Azure Bastion is a fully integrated Platform as a Service (PaaS) that provides secure and seamless Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to your virtual machines directly from the Azure portal. It provides an extra layer of security through its integration with Azure Active Directory and multifactor authentication.
Understanding Azure Bastion Architecture
Azure Bastion is a solution that gets provisioned directly in your Virtual Network (VNet). It contains its own subnet, known as AzureBastionSubnet. The service is reachable from the Azure portal and supports a vast range of browsers and devices.
The standard architecture involves a Bastion host, target virtual machines, and Azure portal users. The Bastion host is a virtual machine within your cloud network with two network interfaces: one connected to the public network and the other connected to your private network. It serves as a gateway: users connect to it through the Azure portal over SSL (TLS), and the host then brokers connections to the virtual machines on your private network using RDP/SSH.
Implementing Azure Bastion
To implement Azure Bastion in your Azure environment, follow these steps:
- First, create your virtual network. Go to the Azure portal, click on ‘Virtual networks’ under ‘Networking’, and create a new virtual network.
- Now it’s time to create a subnet for your Bastion host. This subnet must be named ‘AzureBastionSubnet’ and the minimum size recommended is /27.
- Now, create your Bastion Host by selecting ‘Bastion hosts’ under ‘Networking’ in the Azure portal, and then click ‘Create’. You’ll be prompted to select a name, the Region, resource group, and the virtual network where your Bastion host will reside.
- Once you’ve filled in all the required information, click ‘Create’ to deploy your Bastion host.
- Check the status of your deployment under ‘Bastion hosts’. Once it’s deployed, you can connect to your virtual machines directly from the Azure portal.
- To connect to a VM, go to the VM you want to connect to, select the ‘Connect’ button and then the ‘Bastion’ tab. Fill in the username and password for your VM and click ‘Connect’.
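The same procedure as an Azure CLI script (an added example, not from the original article): it first checks that the Bastion subnet is named AzureBastionSubnet and is /27 or larger, then creates the VNet, subnet, public IP and Bastion host. The resource group, region, resource names and address ranges are constructed placeholders, and the deployment function assumes an `az` CLI that is already logged in.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the Bastion subnet, followed by the
# Azure CLI equivalents of the portal steps. All names and ranges below are
# hypothetical placeholders; change them for your environment.
set -eu

RG="rg-bastion-demo"                  # placeholder resource group
LOCATION="eastus"                     # placeholder region
VNET="vnet-demo"
VNET_PREFIX="10.10.0.0/16"
BASTION_SUBNET="AzureBastionSubnet"   # this exact name is mandatory
BASTION_PREFIX="10.10.1.0/27"         # /27 or larger, as the article requires
BASTION="bas-demo"
BASTION_PIP="pip-bas-demo"

# Returns 0 when NAME is exactly "AzureBastionSubnet" and CIDR carries a
# prefix length of 27 or less (i.e. a /27 or larger block); 1 otherwise.
bastion_subnet_ok() {
  name="$1"; cidr="$2"
  [ "$name" = "AzureBastionSubnet" ] || return 1
  case "$cidr" in */*) ;; *) return 1 ;; esac      # must contain a "/"
  prefix="${cidr##*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac  # prefix must be numeric
  [ "$prefix" -ge 0 ] && [ "$prefix" -le 27 ]
}

# Creates the resource group, the VNet with its Bastion subnet, a Standard
# SKU static public IP for the host, and finally the Bastion host itself.
deploy_bastion() {
  bastion_subnet_ok "$BASTION_SUBNET" "$BASTION_PREFIX" || {
    echo "invalid Bastion subnet: $BASTION_SUBNET $BASTION_PREFIX" >&2
    return 1
  }
  az group create --name "$RG" --location "$LOCATION"
  az network vnet create --resource-group "$RG" --name "$VNET" \
    --address-prefix "$VNET_PREFIX" \
    --subnet-name "$BASTION_SUBNET" --subnet-prefix "$BASTION_PREFIX"
  az network public-ip create --resource-group "$RG" --name "$BASTION_PIP" \
    --sku Standard --allocation-method Static
  az network bastion create --resource-group "$RG" --name "$BASTION" \
    --vnet-name "$VNET" --public-ip-address "$BASTION_PIP" \
    --location "$LOCATION"
}

# Only talk to Azure when explicitly asked ("deploy" argument), so the
# validation function can be sourced and exercised offline.
if [ "${1:-}" = "deploy" ]; then
  deploy_bastion
fi
```

After deployment, the VM is reached from the portal's ‘Connect’ > ‘Bastion’ tab exactly as in the steps above; no public IP is assigned to the VM itself.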
Limitations
Even though Azure Bastion provides secure RDP/SSH connections, it has a few limitations:
- Azure Bastion currently supports only Azure Resource Manager Virtual Machines and not Classic VMs.
- The AzureBastionSubnet must be at least /27 or larger in size.
- Azure Bastion does not work with Azure Private DNS Zones.
- Azure Bastion doesn’t support VNet Peering.
Conclusion
Azure Bastion is a major step forward in bolstering the security posture of Azure when connecting to virtual machines. It protects your virtual machines against port scanning, reduces their exposure to the public network, and provides an integrated and seamless connection experience. It does come with a few limitations, but nothing that cannot be managed with the right understanding and implementation. It is recommended to prepare thoroughly for the AZ-104 Microsoft Azure Administrator exam by doing deep dives into topics such as Azure Bastion implementation.
Practice Test
True or False: Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH access to your virtual machines.
- True
- False
Answer: True
Explanation: Azure Bastion is indeed a fully managed PaaS service that provides secure and seamless RDP and SSH access directly from the Azure portal.
What is Azure Bastion Host?
- a) A subnet in your VNet
- b) A type of VPN
- c) A database engine
- d) An Azure backup server
Answer: A
Explanation: An Azure Bastion host is a fully managed PaaS service that you provision inside your virtual network. It provides secure RDP and SSH access to your VMs.
True or False: Azure Bastion supports only RDP for Windows VMs and not SSH for Linux VMs.
- True
- False
Answer: False
Explanation: Azure Bastion supports both RDP for Windows VMs and SSH for Linux VMs, providing comprehensive access and management capabilities.
In which Azure service can you find Azure Bastion?
- a) Virtual Machines
- b) Security Center
- c) Azure Active Directory
- d) Networking
Answer: D
Explanation: To implement Azure Bastion, you would navigate to the Azure portal, then to the Networking section where you can find Azure Bastion.
True or False: You don’t need to assign a public IP address to your VM to connect using Azure Bastion.
- True
- False
Answer: True
Explanation: Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL, so you don’t need to assign a public IP address to your VM.
Using Azure Bastion, can you maintain a high level of security without exposing your Virtual Network to the public internet?
- a) Yes
- b) No
Answer: A
Explanation: Azure Bastion Host helps you to securely connect to a VM using a browser and the Azure portal, allowing you to maintain a high level of security without opening more ports on your virtual machines, and therefore limiting exposure to the public internet.
True or False: Azure Bastion is available in all Azure regions.
- True
- False
Answer: False
Explanation: As of now, Azure Bastion is not available in all Azure regions.
Can you use Azure Bastion with peered virtual networks?
- a) Yes
- b) No
Answer: A
Explanation: Yes, you can use Azure Bastion Host with peered virtual networks to enable secure administrative access to virtual machines across networks.
True or False: Azure Bastion can be used with both Windows and SQL Server.
- True
- False
Answer: False
Explanation: Azure Bastion is primarily for managing virtual machines, providing RDP and SSH access. It is not primarily designed for use with services like SQL Server.
What is the name of the subnet that Azure Bastion uses?
- a) Azure Virtual Network
- b) BastionSubnet
- c) BastionHost
- d) Azure Bastion Subnet
Answer: B
Explanation: The subnet that Azure Bastion uses must be named “BastionSubnet”. This subnet must be at least /27 or larger.
True or False: Azure Bastion requires an Azure ExpressRoute or VPN connection.
- True
- False
Answer: False
Explanation: Azure Bastion does not require an Azure ExpressRoute or VPN connection. You can use Azure Bastion directly from the Azure portal.
Is it possible to integrate Azure Bastion host with Azure Private Link?
- a) Yes
- b) No
Answer: A
Explanation: The integration of Azure Bastion with Azure Private Link allows internal users to access Azure Bastion over a private endpoint in their virtual network.
True or False: Azure Bastion doesn’t support multi-factor authentication (MFA).
- True
- False
Answer: False
Explanation: Azure Bastion does support multi-factor authentication (MFA) providing an additional layer of security during the authentication process.
Is Azure Bastion highly available on its own, or do you need to create more than one within the same Azure region for availability?
- a) Highly available on its own
- b) Requires more than one for availability
Answer: A
Explanation: Azure Bastion is a PaaS service built inside of Azure, and it is highly available on its own. You do not need to create multiple bastion hosts for availability.
Which protocol does Azure Bastion use to connect to servers?
- a) SSL
- b) FTP
- c) SCP
- d) SFTP
Answer: A
Explanation: Azure Bastion utilizes Secure Sockets Layer (SSL) protocol to connect to servers via RDP/SSH.
Interview Questions
What is Azure Bastion?
Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH access to your virtual machines directly through the Azure Portal.
What are the benefits of using Azure Bastion?
Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL. When you connect via Azure Bastion, your virtual machines do not need a public IP address.
How can I implement Azure Bastion?
Azure Bastion is a PaaS service that you provision within your virtual network. It provides secure RDP and SSH access to your virtual machines directly through the Azure portal.
How does Azure Bastion work?
Azure Bastion works by deploying a VM in your virtual network with the role of a ‘jump-server’. This VM is locked down without public IP and is accessible only through the Azure portal. This provides a secure way to access VMs in the VNet.
How do I connect to the Azure Bastion service?
You can connect to the Azure Bastion service directly from the Azure portal. You would select the VM you want to connect to, and then select the option “Bastion” for the type of connection.
Which protocols are used by Azure Bastion for secure connections?
Azure Bastion uses Remote Desktop Protocol (RDP) for Windows and Secure Shell Protocol (SSH) for Linux systems.
Can I use one Bastion host to connect to VMs in a different Virtual Network?
No, currently the Azure Bastion host is deployed in the Virtual Network and is available only to the VMs within that Virtual Network.
How many public IP addresses does Azure Bastion require?
Azure Bastion requires only one public IP address regardless of the number of VMs you need to connect to.
How does Azure Bastion handle scaling?
Azure Bastion is a scalable and redundant platform service that is designed to handle and scale based on the number of Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) connections.
Can I customize the Azure Bastion host?
No, customizations are not available on Azure Bastion, and, unlike regular VMs, it cannot be resized or updated.
What does Azure Bastion need to be enabled?
Azure Bastion is a premium (paid) feature, so you need a virtual network and a public IP address, in addition to the budget to cover the service.
Can Azure Bastion access on-premises networks?
No, Azure Bastion is limited to providing access to VMs within the same Virtual Network in Azure.
Can Azure Bastion be accessed through a VNet peering?
No, Azure Bastion is limited to the Virtual Network in which it was deployed.
Does Azure Bastion support multi-factor authentication?
Yes, Azure Bastion supports Azure multi-factor authentication to further enhance security.
Can Azure Bastion be accessed from any browser?
Yes, as long as the browser supports HTML5 and SSL, Azure Bastion can be accessed.