Azure Bastion: In Preview

Overview

Hello there folks, how you all doing?  Good?  Glad to hear it, let’s learn things…man, that was a goofy intro 🙂

So, recently Microsoft released the Azure Bastion service into limited public preview, but what is it and why do I care?

Well, currently to manage your Azure VMs remotely, you’ve likely configured a VPN gateway service that connects back to your on-premises network via Site-to-site or Point-to-Site connections, OR you have public IP addresses configured on your VMs themselves.  For the latter option there, you’d likely have locked down access to those VMs, or the subnets they sit on to only allow traffic on ports 3389 and 22…at least I’d hope so.

Both of the above solutions, while not always perfect, are completely viable and come with varying levels of management overhead, ongoing support, etc.

This is where the Azure Bastion service comes in.  It’s a PaaS service that is deployed directly into your Azure Virtual Network and allows secure RDP and/or SSH connectivity to your VMs without having to give them their own public IP address.

Interested?  In this guide we’ll go through the service in a little more detail and also go through a step-by-step setup.

Current Availability and Pricing

As mentioned earlier, the Azure Bastion service is currently in Public Preview and as such is only available in a subset of regions.  These are:

  • West US
  • East US
  • West Europe
  • South Central US
  • Australia East
  • Japan East

For the purposes of this guide, I’ll be deploying into the “West Europe” region.

Currently, you can only access the Bastion service via a preview version of the Azure Portal, located HERE, but it’s open to anyone with an Azure subscription, so that’s good 🙂

While the preview is in place, you’ll receive a 50% discount; full details on the specifics can be found on the Pricing Page for the service.

NOTE:  At the time of writing, the following HTML5 browsers are supported:

  • Windows
    • Microsoft Edge Chromium
    • Microsoft Edge
    • Google Chrome
  • Mac
    • Google Chrome
    • Microsoft Edge Chromium

Prerequisites

If you plan on working through this guide along with me, then you’ll need to have deployed the following resources before starting:

NOTE:  Make sure it’s into one of the preview regions mentioned above

  • A Virtual Network
  • A Windows VM
  • An Ubuntu VM

When provisioning the above, do not configure Network Security Groups on the VNET subnet, or VM NICs.  Also, do not add public IP addresses to the VMs.

Deploying the Azure Bastion Service

The first thing we’ll want to do is browse to the preview version of the Azure portal, HERE, and log in.  You’ll know you got it right if you see the orange banner at the top of the screen:

Before we go ahead and deploy the Bastion Host, we’ll need to add a subnet for it to the VNET our VMs are connected to, with that in mind:

  • Navigate to your Virtual Network and select the “Subnets” blade.
  • Then click “+ Subnet”.
  • Name the subnet “AzureBastionSubnet”, this is a requirement.
  • Enter an “Address Range (CIDR block)”, this should be AT LEAST a /27
  • Do not add a “Network Security Group” or “Route Table” at this point.
  • Leave everything else as default and click “OK”

With that out of the way, we can crack on and deploy our Bastion Host:

  • Select “+ Create a resource” in the top left of the portal
  • Search for “Azure Bastion” and press enter
  • Select the “Bastion (preview)” tile from the list
  • Click “Create”
  • Select an existing or create a new “Resource Group” in the same region as the VNET you’re deploying the Bastion Host into
  • Give your Bastion Host a “Name”
  • Select the “Region” that hosts your Virtual Network
  • Select the “Virtual Network” that your VMs are connected to
  • For “Subnet”, make sure the “AzureBastionSubnet” you created earlier is selected
  • For “Public IP Address”, select “Create new”
  • Enter a “Public IP address name” that makes sense for its purpose

NOTE:  The “Standard” SKU and “Static” assignment are selected by default

  • Click “Review and create”
  • Assuming validation passed, click “Create”

NOTE:  From what I’ve witnessed so far, the service takes about 5 minutes or so to deploy.

  • Once completed, select “Go to resource”

You’ll see from the screenshot below that the Bastion resource blade doesn’t give a whole lot of information, we’ll go over how you actually make use of it in the section below.

Working With the Azure Bastion Host

So as we’ve just seen, you don’t actually interact with the Bastion Host from the resource itself, instead it’s tied into the “Connect” button of your VMs.

Windows
  • Navigate to the Windows VM you deployed earlier
  • Click “Connect”

You’ll notice you have a new tab called “Bastion”, here you can enter the username and password of your VM and click “Connect”

NOTE:  When connecting, you’ll see a popup asking you to allow the use of your clipboard to and from the VM.

NOTE:  Interesting fact, you can’t take a screenshot of the RDP session using the built-in Windows shortcut (WinKey + Shift + S) because…security reasons? Or possibly due to how the shared clipboard works…I’ve not thoroughly tested that yet.  Anyway, ALT + PrintScrn works as expected.

As you can see from the screenshot below, we’re now connected to my Windows VM in our browser (Edge Chromium in my case).  Keep in mind this VM doesn’t have a public IP configured…neat.

The session is also really responsive from what I’ve experienced.  I mean, you’re not gonna get a good enough framerate to watch YouTube videos inside the VM (or sound for that matter)…but what the hell you trying to do that for anyway?

So what else can we do?  Well if you clicked the allow on the clipboard popup earlier, we can copy text from our local machine into the VM via a shared clipboard.

  • Click the “>>” icon on the middle left of your RDP session

From here,  you can type some text that will be automatically copied to the clipboard of your VM, you can also enable “Full Screen” by clicking the button.

  • Type something suitably random into the “Clipboard” box.
  • Open Notepad inside your VM
  • Copy in the contents of the clipboard (CTRL + V will work)

We can also copy text out the same way.

  • Type another suitably random message, this time into Notepad on the VM.
  • Mark the text and copy it to the VM’s clipboard.
  • Click “>>” to expand the session clipboard.
  • You can now copy the text out of the session and do what you like with it.

NOTE:  It’s worth pointing out that at the time of writing, only text copy/paste is supported over the Bastion enabled remote session.  I’m not sure if this will change down the line as I can’t find much else on it yet.

You can end your session by either closing the tab it’s opened in, or the correct way, by logging out 😉

Linux

It’s not only Windows we get the above functionality for, it works for Linux (SSH) too which is great as I don’t always have an SSH client installed/configured as the majority of my work is Windows based.

Let’s have a look:

  • Navigate to your Ubuntu VM and click “Connect”
  • Make sure the “Bastion” tab is selected and enter the password or SSH key you configured.
  • Click “Connect”

As with Windows, you can make use of the shared clipboard and switch to full screen if that’s your preference…noice!

Quick Notes on NSG Integration

You’ll notice that when we deployed the Virtual Network and Bastion Host, we didn’t configure NSGs anywhere.

You can however do this, there are just a few caveats to be aware of, for example:

  • Making sure the subnet(s) your VMs sit on allows inbound traffic to port 3389 and 22 from the AzureBastionSubnet
  • Allow the following 2 Service Tags if applying an NSG to the AzureBastionSubnet
    • GatewayManager
    • AzureCloud

You can find full details on the subject HERE
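
To make the first caveat concrete, here is a small check you could run over the inbound rules of the NSG on your VM subnet before applying it. This is an added example, not part of the original walkthrough or any Microsoft tooling: the rule layout, function names and addresses are constructed for illustration, and the "Internet" tag is simplified to "anything outside the VNet".

```python
import ipaddress

# Azure's built-in inbound rules; they apply after every custom rule.
DEFAULT_RULES = [
    {"priority": 65000, "access": "Allow", "source": "VirtualNetwork", "ports": ["*"]},
    {"priority": 65500, "access": "Deny", "source": "*", "ports": ["*"]},
]

def _src_matches(rule_src, ip, vnet):
    if rule_src in ("VirtualNetwork", "Internet"):
        # Simplification: "Internet" is treated as any address outside the VNet.
        return (ip in vnet) == (rule_src == "VirtualNetwork")
    try:
        return rule_src == "*" or ip in ipaddress.ip_network(rule_src)
    except ValueError:  # other service tags are not modelled here
        return False

def _port_matches(spec, port):
    lo, _, hi = spec.partition("-")  # "22" or a range such as "20-25"
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def inbound_verdict(rules, src_ip, port, vnet_cidr):
    """NSG semantics: the matching rule with the lowest priority number decides."""
    ip, vnet = ipaddress.ip_address(src_ip), ipaddress.ip_network(vnet_cidr)
    for r in sorted(rules + DEFAULT_RULES, key=lambda r: r["priority"]):
        if _src_matches(r["source"], ip, vnet) and any(_port_matches(p, port) for p in r["ports"]):
            return r["access"]

def audit_vm_subnet(rules, bastion_cidr, vnet_cidr, outside_ip="198.51.100.7"):
    """RDP/SSH must be allowed from the Bastion subnet and denied from outside."""
    bastion_ip = str(next(iter(ipaddress.ip_network(bastion_cidr).hosts())))
    findings = []
    for port in (22, 3389):
        if inbound_verdict(rules, bastion_ip, port, vnet_cidr) != "Allow":
            findings.append(f"{port} blocked from AzureBastionSubnet")
        if inbound_verdict(rules, outside_ip, port, vnet_cidr) == "Allow":
            findings.append(f"{port} open to sources outside the VNet")
    return findings

# Constructed sample: inbound rules of an NSG on the VM subnet, with two mistakes.
VNET, BASTION = "10.0.0.0/16", "10.0.250.0/27"
SAMPLE_RULES = [
    {"priority": 100, "access": "Allow", "source": "Internet", "ports": ["3389"]},
    {"priority": 110, "access": "Deny", "source": "VirtualNetwork", "ports": ["20-25"]},
]

if __name__ == "__main__":
    for finding in audit_vm_subnet(SAMPLE_RULES, BASTION, VNET):
        print(finding)
```

An empty findings list means both ports are reachable from the AzureBastionSubnet and nothing outside the VNet can hit them directly.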

Wrap Up

So that’s a quick overview of the Azure Bastion service, I think it’ll come in really quite useful.  It’ll be interesting to see what its costs look like when being used in anger and out of preview, but as long as the price sits somewhere between the cost of a bastion VM (which you also have management overhead for) and a VPN Gateway service then I think we’re in good shape.  I’m not sure how they’ll tackle it, but the ability to copy files over that secure connection would also be really useful…I guess we’ll see what the future holds.

Anyway folks, I hope that was somewhat useful and I hope to see you for the next one.
