Azure Bastion is a new service which enables you to have private and fully managed RDP and SSH access to your Azure virtual machines. If you wanted to access your Azure virtual machines using RDP or SSH today, and you were not using a VPN connection, you had to assign a public IP address to the virtual machine. You were able to secure the connection using Azure Just in Time VM access in Azure Security Center. However, this still had some drawbacks. With Azure Bastion you get a private and fully managed service, which you deploy to your Virtual Network, which then allows you to access your VMs directly from the Azure portal using your browser over SSL.
Azure Bastion brings several advantages:
- Removes requirement for a Remote Desktop (RDP) client on your local machine
- Removes requirement for a local SSH client
- No need for local RDP or SSH ports (handy when your company blocks it)
- Uses secure SSL/TLS encryption
- No need to assign public IP addresses to your Azure Virtual Machine
- Works in basically any modern browser on any device (Windows, macOS, Linux, etc.)
- Better hardening and more straightforward Network Security Group (NSG) management
- Can remove the need for a Jumpbox
If you want to dive in directly, here are the links to the Azure Bastion announcement blog and the Microsoft Docs.
Public Preview
Azure Bastion is currently in public preview. The public preview is limited to the following Azure public regions:
- West US
- East US
- West Europe
- South Central US
- Australia East
- Japan East
To participate in this preview, you need to register. Use these PowerShell commands (AzureRm module) to register for the preview:
Register-AzureRmProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network
Get-AzureRmProviderFeature -ProviderNamespace Microsoft.Network
To use the Azure Bastion service, you will also need to use the Azure Portal – Preview.
How to set up an Azure Bastion host for a private RDP and SSH access to Azure VMs
First, you will need to deploy a Bastion host in your virtual network (VNet). The Azure Bastion host will need at least a /27 subnet.
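The following script is an added example (not code from the original post) showing the deployment described above with the modern Az PowerShell module rather than the AzureRm commands used at preview time. It first checks that the AllowBastionHost feature really is in the Registered state, then validates the subnet size, adds the dedicated subnet, creates the public IP the Bastion host itself needs and deploys the host. The resource group, VNet, location, subnet prefix and Bastion name are placeholder values you would replace with your own; the Az.Network cmdlets New-AzBastion, Add-AzVirtualNetworkSubnetConfig, Set-AzVirtualNetwork and New-AzPublicIpAddress are used with their documented parameters.

```powershell
# Added example, not from the original post. Assumes the Az module is installed and
# Connect-AzAccount has already been run against the target subscription.
param(
    [string]$ResourceGroupName = 'rg-bastion-demo',   # placeholder
    [string]$VNetName          = 'vnet-demo',         # placeholder, an existing VNet
    [string]$Location          = 'westeurope',        # must be one of the preview regions
    [string]$BastionSubnetCidr = '10.0.200.0/27',     # at least /27, as the post states
    [string]$BastionName       = 'bastion-demo'       # placeholder
)

# 1. Registering the preview feature is asynchronous: confirm it has actually reached
#    'Registered' before trying to deploy, otherwise the deployment is rejected.
$feature = Get-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
if ($feature.RegistrationState -ne 'Registered') {
    throw "AllowBastionHost is in state '$($feature.RegistrationState)'; run Register-AzProviderFeature and wait for 'Registered'."
}

# 2. Bastion needs a /27 or larger subnet. A larger prefix number means a smaller subnet.
$prefixLength = [int]($BastionSubnetCidr.Split('/')[1])
if ($prefixLength -gt 27) {
    throw "Prefix /$prefixLength is too small; Azure Bastion needs a /27 or larger subnet."
}

# 3. Add the dedicated subnet. Azure requires the subnet to be named exactly
#    'AzureBastionSubnet'; only the Bastion host lives in it, never your VMs.
$vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
if (-not ($vnet.Subnets | Where-Object { $_.Name -eq 'AzureBastionSubnet' })) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' `
        -AddressPrefix $BastionSubnetCidr -VirtualNetwork $vnet | Out-Null
    # Set-AzVirtualNetwork pushes the change and returns the updated VNet object
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}

# 4. The Bastion host is the only resource that gets a public IP (Standard SKU, static);
#    the VMs behind it keep no public address at all.
$pip = New-AzPublicIpAddress -ResourceGroupName $ResourceGroupName -Name "$BastionName-pip" `
    -Location $Location -AllocationMethod Static -Sku Standard

# 5. Deploy the Bastion host into the VNet. This typically takes several minutes.
New-AzBastion -ResourceGroupName $ResourceGroupName -Name $BastionName `
    -PublicIpAddress $pip -VirtualNetwork $vnet
```

Once the deployment finishes, the Connect blade of any VM in that VNet offers the Bastion option described in the next section; the VMs' own NSGs can then drop any inbound RDP/SSH rules from the Internet, since the only inbound path is the Bastion host.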
Access Azure virtual machines using Azure Bastion
Azure Bastion integrates natively in the Azure portal. The portal automatically detects whether Bastion is deployed to the virtual network your virtual machine is in. To connect to a virtual machine, click on the connect button for the virtual machine. Now you can enter your username and password for the virtual machine.
This will now open up a web-based SSL RDP session in the Azure portal to the virtual machine. Again, there is no need to have a public IP address assigned to your virtual machine.
Roadmap – more to come
As Yousef Khalidi (CVP Azure Networking) mentions in his preview announcement blog, the team will add more great capabilities, like Azure Active Directory and MFA support, as well as support for native RDP and SSH clients.
The Azure networking and compute teams are doing more great work on creating a great Azure IaaS experience. I hope this gives you an overview of how you can get private RDP or SSH access to your Azure VM. If you want to know more about the Azure Bastion service, check out the Microsoft Docs for more information. If you have any questions, feel free to leave a comment.
Tags: Access, Azure, Azure Bastion, Azure IaaS, Azure Virtual Machine, Azure VM, Bastion, IaaS, Microsoft, Private Access, Private RDP, Private SSH, RDP, SSH, SSL, Virtual Machine, VM
Last modified: June 18, 2019
Or, with “(modern) Az commands” (:)):
Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
Register-AzResourceProvider -ProviderNamespace Microsoft.Network
Get-AzProviderFeature -ProviderNamespace Microsoft.Network
Cheers,
Tom
Thanks for sharing :)
I have a question.
I know this feature is still in preview, but do you think it will be possible to use that to access, for example, VMs or servers on-prem that are reachable via a S2S VPN? Like a cloud replacement for the RDS web client?
Thanks
Michael
Right now it is not possible. But the team is listening to feedback, to make sure it works for the customer in the best way.
If you have multiple subscriptions can you connect to them with a single bastion service if you make network peering between subscriptions?
For each VNet, do you need a Bastion deployment?
In the preview, the bastion service needs to be in the same vnet.
Is there a way I can have this and SSH into it on port 443 using PuTTY?
Hi Thomas,
Thanks for the wonderful information on Azure Bastion. I tried to replicate the instructions on my free subscription environment, however, I’m getting the below error. Could you please help me understand the issue?
“The selected subnet is not supported”
I have the following subnets attached to different resource groups.
10.0.0.0/24
10.0.1.0/24
10.0.2.0/24
I have created a new subnet “10.0.200.0/27”, but I’m unable to configure it.
Is there a way I can configure a single Bastion and use it to connect to the VMs in all three different resource groups/subnets?
Please assist.
Regards,
Dinesh M
Followed the steps, and after waiting for the status Registered, it still doesn’t appear as a deployment option,
either by clicking on the link or browsing the catalog.
Was it removed? Can you see it?
Hi Luis
You will need to use the right link; you can’t see it in the GA portal. You will need to use the following link: https://aka.ms/BastionHost?WT.mc_id=thomasmaurer-blog-thmaure
I used that one.
And it redirected to my homepage (although I can see the URL with the reference):
https://portal.azure.com/?microsoft_azure_marketplace_itemhidekey=bastionhostv2&microsoft_azure_compute_azbastion=true&feature.showassettypes=Microsoft_Azure_HybridNetworking_BastionHost#home
But no Bastion :(
Switched to the preview page, searched the marketplace... nothing around there.
Get-AzureRmProviderFeature -ProviderNamespace Microsoft.Network
FeatureName      ProviderName      RegistrationState
-----------      ------------      -----------------
AllowBastionHost Microsoft.Network Registered
Solved: it’s not available to Free/Trial subscriptions.
I could search and find it on the marketplace using my paid subscription.
Thanks Luis for sharing
It is not explicitly stated that the Bastion host can only be used through the same preview portal: aka.ms/BastionHost, not through portal.azure.com.
Hi Tom
Can I use the Bastion host for Azure Stack VMs?
Regards
Robert
Hi Robert
Currently, Bastion is only available in Azure.
Hey :)
Does this solution support RDP sessions outside of the Azure website? Like access over Bastion with Royal TS or Remote Desktop Manager?
Thanks for Feedback
Hi, currently this supports the portal. If you want to use an RDP tool like this, you could use a S2S VPN or P2S VPN.
Vote it up: https://feedback.azure.com/forums/34192--general-feedback/suggestions/38996107-allow-azure-bastion-to-also-protect-on-prem-vms-th
Nice!
Can I access the target VM via VS Code Remote-SSH? I’ve seen suggestions this can be done by editing the SSH config file, but I’m unable to get this to work. As the Bastion host only seems available via SSL or HTML (i.e., via the Azure Portal), I’m not quite sure how to set up the two-step connection.