It’s all about Security!
Let’s get you started with Azure Bastion

That’s what we’re Tolkien about
• Common VM administrative access methods
• Demo time
• What is Azure Bastion?
• How to deploy Bastion
• Demo time
• Roadmap
• Key Takeaways
• Q&A(sk the wizard)
Introduction needed?
Common VM administrative access methods
Easily manage your VMs running in Azure…
[diagram: VNet 1 (10.1.0.0/16) peered with VNet 2 (10.2.0.0/16); VMs reachable directly from the Internet, each marked ATTACK!]

NAT through Azure Load Balancer
[diagram: the same peered VNets (10.1.0.0/16, 10.2.0.0/16) behind a load balancer NAT; the VMs are still marked ATTACK! from the Internet]
…and you need to prevent breaches?
High security through Azure VPN/ExpressRoute…
[diagram: a client on the on-premises network, a local network gateway and connection to the virtual network gateway in the gateway subnet, with NSGs on the gateway subnet and the web subnet of the virtual network in one resource group]
Jump Box
[diagram: a virtual network with management, web tier and data tier subnets (an NSG on each), an Application Gateway in its own subnet spread over zones 1 to 3, public IPs with DDoS Protection, an Azure load balancer, and the jumpbox in the management subnet]
• A controlled entry point into your Azure environment
• Improves security and reduces the attack surface of your VMs
• Set up inside a separate Virtual Network (VNet) or subnet (management VNet or subnet)
• To allow access from the Internet it uses a PIP
• From that VM you need to jump to your other VMs
• Deployed as a very small Linux VM (tunnel an RDP connection through SSH)
• RDS Gateway as a small VM (tunnel an RDP connection through SSL)
Just-In-Time VM Access (JIT)
• Used to lock down inbound traffic and to limit the time management ports (RDP/SSH) are open
• Available on the Standard tier of Azure Security Center
• Three states: Configured, Recommended and No recommendation
• Only supports Azure Resource Manager VMs
• A user needs to request access to a VM
• All requests can be reviewed in the Activity Log
“One does not simply walk into my VNet.”
Demo
What is Azure Bastion?
“Azure Bastion is a PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL”

Azure Bastion Overview
• A PaaS service (jumpbox as-a-service) provisioned inside your VNet
• Secure RDP/SSH connectivity directly in the Azure Portal (SSL)
• No Public IP address (PIP) is required on your Azure virtual machines (VMs)
• Does not require any additional software for RDP/SSH access – agentless
• Internally it is a VM scale set
• Protection against port scanning, zero-day exploits and malware targeting
How Azure Bastion works
Keep in mind! A Bastion host is needed for every VNet
Azure Bastion Use Cases
• No VPN/ExpressRoute available
  • no S2S / P2S
• Jumpbox does not meet the requirements
  • Port 3389 is not allowed
  • More expensive?
• Hard requirement for HTTPS (port 443)
• No management → Must be PaaS
  • RDS Gateway and Jumpbox are not an option
• Must be easily deployable/removable when needed
• Temporary access to a VM (and only that VM) with JIT
  • no additional services (like VPN)
  • no access to other resources in the ResourceGroup/VNet
Pricing
Azure Bastion Scale Unit (Zone 1 - West Europe): € 116.97/month

Outbound Data Transfer
  First 5 GB / month:             Free
  5 GB – 10 TB:                   € 0.0734 per GB/mo
  Next 40 TB (10 TB – 50 TB):     € 0.0700 per GB/mo
  Next 100 TB (50 TB – 150 TB):   € 0.0591 per GB/mo
  Next 350 TB (150 TB – 500 TB):  € 0.0422 per GB/mo
  Over 500 TB / month:            Contact Azure Sales

Prices differ depending on the regions which correspond to Zone 1 and Zone 2
• Zone 1 – West Europe, East US, South Central US, West US
• Zone 2 – Australia East, Japan East
How to deploy Bastion

Deployment steps
• Check if Azure Bastion is available in your Azure public region
• Governance: use a meaningful naming standard (mc2mc-prod-ba), use resource tags (VNet: mc2mc-prod-vn) and RBAC
• Create a subnet in your VNet: AzureBastionSubnet (/27 or larger)
  • Network Security Group (NSG) -> define all necessary inbound and outbound security rules
  • Azure Firewall -> do not associate the RouteTable
• Bastion requires a static PIP (Standard Public IP SKU)
• Create the Azure Bastion host using the Azure Portal, Azure PowerShell or an ARM Template
AzureBastionSubnet Network Security Group

AzureBastionSubnet NSG Inbound Rules
• Allow traffic on port 443 from *
• Allow traffic on ports 443 and 4443 from Service tag GatewayManager
AzureBastionSubnet NSG Outbound Rules
• Allow traffic on ports 3389 and 22 to your VM subnets
• Allow traffic on port 443 for Service tag AzureCloud
Target VM Subnet(s) Outbound Rule
• Allow traffic on ports 3389 and 22 to the Azure Bastion Subnet IP address range
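The deployment steps and NSG rules above, carried out end to end with Azure PowerShell (Az module). This is an added example, not code from the deck; the resource group, region, address ranges, the existing VM-subnet NSG name and the *-nsg/*-pip names are assumptions, while mc2mc-prod-ba and mc2mc-prod-vn are the deck's own naming examples.

```powershell
# Added example (not from the deck): deploy Azure Bastion following the deck's
# deployment steps and NSG rules. Requires the Az module and a Connect-AzAccount session.
$rg            = 'mc2mc-prod-rg'        # assumed resource group
$location      = 'westeurope'           # assumed region
$vnetName      = 'mc2mc-prod-vn'        # VNet name from the deck's tagging example
$bastionName   = 'mc2mc-prod-ba'        # Bastion name from the deck's naming example
$bastionPrefix = '10.1.255.0/27'        # assumed; AzureBastionSubnet must be /27 or larger
$vmSubnets     = @('10.1.1.0/24')       # assumed VM subnet(s) Bastion may reach over RDP/SSH
$vmNsgName     = 'mc2mc-prod-web-nsg'   # assumed existing NSG on the target VM subnet

# Step 1: check that the bastionHosts resource type is offered in the chosen region
$displayName    = (Get-AzLocation | Where-Object { $_.Location -eq $location }).DisplayName
$bastionRegions = ((Get-AzResourceProvider -ProviderNamespace 'Microsoft.Network').ResourceTypes |
    Where-Object { $_.ResourceTypeName -eq 'bastionHosts' }).Locations
if ($bastionRegions -notcontains $displayName) {
    throw "Azure Bastion is not available in $displayName"
}

# Step 3 check: a block smaller than /27 is rejected at deployment time, so fail early
$maskBits = [int]($bastionPrefix.Split('/')[1])
if ($maskBits -gt 27) { throw "AzureBastionSubnet must be /27 or larger, got /$maskBits" }

# AzureBastionSubnet NSG, inbound: 443 from anywhere (the portal session) and
# 443/4443 from the GatewayManager service tag (control plane)
$inbound = @(
    New-AzNetworkSecurityRuleConfig -Name 'AllowHttpsInbound' -Direction Inbound -Priority 100 `
        -Access Allow -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '443'
    New-AzNetworkSecurityRuleConfig -Name 'AllowGatewayManagerInbound' -Direction Inbound -Priority 110 `
        -Access Allow -Protocol Tcp -SourceAddressPrefix 'GatewayManager' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange @('443', '4443')
)
# Outbound: RDP/SSH only towards the VM subnets, 443 towards the AzureCloud service tag
$outbound = @(
    New-AzNetworkSecurityRuleConfig -Name 'AllowRdpSshOutbound' -Direction Outbound -Priority 100 `
        -Access Allow -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix $vmSubnets -DestinationPortRange @('22', '3389')
    New-AzNetworkSecurityRuleConfig -Name 'AllowAzureCloudOutbound' -Direction Outbound -Priority 110 `
        -Access Allow -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix 'AzureCloud' -DestinationPortRange '443'
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name "$bastionName-nsg" -SecurityRules ($inbound + $outbound)

# Step 3: add AzureBastionSubnet with the NSG attached. Deliberately no -RouteTable:
# the deck says not to associate the Azure Firewall route table with this subnet.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix $bastionPrefix `
    -VirtualNetwork $vnet -NetworkSecurityGroup $nsg | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork

# Step 4: Bastion needs a static public IP of the Standard SKU
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "$bastionName-pip" -Location $location `
    -AllocationMethod Static -Sku Standard

# Step 5: create the Bastion host, tagged with its VNet as in the deck's governance step
New-AzBastion -ResourceGroupName $rg -Name $bastionName -PublicIpAddress $pip `
    -VirtualNetwork $vnet -Tag @{ VNet = $vnetName }

# Target VM subnet: the deck's rule for ports 3389/22 and the Bastion subnet range.
# Applied on the VM subnet's NSG it is an inbound rule with AzureBastionSubnet as source,
# so the VMs accept RDP/SSH from Bastion only and not from the rest of the VNet.
$vmNsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $vmNsgName
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $vmNsg -Name 'AllowBastionRdpSsh' `
    -Direction Inbound -Priority 100 -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $bastionPrefix -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange @('22', '3389') | Out-Null
$vmNsg | Set-AzNetworkSecurityGroup | Out-Null
```

If a VM subnet NSG already allows 3389/22 from the Internet or from VirtualNetwork, that rule still wins at its priority, so review the existing rules rather than only adding the Bastion one.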
What about JIT VM Access?
Required roles to access a VM
To access a VM at least the following roles are required:
• Reader role on the VM
• Reader role on the NIC with the private IP of the VM
• Reader role on the Azure Bastion resource
What can you do in a remote session?
• Copy and paste (text only)
• Full screen view
• Currently no file-transfer support
Demo
“My precious, Cloud.”
Future roadmap
• VNet Peering support
• Azure AD SSO with MFA
• Native RDP/SSH clients
• RDP full-session recording for auditing
• Azure AD PIM integration
• Private IP for Bastion host (access through ExpressRoute or S2S VPN)
See the Azure Bastion Feedback page
Key Takeaways
• PaaS service for RDP/SSH to VMs directly over SSL
• No need for a Public IP Address (PIP)
• Needed for every VNet
• Harden with NSG and JIT
• Keep an eye on your Cloud Sp€nd!
References
• Azure Bastion Documentation: https://docs.microsoft.com/en-us/azure/bastion/
• Azure Architecture Center: https://docs.microsoft.com/en-us/azure/architecture/
• Manage virtual machine access using just-in-time: https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
• RDP to Azure Virtual machines using Azure Bastion: https://www.youtube.com/watch?v=eLjuWG-L57Q&feature=youtu.be
Q&A(sk the wizard)

More Related Content

What's hot

[D36] Michael Stonebrakerが生み出した列指向データベースは何が凄いのか? ~Verticaを例に列指向データベースのアーキテクチャ...
[D36] Michael Stonebrakerが生み出した列指向データベースは何が凄いのか? ~Verticaを例に列指向データベースのアーキテクチャ...[D36] Michael Stonebrakerが生み出した列指向データベースは何が凄いのか? ~Verticaを例に列指向データベースのアーキテクチャ...
[D36] Michael Stonebrakerが生み出した列指向データベースは何が凄いのか? ~Verticaを例に列指向データベースのアーキテクチャ...Insight Technology, Inc.
 
トランザクションの設計と進化
トランザクションの設計と進化トランザクションの設計と進化
トランザクションの設計と進化Kumazaki Hiroki
 
BETTER TOGETHER 〜VMware NSXとJuniperデバイスを繋いでみよう!〜
BETTER TOGETHER 〜VMware NSXとJuniperデバイスを繋いでみよう!〜BETTER TOGETHER 〜VMware NSXとJuniperデバイスを繋いでみよう!〜
BETTER TOGETHER 〜VMware NSXとJuniperデバイスを繋いでみよう!〜Juniper Networks (日本)
 
VMware NSX 101: What, Why & How
VMware NSX 101: What, Why & HowVMware NSX 101: What, Why & How
VMware NSX 101: What, Why & HowAniekan Akpaffiong
 
Polyglot persistence @ netflix (CDE Meetup)
Polyglot persistence @ netflix (CDE Meetup) Polyglot persistence @ netflix (CDE Meetup)
Polyglot persistence @ netflix (CDE Meetup) Roopa Tangirala
 
Wallix AdminBastion - Privileged User Management & Access Control
Wallix AdminBastion - Privileged User Management & Access ControlWallix AdminBastion - Privileged User Management & Access Control
Wallix AdminBastion - Privileged User Management & Access Controlzayedalji
 
RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017
RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017
RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017Amazon Web Services
 
IBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsIBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsSandeep Patil
 
差分プライバシーとは何か? (定義 & 解釈編)
差分プライバシーとは何か? (定義 & 解釈編)差分プライバシーとは何か? (定義 & 解釈編)
差分プライバシーとは何か? (定義 & 解釈編)Kentaro Minami
 
Automated CloudStack Deployment
Automated CloudStack DeploymentAutomated CloudStack Deployment
Automated CloudStack DeploymentShapeBlue
 
20180222_VxRailccトラブルシューティングセミナー_VxRailサポートチームが語るVxRail Troubleshooting_DellE...
20180222_VxRailccトラブルシューティングセミナー_VxRailサポートチームが語るVxRail Troubleshooting_DellE...20180222_VxRailccトラブルシューティングセミナー_VxRailサポートチームが語るVxRail Troubleshooting_DellE...
20180222_VxRailccトラブルシューティングセミナー_VxRailサポートチームが語るVxRail Troubleshooting_DellE...VxRail ChampionClub
 
Alphorm.com Formation VMware vSphere 7 : La Mise à Niveau
Alphorm.com Formation VMware vSphere 7 : La Mise à NiveauAlphorm.com Formation VMware vSphere 7 : La Mise à Niveau
Alphorm.com Formation VMware vSphere 7 : La Mise à NiveauAlphorm
 
VMware vSAN - Novosco, June 2017
VMware vSAN - Novosco, June 2017VMware vSAN - Novosco, June 2017
VMware vSAN - Novosco, June 2017Novosco
 
Keycloakの紹介と最新開発動向
Keycloakの紹介と最新開発動向Keycloakの紹介と最新開発動向
Keycloakの紹介と最新開発動向Yuichi Nakamura
 
Alphorm.com Microsoft AZURE
Alphorm.com Microsoft AZUREAlphorm.com Microsoft AZURE
Alphorm.com Microsoft AZUREAlphorm
 
Alphorm.com Formation Active Directory 2019 : Optimisation et Sécurisation av...
Alphorm.com Formation Active Directory 2019 : Optimisation et Sécurisation av...Alphorm.com Formation Active Directory 2019 : Optimisation et Sécurisation av...
Alphorm.com Formation Active Directory 2019 : Optimisation et Sécurisation av...Alphorm
 
Building large scale transactional data lake using apache hudi
Building large scale transactional data lake using apache hudiBuilding large scale transactional data lake using apache hudi
Building large scale transactional data lake using apache hudiBill Liu
 

What's hot (20)

[D36] Michael Stonebrakerが生み出した列指向データベースは何が凄いのか? ~Verticaを例に列指向データベースのアーキテクチャ...
[D36] Michael Stonebrakerが生み出した列指向データベースは何が凄いのか? ~Verticaを例に列指向データベースのアーキテクチャ...[D36] Michael Stonebrakerが生み出した列指向データベースは何が凄いのか? ~Verticaを例に列指向データベースのアーキテクチャ...
[D36] Michael Stonebrakerが生み出した列指向データベースは何が凄いのか? ~Verticaを例に列指向データベースのアーキテクチャ...
 
トランザクションの設計と進化
トランザクションの設計と進化トランザクションの設計と進化
トランザクションの設計と進化
 
RTI Support for FACE TSS
RTI Support for FACE TSSRTI Support for FACE TSS
RTI Support for FACE TSS
 
BETTER TOGETHER 〜VMware NSXとJuniperデバイスを繋いでみよう!〜
BETTER TOGETHER 〜VMware NSXとJuniperデバイスを繋いでみよう!〜BETTER TOGETHER 〜VMware NSXとJuniperデバイスを繋いでみよう!〜
BETTER TOGETHER 〜VMware NSXとJuniperデバイスを繋いでみよう!〜
 
VMware NSX 101: What, Why & How
VMware NSX 101: What, Why & HowVMware NSX 101: What, Why & How
VMware NSX 101: What, Why & How
 
Polyglot persistence @ netflix (CDE Meetup)
Polyglot persistence @ netflix (CDE Meetup) Polyglot persistence @ netflix (CDE Meetup)
Polyglot persistence @ netflix (CDE Meetup)
 
Wallix AdminBastion - Privileged User Management & Access Control
Wallix AdminBastion - Privileged User Management & Access ControlWallix AdminBastion - Privileged User Management & Access Control
Wallix AdminBastion - Privileged User Management & Access Control
 
RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017
RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017
RDS Postgres and Aurora Postgres | AWS Public Sector Summit 2017
 
IBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for ProtocolsIBM Spectrum Scale Authentication for Protocols
IBM Spectrum Scale Authentication for Protocols
 
差分プライバシーとは何か? (定義 & 解釈編)
差分プライバシーとは何か? (定義 & 解釈編)差分プライバシーとは何か? (定義 & 解釈編)
差分プライバシーとは何か? (定義 & 解釈編)
 
Automated CloudStack Deployment
Automated CloudStack DeploymentAutomated CloudStack Deployment
Automated CloudStack Deployment
 
Internals of Presto Service
Internals of Presto ServiceInternals of Presto Service
Internals of Presto Service
 
20180222_VxRailccトラブルシューティングセミナー_VxRailサポートチームが語るVxRail Troubleshooting_DellE...
20180222_VxRailccトラブルシューティングセミナー_VxRailサポートチームが語るVxRail Troubleshooting_DellE...20180222_VxRailccトラブルシューティングセミナー_VxRailサポートチームが語るVxRail Troubleshooting_DellE...
20180222_VxRailccトラブルシューティングセミナー_VxRailサポートチームが語るVxRail Troubleshooting_DellE...
 
Alphorm.com Formation VMware vSphere 7 : La Mise à Niveau
Alphorm.com Formation VMware vSphere 7 : La Mise à NiveauAlphorm.com Formation VMware vSphere 7 : La Mise à Niveau
Alphorm.com Formation VMware vSphere 7 : La Mise à Niveau
 
VMware vSAN - Novosco, June 2017
VMware vSAN - Novosco, June 2017VMware vSAN - Novosco, June 2017
VMware vSAN - Novosco, June 2017
 
Keycloakの紹介と最新開発動向
Keycloakの紹介と最新開発動向Keycloakの紹介と最新開発動向
Keycloakの紹介と最新開発動向
 
Alphorm.com Microsoft AZURE
Alphorm.com Microsoft AZUREAlphorm.com Microsoft AZURE
Alphorm.com Microsoft AZURE
 
OAuth 2.0のResource Serverの作り方
OAuth 2.0のResource Serverの作り方OAuth 2.0のResource Serverの作り方
OAuth 2.0のResource Serverの作り方
 
Alphorm.com Formation Active Directory 2019 : Optimisation et Sécurisation av...
Alphorm.com Formation Active Directory 2019 : Optimisation et Sécurisation av...Alphorm.com Formation Active Directory 2019 : Optimisation et Sécurisation av...
Alphorm.com Formation Active Directory 2019 : Optimisation et Sécurisation av...
 
Building large scale transactional data lake using apache hudi
Building large scale transactional data lake using apache hudiBuilding large scale transactional data lake using apache hudi
Building large scale transactional data lake using apache hudi
 

Similar to It's all about Security! Let’s get you started with Azure Bastion

Design a Secure Azure IaaS - Lesson Learnt from Government Cloud
Design a Secure Azure IaaS - Lesson Learnt from Government Cloud Design a Secure Azure IaaS - Lesson Learnt from Government Cloud
Design a Secure Azure IaaS - Lesson Learnt from Government Cloud Thuan Ng
 
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Happiest Minds Technologies
 
CCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best PracticesCCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best Practiceswalk2talk srl
 
Hub_Spoke_v1.0.pptx
Hub_Spoke_v1.0.pptxHub_Spoke_v1.0.pptx
Hub_Spoke_v1.0.pptxAanSulistiyo
 
Azure Networking: Innovative Features and Multi-VNet Topologies
Azure Networking: Innovative Features and Multi-VNet TopologiesAzure Networking: Innovative Features and Multi-VNet Topologies
Azure Networking: Innovative Features and Multi-VNet TopologiesMarius Zaharia
 
Architecting Secure Web Systems
Architecting Secure Web SystemsArchitecting Secure Web Systems
Architecting Secure Web SystemsInnoTech
 
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...Neeraj Kumar
 
Azure Network Security Groups (NSG)
Azure Network Security Groups (NSG)Azure Network Security Groups (NSG)
Azure Network Security Groups (NSG)Shawn Ismail
 
Azure Service Endpoints vs. Private Links
Azure Service Endpoints vs. Private LinksAzure Service Endpoints vs. Private Links
Azure Service Endpoints vs. Private LinksMatthias Güntert
 
Introducing Azure Bastion
Introducing Azure BastionIntroducing Azure Bastion
Introducing Azure BastionAmmar Hasayen
 
Azure Network and Infrastructure
Azure Network and InfrastructureAzure Network and Infrastructure
Azure Network and InfrastructurePhi Huynh
 
Architecting Advanced Network Security Across VPCs with AWS Transit Gateway
Architecting Advanced Network Security Across VPCs with AWS Transit GatewayArchitecting Advanced Network Security Across VPCs with AWS Transit Gateway
Architecting Advanced Network Security Across VPCs with AWS Transit GatewayCynthia Hsieh
 
Io t security and azure sphere
Io t security and azure sphereIo t security and azure sphere
Io t security and azure spherePushkar Saraf
 
Server-side Intelligent Switching using Windows Azure
Server-side Intelligent Switching using Windows AzureServer-side Intelligent Switching using Windows Azure
Server-side Intelligent Switching using Windows AzureNaoto MATSUMOTO
 
Configuring asa site to-site vp ns
Configuring asa site to-site vp nsConfiguring asa site to-site vp ns
Configuring asa site to-site vp nschiensy
 
Cld006 azure v_net___express_route_最新情報
Cld006 azure v_net___express_route_最新情報Cld006 azure v_net___express_route_最新情報
Cld006 azure v_net___express_route_最新情報Tech Summit 2016
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWSTeri Radichel
 
Cozystack: Free PaaS platform and framework for building clouds
Cozystack: Free PaaS platform and framework for building cloudsCozystack: Free PaaS platform and framework for building clouds
Cozystack: Free PaaS platform and framework for building cloudsAndrei Kvapil
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Servermmoizuddin
 

Similar to It's all about Security! Let’s get you started with Azure Bastion (20)

Design a Secure Azure IaaS - Lesson Learnt from Government Cloud
Design a Secure Azure IaaS - Lesson Learnt from Government Cloud Design a Secure Azure IaaS - Lesson Learnt from Government Cloud
Design a Secure Azure IaaS - Lesson Learnt from Government Cloud
 
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
Azure bastion- Remote desktop RDP/SSH in Azure using Bastion Service as (PaaS)
 
CCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best PracticesCCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best Practices
 
Azure Hub spoke v1.0
Azure Hub spoke v1.0Azure Hub spoke v1.0
Azure Hub spoke v1.0
 
Hub_Spoke_v1.0.pptx
Hub_Spoke_v1.0.pptxHub_Spoke_v1.0.pptx
Hub_Spoke_v1.0.pptx
 
Azure Networking: Innovative Features and Multi-VNet Topologies
Azure Networking: Innovative Features and Multi-VNet TopologiesAzure Networking: Innovative Features and Multi-VNet Topologies
Azure Networking: Innovative Features and Multi-VNet Topologies
 
Architecting Secure Web Systems
Architecting Secure Web SystemsArchitecting Secure Web Systems
Architecting Secure Web Systems
 
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
 
Azure Network Security Groups (NSG)
Azure Network Security Groups (NSG)Azure Network Security Groups (NSG)
Azure Network Security Groups (NSG)
 
Azure Service Endpoints vs. Private Links
Azure Service Endpoints vs. Private LinksAzure Service Endpoints vs. Private Links
Azure Service Endpoints vs. Private Links
 
Introducing Azure Bastion
Introducing Azure BastionIntroducing Azure Bastion
Introducing Azure Bastion
 
Azure Network and Infrastructure
Azure Network and InfrastructureAzure Network and Infrastructure
Azure Network and Infrastructure
 
Architecting Advanced Network Security Across VPCs with AWS Transit Gateway
Architecting Advanced Network Security Across VPCs with AWS Transit GatewayArchitecting Advanced Network Security Across VPCs with AWS Transit Gateway
Architecting Advanced Network Security Across VPCs with AWS Transit Gateway
 
Io t security and azure sphere
Io t security and azure sphereIo t security and azure sphere
Io t security and azure sphere
 
Server-side Intelligent Switching using Windows Azure
Server-side Intelligent Switching using Windows AzureServer-side Intelligent Switching using Windows Azure
Server-side Intelligent Switching using Windows Azure
 
Configuring asa site to-site vp ns
Configuring asa site to-site vp nsConfiguring asa site to-site vp ns
Configuring asa site to-site vp ns
 
Cld006 azure v_net___express_route_最新情報
Cld006 azure v_net___express_route_最新情報Cld006 azure v_net___express_route_最新情報
Cld006 azure v_net___express_route_最新情報
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWS
 
Cozystack: Free PaaS platform and framework for building clouds
Cozystack: Free PaaS platform and framework for building cloudsCozystack: Free PaaS platform and framework for building clouds
Cozystack: Free PaaS platform and framework for building clouds
 
Cisco Router As A Vpn Server
Cisco Router As A Vpn ServerCisco Router As A Vpn Server
Cisco Router As A Vpn Server
 

Recently uploaded

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 

Recently uploaded (20)

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 

It's all about Security! Let’s get you started with Azure Bastion

  • 1. It’s all about Security! Let’s get you started with Azure Bastion
  • 2. That’s what we’re Tolkien about  Common VM administrative access methods  Dem time  What is Azure Bastion?  How to deploy Bastion  Dem time  Roadmap  Key Takeaways  Q&A(sk the wizard)
  • 5. Easily manage your VMs running in Azure… Peering VNet 2 (10.2.0.0/16) VNet 1 (10.1.0.0/16) Internet ATTACK! ATTACK! ATTACK!
  • 6. NAT through Azure Load Balancer Peering VNet 2 (10.2.0.0/16) VNet 1 (10.1.0.0/16) Internet ATTACK! ATTACK! ATTACK!
  • 7. …and you need to prevent breaches?
  • 8. Resource group Gateway subnet NSG NSG Web subnet Virtual network Virtual network gateway Local network gatewayConnection On-premises network Client High security through Azure VPN/ExpressRoute…
  • 9. Resource group Zone 1 Application Gateway subnet Zone 2 Zone 3 NSG NSG NSG Application Gateway NSG Jumpbox Management subnet Web tier subnet Data tier subnet DDoS Protection Public IP Public IP Azure load balancer Virtual network  A controlled entry point in your Azure environment  Improves security and reduce attack surface of your VMs  Setup inside a separated Virtual Network (VNet) or subnet (Management VNet or subnet)  To allow access from the Internet it uses a PIP  From that VM you need to jump to your other VMs  Deployed as a very small Linux VM (tunnel an RDP connection through SSH)  RDS Gateway as a small VM (tunnel an RDP connection through SSL) Jump Box
  • 10. Just-In-Time VM Access (JIT)  Used to lock down inbound traffic and to limit the time management ports (RDP/SSH) are open  Available on the Standard tier of Azure Security Center  Three states: Configured, Recommended and No recommendation  Only supports Azure Resource Manager VMs  A user needs to request access to a VM  All requests can be reviewed in the Activity Log
  • 11. “One does not simply walk into my VNet.” DEM
  • 12. What is Azure Bastion?
  • 13. “Azure Bastion is a PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL”
  • 14. Azure Bastion Overview
      • A PaaS service (jumpbox as-a-service) provisioned inside your VNet
      • Secure RDP/SSH connectivity directly in the Azure Portal (SSL)
      • No Public IP address (PIP) is required on your Azure virtual machines (VMs)
      • Does not require any additional software for RDP/SSH access – agentless
      • Internally it is a VM scale set
      • Protection against port scanning, zero-day exploits and malware targeting
  • 16. Keep in mind! A Bastion host is needed for every VNet
  • 17. Azure Bastion Use Cases
      • No VPN/ExpressRoute available
          • no S2S / P2S
      • Jumpbox does not meet the requirements
          • Port 3389 is not allowed
          • More expensive?
      • Hard requirement for HTTPS (port 443)
      • No management
          • Must be PaaS
          • RDS Gateway & Jumpbox are out of the question
      • Must be easily deployable/removable when needed
      • Temporary access to a VM (and only the VM) with JIT
          • no additional services (like VPN)
          • no access to other resources in the ResourceGroup/VNet
  • 18. Pricing
      • Azure Bastion Scale Unit (Zone 1 - West Europe): € 116.97/month
      • Outbound Data Transfer
          • First 5 GB / month: Free
          • 5 GB – 10 TB: € 0.0734 per GB/mo
          • Next 40 TB (10 TB – 50 TB): € 0.0700 per GB/mo
          • Next 100 TB (50 TB – 150 TB): € 0.0591 per GB/mo
          • Next 350 TB (150 TB – 500 TB): € 0.0422 per GB/mo
          • Over 500 TB / month: Contact Azure Sales
      • Prices differ depending on the regions which correspond to Zone 1 and Zone 2
          • Zone 1 – West Europe, East US, South Central US, West US
          • Zone 2 – Australia East, Japan East
  • 19. How to deploy Bastion
  • 20. Deployment steps
      • Check if Azure Bastion is available in your Azure public region
      • Governance: Use a meaningful naming standard (mc2mc-prod-ba), use resource tags (VNet: mc2mc-prod-vn) and RBAC
      • Create a subnet in your VNet: AzureBastionSubnet (/27 or larger)
          • Network Security Group (NSG) -> foresee all necessary inbound and outbound security rules
          • Azure Firewall -> do not associate the RouteTable
      • Bastion requires a static PIP (Standard Public IP SKU)
      • Create the Azure Bastion host using the Azure Portal, Azure PowerShell or an ARM Template
  • 21. AzureBastionSubnet Network Security Group
      • AzureBastionSubnet NSG Inbound Rules
          • Allow traffic on port 443 from *
          • Allow traffic on ports 443 and 4443 from Service tag GatewayManager
      • AzureBastionSubnet NSG Outbound Rules
          • Allow traffic on ports 3389 and 22 to your VM subnets
          • Allow traffic on port 443 for Service tag AzureCloud
      • Target VM Subnet(s) Outbound Rule
          • Allow traffic on ports 3389 and 22 to Azure Bastion Subnet IP address range
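The deployment steps and NSG rules of slides 20 and 21 carried out with the Az PowerShell module, as an added example that is not part of the deck. The resource group name, the VM subnet prefixes, the Bastion subnet prefix and the region are assumptions; only the VNet name mc2mc-prod-vn and the host name mc2mc-prod-ba come from the deck's naming standard.

```powershell
# Added example (not from the deck): deploy Azure Bastion with the Az PowerShell module, following the steps above.
# Assumed (constructed): resource group "mc2mc-prod-rg", VM subnets 10.1.1.0/24 and 10.1.2.0/24, Bastion subnet
# 10.1.255.0/27, region West Europe. The VNet "mc2mc-prod-vn" and host "mc2mc-prod-ba" names are the deck's.
$rg        = 'mc2mc-prod-rg'
$location  = 'westeurope'
$vnetName  = 'mc2mc-prod-vn'
$vmSubnets = @('10.1.1.0/24', '10.1.2.0/24')
$tags      = @{ VNet = $vnetName; Environment = 'prod' }

# The VNet already exists; Bastion is provisioned inside it.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName

# NSG for AzureBastionSubnet with exactly the rules the deck lists; everything else hits the default deny rules.
$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'AllowHttpsInbound' -Direction Inbound -Priority 100 -Access Allow `
        -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name 'AllowGatewayManagerInbound' -Direction Inbound -Priority 110 -Access Allow `
        -Protocol Tcp -SourceAddressPrefix 'GatewayManager' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 443, 4443
    New-AzNetworkSecurityRuleConfig -Name 'AllowRdpSshToVmSubnets' -Direction Outbound -Priority 100 -Access Allow `
        -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix $vmSubnets -DestinationPortRange 22, 3389
    New-AzNetworkSecurityRuleConfig -Name 'AllowAzureCloudOutbound' -Direction Outbound -Priority 110 -Access Allow `
        -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix 'AzureCloud' -DestinationPortRange 443
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name 'mc2mc-prod-ba-nsg' -SecurityRules $rules -Tag $tags

# The subnet must be named AzureBastionSubnet and be /27 or larger. Attach the NSG here, but do not associate
# the Azure Firewall route table with this subnet (the deck's warning).
Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix '10.1.255.0/27' `
    -VirtualNetwork $vnet -NetworkSecurityGroup $nsg | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# Bastion needs a static Standard-SKU public IP; the VMs behind it keep no public IP at all.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location -Name 'mc2mc-prod-ba-pip' `
    -AllocationMethod Static -Sku Standard -Tag $tags

$bastion = New-AzBastion -ResourceGroupName $rg -Name 'mc2mc-prod-ba' -PublicIpAddress $pip -VirtualNetwork $vnet -Tag $tags

# Sanity check: the host reports Succeeded, and the only inbound allow rules are the two defined above.
$bastion.ProvisioningState
$nsg.SecurityRules | Where-Object Direction -eq 'Inbound' | Select-Object Name, SourceAddressPrefix, DestinationPortRange
```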
  • 22. What about JIT VM Access?
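Combining JIT (slide 10) with Bastion (slide 22): an added example, not from the deck, that creates a JIT policy with the Az.Security module so that RDP/SSH stay closed until an operator requests access, and then open only from the Bastion subnet. The resource group, VM name, Bastion subnet prefix and region are assumptions.

```powershell
# Added example (not from the deck): JIT policy for one VM using the Az.Security cmdlets.
# Assumed (constructed): resource group "mc2mc-prod-rg", VM "mc2mc-prod-vm01", AzureBastionSubnet 10.1.255.0/27,
# region West Europe.
$rg            = 'mc2mc-prod-rg'
$vmName        = 'mc2mc-prod-vm01'
$location      = 'westeurope'
$bastionSubnet = '10.1.255.0/27'

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# One entry per management port. The only permitted source is the Bastion subnet (not "*"), and an approved
# request opens the port for at most three hours (ISO 8601 duration); afterwards the NSG deny is restored.
$ports = @(foreach ($p in 22, 3389) {
    @{
        number                     = $p
        protocol                   = '*'
        allowedSourceAddressPrefix = @($bastionSubnet)
        maxRequestAccessDuration   = 'PT3H'
    }
})

$policy = @{ id = $vm.Id; ports = $ports }

# "default" is the policy name Security Center uses for JIT; "Basic" is the documented Kind value.
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $location -Name 'default' -ResourceGroupName $rg -VirtualMachine @($policy)

# Review: which VMs in this group are JIT-protected and what each policy permits.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name 'default' |
    Select-Object -ExpandProperty VirtualMachines
```

Access requests made against this policy land in the Activity Log, which is where the deck says they should be reviewed.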
  • 23. Required roles to access a VM
      • To access a VM at least the following roles are required
          • Reader role on the VM
          • Reader role on the NIC with the private IP of the VM
          • Reader role on the Azure Bastion resource
  • 24. What can you do in a remote session?
      • Copy and paste (only text)
      • Full screen view
      • Currently no file-transfer support
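Granting exactly the three Reader roles listed above, scoped to the individual resources rather than the resource group, as an added example that is not from the deck. The resource group, VM name and operator sign-in name are assumptions; the Bastion host name mc2mc-prod-ba is the deck's.

```powershell
# Added example (not from the deck): assign an operator the three Reader roles the slide lists, and nothing wider.
# Assumed (constructed): resource group "mc2mc-prod-rg", VM "mc2mc-prod-vm01", sign-in name
# operator@contoso.example; the Bastion host name "mc2mc-prod-ba" is the deck's.
$rg     = 'mc2mc-prod-rg'
$vmName = 'mc2mc-prod-vm01'
$user   = 'operator@contoso.example'

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
# The NIC holding the private IP is a separate resource; Reader on the VM alone does not cover it.
$nicId     = $vm.NetworkProfile.NetworkInterfaces[0].Id
$bastionId = (Get-AzBastion -ResourceGroupName $rg -Name 'mc2mc-prod-ba').Id

foreach ($scope in @($vm.Id, $nicId, $bastionId)) {
    # Idempotent: Get-AzRoleAssignment -Scope also returns inherited assignments, so match the exact scope.
    $existing = Get-AzRoleAssignment -SignInName $user -RoleDefinitionName 'Reader' -Scope $scope |
        Where-Object { $_.Scope -eq $scope }
    if (-not $existing) {
        New-AzRoleAssignment -SignInName $user -RoleDefinitionName 'Reader' -Scope $scope | Out-Null
    }
}

# Review what the operator ended up with; anything broader than these three Reader scopes is over-provisioned.
Get-AzRoleAssignment -SignInName $user | Select-Object RoleDefinitionName, Scope
```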
  • 26. Future roadmap
      • VNet Peering support
      • Azure AD SSO with MFA
      • Native RDP/SSH clients
      • RDP full-session recording for auditing
      • Azure AD PIM integration
      • Private IP for Bastion host (access through ExpressRoute or S2S VPN)
      • Azure Bastion Feedback page
  • 27. Key Takeaways
      • PaaS service for RDP/SSH to VMs directly over SSL
      • No need for a Public IP Address (PIP)
      • Needed for every VNet
      • Harden with NSG and JIT
      • Keep an eye on your Cloud Sp€nd!
  • 28. References
      • Azure Bastion Documentation: https://docs.microsoft.com/en-us/azure/bastion/
      • Azure Architecture Center: https://docs.microsoft.com/en-us/azure/architecture/
      • Manage virtual machine access using just-in-time: https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
      • RDP to Azure Virtual machines using Azure Bastion: https://www.youtube.com/watch?v=eLjuWG-L57Q&feature=youtu.be