Aug 01 2019 04:41 AM - edited Aug 01 2019 04:48 AM
Azure Bastion is a relatively new Azure service that simplifies and improves remote connectivity: a more secure alternative to jump (stepping stone) servers for your Windows Virtual Desktop and infrastructure virtual machines on Microsoft Azure. Azure Bastion is completely web-based and runs over HTTPS (TLS on port 443). With a few configuration clicks, and most importantly without exposing any RDP (or SSH) ports to the public internet, you can reach your Windows Virtual Desktop virtual machines in Azure. Exposing those ports directly is exactly what Bastion lets you avoid: "From a security perspective this is the worst thing you can do, because once hackers are in, you've got access to almost everything!"
See below how it works from an architecture perspective…
Another way to reduce the exposure of your Windows Virtual Desktop environment to brute-force attacks, usable on its own or alongside Bastion, is to limit how long a management port is open and to restrict which source IP addresses may reach it (IP whitelisting). You can achieve this with Just-in-time VM Access, a feature of Azure Security Center that is also still fairly new. In a nutshell: Just-in-time (JIT) virtual machine (VM) access locks down inbound traffic to your Azure VMs, reducing exposure to attacks while still providing easy access to connect to VMs when needed.
Read more about it here:
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
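As an added example (not code from the original post or from Microsoft), the JIT approach above as an Az PowerShell script: it defines a policy that only allows RDP to be opened from one administrator address for at most one hour, then requests a 30-minute opening and lists the active requests. It assumes the Az.Accounts and Az.Security modules, an authenticated session (Connect-AzAccount), and placeholder resource group, VM, location and source IP values that you must replace.

```powershell
# Added example: Just-in-time VM Access for a WVD session host with Az PowerShell.
# Assumptions: Az.Accounts + Az.Security installed, Connect-AzAccount already run,
# and the names below are placeholders for your own resources.

$SubscriptionId = (Get-AzContext).Subscription.Id
$ResourceGroup  = "rg-wvd-prod"        # placeholder
$Location       = "westeurope"         # placeholder
$VmName         = "wvd-sh-01"          # placeholder session host
$AdminSourceIp  = "203.0.113.10"       # placeholder (documentation range); use your egress IP

$VmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$VmName"

# 1. The policy defines what a later access request MAY ask for; it opens nothing by itself.
#    Keep the allowed source narrow and the maximum duration short (ISO 8601, here 1 hour).
$JitPolicy = @{
    id    = $VmId
    ports = @(
        @{
            number                     = 3389
            protocol                   = "TCP"
            allowedSourceAddressPrefix = @($AdminSourceIp)
            maxRequestAccessDuration   = "PT1H"
        }
    )
}

Set-AzJitNetworkAccessPolicy -Kind "Basic" `
    -Location $Location `
    -Name "default" `
    -ResourceGroupName $ResourceGroup `
    -VirtualMachine @($JitPolicy)

# 2. Requesting access is what actually inserts the temporary NSG allow rule.
#    endTimeUtc must lie within maxRequestAccessDuration from now; Security Center
#    removes the rule again when it expires.
$PolicyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
            "/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"

$AccessRequest = @{
    id    = $VmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = (Get-Date).ToUniversalTime().AddMinutes(30).ToString("o")
            allowedSourceAddressPrefix = @($AdminSourceIp)
        }
    )
}

Start-AzJitNetworkAccessPolicy -ResourceId $PolicyId -VirtualMachine @($AccessRequest)

# 3. Verify: show the policy's currently active requests (who opened what, until when).
Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroup -Location $Location -Name "default" |
    Select-Object -ExpandProperty Requests
```

The important design point is the split between steps 1 and 2: the policy caps the blast radius (which ports, from which prefixes, for how long at most), while each request is a separate, audited, time-boxed event. A policy with `allowedSourceAddressPrefix = @("*")` and a long duration would defeat most of the benefit, so resist the temptation to widen it for convenience.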
This step is easier to do before you deploy the Azure Bastion instance. One network requirement is a dedicated subnet, used only for Azure Bastion traffic. You can either create a separate Azure Virtual Network and set up vNet peering between your networks, or add a separate subnet to your existing vNet in Azure. The latter is the example used in this article.
Note: the subnet must be named AzureBastionSubnet and should be at least a /27 (/27, /26, and so on) so the service has enough addresses to work with.
Open the Azure vNet you want to use.
Add a new subnet.
Name it exactly AzureBastionSubnet and create it without any Network Security Groups, route tables, or delegations.
Continue to the next step where we deploy the Bastion instance.
Because Azure Bastion is still in preview, you have to use the preview Azure Marketplace URL below to get access to the service. The expectation is that the service becomes generally available (GA) soon.
Click on the URL below.
Search for Bastion (preview) in the Azure Marketplace
Click on create
Enter the required information for the Bastion deployment in your Azure IaaS environment (name, resource group, region, and the vNet with its AzureBastionSubnet).
Assign (or create) a Public IP address for external access to your Bastion host. This is the only address your browser connects to, over HTTPS; the target VMs themselves need no public IP.
Note: Make sure to select the correct Azure vNet we created/modified earlier.
Click on the review+ create button
Click on the Create button to start the deployment
...
After a couple of minutes, the deployment is finished.
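The subnet and Bastion deployment steps above, scripted with Az PowerShell, as an added example that is not part of the original post or of Microsoft's documentation. After the deployment it also runs the check a practitioner wants once Bastion is in place: an audit of every NSG in the resource group for inbound allow rules that still expose RDP (3389) or SSH (22) to the internet. It assumes Az.Network with the Bastion cmdlets (New-AzBastion), an authenticated session, an existing vNet, and placeholder names and address ranges.

```powershell
# Added example: create AzureBastionSubnet, deploy Azure Bastion, then audit NSGs.
# Assumptions: Az.Accounts + Az.Network (with New-AzBastion) installed, Connect-AzAccount
# already run, the vNet already exists, and all names/prefixes below are placeholders.

$ResourceGroup = "rg-wvd-prod"       # placeholder
$Location      = "westeurope"        # placeholder
$VnetName      = "vnet-wvd"          # placeholder existing vNet
$BastionPrefix = "10.10.255.0/27"    # placeholder; must be /27 or larger and unused in the vNet

# 1. Dedicated subnet: the name AzureBastionSubnet is mandatory; no NSG, route table or delegation.
$Vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
if (-not ($Vnet.Subnets | Where-Object Name -eq "AzureBastionSubnet")) {
    Add-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -AddressPrefix $BastionPrefix `
        -VirtualNetwork $Vnet | Out-Null
    $Vnet = Set-AzVirtualNetwork -VirtualNetwork $Vnet
}

# 2. Public IP for the Bastion host: the only internet-facing address in this design.
#    Browsers reach it on 443; Bastion reaches the VMs on their private IPs.
$Pip = New-AzPublicIpAddress -ResourceGroupName $ResourceGroup -Name "pip-bastion" `
    -Location $Location -AllocationMethod Static -Sku Standard

# 3. Deploy Bastion into the subnet (takes several minutes).
$Bastion = New-AzBastion -ResourceGroupName $ResourceGroup -Name "bas-wvd" `
    -PublicIpAddress $Pip -VirtualNetwork $Vnet
"Bastion provisioning state: $($Bastion.ProvisioningState)"

# 4. Audit: with Bastion in place, no NSG rule should still allow 3389/22 from the internet.
function Test-PortMatch {
    # Does an NSG port spec ("*", "3389", "3000-4000") cover the given port?
    param([string]$Spec, [int]$Port)
    if ($Spec -eq "*") { return $true }
    if ($Spec -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ([int]$Spec -eq $Port)
}

function Find-ExposedAdminPorts {
    param([string]$ResourceGroupName)
    $AdminPorts = 3389, 22
    $AnySource  = "*", "Internet", "0.0.0.0/0"
    foreach ($Nsg in Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName) {
        foreach ($Rule in $Nsg.SecurityRules) {
            if ($Rule.Direction -ne "Inbound" -or $Rule.Access -ne "Allow") { continue }
            # In Az.Network these properties hold one or more values; @() normalises both cases.
            $Sources = @($Rule.SourceAddressPrefix)  | Where-Object { $_ }
            $Ports   = @($Rule.DestinationPortRange) | Where-Object { $_ }
            if (-not ($Sources | Where-Object { $AnySource -contains $_ })) { continue }
            foreach ($Port in $AdminPorts) {
                if ($Ports | Where-Object { Test-PortMatch -Spec $_ -Port $Port }) {
                    [pscustomobject]@{
                        Nsg      = $Nsg.Name
                        Rule     = $Rule.Name
                        Priority = $Rule.Priority
                        Port     = $Port
                        Source   = ($Sources -join ",")
                    }
                }
            }
        }
    }
}

$Exposed = Find-ExposedAdminPorts -ResourceGroupName $ResourceGroup
if ($Exposed) {
    $Exposed | Format-Table -AutoSize
    Write-Warning "These rules still expose RDP/SSH to the internet; Bastion does not need them. Remove them."
} else {
    "No NSG rule in $ResourceGroup allows RDP or SSH from the internet."
}
```

The audit deliberately treats a port range such as 3000-4000 and a wildcard source such as Internet as hits, because those are the rules that survive casual reviews. Run it again after any NSG change; Bastion only removes the need for exposed management ports, it does not remove rules that someone added earlier.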
The following steps are similar to setting up a normal Remote Desktop Connection to a virtual machine in Azure, except that instead of downloading an RDP file and opening it in MSTSC, we now use the Azure Bastion HTML5 session in the browser (clientless).
Open the Virtual Machine that you want to manage
Click on the Connect button
Choose the new option: BASTION
Enter the domain or local administrator credentials to get access to the VM
Click on Connect
There we go – I'm connected to my Windows 10 Multi-User master image inside Microsoft Azure via my Azure Bastion HTML5 (agentless) service!