Azure Bastion – Jump Server as a Service

  Posted by Pantelis Apostolidis , in Azure 18 June 2019 · 39 views

<p>Azure Bastion is a new Azure platform (PaaS) service, still in Preview at the time of writing, that gives you RDP and SSH access to Virtual Machines inside a Virtual Network directly from the Azure Portal. This eliminates the need to expose the Virtual Machines' RDP and SSH ports to the internet.</p>
<p>The logic comes from jump servers, but you don't need to deploy any VMs and you don't have to worry about the hardening. It is all ready on Azure as a service.</p>
<p>A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. You can find more about jump servers at <a href="https://en.wikipedia..._server</a></p>
<p>The connection to the virtual machines is made directly from the Azure Portal over Secure Sockets Layer (SSL), using only the browser. The Bastion Host is</p>
<h2>Azure Bastion Preview preparation</h2>
<p>For now, Azure Bastion Hosts are in Public Preview. To use them we need to register the Azure Bastion Host feature on the Microsoft.Network provider. Open PowerShell and log in to Azure, or use the Cloud Shell from the Azure Portal.</p>
<p>To register the feature, run:</p>
<p><code>Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network</code></p>
<p id="zOeDhIo"><img class="alignnone wp-image-2732 size-full" src="https://www.e-aposto...91fe6262cc.png" alt="register provider" width="821" height="165" /></p>
<p>Then run:</p>
<p><code>Register-AzResourceProvider -ProviderNamespace Microsoft.Network</code></p>
<p id="DRILxeM"><img class="alignnone wp-image-2733 size-full" src="https://www.e-aposto...91ff460da0.png" alt="azure bastion register" width="646" height="84" /></p>
<p>The registration takes some time to complete. Run the following command to check whether the feature is registered:</p>
<p><code>Get-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network</code></p>
<p id="EZSfQTp"><img class="alignnone wp-image-2736 size-full" src="https://www.e-aposto...923cdafb5e.png" alt="register check" width="797" height="78" /></p>
<p>Once the provider is registered, access the Azure Portal using this link: <a href="http://aka.ms/Bastio...BastionHost</a> in order to access the Bastion preview.</p>
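<p>The three commands above can be wrapped into one script that registers the feature and the provider and then polls until both report <code>Registered</code>, so you do not have to re-run the check by hand. This is an added example, not code from the original post; it assumes the Az PowerShell module is installed and <code>Connect-AzAccount</code> has already been run, and the timeout and polling interval are arbitrary choices.</p>

```powershell
# Added example (not from the original post): register the Azure Bastion
# preview feature and wait until both the feature and the Microsoft.Network
# resource provider report "Registered".
# Assumes the Az module is installed and Connect-AzAccount has been run.

$featureName = 'AllowBastionHost'
$namespace   = 'Microsoft.Network'

# Kick off both registrations; they are asynchronous on the Azure side.
Register-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace | Out-Null
Register-AzResourceProvider -ProviderNamespace $namespace | Out-Null

function Wait-ForBastionRegistration {
    param(
        [int]$TimeoutMinutes = 30,   # assumed upper bound; registration usually finishes sooner
        [int]$PollSeconds    = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        $feature = Get-AzProviderFeature -FeatureName $featureName -ProviderNamespace $namespace
        # Get-AzResourceProvider returns one entry per resource type; they share the state.
        $provider = Get-AzResourceProvider -ProviderNamespace $namespace | Select-Object -First 1

        Write-Host ('{0}  feature={1}  provider={2}' -f (Get-Date -Format 'HH:mm:ss'),
                    $feature.RegistrationState, $provider.RegistrationState)

        if ($feature.RegistrationState -eq 'Registered' -and
            $provider.RegistrationState -eq 'Registered') {
            return $true
        }
        Start-Sleep -Seconds $PollSeconds
    }
    return $false
}

if (-not (Wait-ForBastionRegistration)) {
    throw "Registration of $featureName on $namespace did not complete within the timeout."
}
Write-Host 'Bastion preview is enabled for this subscription.'
```

The script is safe to re-run: registering an already registered feature or provider is a no-op, and the loop simply exits on the first poll.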
<h2>Create the Bastion</h2>
<p>From the Azure Portal, search for bastions.</p>
<p id="IWWlOrg"><img class="alignnone wp-image-2727 size-full" src="https://www.e-aposto...801333cf93.png" alt="portal azure bastion" width="496" height="222" /></p>
<p>Hit “Add” to start the Bastion creation wizard.</p>
<p id="BZxMhhc"><img class="alignnone wp-image-2728 size-full" src="https://www.e-aposto...80140b2353.png" alt="azure bastion" width="520" height="329" /></p>
<p>One thing to consider is that the Virtual Network must have an empty subnet named “AzureBastionSubnet” with a range of at least /27. This subnet will be configured as a DMZ.</p>
<p id="qwRNwdC"><img class="alignnone wp-image-2729 size-full" src="https://www.e-aposto...80183b9c91.png" alt="azure bastion" width="750" height="115" /></p>
<p>In the Create a bastion wizard, select the Subscription and the Resource group. I prefer to create a new Resource Group. Enter a name for the Bastion Host instance and a Region. Of course, the Virtual Network and the Region must be the same as those of the Virtual Machines that you want to access. Finally, select a name for the Public IP of the Bastion Host and hit Review and Create to create the Bastion.</p>
<p id="xZvMCkm"><img class="alignnone wp-image-2730 size-full" src="https://www.e-aposto...801ea435a4.png" alt="azure bastion" width="843" height="870" /></p>
<p>Once the Bastion is ready you can see its properties. There is not much to configure, just the IAM.</p>
<p id="dfkMDjH"><img class="alignnone wp-image-2739 size-full" src="https://www.e-aposto...92bdbb123f.png" alt="azure bastion" width="1162" height="645" /></p>
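<p>The same deployment can be scripted with the Az.Network cmdlets, which also lets you check the subnet requirement (exact name <code>AzureBastionSubnet</code>, empty, at least /27) before anything is created. This is an added example, not the post's own code; all resource names, the region and the address prefix are assumptions to replace with your own, and it assumes the Az module with <code>New-AzBastion</code>, an existing Virtual Network, and a logged-in session.</p>

```powershell
# Added example (not from the original post): create an Azure Bastion host with
# PowerShell instead of the portal wizard, validating the subnet first.
# All names, the region and the prefix below are assumed placeholders.

$bastionRg   = 'rg-bastion-demo'     # assumed: new resource group for the Bastion
$vnetRg      = 'rg-workload'         # assumed: resource group of the existing VNet
$vnetName    = 'vnet-workload'       # assumed
$location    = 'westeurope'          # assumed; must match the VNet and the VMs
$bastionName = 'bas-workload'        # assumed
$pipName     = 'pip-bas-workload'    # assumed
$subnetCidr  = '10.0.255.0/27'       # assumed free range inside the VNet address space

# Returns $true only if the subnet meets the Bastion requirements described in the post.
function Test-BastionSubnet {
    param([Parameter(Mandatory)] $Subnet)

    if ($Subnet.Name -cne 'AzureBastionSubnet') { return $false }   # name is fixed and case-sensitive

    $prefix       = $Subnet.AddressPrefix | Select-Object -First 1      # works for string or list
    $prefixLength = [int](($prefix -split '/')[1])
    if ($prefixLength -gt 27) { return $false }                          # /28 or smaller is too small

    if ($Subnet.IpConfigurations.Count -gt 0) { return $false }          # must be empty
    return $true
}

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $vnetRg -Name $vnetName
$subnet = $vnet.Subnets | Where-Object { $_.Name -eq 'AzureBastionSubnet' }

if (-not $subnet) {
    # Add the dedicated subnet and push the change to Azure before continuing.
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -VirtualNetwork $vnet `
        -AddressPrefix $subnetCidr | Out-Null
    $vnet   = $vnet | Set-AzVirtualNetwork
    $subnet = $vnet.Subnets | Where-Object { $_.Name -eq 'AzureBastionSubnet' }
}

if (-not (Test-BastionSubnet -Subnet $subnet)) {
    throw 'AzureBastionSubnet is missing, already in use, or smaller than /27.'
}

New-AzResourceGroup -Name $bastionRg -Location $location -Force | Out-Null

# Bastion requires a statically allocated Standard SKU public IP in the same region.
$pip = New-AzPublicIpAddress -ResourceGroupName $bastionRg -Name $pipName -Location $location `
           -AllocationMethod Static -Sku Standard

New-AzBastion -ResourceGroupName $bastionRg -Name $bastionName `
    -PublicIpAddress $pip -VirtualNetwork $vnet
```

Running the subnet check before <code>Set-AzVirtualNetwork</code> and <code>New-AzBastion</code> avoids a failed deployment that leaves a half-created resource group and public IP behind.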
<h2>Using the Bastion Host</h2>
<p>And now the magic. Once you have a Bastion deployed to a Virtual Network, browse to a Virtual Machine and hit “Connect”. Besides RDP and SSH, you will see a new option: BASTION!</p>
<p id="LiCqvkU"><img class="alignnone wp-image-2741 size-full" src="https://www.e-aposto...92c6bebb80.png" alt="azure bastion" width="1157" height="551" /></p>
<p>Since the topology is Internet –&gt; Public IP of Bastion –&gt; Bastion –&gt; Virtual Network – NSG – Private IP –&gt; VM, you need to allow RDP / SSH traffic from the Bastion VNET to the Virtual Machine, and HTTPS traffic (no RDP / SSH needed) from the internet (or your public IP) to the Bastion Subnet.</p>
<p>Enter the VM's username and password, hit Connect, and we have RDP over HTTPS.</p>
<p id="OphcKAS"><img class="alignnone wp-image-2742 size-full" src="https://www.e-aposto...93149258cf.png" alt="azure bastion" width="1379" height="1021" /></p>
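<p>Those two NSG requirements, HTTPS only into the Bastion subnet and RDP / SSH into the VM subnet only from the Bastion subnet, can be expressed as two Network Security Groups. This is an added example, not the post's own code; the resource names, address prefixes and the admin source IP are assumptions, and it assumes the Az.Network cmdlets and an existing VNet with both subnets. Beyond the rules the post mentions, the Bastion NSG documentation the post links to lists further control-plane rules (for example inbound 443 from the GatewayManager service tag), so check it before adding any deny rule to the Bastion subnet.</p>

```powershell
# Added example (not from the original post): NSG rules for the topology
# Internet -> Bastion public IP -> AzureBastionSubnet -> VM subnet.
# Names, prefixes and the admin source IP below are assumed placeholders.

$rgName       = 'rg-workload'        # assumed
$location     = 'westeurope'         # assumed
$vnetName     = 'vnet-workload'      # assumed
$bastionCidr  = '10.0.255.0/27'      # assumed AzureBastionSubnet range
$vmSubnetName = 'snet-servers'       # assumed subnet holding the VMs
$adminSource  = '203.0.113.10/32'    # assumed admin public IP; 'Internet' also works but is wider

# 1. AzureBastionSubnet: the browser session only needs HTTPS. No RDP/SSH from the
#    Internet is opened here at all. Microsoft's bastion-nsg doc lists additional
#    required control-plane rules (e.g. GatewayManager inbound 443); apply those too.
$bastionHttpsIn = New-AzNetworkSecurityRuleConfig -Name 'AllowHttpsInbound' `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix $adminSource -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '443'

$bastionNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rgName -Location $location `
    -Name 'nsg-bastion' -SecurityRules $bastionHttpsIn

# 2. VM subnet: RDP/SSH allowed only from the Bastion subnet range, and explicitly
#    denied from the Internet so the VMs never expose 3389/22 publicly.
$rdpSshFromBastion = New-AzNetworkSecurityRuleConfig -Name 'AllowRdpSshFromBastion' `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix $bastionCidr -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '3389', '22'

$denyRdpSshInternet = New-AzNetworkSecurityRuleConfig -Name 'DenyRdpSshFromInternet' `
    -Direction Inbound -Access Deny -Protocol Tcp -Priority 110 `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '3389', '22'

$vmNsg = New-AzNetworkSecurityGroup -ResourceGroupName $rgName -Location $location `
    -Name 'nsg-servers' -SecurityRules $rdpSshFromBastion, $denyRdpSshInternet

# 3. Attach each NSG to its subnet. -AddressPrefix is mandatory, so reuse the existing one.
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
$vmSubnet = $vnet.Subnets | Where-Object { $_.Name -eq $vmSubnetName }

Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'AzureBastionSubnet' `
    -AddressPrefix $bastionCidr -NetworkSecurityGroup $bastionNsg | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $vmSubnetName `
    -AddressPrefix $vmSubnet.AddressPrefix -NetworkSecurityGroup $vmNsg | Out-Null

$vnet | Set-AzVirtualNetwork | Out-Null
```

With the deny rule on the VM subnet in place, a VM that still has a public IP attached is no longer reachable on 3389/22 from outside, which is the point of putting Bastion in front of it.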
<h2>Copy Text to / from the VM</h2>
<p>There is a little icon &gt;&gt; at the middle right of the screen.</p>
<p id="JTaxuWt"><img class="alignnone size-full wp-image-2748 " src="https://www.e-aposto...9355db8db6.png" alt="" /></p>
<p>Click it and the Copy / Paste box will open. Any text you paste into that box becomes available in the VM's clipboard. The Fullscreen button is also available there.</p>
<p id="WQLZHRX"><img class="alignnone size-full wp-image-2749 " src="https://www.e-aposto...935877025c.png" alt="" /></p>
<p>Likewise, any text you copy from the VM will appear in that box, as in the image below:</p>
<p id="ZvVaJdz"><img class="alignnone size-full wp-image-2750 " src="https://www.e-aposto...935cf0a626.png" alt="" /></p>
<p>The Remote Desktop experience is excellent! No RDP client needed, just your browser.</p>