How can we securely connect to Azure VMs from the Internet without assigning a public IP to each VM? Using public IPs is not recommended at all, so I think Azure Bastion Host is a welcome move from Microsoft to help their customers, especially administrators. I am not sure how many of you like using Point-to-Site.
Note: there are many secure ways of connecting to Azure using different services, including marketplace solutions. I am not comparing those in this blog.
I do not want to repeat what is already in the Microsoft documentation. Instead, I would like to share my findings and how useful I think it is, based on my trial run.
The Microsoft documentation for Bastion Host can be found here.
I think Microsoft has removed the need to register the Bastion resource in the subscription, which was required in the initial release; that section is no longer in the documentation.
Today you must use the Bastion Host preview Azure portal URL to deploy it and to get the Bastion Host option when connecting to a VM. Microsoft is working on moving this to the usual preview portal and the production portal as well.
You can find the pricing at this URL; remember that you get a 50% discount during the preview.
Some points to note when you deploy it:
- The subnet must be named ‘AzureBastionSubnet’ with a /27 prefix; the deployment will not detect the subnet otherwise.
- You must deploy a Bastion Host in each vNet, with a dedicated subnet in it.
- The public IP address must be Standard SKU and static. You can use an existing one or create a new one.
- Deployment is simpler than for a VM, as you need to enter far less information.
The first deployment took 3 minutes 12 seconds, and the second 3 minutes 56 seconds, which I think is pretty fast. Unlike a VM, it does not ask for any further configuration information.
Today you need to use the portal to connect to the VMs; I guess that is a limitation which may change with GA. However, we can give others read-only access to the portal so they can use the Bastion Host to access the VMs.
In my deployment it is running with two VMSS instances. I guess this will scale out if there are more sessions. However, you cannot manage that VMSS from the portal, as it is not listed and is fully managed by Microsoft; you can only see it from the vNet’s connected devices. I wish I had an option to stop the Bastion Host to save cost.
- Easy to set up the Bastion Host.
- Secure, as there is no inbound Internet traffic to the workload VMs.
- Workload VMs do not need a public IP assigned.
- It is better than P2S, which is a bit troublesome.
- A Bastion Host can be created on demand to save cost, as it takes less than 4 minutes to create.
- Communication can be restricted using NSGs.
- Can be used as Plan B access for large enterprises.
- Combined with Just-in-Time access, it should provide a good level of security.
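The deployment rules above (subnet name and /27 prefix, Standard static public IP, one Bastion per vNet), the read-only portal access for other users, and the NSG restriction are easy to get wrong by hand, so here is an added example that ties them together. This is my own script, not code from the original post or from Microsoft: it validates the inputs locally, then emits the Azure CLI calls in dependency order. The resource group, vNet, region, address prefixes, user and rule names are assumed, hypothetical values, and `DRY_RUN` defaults to 1 so it only prints the commands unless you opt in.

```shell
#!/bin/sh
# Added example, not code from the original post or from Microsoft. It checks
# the Bastion deployment rules (subnet name, /27 prefix, Standard static
# public IP) before emitting the Azure CLI calls in dependency order, grants
# portal read-only access, and restricts workload RDP/SSH to the Bastion
# subnet with an NSG. Resource names, region and prefixes are hypothetical.
set -eu

# Name Azure expects for the Bastion subnet; any other name is not detected.
BASTION_SUBNET_NAME="AzureBastionSubnet"

# check_bastion_subnet NAME CIDR
# Succeeds only when NAME is AzureBastionSubnet and CIDR carries a /27 prefix.
check_bastion_subnet() {
    subnet_name="$1"; subnet_cidr="$2"
    if [ "$subnet_name" != "$BASTION_SUBNET_NAME" ]; then
        echo "subnet must be named $BASTION_SUBNET_NAME, got '$subnet_name'" >&2
        return 1
    fi
    case "$subnet_cidr" in
        */27) return 0 ;;
        */*)  echo "Bastion subnet prefix must be /27, got '$subnet_cidr'" >&2; return 1 ;;
        *)    echo "address prefix must be CIDR, e.g. 10.0.1.0/27" >&2; return 1 ;;
    esac
}

# check_public_ip SKU ALLOCATION
# Bastion requires a Standard SKU public IP with static allocation.
check_public_ip() {
    if [ "$1" = "Standard" ] && [ "$2" = "Static" ]; then
        return 0
    fi
    echo "public IP must be Standard/Static, got '$1'/'$2'" >&2
    return 1
}

# run CMD ARGS...
# Prints the command when DRY_RUN=1 (the default, so this file is safe to run
# without an Azure login) and executes it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# deploy_bastion RG VNET LOCATION SUBNET_CIDR
# Creates the dedicated subnet, a Standard static public IP and the Bastion
# resource in one vNet (one Bastion is needed per vNet).
deploy_bastion() {
    rg="$1"; vnet="$2"; location="$3"; cidr="$4"
    pip="${vnet}-bastion-pip"      # hypothetical naming convention
    bastion="${vnet}-bastion"
    check_bastion_subnet "$BASTION_SUBNET_NAME" "$cidr" || return 1
    check_public_ip Standard Static || return 1
    run az network vnet subnet create --resource-group "$rg" \
        --vnet-name "$vnet" --name "$BASTION_SUBNET_NAME" \
        --address-prefixes "$cidr"
    run az network public-ip create --resource-group "$rg" --name "$pip" \
        --location "$location" --sku Standard --allocation-method Static
    run az network bastion create --resource-group "$rg" --name "$bastion" \
        --location "$location" --vnet-name "$vnet" --public-ip-address "$pip"
}

# grant_portal_reader RG PRINCIPAL
# Read-only (Reader) access on the resource group, which the post describes
# as enough for others to use the Bastion connect option from the portal.
grant_portal_reader() {
    run az role assignment create --role Reader --assignee "$2" \
        --resource-group "$1"
}

# restrict_workload_nsg RG NSG BASTION_CIDR
# Allows RDP/SSH to the workload subnet only from the Bastion subnet and
# denies it from everywhere else, including the rest of the vNet.
restrict_workload_nsg() {
    rg="$1"; nsg="$2"; bastion_cidr="$3"
    run az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" \
        --name AllowBastionMgmt --priority 100 --direction Inbound \
        --access Allow --protocol Tcp --source-address-prefixes "$bastion_cidr" \
        --destination-port-ranges 22 3389
    run az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" \
        --name DenyOtherMgmt --priority 110 --direction Inbound \
        --access Deny --protocol Tcp --source-address-prefixes '*' \
        --destination-port-ranges 22 3389
}

# Constructed sample run: dry run by default, so it only prints the commands.
deploy_bastion rg-demo vnet-hub westeurope 10.10.255.0/27
grant_portal_reader rg-demo ops-user@example.com
restrict_workload_nsg rg-demo nsg-workload 10.10.255.0/27
```

Run it once as-is to review the generated commands, then `DRY_RUN=0 sh bastion.sh` after `az login`. The explicit deny rule matters because the default `AllowVnetInBound` rule would otherwise let any host in the vNet reach RDP/SSH, not just the Bastion subnet.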
What is lacking
- Integration with Log Analytics for monitoring.
- No option to power off. I think MS is unlikely to add this, as it is considered PaaS. An option to power off when it is not required would also be more secure, because it reduces the attack surface as well as the cost.
- Can only be accessed via the Azure portal.
- Support for vNET peering.
- Allowing users to connect to Bastion without going through the Azure portal.
- Integration with Azure AD so that the above requirement can be met.
- Integration with Azure Sentinel for auditing.
Introducing Bastion Host is a good move from Microsoft, but it is lacking many features today. Microsoft needs to take customer feedback and improve it to encourage customers to use it. Let’s hope they improve it by the time it is Generally Available.