Slide deck used during the MC2MC Kick-Off Evening - In this modern hybrid cloud world, security is key. In this session you will learn all about using Azure Bastion, a fully managed PaaS service, to connect securely to your Azure VMs.

1. It’s all about Security!
Let’s get you started with Azure Bastion

2. That’s what we’re Tolkien about
 Common VM administrative access methods
 Dem time
 What is Azure Bastion?
 How to deploy Bastion
 Dem time
 Roadmap
 Key Takeaways
 Q&A(sk the wizard)

3. Introduction needed?

4. Common VM administrative
access methods

5. Easily manage your VMs running in Azure…
Peering
VNet 2 (10.2.0.0/16)
VNet 1 (10.1.0.0/16)
Internet
ATTACK!
ATTACK!
ATTACK!

6. NAT through Azure Load Balancer
Peering
VNet 2 (10.2.0.0/16)
VNet 1 (10.1.0.0/16)
Internet
ATTACK!
ATTACK!
ATTACK!

7. …and you need to prevent breaches?

8. Resource
group
Gateway subnet
NSG NSG
Web subnet
Virtual network
Virtual
network
gateway
Local network gatewayConnection
On-premises network
Client
High security through Azure VPN/ExpressRoute…

9. Resource
group
Zone 1
Application
Gateway subnet
Zone 2
Zone 3
NSG NSG NSG
Application
Gateway
NSG
Jumpbox
Management
subnet
Web tier
subnet
Data tier
subnet
DDoS
Protection
Public IP
Public IP
Azure load
balancer
Virtual network
 A controlled entry point in your Azure
environment
 Improves security and reduce attack surface
of your VMs
 Setup inside a separated Virtual Network
(VNet) or subnet (Management VNet or
subnet)
 To allow access from the Internet it uses a
PIP
 From that VM you need to jump to your
other VMs
 Deployed as a very small Linux VM
(tunnel an RDP connection through SSH)
 RDS Gateway as a small VM
(tunnel an RDP connection through SSL)
Jump Box

10. Just-In-Time VM Access (JIT)
 Used to lock down inbound traffic and to limit the time
management ports (RDP/SSH) are open
 Available on the Standard tier of Azure Security Center
 Three states: Configured, Recommended and No
recommendation
 Only supports Azure Resource Manager VMs
 A user needs to request access to a VM
 All requests can be reviewed in the Activity Log

11. “One does not simply walk into my VNet.”
DEM

12. What is Azure Bastion?

13. “Azure Bastion is a PaaS service that you
provision inside your virtual network. It
provides secure and seamless RDP/SSH
connectivity to your virtual machines
directly in the Azure portal over SSL”

14. Azure Bastion Overview
 A PaaS service (jumpbox as-a-service) provisioned inside your VNet
 Secure RDP/SSH connectivity directly in the Azure Portal (SSL)
 No Public IP address (PIP) is required on your Azure virtual machines (VMs)
 Does not require any additional software for RDP/SSH access – agentless
 Internally it is a VM scale set
 Protection against port scanning, zero-day exploits and malware targeting

15. How Azure Bastion works

16. Keep in mind!
for every VNet

17. Azure Bastion Use Cases
 No VPN/Expressroute available
 no S2S / P2S
 Jumpbox does not meet the requirements
 Port 3389 is not allowed
 More expensive?
 Hard requirement for HTTPS (port 443)
 No management  Must be PAAS
 RDS Gateway & Jumpbox is out of the option
 Must be easy deployable/removable when needed
 Temporary access to VM (and only VM) with JIT
 no additional services (like VPN)
 no access to other resources in the ResourceGroup/Vnet

18. € 0.0591 per GB/moNext 100 TB (50 TB – 150 TB)
€ 0.0700 per GB/moNext 40 TB (10 TB – 50 TB)
Pricing
Azure Bastion Scale Unit (Zone 1 - West Europe) € 116.97/month
Outbound Data
Transfer
First 5 GB / month
5 GB – 10 TB
Free
€ 0.0734 per GB/moPrices differ depending on the regions which correspond to Zone 1 and Zone 2
 Zone 1 – West Europe, East US, South Central US, West US
 Zone 2 – Australia East, Japan East
Next 350 TB (150 TB – 500 TB) € 0.0422 per GB/mo
Over 500 TB / month – Contact Azure Sales

19. How to deploy Bastion

20. Deployment steps
 Check if Azure Bastion is available in your Azure public region
 Governance: Use a meaningful naming standard (mc2mc-prod-ba), use
resource tags (VNet: mc2mc-prod-vn) and RBAC
 Create a subnet in your VNet: AzureBastionSubnet (/27 or larger)
Network Security Group (NSG) -> foresee all necessary inbound and
outbound security rules
Azure Firewall -> do not associate the RouteTable
 Bastion requires a static PIP (Standard Public IP SKU)
 Create the Azure Bastion host using the Azure Portal, Azure
PowerShell or an ARM Template

21. AzureBastionSubnet NSG Inbound Rule
 Allow traffic on port 443 from *
 Allow traffic on ports 443 and 4443 from Service tag
GatewayManager
AzureBastionSubnet NSG Outbound Rules
 Allow traffic on ports 3389 and 22 to your VM subnets
 Allow traffic on port 443 for Service tag AzureCloud
Target VM Subnet(s) Outbound Rule
 Allow traffic on ports 3389 and 22 to Azure Bastion
Subnet IP address range
AzureBastionSubnet Network Security Group

22. What about JIT VM Access?

23. To access a VM at least the following roles are required
 Reader role on the VM
 Reader role on the NIC with private IP of the VM
 Reader role on het Azure Bastion resource
Required roles to access a VM

24.  Copy and paste (only text)
 Full screen view
 Currently no file-transfer support
What can you do in a remote session?

25. DEM
“My precious, Cloud.”

26. Future roadmap
 VNet Peering support
 Azure AD SSO with MFA
 Native RDP/SSH clients
 RDP full-session recording for auditing
 Azure AD PIM integration
 Private IP for Bastion host (access through
ExpressRoute or S2S VPN)
Azure Bastion Feedback page

27. Key Takeaways
PaaS service for RDP/SSH to VMs direclty over SSL
No need for a Public IP Address (PIP)
Needed for every VNet
Harden with NSG and JIT
Keep an eye on your Cloud Sp€nd!

28. Azure Bastion Documentation
https://docs.microsoft.com/en-us/azure/bastion/
Azure Architecture Center
https://docs.microsoft.com/en-us/azure/architecture/
Manage virtual machine access using just-in-time
https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
RDP to Azure Virtual machines using Azure Bastion
https://www.youtube.com/watch?v=eLjuWG-L57Q&feature=youtu.be
References

29. Q&A(sk the wizard)