Secure remote access solution using Azure Bastion Host for all your Azure VMs
What is Azure Bastion and why should we use it?
Azure Bastion is a replacement for a jump server (jump box). With Azure Bastion you can access your Azure VMs over their private IP instead of a public IP, using Remote Desktop (RDP) and Secure Shell (SSH) from the browser over the secure port 443 with an SSL certificate, and, best of all, you can copy anything from your base machine to the connected server.
Until now we used to deploy a VM as the jump server, which is costly and needs to be maintained, whereas an Azure Bastion host is cheaper, effectively more secure, simpler to maintain and scalable. It can be used for auditing purposes as well. Microsoft has already invested more than 1 billion USD in it, and later you will be getting a video recording feature and many more.
Features of Azure Bastion & Architecture
- RDP and SSH directly in the Azure portal.
- Remote session over SSL and firewall traversal for RDP/SSH.
- No public IP required on the Azure VM.
- No hassle of managing NSGs.
- Protection against port scanning.
- Protection against zero-day exploits: hardening in one place only.
Lab Exercise for Azure Bastion
Lab 1- Resource Group - RG1
How to Create a Resource Group using the Azure Portal (Resource Group LAB in detail with Screenshots)
To create a Resource Group follow the steps below:
Step 1- Search for Resource Group in search bar.
Step 2- Click on Create Resource Group
Step 3- Select the Subscription
Step 4- Enter Resource Group Name- e.g. "RG1"
Step 5- Select the Region where you want to deploy your resources, e.g. "EastUS".
Step 6- Review & Create
LAB 2- Virtual Network -VNetEast & Subnet
How to Set Up a Virtual Network using the Azure Portal (Virtual Network/Subnet LAB in detail with Screenshots)
To create a virtual network follow the steps below:
Step 1- Search for Virtual Network
Step 2- Click Add
Step 3- Enter Name, e.g. VNetEast
Step 4- Address Space (IP Range), e.g. 192.168.0.0/16
Step 5- Select Subscription
Step 6- Select Resource Group - RG1
Step 7- Select Location - East US
Step 8- Enter Subnet Name - MySubnet
Step 9- Enter Address Range - 192.168.0.0/24
Step 10- Click Create.
LAB 3 - VM1 - Server 2016
How to Create/Set Up a Virtual Machine (VM) using the Azure Portal (Virtual Machine LAB in detail with Screenshots)
To set up VM1 follow the steps below:
Step 1- Search for Virtual Machine
Step 2- Click Create a Virtual Machine
Step 3- Select Subscription
Step 4- Select Resource Group - RG1
Step 5- Enter Virtual Machine Name - VM1
Step 6- Select Region - EastUS
Step 7- Select Availability - No infrastructure redundancy required
Step 8- Select OS Image - Windows Server 2016 Datacenter
Step 9- Select VM Size - Standard DS1v2
Step 10- Enter Administrator Account Name - webadmin & a password of your choice.
Please note: the portal will not accept Admin or Administrator as the account name.
Step 11- Under Network Tab Select VNet- VNetEast
Step 12- Select Subnet - MySubnet
Step 13- Public IP: Select None
Step 14- Select the inbound port you want to enable - RDP
Step 15- Management Tab: switch Boot Diagnostics Off.
Step 16- Advanced Tab - None
Step 17- Tags Tab - None
Step 18- Review and Create, and your VM is deployed.
Your VM is deployed as below, without a Public IP
Now let's set up Azure Bastion
Azure Bastion has one basic requirement: an additional subnet named "AzureBastionSubnet".
LAB 4- Subnet -AzureBastionSubnet
How to Set Up a Subnet using the Azure Portal (Subnet LAB in detail with Screenshots)
To set up the subnet follow the steps below:
Step 1- Search for Virtual Network
Step 2- Click on the virtual network, i.e. "VNetEast", to open its properties.
Step 3- Click Subnet
Step 4- Add Subnet
Step 5- Enter Subnet Name i.e. "AzureBastionSubnet"
Step 6- Enter IP Range i.e. 192.168.1.0/27
We highly recommend that you use at least a /27 or larger subnet (/27, /26, etc.).
Subnet deployed as below
Now let's connect to the VM using Azure Bastion
Navigate to your VM, click Connect and then click Bastion; you should now see the following dialog:
Step 1- Name: The name of the bastion host you want to create.
Step 2- Subnet: The subnet inside your virtual network to which the Bastion resource will be deployed. The subnet must be created with the name AzureBastionSubnet.
Your VM is connected over the browser as below
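The four labs above done with the Azure CLI instead of the portal, as an added example that is not part of the original post. It assumes an installed `az` CLI that is already logged in, an ADMIN_PASSWORD environment variable for the webadmin account, and the public IP and bastion names `VNetEast-bastion-ip` and `VNetEast-bastion`, which the post does not give; the check_bastion_subnet pre-flight encodes the AzureBastionSubnet requirements (exact name, /27 or larger, inside the VNet, not overlapping MySubnet) before anything is created.

```shell
#!/bin/sh
# Added example: Labs 1-4 via the Azure CLI (assumes `az` is installed and logged in).
set -eu
RG=RG1; LOC=eastus; VNET=VNetEast; VNET_CIDR=192.168.0.0/16
VM_SUBNET=MySubnet; VM_CIDR=192.168.0.0/24
BASTION_SUBNET=AzureBastionSubnet; BASTION_CIDR=192.168.1.0/27
BASTION_IP=VNetEast-bastion-ip; BASTION=VNetEast-bastion   # names assumed, not from the post

# dotted quad -> integer, POSIX sh arithmetic only
ip2int() { echo "$1" | { IFS=. read -r a b c d; echo $(( (a<<24)|(b<<16)|(c<<8)|d )); }; }

# in_net A B: the network address of CIDR A lies inside CIDR B
in_net() {
  if [ "${1#*/}" -lt "${2#*/}" ]; then return 1; fi
  mask=$(( (4294967295 << (32 - ${2#*/})) & 4294967295 ))
  [ $(( $(ip2int "${1%/*}") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Pre-flight for the Bastion subnet: exact name, /27 or larger, inside the VNet,
# and not overlapping the workload subnet. Returns 0 when the plan is valid.
check_bastion_subnet() {
  name=$1 cidr=$2 vnet=$3 workload=$4
  [ "$name" = "AzureBastionSubnet" ] || return 1
  [ "${cidr#*/}" -le 27 ] || return 1
  in_net "$cidr" "$vnet" || return 1
  if in_net "$cidr" "$workload" || in_net "$workload" "$cidr"; then return 1; fi
  return 0
}

deploy() {
  az group create -n "$RG" -l "$LOC" -o none                                    # Lab 1
  az network vnet create -g "$RG" -n "$VNET" -l "$LOC" --address-prefix "$VNET_CIDR" \
    --subnet-name "$VM_SUBNET" --subnet-prefix "$VM_CIDR" -o none                # Lab 2
  # Lab 3: no public IP and no internet-facing RDP rule. Bastion reaches 3389 on the
  # private IP from AzureBastionSubnet, which the NSG's default AllowVnetInBound permits.
  az vm create -g "$RG" -n VM1 -l "$LOC" --image Win2016Datacenter --size Standard_DS1_v2 \
    --vnet-name "$VNET" --subnet "$VM_SUBNET" --public-ip-address "" --nsg-rule NONE \
    --admin-username webadmin --admin-password "${ADMIN_PASSWORD:?export ADMIN_PASSWORD}" -o none
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$BASTION_SUBNET" \
    --address-prefixes "$BASTION_CIDR" -o none                                   # Lab 4
  az network public-ip create -g "$RG" -n "$BASTION_IP" -l "$LOC" --sku Standard \
    --allocation-method Static -o none
  az network bastion create -g "$RG" -n "$BASTION" -l "$LOC" --vnet-name "$VNET" \
    --public-ip-address "$BASTION_IP" -o none
}
# Only deploy when asked; running without --deploy just defines the functions.
if [ "${1:-}" = "--deploy" ]; then
  check_bastion_subnet "$BASTION_SUBNET" "$BASTION_CIDR" "$VNET_CIDR" "$VM_CIDR" ||
    { echo "AzureBastionSubnet plan is invalid" >&2; exit 1; }
  deploy
fi
```

Run it as `ADMIN_PASSWORD='...' sh bastion-lab.sh --deploy`; the pre-flight refuses to create anything if the Bastion subnet is misnamed, smaller than /27, outside 192.168.0.0/16 or overlapping MySubnet.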