Administrative access to session hosts in Microsoft Azure Virtual Desktop is a critical aspect of managing and maintaining a secure and efficient environment. The two primary methods, Azure Bastion and Just-in-Time (JIT), offer distinct advantages in this regard.
Azure Bastion
Azure Bastion is a new fully managed PaaS service that you provision within your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL.
The following steps outline how you can configure Azure Bastion for administrative access to session hosts:
- In the Azure portal, go to your virtual network (VNet) configuration and select ‘Bastion hosts’.
- Click ‘+Add’, fill in your chosen name, resource group, region, and subnet (the dedicated subnet must be named AzureBastionSubnet), then click ‘Next’.
- Allow Azure to create a Public IP address for you, specify the name of the address, then click ‘Next’.
- Finally, review + create, then click ‘Create’ to deploy the Azure Bastion host.
With these steps, you’re now able to securely connect to and manage your Azure Virtual Machines from the Azure portal using Azure Bastion. No public IP is needed on your VM, which significantly enhances security by reducing the exposure to the public internet.
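The same deployment scripted with the Az PowerShell module, as an added example that is not part of the original article. The resource group, region, VNet name, address prefix and resource names are placeholders; the /26 subnet size follows current Microsoft guidance and is not stated in the article. The final loop is a post-deployment check a practitioner would want: it flags any NIC in the resource group that still carries a public IP, since removing that exposure is the point of Bastion.

```powershell
# Added example (not from the original article): scripted equivalent of the
# portal steps above, using Az.Network cmdlets. All names below are placeholders.
$rg       = 'rg-avd-example'     # placeholder resource group
$location = 'westeurope'         # placeholder region
$vnetName = 'vnet-avd-example'   # placeholder VNet that already holds the session hosts

# 1. Bastion needs its own subnet and Azure requires the literal name 'AzureBastionSubnet'.
#    /26 is the minimum size Microsoft currently documents (assumption; not from the article).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
if (-not ($vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' `
        -VirtualNetwork $vnet -AddressPrefix '10.0.255.0/26' | Out-Null
    $vnet = $vnet | Set-AzVirtualNetwork
}

# 2. The Bastion host, not the session hosts, owns the only public IP.
#    Bastion requires a Standard SKU, statically allocated address.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-bastion-example' `
    -Location $location -AllocationMethod Static -Sku Standard

# 3. Deploy the Bastion host into the VNet (equivalent of 'Review + create').
New-AzBastion -ResourceGroupName $rg -Name 'bas-avd-example' `
    -PublicIpAddress $pip -VirtualNetwork $vnet -Sku 'Basic'

# 4. Post-deployment check: no session host NIC should still have a public IP,
#    otherwise the exposure Bastion is meant to remove is still there.
Get-AzNetworkInterface -ResourceGroupName $rg | ForEach-Object {
    foreach ($cfg in $_.IpConfigurations) {
        if ($cfg.PublicIpAddress) {
            Write-Warning "NIC $($_.Name) still has a public IP attached: $($cfg.PublicIpAddress.Id)"
        }
    }
}
```

Run this with an identity that holds Network Contributor on the resource group; the public IP and Bastion resources are created in the same region as the VNet, which is a requirement of the service.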
Just-In-Time Access (JIT)
Just-in-time (JIT) virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. When you’re ready to connect to a VM, you request access for a specific amount of time.
To configure Just-In-Time VM access the following steps should be followed:
- In Azure Security Center, select ‘Just in time VM access’ from the main menu.
- Choose the VM you want to enable JIT on and then click ‘Enable JIT on VMs’.
- Review the ports and default configurations, then click ‘Save’.
Now, whenever you wish to initiate RDP or SSH into the VM, you need to request access through the Azure Security Center. Your request triggers a workflow that, upon completion, enables a rule in the Network Security Group (NSG) allowing inbound entry to the VM from your originating IP address for the duration approved in your access request.
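The two halves of that workflow, enabling JIT on a session host and then requesting access, scripted with the Az.Security module as an added example that is not part of the original article. Subscription ID, resource group, region, VM name and the requesting IP address are placeholders. The policy is the "ports and default configurations" the portal shows, here narrowed to RDP over TCP with a three-hour maximum; the request supplies the admin's own IP and an explicit expiry, which is what ends up in the NSG rule. JIT requires a Microsoft Defender for Servers plan on the subscription, which the article does not mention.

```powershell
# Added example (not from the original article): enable JIT on one session host
# and request access to it with Az.Security cmdlets. All values are placeholders.
$subId    = '00000000-0000-0000-0000-000000000000'   # placeholder subscription ID
$rg       = 'rg-avd-example'                         # placeholder resource group
$location = 'westeurope'                             # placeholder region
$vmName   = 'vm-avd-sh-01'                           # placeholder session host
$vmId     = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. Enable JIT ('Enable JIT on VMs' + 'Save'). Only TCP/3389 can be requested,
#    for at most 3 hours per request (ISO 8601 duration). The '*' prefix means the
#    source address is supplied per request rather than fixed in the policy.
$policy = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            protocol                   = 'TCP'
            allowedSourceAddressPrefix = @('*')
            maxRequestAccessDuration   = 'PT3H'
        }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $location -Name 'default' `
    -ResourceGroupName $rg -VirtualMachine @($policy)

# 2. Request access. The request names the requester's IP and an expiry; Security
#    Center adds the matching NSG allow rule and removes it again at endTimeUtc.
$requesterIp = '203.0.113.10'   # placeholder (TEST-NET-3); use the admin's real egress IP
$request = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
            allowedSourceAddressPrefix = @($requesterIp)
        }
    )
}
$policyId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# 3. Read the policy back to confirm the VM, port and pending request are recorded.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name 'default'
```

Keep the requested window (one hour above) shorter than the policy maximum; the request is rejected if it exceeds maxRequestAccessDuration, and a shorter window is the smaller exposure.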
Comparing Azure Bastion and JIT
| Aspect | Azure Bastion | Just-In-Time |
|---|---|---|
| Accessibility | Directly through the Azure portal | Via Azure Security Center |
| Security | Does not need a public IP on the VM; limits exposure | Limits exposure by restricting inbound entry |
| Flexibility | RDP/SSH over SSL | Access request workflow |
| Service Type | Fully managed PaaS service | Security Center feature |
Each method carries its own pros and cons, and the ultimate decision between Azure Bastion or JIT for administrative access would depend on your specific use case and needs around accessibility, security, and flexibility. Both methods contribute to a stronger, safer, and more efficient administration of your Microsoft Azure Virtual Desktop session hosts, substantially aiding your preparation for the AZ-140 exam.
Practice Test
True/False: Azure Bastion is a fully managed PaaS solution that provides secure and seamless RDP and SSH access to your virtual machines directly through the Azure Portal.
Answer: True
Explanation: Azure Bastion is a fully managed PaaS solution that does indeed provide safe and seamless RDP and SSH access to your VMs directly through the Azure Portal.
What is the primary purpose of Azure’s Just-in-Time VM Access?
- a) To prevent unauthorized data access
- b) To minimize the exposure of VMs to network vulnerability
- c) To increase the speed of data processing
- d) To enhance computational capabilities
Answer: b) To minimize the exposure of VMs to network vulnerability
Explanation: The purpose of Just-in-Time VM Access is to help manage the incoming traffic to Azure VMs, reducing exposure to attacks.
True/False: Just-in-time virtual machine (VM) access can be used with Azure DevOps pipelines.
Answer: False
Explanation: As of now, Azure JIT VM access does not support DevOps pipelines.
True/False: With Azure Bastion, you don’t need any client software or special client configuration.
Answer: True
Explanation: Azure Bastion is a fully managed PaaS service that provides seamless RDP and SSH connectivity to your VMs over SSL directly through the Azure portal, without requiring any client software or special client configuration.
What can Azure Bastion protect you from?
- a) DDOS attacks
- b) Zero-day exploits
- c) Public IP exposure
- d) All of the above
Answer: c) Public IP exposure
Explanation: One of the core benefits of Azure Bastion is protection from public IP exposure, minimizing threat vectors.
True/False: You can configure Azure Bastion on a per-subscription basis.
Answer: True
Explanation: Azure Bastion is deployed at the Virtual Network level and can be configured on a per-subscription basis.
What does Azure’s Just-In-Time VM access primarily protect VMs from?
- a) Power Outages
- b) Network attacks
- c) Server Overloads
- d) Data loss
Answer: b) Network attacks
Explanation: Azure’s JIT VM Access is a protection measure against network attacks by restricting access to Azure VMs.
True/False: Configuring Azure Bastion requires shutting down your VMs.
Answer: False
Explanation: Azure Bastion can be configured without any downtime; it does not require shutting down VMs.
Which Azure service can you use to coordinate access and permissions for virtual machines?
- a) Azure Active Directory
- b) Azure Bastion
- c) Azure Traffic Manager
- d) Azure Automation
Answer: a) Azure Active Directory
Explanation: Azure Active Directory (Azure AD) service principal allows Azure DevOps to coordinate access and permissions for your Azure resources.
True/False: Configuring Azure Bastion does not require any jumpbox VM.
Answer: True
Explanation: Azure Bastion eliminates the need for a jumpbox, as it provides RDP and SSH access directly through the Azure portal.
Interview Questions
Can you explain what Azure Bastion is?
Azure Bastion is a fully managed PaaS service that provides secure and seamless Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to your virtual machines directly from the Azure portal.
What is the purpose of Just-In-Time (JIT) VM Access?
Just-In-Time VM Access is used to lock down the inbound traffic to Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
How is Azure Bastion different from Just-in-time (JIT) VM access?
Azure Bastion provides secure remote desktop or SSH access to your Azure VMs, while JIT VM access provides controlled access to VMs only when needed.
How does Azure Bastion protect administrative access to VMs?
Azure Bastion provides secure access to VMs via Remote Desktop Protocol or Secure Shell over SSL directly from the Azure portal, eliminating the need to expose VMs to public IP addresses and minimizing the risk of attacks.
How can we enable Just in Time (JIT) VM access on Azure?
To enable JIT VM access, go to Azure Security Center, select the desired VM, and then enable JIT on that VM.
What is the process of configuring Azure Bastion for administrative access?
To configure Azure Bastion, you need to provide a name, a resource group, a location, a VNet, and a subnet with the name AzureBastionSubnet.
What security benefits does Azure Bastion offer?
Azure Bastion offers several security benefits, including avoiding public IP exposure on VMs, integration with Azure Active Directory for authentication, and use of Secure Sockets Layer (SSL) encryption for all data.
Can Azure Bastion and JIT VM access be used together?
Yes, Azure Bastion and JIT VM access can be used together for double-layered security. Bastion provides secure RDP/SSH and the JIT solution controls when these connections are allowed.
Do I need a Public IP for using Azure Bastion?
Yes, Azure Bastion itself needs a public IP, but the individual VMs don’t; this limits exposure to the public internet and enhances security.
Is there any prerequisite particular subnet needed for Azure Bastion Deployment?
Yes, Azure Bastion requires a subnet named AzureBastionSubnet.
How do you access VMs using Azure Bastion?
VMs can be accessed via Azure Bastion by navigating to the Azure portal, selecting the desired VM, and using the ‘Connect’ button with the ‘Bastion’ tab to initiate the remote session.
How does Just In Time (JIT) access enhance VM security?
JIT access enhances security by limiting the exposure of VM management ports to the Internet, requiring requests for access and providing access only for an approved amount of time.
What protocols does Azure Bastion support?
Azure Bastion supports Remote Desktop Protocol (RDP) and Secure Shell (SSH) protocols.
Are there any limitations when using Azure Bastion and JIT VM access together?
Currently, there is a limitation that you need to allow the entire Azure Bastion service tag in your JIT policy when JIT VM access and Azure Bastion are used together.
How can I monitor access requests controlled by Just-In-Time (JIT) VM Access?
You can monitor access requests for JIT VM Access from the Azure activity log, which includes details such as who requested access, what was accessed, and when it was accessed.
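A way to pull that audit trail from the activity log with PowerShell, as an added example that is not part of the original article. It matches every operation under the JIT policy resource type, so it surfaces both access requests (the initiate action) and policy edits, and lists who performed each one, when, with what outcome and against which policy resource. The seven-day window and record limit are arbitrary choices for the example.

```powershell
# Added example (not from the original article): summarise JIT activity from the
# Azure activity log. Window size and record cap are arbitrary for the example.
$since = (Get-Date).AddDays(-7)

# Every JIT operation (request initiation, policy create/update/delete) is logged
# against the Microsoft.Security jitNetworkAccessPolicies resource type.
$jitEvents = Get-AzActivityLog -StartTime $since -MaxRecord 1000 |
    Where-Object { $_.OperationName.Value -like 'Microsoft.Security/locations/jitNetworkAccessPolicies/*' }

# One row per event: who, when, what they did, whether it succeeded, which policy.
$jitEvents |
    Select-Object EventTimestamp, Caller,
                  @{ n = 'Operation'; e = { $_.OperationName.Value.Split('/')[-2] } },
                  @{ n = 'Status';    e = { $_.Status.Value } },
                  @{ n = 'Policy';    e = { $_.ResourceId } } |
    Sort-Object EventTimestamp -Descending |
    Format-Table -AutoSize

# Defender's view: callers that requested access more than once in the window,
# which is worth a second look if the account is not an expected administrator.
$jitEvents |
    Where-Object { $_.OperationName.Value -like '*/initiate/action' } |
    Group-Object Caller |
    Where-Object Count -gt 1 |
    Select-Object Name, Count
```

Activity log retention is 90 days by default; forward it to a Log Analytics workspace if you need to keep JIT request history longer than that.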