Azure offers an affordable and secure option for hosting servers in the cloud. Accessing Azure servers over a private connection such as Express Route or VPN avoids exposing common management ports to the public internet. Without private connections, however, remote access is limited to opening RDP or SSH ports to the public Internet. Exposing these ports to the internet goes against most security best practices.
Just-in-time (JIT) access
One solution is just-in-time (JIT) access. JIT Access dynamically enables remote access ports when requested by an administrator for a specified amount of time. JIT access can also limit connections to management ports from specified source IP addresses. This is a good start, but it still requires opening ports to a public network, although limited by time and source addresses.
Just-in-time access is included with the Standard tier of Azure Security Center. The Standard tier of Security Center offers many features above the Free tier. The price, however, may be prohibitive if an organization does not intend to use all the features. Azure Bastion offers a different solution for securely accessing Azure Servers.
Bastion Hosts, improved by Azure
Bastion Hosts have been around for a long time. The idea is to put a computer between two networks. Sometimes referred to as a “jump box”, this computer provides a gateway between less secure environments like the internet and a private network.
Azure Bastion takes the Bastion Host idea a step further. Azure Bastion is a PaaS offering that allows RDP and SSH access to VM’s on an Azure Virtual Network. It leverages the Azure Portal session and an HTML 5 client to connect to a server from any network without exposing the servers port or IP address to the public internet.
Public preview available
Azure Bastion is in public preview and with some limitations and considerations to keep in mind until it becomes generally available.
- Azure Bastion is in public preview. Azure Bastion is billed at a reduced rate while in preview, but there is no SLA for preview services.
- Enabling and accessing VM’s with Azure Bastion requires logging into a preview portal for Azure. The link is https://aka.ms/BastionHost
- Azure Bastion is limited to the regions below
while in preview:
- West US
- East US
- West Europe
- South Central US
- Australia East
- Japan East