Bastion can be defined as a fortified place used to protect something of value. In technology, a Bastion host is used to securely connect to resources on your network, typically for a single purpose. This host is typically placed in outside your network or security zone to protect against attacks and not expose your internal resources to the public Internet. Some use Bastion and Jump box interchangeably. In some scenarios that may be true depending on how the resource was deployed.
A Jump box server, while very similar to a Bastion host, is slightly different. This server can be on your DMZ or internal network. It is typically more locked down and hardened and only accessible from a trusted network. It is explicitly used to provide a controlled means of access to manage other resources in the network.
Microsoft Azure, being a cloud solution, understands that users cannot expose RDP and SSH to the public internet in most scenarios. Even a jump box exposed to the public Internet has several security risks.
Azure Bastion is the Platform as a Service (PaaS) solution to a jump box in Azure. It enables the use of the Azure Portal to perform the RDP and SSH connection to any virtual machine within the virtual network they are deployed in with a secure, cost effective solution. It provides near-like console access that does not require any public IP address or VPN gateway connectivity to the VMs it connects to.
Azure Bastion will cost ~$140/month per instance (50% off during preview) plus Outbound data transfer charges. This is roughly the cost of a basic, low-level VM that a jump box would be provisioned as. However, you do not have to pay for any storage costs as well as manage a separate server for each managed virtual network.
Azure Bastion can be setup and utilized in minutes. As of this writing, it is currently in Public Preview. The public preview is limited to the following Azure public regions:
- West US
- East US
- West Europe
- South Central US
- Australia East
- Japan East
The following steps are required to enable and use Azure Bastion.
Connect to Azure PowerShell and run the following commands to register Azure Bastion within the subscription you wish to deploy to. If you have multiple subscriptions, this needs to be registered for each one. It may take up to 15 minutes to complete the registration.
Select-AzSubscription -SubscriptionName “Name of Subscription”
Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
Register-AzResourceProvider -ProviderNamespace Microsoft.Network
Get-AzProviderFeature -ProviderNamespace Microsoft.Network
You will need to use an existing virtual network or create a new virtual network. This vNet will require a subnet called AzureBastionSubnet that is at least a /27 or larger.
Either go to Create a resource or search for bastion in the top middle search options and select Bastions (preview).
Create a new Azure Bastion Resource. Select your Subscription, resource group, Name, region, vNet and subnet, and public IP address.
Once deployed, you can go to any VM in the network and now use Bastion as a Connection option. The VM in this example is non-domain joined, no VPN connectivity, or any Public IP address assigned.
Azure Bastion is quick, easy, secure, and cost effective way to provide connectivity into Azure resources that you do not want direct connections to. It is an agent-less solution and a true replacement to jump box servers as a PaaS solution. You can configure a dedicated Network Security Group (NSG) to lock down access to Azure Bastion for ingress and egress connections. While only in public preview, Microsoft is still working on extending its capabilities to integrate with Azure AD as well as work with traditional RDP and SSH clients to connect to the service.
Enabling Technologies can help you properly prepare for moving to Azure based on Microsoft Best Practices. You can check out more in the Azure section of our website.