To configure Azure Bastion for your Azure Virtual Network, you'll need to create a Bastion host in the same region as your virtual network. This host will serve as the entry point for remote access.
Azure Bastion supports both Azure Resource Manager (ARM) and classic virtual networks. However, if your virtual network is classic, you'll need to upgrade it to ARM before proceeding.
You can create a Bastion host using the Azure portal, PowerShell, or Azure CLI. The Azure portal is a great option if you're new to Azure Bastion, as it provides a user-friendly interface for configuration.
Azure Bastion requires a public IP address to function, which you can assign during creation. This public IP will be used for remote access to your virtual network.
Prerequisites
To get started with Azure Bastion configuration, you need to meet some prerequisites. Azure Bastion requires a dedicated subnet on the VNet it's connecting to. You must use the link https://aka.ms/BastionHost to access the preview portal, because the Azure Bastion preview is not otherwise available through the regular portal or the preview portal.
Azure Bastion is currently in public preview, so you need to be aware of the limitations. The preview is limited to the following regions: West US, East US, West Europe, South Central US, Australia East, and Japan East. This means you can only use Azure Bastion in these regions for now.
To connect to a virtual machine using the native RDP client, you need to have the latest version of the Azure CLI commands installed, which means version 2.32 or later. You can update the Bastion CLI extension with `az extension update --name bastion`.
You also need to have Azure Bastion deployed and configured for your virtual network. This is a crucial step before you can use the native RDP client. For steps on how to do this, see the Azure documentation.
Virtual Network
To use Azure Bastion with a virtual network, you'll need to create a subnet in that virtual network named AzureBastionSubnet with a minimum size of /26. Both the exact name and the minimum size are requirements for Azure Bastion to function properly.
Network Security Group
A Network Security Group (NSG) is crucial for Azure Bastion configuration. It helps restrict network connections to only what's absolutely necessary.
In the testing scenario, the NSG includes specific rules to allow RDP and SSH traffic from the Azure Bastion subnet. This allows Azure Bastion to connect to virtual machines.
General inbound and outbound network traffic is denied, except for the specified rules. This ensures that only necessary traffic is allowed.
To further secure the native client connection, you can limit port access by only providing access to port 22/3389. This can be achieved by creating a new NSG and associating it with the Azure Bastion Subnet.
Inbound security rules should allow access to port 443 on the public IP for ingress traffic. Ports 3389 and 22 are not required to be opened on the AzureBastionSubnet.
Outbound security rules should allow traffic to the VM subnet, so that VMs within the subnet can communicate.
Here are the key NSG rules for Azure Bastion:
- RDP and SSH traffic allowed from Azure Bastion subnet
- Outbound traffic allowed to VM subnet
- Inbound traffic allowed on port 443 for public IP
- Ports 3389 and 22 not required on AzureBastionSubnet
Accessing VMs
Accessing VMs is a crucial part of Azure Bastion configuration. You can access your virtual machines through Azure Bastion using the Azure Portal, where you can log in to the corresponding VM through Azure Bastion via a web browser.
To connect to a Windows Virtual Machine via Bastion, you can use either a browser session or the native RDP client. The native RDP client requires the latest version of the CLI commands, Azure Bastion to be deployed and configured for your virtual network, and a virtual machine in the virtual network.
To connect to a Linux Virtual Machine via Bastion, you can use the native client feature, which lets you connect to your target VMs via Bastion using Azure CLI. This expands your sign-in options to include local SSH key pair and Microsoft Entra ID.
To connect to a Linux Virtual Machine through the Bastion host, first gather the resource ID of the virtual machine you want to connect to, which can be found on the Overview page of the VM. Then add the ssh extension to the Azure CLI and use the Azure CLI to connect to the virtual machine using SSH.
Here are the prerequisites for using the native RDP client:
- The latest version of the CLI commands (version 2.32 or later) is installed.
- Azure Bastion is already deployed and configured for your virtual network.
- A virtual machine in the virtual network.
- The VM’s Resource ID.
RDP Access to Windows
You can access Windows through the web browser, but it's only possible to use a username and password to log in.
Connections to Windows are attempted using public IP addresses, but this is not successful due to a restrictive Network Security Group (NSG) in place.
However, connections to 168.63.129.16 are always successful, as this is a virtual public IP address used for communication with Azure platform resources.
The connection is coming from the Azure Bastion node as expected, making it a secure way to access your Windows VM.
To use the native RDP client, you'll need to follow a few prerequisites, which include having the latest version of the CLI commands installed, Azure Bastion deployed and configured, and a virtual machine in the virtual network.
Here are the specific steps to gather the resource ID of the virtual machine:
1. Go to the Overview page for your VM.
2. Click on the JSON View link.
3. Copy the Resource ID from the top of the page.
4. Use this Resource ID when connecting to your VM.
SSH into Linux
SSH into Linux is a straightforward process. You'll need to supply your private key via a file or through Azure Key Vault on the login page of Azure Bastion.
Once logged in, you'll notice that only one private network connection from the Azure Bastion node 10.40.2.5 is established against port 22 of the Ubuntu VM.
To connect through the command line, you'll need to install the SSH CLI extension by executing a specific command. This extension is required for creating a tunnel and establishing an SSH connection natively.
The tunnel can be created and SSH connection can be established natively once the extension is installed. This should result in a successful login.
Upon verifying the active network connections, you'll see that only private connections from Bastion into the Ubuntu VM are established.
If you need to upload files from your local computer to the target VM, you'll need to use other native clients such as PuTTY. However, this requires port forwarding from the local machine to Azure Bastion.
To establish the port forwarding, use the following command.
Configure
To configure Azure Bastion, you'll first need to decide on a SKU, specifically the Standard SKU, which provides tunneling capabilities for using native clients. For this purpose, you should configure it with a minimum of 2 scale units, as the ability to scale up to 50 scale units is not relevant for testing.
A Public IP address is also required, which the Azure Portal will connect incoming requests to. You can find a full diagram of the connectivity flow for Azure Bastion in the Azure Bastion Networking documentation.
To create the Azure Bastion service, you'll need to add a VNet subnet, which must be /27 or larger with no NSGs or routes attached to it. The subnet must also have the name AzureBastionSubnet, as per the Microsoft documentation.
Here's a step-by-step guide to creating the Azure Bastion service:
Developer SKU
The Developer SKU is a free, lightweight option ideal for Dev/Test users who want to securely connect to their VMs without additional features or host scaling.
This SKU allows you to connect to one Azure VM at a time directly through the virtual machine connect page.
The deployment requirements for the Developer SKU are different from other SKUs, as a dedicated bastion host isn't deployed to your virtual network.
Instead, the Developer SKU bastion host is part of a shared pool, which means features are limited.
You can always upgrade the Developer SKU to a higher SKU if you need to support more features.
Here are the regions where the Developer SKU is currently available:
- Central US EUAP
- East US 2 EUAP
- West Central US
- North Central US
- West US
- North Europe
VNet peering isn't currently supported for the Developer SKU, so you can't connect to target VMs in peered virtual networks.
Downgrading a SKU is not supported, so you'll need to delete and recreate Azure Bastion if you want to downgrade.
Subnet
To configure Azure Bastion, you need to create a dedicated subnet named AzureBastionSubnet. This subnet must be /26 or larger in size, and it can't contain other resources. The subnet must be in the same virtual network and resource group as the bastion host.
The AzureBastionSubnet size has changed to /26 or larger starting from November 2, 2021. If you have existing AzureBastionSubnets of size /27, they are unaffected by this change, but it's recommended to increase their size to /26 for future host scaling.
You can create the AzureBastionSubnet using the Azure portal, Azure PowerShell, or Azure CLI. The steps for creating the subnet are as follows:
- Azure portal: Go to the virtual network and click on subnets. Click on "Add subnet" and enter the name and IP address range for the subnet.
- Azure PowerShell: Use the New-AzVirtualNetworkSubnetConfig cmdlet to create a new subnet.
- Azure CLI: Use the az network vnet subnet create command to create a new subnet.
In summary, name the subnet AzureBastionSubnet and set its size to /26 or larger. This ensures that your Azure Bastion service is configured correctly.
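As an added example that is not part of the original page and not Microsoft's own tooling, the script below checks the subnet requirements from this section and the key NSG rules from the Network Security Group section above (name AzureBastionSubnet, /26 or larger, 443 inbound on the public IP, 22/3389 outbound to the VM subnet) and prints the Azure CLI commands that would create them. The resource group rg-bastion, VNet vnet-hub and address prefixes are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: checks the AzureBastionSubnet rules
# stated above (exact name, /26 or larger) and prints the Azure CLI commands that
# create the subnet and an NSG carrying the key rules from the NSG section.
# Resource group, VNet and address prefixes below are constructed sample values.
set -eu

# Succeed only if NAME is exactly AzureBastionSubnet and PREFIX is /26 or larger
# (a smaller prefix length is a bigger subnet, so /25 passes and /27 fails).
check_bastion_subnet() {
  local name="$1" prefix="$2" bits
  [ "$name" = "AzureBastionSubnet" ] || return 1
  bits="${prefix##*/}"
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 26 ]
}

# Print (do not run) the az commands, so the script is safe to execute offline.
# Inbound: 443 from the Internet to the Bastion public IP. Outbound: 22/3389 to
# the VM subnet only. Microsoft also documents required rules for GatewayManager,
# AzureLoadBalancer, AzureCloud and the Bastion data-plane ports 8080/5701; add
# those from the official NSG guidance before deploying with this NSG attached.
bastion_network_commands() {
  local rg="$1" vnet="$2" bastion_prefix="$3" vm_prefix="$4"
  local nsg="nsg-AzureBastionSubnet"
  if ! check_bastion_subnet AzureBastionSubnet "$bastion_prefix"; then
    echo "refusing: AzureBastionSubnet must be /26 or larger, got $bastion_prefix" >&2
    return 1
  fi
  cat <<EOF
az network vnet subnet create -g $rg --vnet-name $vnet -n AzureBastionSubnet --address-prefixes $bastion_prefix
az network nsg create -g $rg -n $nsg
az network nsg rule create -g $rg --nsg-name $nsg -n AllowHttpsInbound --priority 120 --direction Inbound --access Allow --protocol Tcp --source-address-prefixes Internet --destination-port-ranges 443
az network nsg rule create -g $rg --nsg-name $nsg -n AllowSshRdpOutbound --priority 100 --direction Outbound --access Allow --protocol Tcp --destination-address-prefixes $vm_prefix --destination-port-ranges 22 3389
az network vnet subnet update -g $rg --vnet-name $vnet -n AzureBastionSubnet --network-security-group $nsg
EOF
}

# Sample run with constructed values: a /26 Bastion subnet and a /24 VM subnet.
bastion_network_commands rg-bastion vnet-hub 10.40.1.0/26 10.40.2.0/24
```

Pipe the output to a shell once you have reviewed it; a /27 prefix or a misspelled subnet name makes the script refuse to emit anything.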
Native Client via Bastion
To connect to your virtual machine, you can use the native RDP client via Bastion, but you'll need to use the Azure CLI.
First, ensure you're using the Standard SKU, as this is a requirement for native client support. You can change the tier on the Bastion Azure blade under Settings -> Configuration.
To enable native client support on the Bastion host, follow the instructions mentioned above.
You can also specify a custom port to use when connecting to your VMs. This is supported for the Standard SKU or higher.
Just remember to specify the custom port value when you connect to the VM, as it won't default to the standard port.
Setup SCCM Primary Server
To set up your SCCM primary server, you'll first need to log in to the Azure Portal at portal.azure.com. From there, search for your SCCM|ConfigMgr Virtual Machine – CMMEMCM.
You can connect to your SCCM server using Azure Bastion by clicking on the Connect button from the left-side menu, then selecting BASTION and clicking Use Bastion.
Azure will create a new Bastion connection for your SCCM server, which you can verify by waiting for the setup process to complete.
Once connected, you'll be able to access your ConfigMgr | SCCM primary server using Azure Bastion.
Azure Bastion connections use SSL and do not expose public IP addresses, making your SCCM infrastructure in Azure more secure.
Frequently Asked Questions
How should you configure Azure Bastion?
To configure Azure Bastion, sign in to the Azure portal and navigate to your virtual network, then select Bastion and configure the settings manually. This process involves several steps, including selecting a deployment option and configuring the bastion host settings.
What is an Azure Bastion?
Azure Bastion is a secure, fully managed service that provides private access to virtual machines via RDP and SSH. It eliminates public IP exposure for a more secure remote connection experience.
What is required for Azure Bastion deployment?
For Azure Bastion deployments, a Public IP address is required, specifically with a Standard SKU and Static assignment method. This configuration is necessary for most deployment scenarios, excluding Developer SKU and Private-only setups.