Using Azure Bastion for Secure Access to Virtual Machines

04/01/2025

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in implementing and configuring Azure Bastion for secure access to virtual machines (VMs) in Azure. In a cloud environment, security of access to VMs is essential to protect resources and data. Traditionally, accessing VMs via RDP (Remote Desktop Protocol) or SSH (Secure Shell) required exposing public ports to the internet, which significantly increased the attack surface. Azure Bastion offers a robust and secure solution to eliminate this exposure by providing secure access without the need for VPNs or public IPs [1].

Introduction

Migrating infrastructures to the cloud has brought numerous benefits in terms of scalability and flexibility. However, security remains a top concern. Access to virtual machines is a critical point, as they are often the heart of many applications and services. Exposing RDP (3389) or SSH (22) ports directly to the internet is an ill-advised security practice, as it makes them easy targets for brute force attacks and other exploits [2].

Azure Bastion is a fully managed Platform as a Service (PaaS) service that you provision in your virtual network. It allows you to connect to virtual machines in your virtual network directly from the Azure portal, using RDP and SSH, without the need for public IPs on the VMs, agents installed on the VMs, or special clients/configurations on your local machine. Bastion acts as a secure proxy, routing RDP/SSH traffic through a secure TLS (Transport Layer Security) connection to the user's browser, protecting VMs from direct exposure to the internet [3].

This how-to guide will cover prerequisites, how to provision and configure Azure Bastion, how to connect to Windows and Linux VMs using RDP and SSH, how to manage sessions, and how to test and validate secure access. Step-by-step instructions, practical examples, and concise explanations will be provided so that the reader can implement, test, and validate these features. In addition, security tips, compliance checks and best practices will be discussed to ensure safe and efficient remote access to your virtual machines, in an autonomous, professional and reliable way.

Why is Azure Bastion crucial for VM access?

  • Enhanced Security: Eliminates the need for public IPs on VMs, protecting them against direct attacks from the internet. Access is via TLS through the browser.
  • Simplified Access: Connects to VMs directly from the Azure portal, without the need for native RDP/SSH clients or VPNs.
  • Zero Trust: Aligns with the principles of Zero Trust, ensuring that access is always verified and authorized, regardless of the user's location.
  • Audit and Monitoring: Allows you to monitor and manage sessions, with the option of session recording (available on the Premium SKU) for audit and compliance purposes.
  • Reduced Cost and Complexity: As a fully managed PaaS service, it eliminates the need to manage your own jump boxes or complex VPNs.
  • Port Scanning Protection: VMs do not have public IPs, making them invisible to port scanners and malicious bots on the internet.

Prerequisites

To implement Azure Bastion, you will need the following items:

  1. Active Azure Subscription: An Azure subscription to create and manage resources.
  2. Administrative Access: An account with the role of Owner or Contributor on the subscription or resource group where the VMs are located.
  3. Azure Virtual Network (VNet): An existing virtual network that contains the VMs you want to connect to.
  4. Dedicated Subnet for Azure Bastion: A subnet within your VNet with the name AzureBastionSubnet and a prefix of at least /27 (ex: 10.0.2.0/27). This subnet is exclusive to Bastion and cannot be used for other resources [4].
  5. Virtual Machines (VMs): Existing Windows or Linux VMs in the same VNet (or peered VNets) that you want to connect to.

Step by Step: Configuring Azure Bastion

Let's provision Azure Bastion and use it to connect to a VM.

1. Creating the AzureBastionSubnet Subnet

Before deploying Bastion, you need to create a dedicated subnet.

  1. Open your browser and navigate to the Azure portal: https://portal.azure.com.
  2. Log in with an account that has the necessary permissions.
  3. In the top search field, type Virtual networks and select it from the results.
  4. Select the virtual network where your VMs are located.
  5. In the left navigation pane, under Settings, select Subnets.
  6. Click +Subnet.
  7. Add Subnet:
    • Name: Enter AzureBastionSubnet (this name is required).
    • Subnet Address Range: Provide an address range with a prefix of at least /27 (e.g. 10.0.2.0/27).
    • Leave other settings as default.
  8. Click Save.

    • Explanation: The AzureBastionSubnet is where the Azure Bastion service will be deployed. It is crucial that the name is exactly AzureBastionSubnet so that the service can be provisioned correctly.
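A preflight check for the two subnet requirements above (exact name and a /27 or larger prefix), plus the two layout mistakes that usually surface only at deployment time (prefix outside the VNet address space, or overlapping another subnet). This is an added example, not code from the article or from Microsoft; the VNet dictionary is a constructed sample whose field names are an assumption.

```python
import ipaddress

BASTION_SUBNET_NAME = "AzureBastionSubnet"   # required, case-sensitive
MAX_PREFIX_LEN = 27                          # /27 or larger block (prefix length <= 27)

# Constructed sample VNet layout (field names are an assumption, not an Azure schema).
SAMPLE_VNET = {
    "addressSpace": ["10.0.0.0/16"],
    "subnets": [
        {"name": "default", "addressPrefix": "10.0.0.0/24"},
        {"name": "AzureBastionSubnet", "addressPrefix": "10.0.2.0/27"},
    ],
}


def check_bastion_subnet(vnet):
    """Return a list of problems; an empty list means Bastion can be deployed here."""
    problems = []
    space = [ipaddress.ip_network(p) for p in vnet["addressSpace"]]
    subnets = {s["name"]: ipaddress.ip_network(s["addressPrefix"]) for s in vnet["subnets"]}

    # The name must match exactly; a case variant is the most common near-miss.
    if BASTION_SUBNET_NAME not in subnets:
        near = [n for n in subnets if n.lower() == BASTION_SUBNET_NAME.lower()]
        hint = f" (found {near[0]!r})" if near else ""
        problems.append(f"missing {BASTION_SUBNET_NAME}{hint}")
        return problems

    bastion = subnets[BASTION_SUBNET_NAME]
    if bastion.prefixlen > MAX_PREFIX_LEN:
        problems.append(f"prefix /{bastion.prefixlen} is too small; need /{MAX_PREFIX_LEN} or larger")
    if not any(bastion.subnet_of(s) for s in space if s.version == bastion.version):
        problems.append(f"{bastion} is outside the VNet address space")
    for name, net in subnets.items():
        if name != BASTION_SUBNET_NAME and net.overlaps(bastion):
            problems.append(f"{bastion} overlaps subnet {name} ({net})")
    return problems


if __name__ == "__main__":
    print(check_bastion_subnet(SAMPLE_VNET) or "AzureBastionSubnet layout OK")
```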

2. Provisioning Azure Bastion

Now that the subnet is ready, we can deploy the Bastion service.

  1. In the Azure portal, in the top search field, type Bastion and select it from the results.
  2. Click + Create.
  3. Basics:
    • Subscription: Select your subscription.
    • Resource Group: Select the same resource group as your VNet.
    • Name: Give your Bastion instance a name (e.g. myBastionHost).
    • Region: Select the same region as your VNet.
    • Tier: Select Basic (for basic RDP/SSH) or Standard (for additional features like session recording, link sharing, etc.). For this guide, we will use Basic.
  4. Virtual network:
    • Virtual network: Select the VNet where you created the AzureBastionSubnet.
    • Subnet: The AzureBastionSubnet will be selected automatically.
    • Public IP address: Click Create new. Give the public IP a name (e.g. myBastionPublicIP). This public IP is for the Bastion service and is not exposed to your VMs.
  5. Click Review + create and then Create.

    • Explanation: Azure Bastion provisioning can take 5 to 10 minutes. Once deployed, it will be ready to be used to access your VMs.

3. Connecting to a Windows VM via RDP

Let's connect to a Windows VM without exposing its RDP port.

  1. In the Azure portal, navigate to your Windows VM.
  2. In the left navigation pane, select Connect.
  3. Select Bastion.
  4. Enter your Windows VM user credentials and password.
  5. Click Connect.

    • Expected Action: A new browser tab will open, and you will see your Windows VM desktop. The connection is completely based on HTML5 in the browser.

4. Connecting to a Linux VM via SSH

Let's connect to a Linux VM without exposing its SSH port.

  1. In the Azure portal, navigate to your Linux VM.
  2. In the left navigation pane, select Connect.
  3. Select Bastion.
  4. Choose the Authentication Type: Username and Password or SSH Private Key.
    • If Username and password, enter your Linux VM credentials.
    • If SSH Private Key, upload your private key file (.pem or .ppk).
  5. Click Connect.

    • Expected Action: A new browser tab will open, and you will see your Linux VM's terminal, allowing you to execute SSH commands.

Validation and Testing

It is crucial to validate that access via Azure Bastion is working as expected and that the VMs are not accessible in other ways.

1. Checking Bastion Connectivity

  1. Scenario: Try accessing your Windows and Linux VMs using Azure Bastion, as per steps 3 and 4 above.
  2. Expected Action: RDP and SSH connections should be successfully established through the browser.
  3. Verification:
    • Confirm that you can interact with the Windows VM desktop and execute commands in the Linux VM terminal.

2. Checking Direct Inaccessibility of VMs

  1. Scenario: Try accessing your VMs directly from the internet using an RDP or SSH client, pointing to the VM's public IP (if there is one) or private IP (if you are outside the VNet).
  2. Expected Action: Direct connection attempts should fail as RDP/SSH ports should not be publicly exposed.
  3. Verification: If your VMs have public IPs, check the Network Security Group (NSG) rules associated with the VM's network interface or the VM's subnet. Make sure ports 3389 (RDP) and 22 (SSH) are not open to Any or Internet.
    • Ideally, VMs accessed via Bastion should not have associated public IPs.
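The NSG check above can be automated over the rule list of each VM NIC or subnet NSG: flag inbound Allow rules that open 22 or 3389 to Any/Internet, and confirm that at least one rule still admits those ports from the AzureBastionSubnet (which is what the Bastion data path needs). This is an added example, not code from the article or from Microsoft; the rule dictionaries are a constructed sample whose keys mirror common NSG rule fields (an assumption), and 10.0.2.0/27 is the subnet prefix used earlier in this guide.

```python
import ipaddress

RDP_SSH_PORTS = {22, 3389}
BASTION_SUBNET = ipaddress.ip_network("10.0.2.0/27")    # AzureBastionSubnet prefix from this guide
PUBLIC_SOURCES = {"*", "Any", "Internet", "0.0.0.0/0"}  # "Any"/"Internet" as shown in the portal

# Constructed sample rules (key names are an assumption modelled on NSG rule properties).
SAMPLE_RULES = [
    {"name": "AllowBastionInbound", "direction": "Inbound", "access": "Allow", "priority": 100,
     "sourceAddressPrefix": "10.0.2.0/27", "destinationPortRanges": ["22", "3389"]},
    {"name": "AllowRDPFromInternet", "direction": "Inbound", "access": "Allow", "priority": 200,
     "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "AllowHTTPS", "direction": "Inbound", "access": "Allow", "priority": 300,
     "sourceAddressPrefix": "*", "destinationPortRange": "443"},
]


def rule_ports(rule):
    """Expand destinationPortRange(s) such as '22', '3000-4000' or '*' into a set of ports."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    ports = set()
    for r in ranges:
        if r == "*":
            return set(range(65536))
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def source_is_bastion(prefix):
    """True when the rule's source is the AzureBastionSubnet (or a block inside it)."""
    try:
        return ipaddress.ip_network(prefix).subnet_of(BASTION_SUBNET)
    except ValueError:      # service tags such as "Internet" or "VirtualNetwork"
        return False


def audit_nsg(rules):
    """Return (exposed_rule_names, bastion_allowed).

    Priority ordering against Deny rules is not modelled: every flagged rule is a
    candidate for review, not a proof that the port is reachable from the internet."""
    exposed, bastion_allowed = [], False
    for rule in rules:
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if not rule_ports(rule) & RDP_SSH_PORTS:
            continue
        src = rule["sourceAddressPrefix"]
        if src in PUBLIC_SOURCES:
            exposed.append(rule["name"])
        elif source_is_bastion(src):
            bastion_allowed = True
    return sorted(exposed), bastion_allowed
```

Run it against the output of `az network nsg rule list` for each NSG in scope; an empty exposed list together with `bastion_allowed == True` is the state the validation step expects.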

3. Bastion Session Monitoring (Standard SKU)

If you provisioned Bastion with the Standard SKU, you can monitor active sessions.

  1. In the Azure portal, navigate to your Azure Bastion resource (myBastionHost).
  2. In the left navigation pane, under Monitoring, select Sessions.
  3. You will see a list of active RDP and SSH sessions, including the user, source IP, and destination VM.

Security Tips and Best Practices

  • Remove Public IPs from VMs: After configuring Azure Bastion, remove any public IPs from your VMs. This is the main security benefit of Bastion.
  • Configure NSGs Appropriately: Ensure that the Network Security Groups (NSGs) of your VM subnets and AzureBastionSubnet are configured correctly to allow only necessary traffic. Bastion needs access to VMs' private RDP/SSH ports, but VMs don't need public inbound access.
  • Principle of Least Privilege: Assign only the necessary permissions so that users can connect to VMs via Bastion. Azure RBAC can be used to control who can use Bastion.
  • Strong Authentication: Always use strong authentication for your VM credentials. Combine with Azure AD for authentication and, if possible, Conditional Access to require MFA for access to the Azure portal, which in turn controls access to Bastion.
  • Session Recording (Premium SKU): For environments that require strict compliance and auditing, consider using the Azure Bastion Premium SKU to record RDP and SSH sessions. This provides a visual record of what has been done on the VMs.
  • Log Monitoring: Monitor Azure activity logs for Bastion and security logs for your VMs to detect suspicious activity or unauthorized access attempts.
  • Updates and Patches: Keep your VMs up to date with the latest security patches to mitigate internal vulnerabilities.

Common Troubleshooting

  • I can't see the Bastion option when trying to connect to the VM:
    • Verify that Azure Bastion has been provisioned in the same VNet (or peered VNet) as the VM.
    • Ensure that the AzureBastionSubnet exists and has the correct address prefix (/27 or greater).
    • Check if Bastion is in Running state in the Azure portal.
  • RDP/SSH connection error via Bastion:
    • Invalid credentials: Verify that the user and password credentials (or SSH key) are correct for the VM.
    • NSG issues: Confirm that the VM subnet's NSG allows inbound traffic on ports 3389 (RDP) or 22 (SSH) of the AzureBastionSubnet.
    • VM Firewall: Check that the VM's internal firewall is not blocking RDP/SSH connections.
    • RDP/SSH service is not running: Make sure the RDP (for Windows) or SSH (for Linux) service is running on the VM.
  • Slow performance or disconnections:
    • Check your internet connection bandwidth. Bastion streams the session video to your browser.
    • Consider using Bastion's Standard or Premium SKU, which offer better performance and additional features.
    • Check for high CPU or memory utilization on the target VM, which may affect session performance.
  • I can't access internal VM resources via Bastion:
    • Azure Bastion provides connectivity to the VM. Once connected to the VM, access to other internal resources of the VNet will depend on the VM's own network configurations and applicable NSG rules.

Conclusion

Azure Bastion is an essential component for the security of cloud environments, providing a secure and simplified method for accessing virtual machines. By eliminating direct exposure of RDP/SSH ports to the internet, it significantly reduces the attack surface and strengthens the overall security posture. Careful implementation, integration with security best practices, and continuous monitoring are critical to maximizing the benefits of Bastion. With this hands-on approach, security professionals and IT administrators will be well-equipped to configure, validate, and manage Azure Bastion, ensuring that access to their virtual machines is always secure and compliant.


References:

[1] Microsoft Learn. What is Azure Bastion? Available at: https://learn.microsoft.com/pt-br/azure/bastion/bastion-overview
[2] Microsoft Learn. Design and planning considerations for using Azure Bastion to enable secure remote access to virtual machines in Azure. Available at: https://learn.microsoft.com/pt-br/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-virtual-machine-remote-access
[3] Microsoft Learn. Connect to a Windows VM using RDP - Azure Bastion. Available at: https://learn.microsoft.com/pt-br/azure/bastion/bastion-connect-vm-rdp-windows
[4] Microsoft Learn. Configure a Bastion host. Available at: https://learn.microsoft.com/pt-br/azure/bastion/tutorial-create-host-portal
[5] Microsoft Learn. Connect to a Linux VM using SSH - Azure Bastion. Available at: https://learn.microsoft.com/pt-br/azure/bastion/bastion-connect-vm-ssh-linux
[6] Microsoft Learn. Azure Bastion session monitoring and management. Available at: https://learn.microsoft.com/pt-br/azure/bastion/session-monitoring
[7] Microsoft Learn. Configure Bastion session recording. Available at: https://learn.microsoft.com/pt-br/azure/bastion/session-recording