What is Azure Bastion?
Azure Bastion is a managed service in Microsoft Azure that provides RDP and SSH access to virtual machines that have no public IP addresses. You connect from the Azure portal over TLS (port 443), and the Bastion host, which sits in its own subnet of your virtual network, opens the RDP or SSH session to the VM's private IP. The VM is never exposed to the internet, and because Microsoft operates the Bastion host, there is no jump box of your own to patch and harden.
Azure Bastion offers several advantages:
- Enhanced Security: VMs need no public IP address, so RDP and SSH are not reachable from the internet at all.
- Simplified Access: RDP and SSH sessions run in the browser from the Azure portal over TLS, with no extra client software.
- Platform Managed: Microsoft operates the Bastion host, providing high availability and scaling and removing the overhead of maintaining your own jump box.
- Consistent Connectivity: Reliable access to VMs from anywhere without a VPN, while the VM's network security group still controls what the Bastion subnet may reach.
Step 1. Create the VNet
In the Azure portal, first create a resource group named "C2Snetwork-RG". Then create a virtual network inside it; this is the foundation for everything that follows.
On the Basics tab, select that resource group; picking the wrong one will make the later steps fail. Give the virtual network a name and continue to the next tab.
On the Security tab, enable Azure Bastion. Two further fields appear: the Bastion host name (the host is attached to this VNet) and the name of the public IP address the Bastion host will use. The Bastion host itself needs that public IP; your VMs will not. Then continue to the IP addresses tab.
Define the VNet address space and add a subnet for your VMs; the wizard adds the Bastion subnet for you. Then select "Review + create".
Click Create. When validation passes, the VNet and the Bastion host are deployed together (the Bastion host takes several minutes).
After the deployment finishes, open the VNet and check its subnets. There are two: one for your virtual machines and one named AzureBastionSubnet for the Bastion host. That name is mandatory and the subnet must be /26 or larger; the wizard creates it as a /26, and you cannot rename it.
Step 2. Create the virtual machine
After successfully creating the VNet, go to the search bar and type "Virtual Machine" to proceed with creating a VM.
After selecting the Virtual Machine option, proceed to the wizard, choose the resource group from Step 1, and select the VM type. In this scenario we create a Windows Server 2019 VM. Choose a strong administrator username and password. Set Public inbound ports to None: the VM will be reached only through Bastion, so RDP (port 3389) must not be open to the internet.
After completing the Basics tab, move on to the Disks tab. There is no need to change anything here, so proceed to the Networking tab. Select the VNet you created and the VM subnet (not AzureBastionSubnet); the VM receives a private IP automatically. Set Public IP to None and confirm that Public inbound ports is also None. Finally, click "Review + create" to complete the setup.
Once the setup is complete, finalize the wizard to successfully create the virtual machine.
Once the virtual machine is created, note that because it has no public IP address, the Connect page offers no RDP file to download, and nothing on the internet can reach port 3389 directly.
The only way in is Azure Bastion. On the VM, open Connect > Bastion, enter the administrator username and password you set, and select Connect.
Boom! If you've followed the steps correctly, you can access the VM directly in your default browser tab. Enjoy your secure connection to the virtual machine.
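The same topology built with the Azure CLI instead of the portal wizard, as an added example that is not part of the original post. The resource group name is the one used above; the region, VNet and subnet names, address ranges, Bastion and VM names, admin username and the ADMIN_PASSWORD environment variable are assumptions. The script also carries a small pre-flight check for the AzureBastionSubnet rules the portal enforces silently, and ends by verifying that the VM really has no public IP.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: the Step 1 / Step 2 topology via az CLI.
# Resource group name comes from the post; every other name, range and region is an assumption.
set -eu

RG="C2Snetwork-RG"                    # from the post
LOCATION="eastus"                     # assumption
VNET="C2S-vnet"                       # assumption
VNET_PREFIX="10.0.0.0/16"             # assumption
VM_SUBNET="vm-subnet"                 # assumption
VM_SUBNET_PREFIX="10.0.1.0/24"        # assumption
BASTION_SUBNET="AzureBastionSubnet"   # fixed name required by the platform
BASTION_SUBNET_PREFIX="10.0.2.0/26"   # assumption; must be /26 or larger
BASTION="C2S-bastion"                 # assumption
BASTION_PIP="bastion-pip"             # assumption
VM="win2019-vm"                       # assumption
ADMIN_USER="azureuser"                # assumption

# Pre-flight check for the Bastion subnet rules the portal wizard applies for you:
# the name must be exactly AzureBastionSubnet and the prefix length must be 26 or
# smaller (i.e. /26 or larger). Pure shell, so it runs without az installed.
check_bastion_subnet() {
  name="$1"; prefix="$2"
  if [ "$name" != "AzureBastionSubnet" ]; then
    echo "subnet must be named AzureBastionSubnet, got '$name'" >&2; return 1
  fi
  bits="${prefix##*/}"
  case "$bits" in
    ''|*[!0-9]*) echo "bad CIDR prefix: '$prefix'" >&2; return 1 ;;
  esac
  if [ "$bits" -gt 26 ]; then
    echo "AzureBastionSubnet needs /26 or larger, got /$bits" >&2; return 1
  fi
  return 0
}

deploy() {
  check_bastion_subnet "$BASTION_SUBNET" "$BASTION_SUBNET_PREFIX"
  : "${ADMIN_PASSWORD:?export ADMIN_PASSWORD before running with --apply}"

  az group create --name "$RG" --location "$LOCATION"

  # VNet with the workload subnet; the Bastion subnet is added separately.
  az network vnet create --resource-group "$RG" --name "$VNET" \
    --address-prefixes "$VNET_PREFIX" \
    --subnet-name "$VM_SUBNET" --subnet-prefixes "$VM_SUBNET_PREFIX"
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name "$BASTION_SUBNET" --address-prefixes "$BASTION_SUBNET_PREFIX"

  # The Bastion host itself needs a Standard, static public IP; the VMs do not.
  az network public-ip create --resource-group "$RG" --name "$BASTION_PIP" \
    --sku Standard --allocation-method Static
  az network bastion create --resource-group "$RG" --name "$BASTION" \
    --vnet-name "$VNET" --public-ip-address "$BASTION_PIP" \
    --location "$LOCATION" --sku Basic

  # Windows Server 2019 VM with no public IP and no inbound NSG rule: RDP stays
  # closed to the internet, and the Bastion subnet reaches 3389 over the VNet.
  az vm create --resource-group "$RG" --name "$VM" \
    --image Win2019Datacenter \
    --admin-username "$ADMIN_USER" --admin-password "$ADMIN_PASSWORD" \
    --vnet-name "$VNET" --subnet "$VM_SUBNET" \
    --public-ip-address "" --nsg-rule NONE

  # Verify what the post promises: the VM has a private address only.
  pub="$(az vm show --resource-group "$RG" --name "$VM" --show-details --query publicIps -o tsv)"
  if [ -n "$pub" ]; then echo "unexpected public IP on $VM: $pub" >&2; return 1; fi
  echo "VM private IP: $(az vm show --resource-group "$RG" --name "$VM" --show-details --query privateIps -o tsv)"
  echo "Connect in the portal: $VM > Connect > Bastion"
}

# Dry by default; nothing touches Azure unless you pass --apply.
if [ "${1:-}" = "--apply" ]; then
  deploy
fi
```

Run it with `--apply` after `az login`; without the flag it only defines the functions, so you can source it and call `check_bastion_subnet` against your own subnet plan first. The Bastion host has the Basic SKU here to match the portal's browser-only session; native-client tunnelling would need the Standard SKU.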
Conclusion
To connect to your Azure VMs securely, use Azure Bastion. It gives you RDP/SSH sessions in the browser over TLS without giving the VMs public IP addresses, so the management ports are never exposed to the internet.