Slide deck used during the MC2MC Kick-Off Evening - In this modern hybrid cloud world, security is key. In this session you will learn all about using Azure Bastion, a fully managed PaaS service, to connect securely to your Azure VMs.
1. It’s all about Security! Let’s get you started with Azure Bastion
2. That’s what we’re Tolkien about (agenda)
Common VM administrative access methods
Demo time
What is Azure Bastion?
How to deploy Bastion
Demo time
Roadmap
Key Takeaways
Q&A (ask the wizard)
8. High security through Azure VPN/ExpressRoute…
(Diagram: a Client on the On-premises network reaches the Virtual network through a Local network gateway and Connection to the Virtual network gateway in the Gateway subnet; the Web subnet sits behind NSGs, all inside one Resource group)
9. Jump Box
(Diagram: a Resource group with one Virtual network spanning Zone 1, Zone 2 and Zone 3; an Application Gateway subnet, a Management subnet holding the Jumpbox, a Web tier subnet and a Data tier subnet, each protected by an NSG; Public IPs with DDoS Protection in front of the Application Gateway and an Azure load balancer)
A controlled entry point into your Azure environment
Improves security and reduces the attack surface of your VMs
Set up inside a separate Virtual Network (VNet) or subnet (Management VNet or subnet)
To allow access from the Internet it uses a PIP
From that VM you need to jump to your other VMs
Deployed as a very small Linux VM (tunnel an RDP connection through SSH)
RDS Gateway as a small VM (tunnel an RDP connection through SSL)
10. Just-In-Time VM Access (JIT)
Used to lock down inbound traffic and to limit the time management ports (RDP/SSH) are open
Available on the Standard tier of Azure Security Center
Three states: Configured, Recommended and No recommendation
Only supports Azure Resource Manager VMs
A user needs to request access to a VM
All requests can be reviewed in the Activity Log
13. “Azure Bastion is a PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL”
14. Azure Bastion Overview
A PaaS service (jumpbox as-a-service) provisioned inside your VNet
Secure RDP/SSH connectivity directly in the Azure Portal (SSL)
No Public IP address (PIP) is required on your Azure virtual machines (VMs)
Does not require any additional software for RDP/SSH access – agentless
Internally it is a VM scale set
Protection against port scanning, zero-day exploits and malware targeting
17. Azure Bastion Use Cases
No VPN/ExpressRoute available (no S2S / P2S)
Jumpbox does not meet the requirements
Port 3389 is not allowed
More expensive?
Hard requirement for HTTPS (port 443)
No management wanted: must be PaaS
RDS Gateway and Jumpbox are not an option
Must be easily deployable/removable when needed
Temporary access to a VM (and only that VM) with JIT
no additional services (like VPN)
no access to other resources in the Resource Group/VNet
18. Pricing
Azure Bastion Scale Unit (Zone 1 - West Europe): € 116.97/month
Outbound Data Transfer:
First 5 GB / month: Free
5 GB – 10 TB: € 0.0734 per GB/mo
Next 40 TB (10 TB – 50 TB): € 0.0700 per GB/mo
Next 100 TB (50 TB – 150 TB): € 0.0591 per GB/mo
Next 350 TB (150 TB – 500 TB): € 0.0422 per GB/mo
Over 500 TB / month: Contact Azure Sales
Prices differ depending on the regions, which correspond to Zone 1 and Zone 2:
Zone 1 – West Europe, East US, South Central US, West US
Zone 2 – Australia East, Japan East
20. Deployment steps
Check if Azure Bastion is available in your Azure public region
Governance: use a meaningful naming standard (mc2mc-prod-ba), use resource tags (VNet: mc2mc-prod-vn) and RBAC
Create a subnet in your VNet: AzureBastionSubnet (/27 or larger)
Network Security Group (NSG) -> provide all necessary inbound and outbound security rules
Azure Firewall -> do not associate the RouteTable
Bastion requires a static PIP (Standard Public IP SKU)
Create the Azure Bastion host using the Azure Portal, Azure PowerShell or an ARM Template
21. AzureBastionSubnet Network Security Group
AzureBastionSubnet NSG Inbound Rules
Allow traffic on port 443 from *
Allow traffic on ports 443 and 4443 from Service tag GatewayManager
AzureBastionSubnet NSG Outbound Rules
Allow traffic on ports 3389 and 22 to your VM subnets
Allow traffic on port 443 for Service tag AzureCloud
Target VM Subnet(s) Outbound Rule
Allow traffic on ports 3389 and 22 to the Azure Bastion Subnet IP address range
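The deployment steps of slide 20 and the NSG rule set of slide 21, carried out in Azure PowerShell (Az.Network module), as an added example that is not part of the deck. The resource group, location, address ranges and the user's existing VNet are assumptions; the rules are exactly the ones the slide lists, so check the current Bastion documentation for any rules added since, and remember that the VM subnets must still permit 3389/22 from the AzureBastionSubnet range.

```powershell
# Added example (not from the slide deck): Bastion deployment with Az.Network.
# Names, location and address ranges are assumptions; follow your own naming standard.
$rg       = 'mc2mc-prod-rg'             # assumed resource group
$location = 'westeurope'                # Bastion must be available in this region
$vnetName = 'mc2mc-prod-vn'             # VNet name from the slide's tagging example
$bastionSubnetPrefix = '10.0.255.0/27'  # /27 or larger; the name must be AzureBastionSubnet
$vmSubnetPrefix      = '10.0.1.0/24'    # assumed subnet that holds the target VMs

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName

# --- AzureBastionSubnet NSG: inbound rules from slide 21 ---
$inHttps = New-AzNetworkSecurityRuleConfig -Name 'AllowHttpsInbound' -Direction Inbound `
    -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443
$inGwMgr = New-AzNetworkSecurityRuleConfig -Name 'AllowGatewayManagerInbound' -Direction Inbound `
    -Access Allow -Protocol Tcp -Priority 110 `
    -SourceAddressPrefix 'GatewayManager' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443, 4443

# --- AzureBastionSubnet NSG: outbound rules from slide 21 ---
$outRdpSsh = New-AzNetworkSecurityRuleConfig -Name 'AllowRdpSshOutbound' -Direction Outbound `
    -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix $vmSubnetPrefix -DestinationPortRange 3389, 22
$outAzure = New-AzNetworkSecurityRuleConfig -Name 'AllowAzureCloudOutbound' -Direction Outbound `
    -Access Allow -Protocol Tcp -Priority 110 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix 'AzureCloud' -DestinationPortRange 443

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'mc2mc-prod-ba-nsg' -SecurityRules $inHttps, $inGwMgr, $outRdpSsh, $outAzure

# Dedicated subnet with the NSG attached; no route table towards Azure Firewall here
Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -VirtualNetwork $vnet `
    -AddressPrefix $bastionSubnetPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork

# Static Standard-SKU public IP, as Bastion requires
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Location $location `
    -Name 'mc2mc-prod-ba-pip' -Sku Standard -AllocationMethod Static

# The Bastion host; name and tag follow the governance examples on slide 20
New-AzBastion -ResourceGroupName $rg -Name 'mc2mc-prod-ba' `
    -PublicIpAddress $pip -VirtualNetwork $vnet -Tag @{ VNet = $vnetName }
```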
23. Required roles to access a VM
To access a VM at least the following roles are required:
Reader role on the VM
Reader role on the NIC with the private IP of the VM
Reader role on the Azure Bastion resource
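Granting exactly the three Reader assignments the slide lists to one user, as an added Azure PowerShell example that is not part of the deck. The resource group, VM, Bastion host and user principal name are assumptions; the scopes come from the resources themselves so nothing wider than the individual VM, its NIC and the Bastion host is granted.

```powershell
# Added example (not from the slide deck): least-privilege RBAC for a Bastion user.
# Resource names and the user principal name are assumptions.
$rg   = 'mc2mc-prod-rg'
$user = 'alice@contoso.example'    # assumed user principal name

$vm      = Get-AzVM -ResourceGroupName $rg -Name 'mc2mc-prod-vm01'
$bastion = Get-AzBastion -ResourceGroupName $rg -Name 'mc2mc-prod-ba'
# The NIC that carries the VM's private IP; Bastion connects to that address
$nicId   = $vm.NetworkProfile.NetworkInterfaces[0].Id

# Reader on the VM, its NIC and the Bastion resource; nothing at resource-group scope
foreach ($scope in @($vm.Id, $nicId, $bastion.Id)) {
    New-AzRoleAssignment -SignInName $user -RoleDefinitionName 'Reader' -Scope $scope | Out-Null
}

# Verify what the user holds on the VM (inherited assignments show up here too)
Get-AzRoleAssignment -SignInName $user -Scope $vm.Id |
    Select-Object RoleDefinitionName, Scope
```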
24. What can you do in a remote session?
Copy and paste (text only)
Full screen view
Currently no file-transfer support
26. Future roadmap
VNet Peering support
Azure AD SSO with MFA
Native RDP/SSH clients
RDP full-session recording for auditing
Azure AD PIM integration
Private IP for Bastion host (access through ExpressRoute or S2S VPN)
Azure Bastion Feedback page
27. Key Takeaways
PaaS service for RDP/SSH to VMs directly over SSL
No need for a Public IP Address (PIP) on the VMs
Needed for every VNet
Harden with NSG and JIT
Keep an eye on your Cloud Sp€nd!
28. References
Azure Bastion Documentation: https://docs.microsoft.com/en-us/azure/bastion/
Azure Architecture Center: https://docs.microsoft.com/en-us/azure/architecture/
Manage virtual machine access using just-in-time: https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
RDP to Azure Virtual machines using Azure Bastion: https://www.youtube.com/watch?v=eLjuWG-L57Q&feature=youtu.be