How to protect VMs with Azure Bastion hosts

Port scans are a popular reconnaissance technique used to find exposed services before attacking them. Could Azure Bastion hosts provide the network security businesses need?

You wouldn't leave your front door open when you leave the house, would you? The same goes for your VMs. Internal networks need a gateway that controls who gets in, so that management ports are never exposed directly to external threats. One option is a bastion host.

In military terms, a bastion is a defensive structure that is part of a larger fort or castle. It is typically built to offer a better view of the surroundings and prevent attackers from breaching the walls. Similarly, a bastion host serves as a security checkpoint determining whether incoming access to its assigned internal network is friend or foe.

For those who think bastion hosts are unnecessary, consider a Linux host exposed on the internet that logged over 1,200 scans of port 22 (SSH) and port 3389 (Microsoft Remote Desktop Protocol, RDP) in less than a day. When done correctly, bastion hosts keep those bots, scanners and hackers away from the management ports entirely.

Scans for SSH and RDP
The Linux host displays hundreds of scans for SSH and RDP.
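To get the same kind of count from your own exposed VM, here is an added example (not from the original article) that tallies inbound SSH and RDP probes per source address from NSG flow-log tuples and flags the sources that exceed a threshold. The six records are constructed; the column layout assumed is the flow-log version 2 tuple (time, source IP, destination IP, source port, destination port, protocol, direction, decision, state, then byte and packet counters), so adjust the awk field numbers if your export differs.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Counts inbound probes against
# TCP 22 and 3389 per source IP from NSG flow-log tuples.
set -euo pipefail

# Constructed sample in the assumed flow-log v2 tuple layout:
# time,src,dst,sport,dport,proto,direction(I/O),decision(A/D),state,counters...
# 203.0.113.7 hammers 22 and 3389; 10.10.255.5 stands in for a bastion subnet address.
SAMPLE_FLOWS='1700000000,203.0.113.7,10.10.1.4,51234,22,T,I,D,B,,,,
1700000001,203.0.113.7,10.10.1.4,51235,22,T,I,D,B,,,,
1700000002,203.0.113.7,10.10.1.4,51236,3389,T,I,D,B,,,,
1700000003,198.51.100.9,10.10.1.4,40000,3389,T,I,D,B,,,,
1700000004,10.10.255.5,10.10.1.4,44444,22,T,I,A,B,,,,
1700000005,203.0.113.7,10.10.1.4,51237,443,T,I,A,B,,,,'

# Print "count source dport" for every inbound flow to 22 or 3389, busiest first.
# Usage: count_mgmt_probes < flows.csv
count_mgmt_probes() {
  awk -F',' '$7 == "I" && ($5 == 22 || $5 == 3389) { n[$2 " " $5]++ }
             END { for (k in n) print n[k], k }' | sort -k1,1nr
}

# Print the source addresses that hit the management ports more than $1 times.
# Once a bastion is in place, the only source that should ever appear here
# is the AzureBastionSubnet range.
# Usage: flag_scanners <threshold> < flows.csv
flag_scanners() {
  local threshold="$1"
  awk -F',' -v t="$threshold" '$7 == "I" && ($5 == 22 || $5 == 3389) { n[$2]++ }
             END { for (ip in n) if (n[ip] > t) print ip }' | sort
}

# Run against the constructed sample when executed directly.
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_FLOWS" | count_mgmt_probes
  echo "--- sources over threshold 1:"
  printf '%s\n' "$SAMPLE_FLOWS" | flag_scanners 1
fi
```

Feed it a real export with `flag_scanners 50 < flows.csv`; anything that shows up after the management ports have been closed to the internet is worth a closer look in the NSG rules.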

Discover the benefits of Azure bastion hosts and how they can protect VMs from port scanning and other threats.

Azure Bastion features

Azure Bastion is a fully managed platform-as-a-service (PaaS) offering that lets administrators open RDP or SSH sessions to their VMs from the Azure portal, over TLS on port 443. The VMs themselves never need a public IP address or an internet-exposed management port, which removes the most commonly scanned attack surface and puts a controlled checkpoint in front of every session.

Some key features of Azure Bastion hosts are the following:

  • Access point control. Azure Bastion connects to VMs over their private IP addresses, so VM management is never exposed to the public internet. With no public IP on the VM, port scanners have nothing to find. Traditional setups that expose RDP (port 3389) or SSH (port 22) directly to the internet invite brute-force attacks and automated scanning.
  • Secure access. With Azure Bastion, the only public-facing component is the bastion host itself, listening on TCP port 443. That single entry point can be monitored, and inbound access to it can be restricted to known IP ranges with an NSG on the AzureBastionSubnet, which reduces the risk of unauthorized access. Traffic between the browser and Azure Bastion is TLS-encrypted. Because every session starts with an Azure portal sign-in, access to VMs can be gated by Microsoft Entra multifactor authentication and Conditional Access. Activity and diagnostic logs record who connected to which VM, which helps with audits and incident response.
  • Azure integration. Seamless integration with Microsoft Entra ID and Azure role-based access control (RBAC) enables granular access management; a user needs at least Reader access to the bastion host and the target VM before the Connect option works. Users can also configure Azure Firewall or network security groups (NSGs) to enforce additional rules. The key pattern is an NSG on the VM subnet that accepts RDP and SSH only from the AzureBastionSubnet address range, so the management ports are unreachable from the internet and from other subnets. Azure does not add those VM-side rules for you. What it does enforce is that any NSG attached to the AzureBastionSubnet itself carries the documented Bastion rules (inbound 443 from the internet and from the GatewayManager service tag, outbound 22 and 3389 to the virtual network, among others); otherwise the deployment fails. Organizations can also configure Azure Monitor and Microsoft Defender for Cloud (formerly Azure Security Center) to alert on suspicious activity related to bastion access.
  • Browser-based access. Accessing VMs directly through a web browser eliminates the need for additional client software. Added client software widens the attack surface, whether through a data leak, malicious code injected into a third-party application or a man-in-the-middle attack. Native clients such as ssh, mstsc and the Azure CLI are still supported where needed, through the Standard SKU's native client (tunneling) support.

Azure Bastion costs and limitations

While Azure Bastion hosts can do a lot of good for businesses, they come at a cost. For example, in Azure's East US 2 region the Standard SKU is billed at $0.29 per hour. That might not seem like a lot of money, but bastion hosts cannot be deallocated the way a VM can: a host is billed for every hour it exists. Standard hosts can scale out by raising the instance count, at deployment time or afterwards, which raises the hourly charge. Otherwise a host either exists, and is billed, or it doesn't.

Outbound data transfers also have a cost. Using our example of Azure's East US 2 region, outbound data transfers are free for the first 5 GB per month. After that, costs increase to $0.087 per GB. Depending on a business's data transfer needs, these costs could accrue substantially.

One noteworthy limitation is that an Azure Bastion host is deployed into a single virtual network in a single region and cannot be moved. That does not mean administrators need one bastion per virtual network or per region, however: Azure Bastion can connect to VMs deployed inside peered virtual networks, using either of two types of peering:

  1. Virtual network peering. Enables users to connect virtual networks within the same Azure region.
  2. Global network peering. Enables users to connect virtual networks across Azure regions.

How to set up Azure Bastion hosts

Users interested in setting up an Azure Bastion host can follow these steps to get started.

Step 1

Log in to the Azure portal. Navigate to Create a resource > Networking > Virtual Network. Fill in the required details, such as name and address space, and add a subnet named exactly AzureBastionSubnet with a prefix of /26 or larger; Azure Bastion will not deploy into a subnet with any other name or a smaller range. Once done, click Create. This creates a basic network in which to set up infrastructure that is accessible from the bastion host.

Step 2

In the Azure portal, use the search box to search for Bastions, and select it. Select Create. This opens a wizard with several mandatory fields, including the following:

  • Subscription. Select the appropriate subscription.
  • Resource group. Choose or create a new resource group.
  • Name. Provide a name for the bastion host.
  • Region. Select the same region as your virtual network.
  • Virtual network. Choose the virtual network created earlier.
  • Public IP address. Create a new public IP. This is the address the bastion host listens on; it must be a Standard SKU, statically allocated IP.

Once the settings are correct, click Create. Creating the bastion host can take 20 minutes or more. Users can watch progress under the Notifications bell in the top right-hand corner of the portal.

Step 3

Once complete, the user can connect to a VM by visiting the Azure portal, selecting the VM in question and clicking Connect. Select Bastion rather than a native RDP or SSH connection, then supply the VM credentials or SSH key.

One thing the portal does not do for you is lock down the VM's NSG. Add an inbound rule on the VM subnet that allows TCP 22 and 3389 only from the AzureBastionSubnet address range, followed by a rule that denies those ports from everywhere else. Bastion's connections arrive from the bastion subnet's private addresses, so this leaves management access reachable only through the bastion.

A configured Bastion host
Users are met with a summary page detailing their Bastion host configuration.
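The Azure CLI equivalent of Steps 1 to 3, together with the NSG lockdown described under Azure integration above, as an added example that is not part of the original article. All resource names, address ranges and the region are assumptions; change them to suit. The only part that runs without an Azure subscription is the prefix-length check, which catches the most common deployment failure (an AzureBastionSubnet smaller than /26) before the 20-minute wait.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: Azure CLI equivalent of
# Steps 1 to 3 plus the NSG lockdown. Names, ranges and region are assumptions.
set -euo pipefail

RG="rg-bastion-demo"
LOCATION="eastus2"
VNET="vnet-demo"
VNET_CIDR="10.10.0.0/16"
VM_SUBNET="snet-workload"
VM_SUBNET_CIDR="10.10.1.0/24"
BASTION_SUBNET_CIDR="10.10.255.0/26"  # must be /26 or larger; name must be AzureBastionSubnet
BASTION="bas-demo"
BASTION_PIP="pip-bas-demo"
NSG="nsg-workload"

# Azure rejects an AzureBastionSubnet smaller than /26. Check the prefix length
# locally before spending 20 minutes on a deployment that will fail.
# Returns 0 when the prefix length is 26 or less (the subnet is big enough).
check_bastion_subnet() {
  local cidr="$1" bits
  bits="${cidr##*/}"
  case "$bits" in
    ''|*[!0-9]*) return 1 ;;   # no "/nn" suffix, or not a number
  esac
  [ "$bits" -le 26 ]
}

deploy() {
  az group create --name "$RG" --location "$LOCATION" --output none

  # Step 1: virtual network with a workload subnet and the dedicated bastion subnet.
  az network vnet create --resource-group "$RG" --name "$VNET" --location "$LOCATION" \
    --address-prefixes "$VNET_CIDR" \
    --subnet-name "$VM_SUBNET" --subnet-prefixes "$VM_SUBNET_CIDR" --output none
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name AzureBastionSubnet --address-prefixes "$BASTION_SUBNET_CIDR" --output none

  # Step 2: Standard static public IP and the bastion host. Standard SKU with
  # tunneling enabled also lets native ssh/mstsc clients connect via the CLI.
  az network public-ip create --resource-group "$RG" --name "$BASTION_PIP" \
    --location "$LOCATION" --sku Standard --allocation-method Static --output none
  az network bastion create --resource-group "$RG" --name "$BASTION" \
    --location "$LOCATION" --vnet-name "$VNET" --public-ip-address "$BASTION_PIP" \
    --sku Standard --enable-tunneling true --output none

  # Step 3, the part the portal does not do for you: allow RDP/SSH into the
  # workload subnet only from the bastion subnet's private range, deny the rest.
  az network nsg create --resource-group "$RG" --name "$NSG" --location "$LOCATION" --output none
  az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name AllowMgmtFromBastion --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes "$BASTION_SUBNET_CIDR" \
    --destination-port-ranges 22 3389 --output none
  az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" \
    --name DenyMgmtFromAnywhereElse --priority 110 --direction Inbound --access Deny \
    --protocol Tcp --source-address-prefixes '*' \
    --destination-port-ranges 22 3389 --output none
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$VM_SUBNET" --network-security-group "$NSG" --output none
}

# Connect with a native SSH client through the bastion (needs the bastion CLI
# extension: az extension add --name bastion). $1 is the target VM's resource ID.
connect_ssh() {
  az network bastion ssh --resource-group "$RG" --name "$BASTION" \
    --target-resource-id "$1" --auth-type ssh-key --username azureuser \
    --ssh-key "$HOME/.ssh/id_ed25519"
}

# Only act when invoked as "./bastion.sh deploy"; sourcing the file just defines functions.
if [ "${1:-}" = "deploy" ]; then
  check_bastion_subnet "$BASTION_SUBNET_CIDR" || { echo "AzureBastionSubnet must be /26 or larger" >&2; exit 1; }
  deploy
fi
```

The two NSG rules are ordered so that the allow from the bastion range (priority 100) wins over the deny (priority 110); with no public IP on the VM, the deny is belt-and-braces against a later misconfiguration such as a peered network or a second NIC.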

Using a bastion host is a major security upgrade, but it is not the whole picture. The NSGs on the VM subnets still need a default deny for the management ports, allowing them only from the AzureBastionSubnet, so that lateral movement between internal networks over RDP and SSH is limited as well.

Another useful tool to implement is just-in-time (JIT) VM access, a Microsoft Defender for Cloud feature. With JIT, users must request RDP or SSH access to a VM; an approved request opens the port in the NSG only for the requested source and only for a limited window, after which the deny rule returns. It complements a bastion host rather than replacing it. However, in the Bastion connect flow this capability is restricted to hosts at the Standard and Premium SKU levels.

A list of Azure SKU tiers
Azure Standard and Premium SKU tiers enable JIT access.

To change the SKU level, search for the bastion host that was created, select Settings > Configuration, and then select the desired SKU tier. Note that a bastion host can only be upgraded (Basic to Standard, Standard to Premium); downgrading is not supported, so returning to a cheaper tier means deleting and redeploying the host.

Stuart Burns is an enterprise Linux administrator at a leading company that specializes in catastrophe and disaster modeling.
