Azure Bastion Service
Microsoft recently announced a new service named Azure Bastion.
In a nutshell it’s a jump box as a service. A jump box, for those not familiar with the term, is a VM that external users are allowed to access and from which they can “jump” to internal VMs. Now, in reality a regular jump box is really not that secure, as you are exposing a resource that itself has access to internal resources.
Azure Bastion however is slightly different and way more secure. Once deployed it allows either RDP or SSH access to Azure VMs in the same VNet. However, you do not connect directly to the jump box. Instead you first log in to the Azure portal, preferably using MFA (Multi-Factor Authentication), then choose the VM and click Connect with Bastion; the connection to that VM is then initiated over an HTML5 client in the browser, tunnelled through HTTPS.
So the connection is first secured with MFA via login to the Azure portal and then traffic is secured over HTTPS using HTML 5.
Security Wise:
- Remote Session over SSL and firewall traversal for RDP/SSH: Azure Bastion uses an HTML5 based web client that is automatically streamed to your local device, so that you get your RDP/SSH session over SSL on port 443 enabling you to traverse corporate firewalls securely.
- No Public IP required on the Azure VM: Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using private IP on your VM. You don’t need a public IP on your virtual machine.
- No hassle of managing NSGs: Azure Bastion is a fully managed platform PaaS service from Azure that is hardened internally to provide you secure RDP/SSH connectivity. You don’t need to apply any NSGs on Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This removes the hassle of managing NSGs each time you need to securely connect to your virtual machines.
- Protection against port scanning: Because you do not need to expose your virtual machines to public Internet, your VMs are protected against port scanning by rogue and malicious users located outside your virtual network.
- Protect against zero-day exploits. Hardening in one place only: Azure Bastion is a fully platform-managed PaaS service. Because it sits at the perimeter of your virtual network, you don’t need to worry about hardening each of the virtual machines in your virtual network. The Azure platform protects against zero-day exploits by keeping the Azure Bastion hardened and always up-to-date for you.
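The NSG point above (“allow RDP/SSH from Azure Bastion only”) is easy to get wrong when a rule left over from before Bastion still admits the Internet. The audit below is an added example, not code from the original post or from Microsoft: it replays NSG rule evaluation (lowest priority number wins, implicit DenyAllInBound) over the JSON shape returned by `az network nsg show` and reports admin ports still open from the Internet or unreachable from the Bastion subnet. The prefix 10.0.1.0/26 and the rule names are constructed; pass `defaultSecurityRules` along with `securityRules` if you want the platform defaults such as AllowVnetInBound taken into account.

```python
# Added example: audit an NSG (JSON shape of `az network nsg show`) so RDP/SSH reach the VM only
# from the AzureBastionSubnet. Prefix 10.0.1.0/26 and the rule names below are constructed.
import ipaddress
ADMIN_PORTS = (22, 3389)

def _port_match(props, port):
    for r in props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]:
        lo, _, hi = r.partition("-")  # "22", "3389" or a range such as "3389-3390"
        if r == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def _source_match(props, source):
    """`source` is the service tag 'Internet' or an ip_network such as the Bastion subnet."""
    for pfx in props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "*")]:
        tags = ("*", "Internet", "0.0.0.0/0") if source == "Internet" else ("*", "VirtualNetwork")
        if pfx in tags:
            return True
        try:  # CIDR prefixes: does the rule cover the whole source subnet?
            if source != "Internet" and source.subnet_of(ipaddress.ip_network(pfx, strict=False)):
                return True
        except (ValueError, TypeError):  # other service tags (AzureLoadBalancer, ...) are not CIDRs
            pass
    return False

def effective_access(rules, source, port):
    """NSG evaluation: the lowest priority number that matches wins; no match hits DenyAllInBound."""
    for rule in sorted(rules, key=lambda r: r["properties"]["priority"]):
        p = rule["properties"]
        if (p["direction"] == "Inbound" and p["protocol"] in ("Tcp", "*")
                and _port_match(p, port) and _source_match(p, source)):
            return p["access"]
    return "Deny"

def audit(nsg, bastion_subnet):
    """Admin ports still open from the Internet, and admin ports Bastion itself cannot reach."""
    rules = nsg["securityRules"] + nsg.get("defaultSecurityRules", [])
    bastion = ipaddress.ip_network(bastion_subnet)
    return {"internet_open": [p for p in ADMIN_PORTS if effective_access(rules, "Internet", p) == "Allow"],
            "bastion_blocked": [p for p in ADMIN_PORTS if effective_access(rules, bastion, p) != "Allow"]}

def _rule(name, prio, access, src, ports):  # minimal rule in `az network nsg show` shape
    return {"name": name, "properties": {"priority": prio, "direction": "Inbound", "access": access,
                                         "protocol": "Tcp", "sourceAddressPrefix": src, "destinationPortRanges": ports}}

# Constructed VM-subnet NSGs: one still exposes RDP to the Internet, the other admits Bastion only.
WEAK_NSG = {"securityRules": [_rule("AllowRdpAnywhere", 300, "Allow", "*", ["3389"]),
                              _rule("AllowSshFromBastion", 100, "Allow", "10.0.1.0/26", ["22"])]}
HARDENED_NSG = {"securityRules": [_rule("AllowAdminFromBastion", 100, "Allow", "10.0.1.0/26", ["22", "3389"]),
                                  _rule("DenyAdminFromInternet", 200, "Deny", "Internet", ["22", "3389"])]}
```

Running `audit(WEAK_NSG, "10.0.1.0/26")` flags 3389 as open from the Internet, while the hardened NSG reports nothing; a wrong Bastion prefix shows up as both admin ports blocked for Bastion.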
This makes it the perfect solution for administering your Azure VMs without the hassle of a VPN or other complex solutions.