Wednesday 26 June 2019

Microsoft Azure Bastion Services

In Microsoft Azure all monitoring and management for the VMs in the Azure should be performed by the jumpbox in the management subnet. Also, implementing a DMZ between Azure and on-premises datacenter, define a single network route from the on-premises network through the gateway to the jumpbox, in order to restrict access.
If gateway connectivity from your on-premises network to Azure is down, you can still reach the jumpbox by deploying a public IP address, adding it to the jumpbox, and logging in from the Internet.

There are multiple options to place the management server
(Jumpbox) in Azure Stage environment:

Option-1 Place JumpBox on Separate Subnet (without PIP)

In this option, do not create a public IP address for the jumpbox. Instead, create one route to access the jumpbox through the incoming gateway. Create NSG rules so the management subnet only responds to requests from the allowed route.

Option-2 Place JumpBox on Separate Subnet (with PIP)

Create a public IP address for the jumpbox. Create NSG rules so the management subnet only responds to requests from the allowed route.

Option-3 Azure Bastion Host
Microsoft recently released manage PaaS service called Azure “Bastion” service. Azure Bastion is a new managed PaaS service that provides seamless RDP and SSH connectivity to Stage virtual machines over the Secure Sockets Layer (SSL). This is completed without any exposure of the public IPs on virtual machines. Azure Bastion provisions directly in Stage Azure Virtual Network,
providing bastion host or jump server as-a-service and integrated connectivity to all virtual machines in virtual networking using RDP/SSH directly from and through a browser and the Azure portal.

Azure Bastion is provisioned directly in VNet and support all VMs in VNet using the SSL without any exposure through public IP address.

Azure Bastion is deploying in the virtual network providing RDP/SSH access for all authorization VMs in Azure network, the following diagram will describe more:

Following are the key features
RDP and SSH from the Azure portal: You can RDP and SSH sessions directly in the Azure portal.
Remote session over SSL and firewall traversal for RDP/SSH: You can initiate the RDP/SSH session via HTML5 based web clients over SSL on port 443. This allows easy and securely traversal of corporate firewalls.
No public IP required on Azure Virtual Machines: Azure Bastion opens the RDP/SSH connection to Azure virtual machine using a private IP, limiting exposure the infrastructure to the public Internet.
Simplified secure rules management: Simple one-time configuration of Network Security Groups (NSGs) to allow RDP/SSH from only Azure Bastion.
Increased protection against port scanning: The limited exposure of virtual machines to the public Internet will help protect against threats, such as external port scanning.
Hardening in one place to protect against zero-day exploits: Azure Bastion is a managed service maintained by Microsoft. It’s continuously hardened by automatically patching and keeping up to date against known vulnerabilities.

Registration an Azure Bastion
1. Signed to Azure account with using the subscription, and then register (enroll)
Register-AzureRmProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
2. Register Azure subscription once again with Microsoft.Network provider namespace
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network
3.  Verify the AllowBastionHost feature registered with the subscription
Get-AzureRmProviderFeature -ProviderNamespace Microsoft.Network

 Creating an Azure Bastion
1. Go to in the Azure portal - preview only, click + Create a resource 
2. Search the Marketplace field, type Bastion, then click Enter to get to the search results
3. From the results, click Bastion (preview)
4. On the Bastion (preview) page, click Create to open the Create a bastion page
5. On the Create a bastion page, configure a new Bastion resource. Specify the configuration settings for your Bastion resource.

6. Provide all required information such as Name, Region, Virtual network information.
7. For Subnet, we have to create a new subnet with name  "AzureBastionSubnet" (Azure can identify easily this for Bastion subnet, which is different from gateway subnet). there will be no NSG, route tables associated with this subnet.
8. Public IP address- Bastion required a public IP address to access RDP/SSH over 443, so create new Public IP address.
9. Review all the information and then click on create.
Create a Bastion host settings
1. Go to in the Azure portal - preview only, and navigate the virtual machine and click on connect
you can see there is no public IP assigned to a virtual machine 
2. There are three options to connect the virtual machine, click on "Bastion" and "Use Bastion"
3. Now we will get the Bastion page and need to fill all the required information, such as subnet information, etc.
4. Once complete the information, we will get another wizard for connecting the virtual machine
5. Provide the credentials and click on connect, and a new browser will open with session initiation
6. Now you can see the successfully connect the virtual machine via RDP.

It will only be billed partially during public preview, for more details Azure Bastion Pricing