The Enabling Technologies Blog


Mark Brezicky / Categories: Azure, Cloud

Azure Bastion, Replacement for Jump Box Server

A bastion is a fortified position built to protect something of value. In networking, a bastion host is a hardened server used to connect securely to resources on your network, usually for a single purpose. It is placed outside your internal network or security zone (a DMZ, for example) so that it, rather than your internal resources, takes the exposure to the public Internet. Some people use bastion and jump box interchangeably, and depending on how the host is deployed that can be accurate.

A jump box server is very similar to a bastion host but not quite the same. It can sit in your DMZ or on the internal network, is typically more locked down and hardened, and is reachable only from a trusted network. Its sole job is to provide a controlled path for administering other resources in the network.

Microsoft understands that, in most scenarios, Azure customers cannot expose RDP and SSH to the public Internet. Even a jump box with a public IP address carries real risk: it is one more host that must be patched, hardened, and monitored, and it is a standing target for credential brute-forcing and exploit attempts from the whole Internet.

Azure Bastion is the Platform as a Service (PaaS) equivalent of a jump box in Azure. It lets you open RDP and SSH sessions from the Azure Portal to any virtual machine in the virtual network where the Bastion host is deployed, in a secure and cost-effective way. The session is rendered in the browser over HTTPS (port 443), giving console-like access without a public IP address on the VM, a VPN gateway, or an RDP/SSH port exposed to the Internet.


Azure Bastion costs roughly $140 per month per instance (50% off during the preview) plus outbound data transfer charges. That is about the price of the basic, low-end VM a jump box would normally run on, but with Bastion there is no disk storage to pay for and no separate server to patch and maintain for each managed virtual network.

Azure Bastion can be set up and used in minutes. As of this writing it is in Public Preview, limited to the following Azure public regions:

  • West US
  • East US
  • West Europe
  • South Central US
  • Australia East
  • Japan East

The following steps are required to enable and use Azure Bastion.

Step 1

Connect to Azure PowerShell and run the following commands to register the Azure Bastion preview feature in the subscription you will deploy to. If you have multiple subscriptions, register it in each one. Registration can take up to 15 minutes; the final Get-AzProviderFeature call shows the state, and you should wait until AllowBastionHost reports Registered before moving on.

Connect-AzAccount

Select-AzSubscription -SubscriptionName "Name of Subscription"

# Register the Bastion preview feature, then re-register the Network provider so it picks the feature up
Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network

Register-AzResourceProvider -ProviderNamespace Microsoft.Network

# List feature states; AllowBastionHost should show RegistrationState = Registered before you continue
Get-AzProviderFeature -ProviderNamespace Microsoft.Network

Step 2

Open the preview Azure Portal to deploy Azure Bastion: go to either https://preview.portal.azure.com or http://aka.ms/BastionHost

Step 3

Use an existing virtual network or create a new one. The vNet must contain a subnet named exactly AzureBastionSubnet with an address range of /27 or larger. The name is mandatory, and the subnet should hold nothing but the Bastion host.


Step 4

Either go to Create a resource, or type bastion into the search box at the top of the portal and select Bastions (preview).


Step 5

Create a new Azure Bastion resource. Select the subscription, resource group, name, region, vNet and subnet (AzureBastionSubnet), and a public IP address (create a new one or pick an existing static, Standard SKU address).


Step 6

Once deployment completes, open any VM in the virtual network and Bastion appears as a connection option. The VM in this example is not domain joined, has no VPN connectivity, and has no public IP address assigned.

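The portal steps above, carried out end to end with Az PowerShell, as an added example that is not part of the original post. The resource group, vNet, subnet, and address ranges are placeholder assumptions. It also assumes the New-AzBastion cmdlet from a current Az.Network module; at the time of the preview the post describes, Bastion was deployed through the portal only. Run it after Connect-AzAccount and Select-AzSubscription.

```powershell
# Added example (not from the original post): deploy Azure Bastion with Az PowerShell.
# Assumptions: all names and address ranges below are placeholders; New-AzBastion is
# available in your Az.Network module version.

$rg       = "rg-bastion-demo"      # assumed resource group name
$location = "eastus"               # one of the preview regions listed in the post
$vnetName = "vnet-bastion-demo"    # assumed vNet name

# 1. Wait (up to 15 minutes, per the post) for the preview feature to finish registering.
$deadline = (Get-Date).AddMinutes(15)
do {
    $state = (Get-AzProviderFeature -ProviderNamespace Microsoft.Network `
                  -FeatureName AllowBastionHost).RegistrationState
    if ($state -eq "Registered") { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)
if ($state -ne "Registered") {
    throw "AllowBastionHost is '$state'; registration did not complete in time."
}

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# 2. The vNet needs a subnet named exactly AzureBastionSubnet, /27 or larger.
#    Keep it dedicated: workloads live in their own subnet.
$bastionSubnet  = New-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -AddressPrefix "10.10.255.0/27"
$workloadSubnet = New-AzVirtualNetworkSubnetConfig -Name "snet-workload"      -AddressPrefix "10.10.1.0/24"
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
            -AddressPrefix "10.10.0.0/16" -Subnet $bastionSubnet, $workloadSubnet

# 3. Bastion uses a static Standard SKU public IP. In this design it is the only public IP.
$pip = New-AzPublicIpAddress -Name "pip-bastion-demo" -ResourceGroupName $rg -Location $location `
            -AllocationMethod Static -Sku Standard

# 4. Deploy the Bastion host into the vNet.
$bastion = New-AzBastion -Name "bas-demo" -ResourceGroupName $rg `
               -PublicIpAddress $pip -VirtualNetwork $vnet

# 5. Sanity check: no public IP other than Bastion's should exist in the resource group.
$strayIps = Get-AzPublicIpAddress -ResourceGroupName $rg | Where-Object { $_.Name -ne $pip.Name }
if ($strayIps) {
    Write-Warning "Unexpected public IPs in ${rg}: $($strayIps.Name -join ', ')"
}

$bastion | Select-Object Name, ProvisioningState
```

After this runs, the VM you create in snet-workload needs no public IP at all; its Connect blade in the portal offers the Bastion option described in Step 6.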

Azure Bastion is a quick, easy, secure, and cost-effective way to reach Azure resources that you do not want to be directly reachable. It is agentless and, as a PaaS offering, a true replacement for jump box servers. You can attach a dedicated Network Security Group (NSG) to AzureBastionSubnet to restrict ingress and egress for the Bastion host. Bear in mind that the service itself needs a specific set of allowed flows (HTTPS in from your administrators and from the Azure control plane, RDP and SSH out to the vNet), so a lock-down rule set should follow Microsoft's documented requirements rather than a blanket deny. While still in public preview, Microsoft is working on Azure AD integration and on letting traditional RDP and SSH clients connect through the service.
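The dedicated NSG mentioned above, as an added example that is not part of the original post. The rule set follows Microsoft's documented requirements for AzureBastionSubnet (the control-plane and data-plane rules have been extended since the preview, so check the current documentation before applying it). The resource names, location, and the administrator source range are placeholder assumptions; it expects the vNet and subnet from Step 3 to already exist.

```powershell
# Added example (not from the original post): lock down AzureBastionSubnet with an NSG.
# Assumptions: names, location, and $adminCidr are placeholders; the rules mirror
# Microsoft's documented Bastion subnet requirements as of current documentation.

$rg        = "rg-bastion-demo"
$location  = "eastus"
$vnetName  = "vnet-bastion-demo"
$adminCidr = "203.0.113.0/24"   # assumed admin egress range (TEST-NET-3); use "Internet" if you cannot pin it down

$rules = @(
  # ---- Inbound: browser sessions from admins, Azure control plane, and Bastion's own data plane ----
  New-AzNetworkSecurityRuleConfig -Name "AllowHttpsInboundFromAdmins" -Direction Inbound -Priority 120 -Access Allow `
      -Protocol Tcp -SourceAddressPrefix $adminCidr -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443
  New-AzNetworkSecurityRuleConfig -Name "AllowGatewayManagerInbound" -Direction Inbound -Priority 130 -Access Allow `
      -Protocol Tcp -SourceAddressPrefix GatewayManager -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443
  New-AzNetworkSecurityRuleConfig -Name "AllowAzureLoadBalancerInbound" -Direction Inbound -Priority 140 -Access Allow `
      -Protocol Tcp -SourceAddressPrefix AzureLoadBalancer -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 443
  New-AzNetworkSecurityRuleConfig -Name "AllowBastionHostCommunication" -Direction Inbound -Priority 150 -Access Allow `
      -Protocol * -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange @("8080","5701")
  New-AzNetworkSecurityRuleConfig -Name "DenyAllInbound" -Direction Inbound -Priority 4096 -Access Deny `
      -Protocol * -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *

  # ---- Outbound: RDP/SSH to the vNet only, plus what the service itself needs ----
  New-AzNetworkSecurityRuleConfig -Name "AllowSshRdpOutbound" -Direction Outbound -Priority 100 -Access Allow `
      -Protocol * -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange @("22","3389")
  New-AzNetworkSecurityRuleConfig -Name "AllowAzureCloudOutbound" -Direction Outbound -Priority 110 -Access Allow `
      -Protocol Tcp -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix AzureCloud -DestinationPortRange 443
  New-AzNetworkSecurityRuleConfig -Name "AllowBastionCommunicationOutbound" -Direction Outbound -Priority 120 -Access Allow `
      -Protocol * -SourceAddressPrefix VirtualNetwork -SourcePortRange * -DestinationAddressPrefix VirtualNetwork -DestinationPortRange @("8080","5701")
  New-AzNetworkSecurityRuleConfig -Name "AllowGetSessionInformation" -Direction Outbound -Priority 130 -Access Allow `
      -Protocol * -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix Internet -DestinationPortRange 80
  New-AzNetworkSecurityRuleConfig -Name "DenyAllOutbound" -Direction Outbound -Priority 4096 -Access Deny `
      -Protocol * -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *
)

$nsg = New-AzNetworkSecurityGroup -Name "nsg-bastion" -ResourceGroupName $rg -Location $location -SecurityRules $rules

# Associate the NSG with AzureBastionSubnet and write the change back to the vNet.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = $vnet.Subnets | Where-Object Name -eq "AzureBastionSubnet"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "AzureBastionSubnet" `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

The explicit Deny rules at priority 4096 override the default AllowVnetInBound and AllowInternetOutBound rules, which is what makes the allow list meaningful: anything Bastion does not need (for example RDP or SSH from the Internet straight into the subnet) is dropped. Restricting the 443 inbound rule to your administrators' address range is the one place this goes beyond Microsoft's baseline, which allows 443 from Internet.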

Enabling Technologies can help you properly prepare for moving to Azure based on Microsoft Best Practices. You can check out more in the Azure section of our website.
