too.

Additionally, an NSG can be applied to the AzureBastionSubnet to limit access to the Bastion host. In my case, I limited it to the IP addresses of the customer's web proxy. This covers connections from on-premises clients, clients connecting from home over VPN, and any other traffic leaving through the corporate proxy.
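As an added example (not code from the original post), the script below expresses the two controls just described as Azure CLI commands: the Microsoft.Sql service endpoint plus a SQL server VNet rule for the DevTest Lab subnet, and an NSG on AzureBastionSubnet that only admits HTTPS from the corporate proxy addresses. Every resource name, region and IP address in it is an assumption (the proxy addresses come from the RFC 5737 documentation range); the GatewayManager, AzureLoadBalancer, VirtualNetwork and AzureCloud rules are not from the post but are the rules the Azure Bastion documentation requires for the service itself. By default the script prints the commands for review; it only executes them when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the original post. All names, the region and the
# proxy addresses are assumptions; override them through the environment.

RG="${RG:-rg-devtest}"                        # resource group (assumed)
LOCATION="${LOCATION:-westeurope}"            # region (assumed)
VNET="${VNET:-vnet-devtest}"                  # VNet with lab + Bastion subnets (assumed)
LAB_SUBNET="${LAB_SUBNET:-snet-devtestlab}"   # subnet of the DevTest Lab VMs (assumed)
SQL_SERVER="${SQL_SERVER:-sql-devtest-01}"    # logical Azure SQL server (assumed)
NSG="${NSG:-nsg-bastion}"                     # NSG for AzureBastionSubnet (assumed)
BASTION="${BASTION:-bas-devtest}"             # Bastion host name (assumed)
BASTION_PIP="${BASTION_PIP:-pip-bastion}"     # Standard-SKU public IP (assumed)
# Egress addresses of the corporate web proxy (constructed, RFC 5737 range).
PROXY_IPS="${PROXY_IPS:-203.0.113.10/32 203.0.113.11/32}"

# Print the command (default) or execute it (APPLY=1).
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Dedicated Bastion subnet; the service requires this exact name.
bastion_subnet() {
  run az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name AzureBastionSubnet --address-prefixes 10.10.255.0/26
}

# NSG for AzureBastionSubnet. Rule 100 is the restriction from the post: only
# the proxy addresses may open the HTTPS session. Rules 110/120 and the
# outbound rules are what the Azure Bastion documentation requires for the
# service itself (control plane via the GatewayManager tag, health probes from
# AzureLoadBalancer, RDP/SSH towards lab VMs, Azure management endpoints on
# 443). Everything else inbound falls through to the default DenyAllInBound.
bastion_nsg() {
  run az network nsg create --resource-group "$RG" --name "$NSG" --location "$LOCATION"
  # $PROXY_IPS is deliberately unquoted so each prefix becomes its own argument.
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name allow-https-from-corp-proxy --priority 100 --direction Inbound \
    --access Allow --protocol Tcp --source-address-prefixes $PROXY_IPS \
    --destination-port-ranges 443
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name allow-gatewaymanager --priority 110 --direction Inbound \
    --access Allow --protocol Tcp --source-address-prefixes GatewayManager \
    --destination-port-ranges 443
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name allow-azure-lb-probe --priority 120 --direction Inbound \
    --access Allow --protocol Tcp --source-address-prefixes AzureLoadBalancer \
    --destination-port-ranges 443
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name allow-rdp-ssh-to-vnet --priority 100 --direction Outbound \
    --access Allow --protocol Tcp --destination-address-prefixes VirtualNetwork \
    --destination-port-ranges 22 3389
  run az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name allow-azurecloud-https --priority 110 --direction Outbound \
    --access Allow --protocol Tcp --destination-address-prefixes AzureCloud \
    --destination-port-ranges 443
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name AzureBastionSubnet --network-security-group "$NSG"
}

# The Bastion host on its subnet, fronted by a Standard public IP.
bastion_host() {
  run az network public-ip create --resource-group "$RG" --name "$BASTION_PIP" \
    --sku Standard --location "$LOCATION"
  run az network bastion create --resource-group "$RG" --name "$BASTION" \
    --vnet-name "$VNET" --public-ip-address "$BASTION_PIP" --location "$LOCATION"
}

# Lock the SQL server's public endpoint to the lab subnet: enable the
# Microsoft.Sql service endpoint there, then add a VNet rule referencing it.
# Connections from any other source are rejected by the server firewall.
sql_lock_to_lab_subnet() {
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$LAB_SUBNET" --service-endpoints Microsoft.Sql
  run az sql server vnet-rule create --resource-group "$RG" --server "$SQL_SERVER" \
    --name allow-devtestlab-subnet --vnet-name "$VNET" --subnet "$LAB_SUBNET"
}

main() { bastion_subnet; bastion_nsg; bastion_host; sql_lock_to_lab_subnet; }
main
```

Run it once without `APPLY` to read the generated commands, then with `APPLY=1` against a subscription where `az login` has been done. Afterwards `az network nsg rule list --resource-group rg-devtest --nsg-name nsg-bastion --include-default -o table` shows the effective inbound order: the proxy allow at 100, the two service tags, and then the default DenyAllInBound at 65500 that blocks every other source, including the Internet tag. Keeping the Bastion host reachable only from the proxy means a compromised home machine that is not on the VPN cannot even reach the logon page, which is the point of the restriction in the post.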

Setup:

[Image: clipboard_image_2.png]

I hope you find this solution helpful.