Much awaited, badly wanted, but missing for a long time. It is now in Public Preview. Thanks, Microsoft, for adding it now.
One of the main reasons I was staying away from recommending Azure Bastion to customers was this missing feature. I think it is time to change my mind and recommend Azure Bastion, as it saves a lot of dollars now, because we are moving away from a per-vNET deployment model to a per-AAD-tenant model, or whatever the customer requirement is.
The deployment time of Bastion has increased to just over 15 minutes since the initial preview.
This blog focuses on vNet peering support for Azure Bastion. I request you to read my previous blogs on Azure Bastion for a detailed review.
I deployed Azure Bastion in the hub vNET and connected to a VM in a spoke vNET peered with the hub vNET. It connected over RDP without any problem.
However, I am a bit disappointed that it does not allow you to define networking/security restrictions to/from selected environments. It doesn't allow you to create any custom NSG rules, or edit the existing ones, to reduce the attack surface. When you want to deploy Azure Bastion for non-prod and prod separately, you really want the flexibility to segregate the communication. I hope Microsoft will recognize the need for this kind of flexibility. For now, I think you can achieve this using your NVA or NSGs on the target subnets.
Points to be noted:
- You can deploy Azure Bastion in a vNET and connect to a VM in another vNET peered with it.
- It supports connecting to a VM in another subscription.
- It does not support connecting to a VM in a subscription that belongs to a different AAD tenant.
- No custom NSG rules are allowed on AzureBastionSubnet.
- Make sure that you apply the same ingress and egress rules defined by MSFT.
- Some of the inbound rules use 'Internet' as the source and 'Any' as the destination, which is somewhat concerning. So, make sure that you apply this NSG to the Bastion subnet only.
The diagram below gives some details about how the NSG rules are prepared. You may refer to the MSFT article to understand this better.
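To make the two NSG concerns above concrete (the Internet-to-Any inbound rules on AzureBastionSubnet, and restricting RDP/SSH on the target subnet so that only the Bastion subnet can reach it), here is an added example that is not part of the original post or of any Microsoft tooling. It models the Bastion-subnet NSG and a spoke-subnet NSG as data, evaluates an inbound flow the way Azure does (the lowest priority number that matches wins, with the built-in rules appended last), and flags Internet-to-Any allow rules. The address prefixes are made up, the Bastion rule set reflects the documented rules as I understand them and must be checked against the current MSFT article, and "VirtualNetwork" is simplified to RFC1918 space.

```python
"""Constructed example: model and evaluate NSG rules for a hub Bastion / spoke VM design."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str          # "Inbound" or "Outbound"
    access: str             # "Allow" or "Deny"
    priority: int           # lower number is evaluated first
    source: str             # CIDR, "*", or a service tag
    dest: str               # CIDR, "*", or a service tag
    ports: Tuple[str, ...]  # destination ports: "443", "22", "1000-2000" or "*"


# Assumed address plan for the lab: these prefixes are made up.
BASTION_SUBNET = "10.0.1.0/26"    # hub vNET, AzureBastionSubnet
SPOKE_VM_SUBNET = "10.1.0.0/24"   # spoke vNET, peered with the hub

# Rules the Bastion subnet needs, as documented by MSFT at the time of writing (verify
# against the current article). Note the Internet -> "*" allow on 443: this NSG must be
# associated with AzureBastionSubnet only.
BASTION_NSG: List[Rule] = [
    Rule("AllowHttpsInbound",          "Inbound",  "Allow", 120, "Internet",       "*",              ("443",)),
    Rule("AllowGatewayManagerInbound", "Inbound",  "Allow", 130, "GatewayManager", "*",              ("443",)),
    Rule("AllowSshRdpOutbound",        "Outbound", "Allow", 100, "*",              "VirtualNetwork", ("22", "3389")),
    Rule("AllowAzureCloudOutbound",    "Outbound", "Allow", 110, "*",              "AzureCloud",     ("443",)),
]

# Spoke VM subnet: management ports only from the Bastion subnet. The explicit Deny matters
# because the built-in AllowVnetInBound rule treats peered vNETs as "VirtualNetwork" too.
SPOKE_NSG: List[Rule] = [
    Rule("AllowRdpSshFromBastion", "Inbound", "Allow", 100, BASTION_SUBNET, "*", ("22", "3389")),
    Rule("DenyRdpSshFromAnywhere", "Inbound", "Deny",  200, "*",            "*", ("22", "3389")),
]

# Azure's built-in inbound rules (priority 65000+); the load-balancer rule is omitted here.
DEFAULT_INBOUND: List[Rule] = [
    Rule("AllowVnetInBound", "Inbound", "Allow", 65000, "VirtualNetwork", "VirtualNetwork", ("*",)),
    Rule("DenyAllInBound",   "Inbound", "Deny",  65500, "*",              "*",              ("*",)),
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _in_vnet(ip: ipaddress.IPv4Address) -> bool:
    # Simplification: all RFC1918 space stands in for the (peered) virtual network address space.
    return any(ip in net for net in RFC1918)


def _source_matches(rule_source: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return _in_vnet(ip)
    if rule_source == "Internet":
        return not _in_vnet(ip)
    if "/" in rule_source:
        return ip in ipaddress.ip_network(rule_source)
    return False  # other service tags (GatewayManager, ...) would need Azure's published IP ranges


def _port_matches(ports: Tuple[str, ...], port: int) -> bool:
    for p in ports:
        if p == "*":
            return True
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules: List[Rule], src_ip: str, port: int) -> str:
    """Return 'Allow' or 'Deny' for an inbound flow to a VM in the subnet.

    First match by priority wins; the built-in rules are appended. Destination matching is
    skipped because an inbound flow to a VM always lands inside the virtual network.
    """
    candidates = sorted([r for r in rules if r.direction == "Inbound"] + DEFAULT_INBOUND,
                        key=lambda r: r.priority)
    for r in candidates:
        if _source_matches(r.source, src_ip) and _port_matches(r.ports, port):
            return r.access
    return "Deny"


def internet_to_any_rules(rules: List[Rule]) -> List[str]:
    """Names of inbound Allow rules with source 'Internet' and destination '*' (the pattern noted above)."""
    return [r.name for r in rules
            if r.direction == "Inbound" and r.access == "Allow"
            and r.source == "Internet" and r.dest == "*"]


if __name__ == "__main__":
    print("Bastion NSG Internet->Any rules:", internet_to_any_rules(BASTION_NSG))
    for src, port in (("10.0.1.10", 3389), ("10.0.5.5", 3389), ("203.0.113.5", 22)):
        print(f"spoke NSG, {src}:{port} ->", evaluate(SPOKE_NSG, src, port))
```

The point the evaluation makes is that `SPOKE_NSG` without its explicit Deny still lets any host in the hub or any peered vNET reach 3389, because the built-in `AllowVnetInBound` rule matches first; the Bastion subnet prefix as the only Allow source, plus a Deny below it, is what actually segregates the communication.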
In this diagram:
- The Bastion host is deployed to the virtual network.
- The user connects to the Azure portal using any HTML5 browser.
- The user navigates to the Azure virtual machine to RDP/SSH.
- Connect integration: a single-click RDP/SSH session inside the browser.
- No public IP is required on the Azure VM.
In short, I liked the new feature regardless of some of the issues I mentioned above. I am happy to see MSFT is 'slowly' adding the needed features to the list. I encourage Microsoft to add the other features faster to help customers and partners.