Introduction
Azure Bastion is a service that allows you to connect to a virtual machine from your browser. Bastion provides secure RDP and SSH connectivity to all of the virtual machines in your workspace without exposing RDP or SSH ports to the outside world. In addition, Bastion does not require a public IP address on the VM, an agent, or any special client software in order to work. The Azure Bastion solution is therefore suitable for tenants that block RDP usage on-premises.
Key benefits of Bastion
- Bastion supports both RDP and SSH connections. A direct SSH terminal session is possible via Bastion; there is no need to connect to the Linux machine through a Windows VM
- Azure Bastion opens the RDP/SSH connection to your Azure VM using the private IP address of your VM
- Secure traffic through firewalls - Bastion carries the RDP or SSH session over TLS on port 443
Drawbacks of Bastion
- Scaling Bastion hosts is possible, but it is a manual action; each additional instance costs approximately €97
- Bastion and Auto Scaling
- Extra costs, depending mainly on usage
- See: anDREa / myDRE optional services
- Access via Bastion needs to be done in Azure portal
- The user will need to navigate to the Azure portal in order to connect to the VM via Bastion, via the "Manage and Monitor the selected VM" button.
Implementation
The Azure Bastion resource will be added to the tenant-specific shared subscription and will be available in all tenant-owned workspaces. In technical terms, the Bastion vnet will be peered to the workspace vnets of the tenant (see illustration below).
The user is able to access the Azure Bastion resource via the Azure portal by navigating to the specific VM in the portal and selecting the Bastion connection. In the background, the workspace vnets of the tenant are peered with the Bastion vnet, enabling the connection.
A standard Azure Bastion resource offers two Bastion hosts, which can in theory maintain up to 40 RDP connections at once. For more connections, manual upscaling is possible. However, we do not yet know how Bastion will hold up in terms of performance and scaling.
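Because Bastion reaches the VM over its private IP through the peered vnet, no network security group on a workspace VM should still allow inbound RDP or SSH from the Internet. The following check is an added example, not part of this page or of the anDREa/myDRE tooling: it takes rules in the shape returned by `az network nsg rule list -o json` (the sample rules below are constructed and embedded inline) and flags any inbound Allow rule for ports 22/3389 whose source is neither the AzureBastionSubnet range (assumed here to be 10.250.0.0/26) nor the VirtualNetwork service tag.

```python
"""Flag NSG rules that expose RDP/SSH beyond the Bastion path. Added example; assumptions noted inline."""
import ipaddress
import json

# Assumption: address range of the AzureBastionSubnet in the peered Bastion vnet.
BASTION_SUBNET = ipaddress.ip_network("10.250.0.0/26")
ADMIN_PORTS = {22, 3389}  # SSH and RDP

# Constructed sample in the shape of `az network nsg rule list -o json` (only the fields used here).
SAMPLE_RULES = json.loads("""[
 {"name": "AllowBastionRDP", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "10.250.0.0/26", "destinationPortRange": "3389", "priority": 100},
 {"name": "AllowAnySSH", "direction": "Inbound", "access": "Allow", "protocol": "*",
  "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22"], "priority": 110},
 {"name": "AllowWideRange", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "*", "destinationPortRange": "3000-4000", "priority": 120},
 {"name": "DenyAllInbound", "direction": "Inbound", "access": "Deny", "protocol": "*",
  "sourceAddressPrefix": "*", "destinationPortRange": "*", "priority": 4096}
]""")


def _port_ranges(rule):
    """Yield (low, high) tuples for every destination port range in the rule."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for item in ranges:
        if item == "*":
            yield 0, 65535
        elif "-" in item:
            low, high = item.split("-", 1)
            yield int(low), int(high)
        else:
            yield int(item), int(item)


def _source_is_trusted(prefix):
    """Accept the VirtualNetwork tag (covers peered vnets) or any prefix inside the Bastion subnet."""
    if prefix == "VirtualNetwork":
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).subnet_of(BASTION_SUBNET)
    except ValueError:  # service tags such as "Internet" or the wildcard "*"
        return False


def find_exposed_admin_rules(rules):
    """Return the names of inbound Allow rules that open 22 or 3389 from an untrusted source."""
    hits = []
    for rule in rules:
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if _source_is_trusted(rule["sourceAddressPrefix"]):
            continue
        if any(low <= port <= high for port in ADMIN_PORTS for low, high in _port_ranges(rule)):
            hits.append(rule["name"])
    return hits


if __name__ == "__main__":
    print(find_exposed_admin_rules(SAMPLE_RULES))  # ['AllowAnySSH', 'AllowWideRange']
```

Rules that only match a wide port range (such as 3000-4000) are reported too, since 3389 falls inside them even though RDP is never named.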
At the moment the myDRE portal does not offer a simple way to choose a Bastion connection; we are waiting for Microsoft to release this feature. The user will need to navigate to the Azure portal in order to connect to the VM via Bastion, via the "Manage and Monitor the selected VM" button.