In this post, you’ll get a short introduction to Azure Bastion Host. To be honest, I still don’t know if I should pronounce it as [basˈti̯oːn] (German), /bæstʃən/ (US English) or [basˈt̪jõn] (French), but that shouldn’t stop us from learning more about Azure Bastion Host, what it is, and when it’s useful.
We will also discuss a webinar on Azure Security –
So let’s start.
What is Azure Bastion Host?
Azure Bastion Host is a Jump-server as a Service within an Azure vNet (note that this service is currently in preview). What does that mean exactly? Well, a jump server is a fixed point on a network that is the sole place for you to remote in, get to other servers and services, and manage the environment. Now some will say: but I can build my own jump server VM myself! While you’re certainly free to do that, there are some key differences between the self-built VM option and a Bastion Host.
A regular Jump-server VM must either be reachable via VPN or needs to have a public IP with RDP and/or SSH open to the Internet. Option one, in some environments, is rather complex. Option two is a security nightmare. With Azure Bastion Host, you can solve this access issue. Azure Bastion enables you to use RDP and SSH via the Internet or (if available) via a VPN using the Azure Portal. The VM does not need a public IP, which GREATLY increases security for the target machine.
NOTE: Looking for more great content on security? Watch our webinar on Azure Security Center On-Demand.
After the deployment (which we’ll talk about in a second), Bastion becomes the 3rd option when connecting to a VM through the Azure Portal, as shown below.
After you hit Connect, an HTTPS browser window opens and your RDP or SSH session runs inside that TLS/SSL-encrypted window.
Azure Bastion Use Cases
Now let’s list some possible use cases. Azure Bastion can be very useful in (but is not limited to) these scenarios:
- Your Azure-based VMs are running in a subscription where you’re unable to connect via VPN, and for security reasons, you cannot set up a dedicated Jump-host within that vNet.
- The usage of a Jump-host or Terminal Server in Azure would be more cost-intensive than using a Bastion Host within the VNet (e.g. when you have more than one admin or user working on the host at the same time).
- You want to give developers access to a single VM without giving them access to additional services like a VPN or other things running within the VNet.
- You want to implement Just-in-Time (JIT) administration in Azure. You can deploy and enable Bastion Host on the fly, as you need it. This allows you to implement it as part of your Operating System Runbook when you need to maintain the OS of an Azure-based VM. Azure Bastion allows you to do this without setting up permanent access to the VM.
How to deploy Azure Bastion Host in preview
The way you deploy Azure Bastion Host within a VNet is pretty straightforward. Let’s go through the steps together.
- Open the Azure Preview Portal through the following link.
- Search for the feature in the Azure Marketplace and walk through the deployment wizard by filling out the fields shown below.
Again, the deployment is quite simple and most options are fairly well explained within the UI. However, if you want further details, you can find them in the official feature documentation here.
Also, be aware that a Bastion Host must be implemented in every vNet where you want to connect to a VM. Currently, Bastion does not support vNet Peering.
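As an added example (not from the original post), here is the same deployment done with the Az PowerShell modules rather than the Portal wizard, followed by a check that the target VM really has no public IP of its own. Resource group, vNet and VM names are placeholders, and the AzureBastionSubnet prefix is an assumption to verify against the current Bastion documentation.

```powershell
# Added example, not from the original post: deploy Azure Bastion with Az PowerShell.
# Assumes the Az.Network and Az.Compute modules are installed and you are logged in
# (Connect-AzAccount). All resource names below are placeholders.
$rg       = 'rg-bastion-demo'   # existing resource group (placeholder)
$location = 'westeurope'
$vnetName = 'vnet-prod'         # existing vNet that contains the target VMs (placeholder)
$vmName   = 'vm-app01'          # VM you want to reach through Bastion (placeholder)

# 1. Bastion needs a dedicated subnet whose name must be exactly 'AzureBastionSubnet'.
#    The prefix size is an assumption; check the current minimum in the Bastion docs.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
if (-not ($vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' `
        -AddressPrefix '10.0.255.0/26' -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}

# 2. The only public IP in this design belongs to Bastion itself (Standard SKU, static).
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-bastion' `
    -Location $location -AllocationMethod Static -Sku Standard

# 3. Create the Bastion host inside the vNet (one per vNet, since peering is not supported yet).
$bastion = New-AzBastion -ResourceGroupName $rg -Name 'bastion-prod' `
    -PublicIpAddress $pip -VirtualNetwork $vnet

# 4. Verify the target VM has no public IP attached; with Bastion in place it should not.
$vm  = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$hasPublicIp = $nic.IpConfigurations | Where-Object { $_.PublicIpAddress }
if ($hasPublicIp) {
    Write-Warning "$vmName still has a public IP; remove it so RDP/SSH is only reachable via Bastion."
} else {
    Write-Host "$vmName has no public IP; connect through '$($bastion.Name)' in the Azure Portal."
}
```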
How Much Does Azure Bastion Cost?
Pricing for Bastion is pretty easy to understand. As with all Microsoft VM services, you pay for the time the Bastion host is deployed, for every Bastion host you have deployed. You can easily calculate the costs for the Bastion Hosts you need via the Azure Pricing Calculator.
I made my example for one Bastion Host in West Europe, with the assumption it would be needed all month long.
Bastion Roadmap Items
Being in preview, there are still a number of things that Microsoft is adding to Bastion’s feature set. This includes things like:
- Single-Sign-On with Azure AD
- Multi-Factor Auth
- vNet Peering (Not confirmed, but being HEAVILY requested by the community right now)
vNet Peering support would make it so that only a single Bastion Host in a Hub or Security vNet is needed.
You can see additional feature requests or submit your own via the Microsoft Feedback Forum.
If you like a feature request or want to push your own request, keep an eye on the votes. The more votes a piece of feedback has, the more likely Microsoft will work on the feature.