Bastion Architecture

Introduction

Azure Bastion is a service that lets you connect to a virtual machine from your browser. Bastion provides secure RDP and SSH connectivity to all of the virtual machines in your workspace without exposing RDP or SSH ports to the outside world. In addition, Bastion does not require a public IP address on the VM, an agent, or any special client-side software in order to work. The Azure Bastion solution is therefore suitable for tenants that block RDP usage on-premises.


Key benefits of Bastion

  1. Bastion supports both RDP and SSH connections. A direct SSH terminal session to a Linux machine is possible via Bastion; there is no need to connect through a Windows VM first.
  2. Azure Bastion opens the RDP/SSH connection to your Azure VM using the private IP address of the VM.
  3. Secure traffic through firewalls: Bastion carries the RDP or SSH session over TLS on port 443.

Drawbacks of Bastion

  1. Scaling Bastion hosts is possible, but it is a manual action; each additional instance costs approximately €97.
    1. Bastion and Auto Scaling
  2. Extra costs, depending mainly on usage.
    1. See: anDREa / myDRE optional services
  3. Access via Bastion needs to be done in the Azure portal.
    1. The user will need to navigate to the Azure portal in order to connect to the VM via Bastion, using the "Manage and Monitor the selected VM" button.

Implementation

The Azure Bastion resource will be added to the tenant-specific shared subscription and will be available in all tenant-owned workspaces. In technical terms, the Bastion vnet will be peered to the workspace vnets of the tenant (see illustration below).


The user accesses the Azure Bastion resource via the Azure portal, by navigating to the specific VM in the portal and selecting the Bastion connection. In the background, the workspace vnets of the tenant are peered with the Bastion vnet, enabling the connection. A standard Azure Bastion resource offers two Bastion hosts, which can in theory maintain up to 40 RDP connections at once. For more connections, manual upscaling is possible. However, we do not yet know how Bastion will hold up in terms of performance and scaling.
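As an added example (not part of this article and not anDREa/myDRE deployment code), the following Bicep template shows the hub side of the design described above: a shared vnet holding the Bastion host, peered to one tenant workspace vnet, with the host count exposed as a parameter so that the manual upscaling mentioned earlier is a single value change. All names, address ranges and the workspace vnet id are assumed placeholders.

```bicep
// Added example (not anDREa/myDRE code): shared "hub" vnet with an Azure
// Bastion host, peered to one workspace vnet. All names and prefixes are
// placeholder assumptions.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param hubVnetName string = 'bastion-hub-vnet'
param hubAddressPrefix string = '10.250.0.0/24'
// 'AzureBastionSubnet' is a reserved subnet name and must be at least a /26.
param bastionSubnetPrefix string = '10.250.0.0/26'
// Resource id and name of the tenant workspace vnet (it may live in another
// subscription; peering works across subscriptions).
param workspaceVnetId string
param workspaceVnetName string
// Standard SKU: 2 scale units is the default (the "two Bastion hosts" above).
// Raising this is the manual upscaling step; each extra unit is billed.
@minValue(2)
@maxValue(50)
param scaleUnits int = 2

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: hubVnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [hubAddressPrefix] }
    subnets: [
      { name: 'AzureBastionSubnet', properties: { addressPrefix: bastionSubnetPrefix } }
    ]
  }
}

resource bastionSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' existing = {
  parent: hubVnet
  name: 'AzureBastionSubnet'
}

// The only public IP in the design belongs to Bastion itself; the workspace
// VMs keep private addresses and are reached over TLS on port 443.
resource bastionPip 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: '${hubVnetName}-bastion-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource bastion 'Microsoft.Network/bastionHosts@2023-04-01' = {
  name: '${hubVnetName}-bastion'
  location: location
  sku: { name: 'Standard' }
  properties: {
    scaleUnits: scaleUnits
    ipConfigurations: [
      {
        name: 'bastion-ipconfig'
        properties: {
          subnet: { id: bastionSubnet.id }
          publicIPAddress: { id: bastionPip.id }
        }
      }
    ]
  }
}

// Hub side of the vnet peering. The mirror peering (workspace -> hub) must be
// created in the workspace vnet's own resource group / subscription.
resource hubToWorkspace 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
  parent: hubVnet
  name: 'peer-to-${workspaceVnetName}'
  properties: {
    remoteVirtualNetwork: { id: workspaceVnetId }
    allowVirtualNetworkAccess: true   // Bastion must reach the VMs' private IPs
    allowForwardedTraffic: false      // the hub is not a transit network
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}

// Exported so the workspace-side NSG can restrict inbound RDP/SSH to this prefix.
output bastionSubnetPrefix string = bastionSubnetPrefix
```

The template deploys into the shared subscription's resource group. Two things belong on the workspace side and are deliberately not in this file: the reverse peering from the workspace vnet to the hub, and a network security group rule on the VM subnet that allows inbound 3389/22 only from the `bastionSubnetPrefix` output, so that no path other than Bastion reaches the VMs' private IPs.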

At the moment the myDRE portal does not offer a simple way to choose a Bastion connection; we are waiting for Microsoft to release this feature. The user will need to navigate to the Azure portal in order to connect to the VM via Bastion, using the "Manage and Monitor the selected VM" button.
