Azure Bastion Step-by-Step Guide

How Does Azure Bastion Work?
Before explaining how Azure Bastion works, I would like to first talk about how things worked before and why you might want to use this service. I always like to explain the Why before getting to the How part of the story.
Usually you have a VNET inside Azure, and your resources live in one or more subnets. You may have a management subnet with one or more jumpboxes or bastion hosts that you use for your administrative tasks and that contain all your remote administration tools.
You might also have some sort of hybrid connectivity with your on-premises network, and when you are outside the office you use a point-to-site VPN to securely access your VNET. That is the ideal situation.

But you might, for some reason, have your jumpbox host configured with a public IP that is exposed to the internet, and you connect to the jumpbox using RDP or SSH. Once you are connected to the jumpbox host, you use it to connect internally to other resources.
This means a malicious user can use port scanning to discover this public IP and use a brute-force attack to compromise your jumpbox. As a best practice, you should have a network security group that restricts which ports and source IP addresses are allowed to connect, or, even better, use Azure Just-in-Time (JIT) VM access.

But you still have this public IP address exposed. A better solution is to remove the public IP address altogether, so that you expose neither RDP nor SSH into your VNET and reduce the attack surface of your VNET.
Now your jumpbox host has no public IP address, and you implement the Azure Bastion solution, which sits in its own managed subnet and exposes a public IP address. This IP address, however, does not accept RDP or SSH connections. It only accepts SSL (HTTPS) connections.

So here is how the connectivity works:
- You connect to the Azure management portal over HTTPS using any browser, then you select a virtual machine to connect to.
- The Azure portal connects to the Azure Bastion service using its public IP on port 443.
- You get a new session in your browser in which you can browse the desktop of the virtual machine, and of any other VM inside your network, using RDP or SSH.
Think of Azure Bastion as a proxy: it receives connections from the internet over SSL and connects you to your VMs using RDP and SSH. It also resembles the Remote Desktop Gateway or RD Web Access solution, where you connect from a browser to a gateway that hands you back your RDP session in the browser.

Keep in mind that the bastion host is attached to a virtual network, so for each VNET you need a bastion host. If you have multiple VNETs that you want to RDP or SSH into from the Azure management portal, you should deploy Azure Bastion in each of those VNETs.
Create Azure Bastion Host
Here is a step-by-step guide to create your first Azure Bastion host:
Step 1: Register for the preview
You first need to register for the preview by running the following PowerShell commands. If you receive any errors, the most reliable approach is to deploy a new Windows 10 machine (clean installation), open PowerShell ISE as an administrator, and run the commands in order.
# Connect your subscription using PowerShell
# ----------------------------------------
Install-Module AzureRM -AllowClobber
Set-ExecutionPolicy Unrestricted
Import-Module AzureRM
Connect-AzureRmAccount
# ----------------------------------------
# Register for the preview
# ----------------------------------------
# Enrollment: request the AllowBastionHost preview feature
Register-AzureRmProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
# Register your subscription with the Microsoft.Network provider namespace
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network
# Verify that the AllowBastionHost feature is registered with your subscription
# (RegistrationState should read "Registered"; it can take a few minutes to move from "Registering")
Get-AzureRmProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
# ----------------------------------------
# ---------------- THE END ---------------
Step 2: Create Azure Bastion resource
Now go to the URL http://aka.ms/BastionHost, which redirects you to the Azure portal with the preview features enabled. It looks something like the picture below.

Add a new resource and search for Bastion. Click Create to start the deployment wizard.

Choose a resource group to host the Bastion resource, give it a name and pick a region. Keep in mind that Azure Bastion is deployed into a VNET, so there is a one-to-one relationship between your VNETs and your Azure Bastion resources.
I already have a VNET called vnet-production that hosts my production workloads, and I am going to choose it. The wizard is now telling me that I have to create a subnet in that VNET with the exact name AzureBastionSubnet and an IP prefix of at least /27. This is the same as when you deploy the managed VPN gateway in Azure, which is hosted in its own gateway subnet.

Now I will go to my vnet-production VNET and create a new subnet. Keep in mind that the name of this subnet MUST be AzureBastionSubnet. For the IP address range, I will choose 10.0.200.0/27.
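The same subnet can be created with the AzureRM module already loaded in Step 1. The script below is an added example, not part of the original post: it checks the two constraints the wizard enforces (the fixed subnet name and a prefix of /27 or larger) before it changes anything, and it refuses to add the subnet twice. The resource group name rg-production is an assumption made for this example; vnet-production and 10.0.200.0/27 are the values used in the walkthrough.

```powershell
# Added example: create AzureBastionSubnet with AzureRM PowerShell (not the original post's code).
# Assumptions: 'rg-production' is a made-up resource group name for this example;
# 'vnet-production' and 10.0.200.0/27 are the values used in the walkthrough.
$resourceGroup = 'rg-production'
$vnetName      = 'vnet-production'
$subnetName    = 'AzureBastionSubnet'   # the service requires exactly this name
$subnetPrefix  = '10.0.200.0/27'

# The wizard rejects anything smaller than /27, so fail early instead of after a round-trip to Azure.
$prefixLength = [int]($subnetPrefix -split '/')[1]
if ($prefixLength -gt 27) {
    throw "AzureBastionSubnet needs a /27 or larger prefix; got /$prefixLength"
}

$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName

# Adding a subnet that already exists fails on Set-AzureRmVirtualNetwork, so check first.
$existing = $vnet.Subnets | Where-Object { $_.Name -eq $subnetName }
if ($existing) {
    Write-Output "$subnetName already exists with prefix $($existing.AddressPrefix)"
} else {
    # Add-AzureRmVirtualNetworkSubnetConfig only changes the local object;
    # Set-AzureRmVirtualNetwork writes the change back to Azure.
    Add-AzureRmVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix $subnetPrefix -VirtualNetwork $vnet | Out-Null
    Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null
    Write-Output "Created $subnetName ($subnetPrefix) in $vnetName"
}
```

Run it in the same PowerShell session where you ran Connect-AzureRmAccount; once it completes, the Bastion wizard picks the subnet up automatically, exactly as described in the next step.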

Now go back to the Azure Bastion deployment wizard. You can see that there are no more errors when we pick our virtual network, and the wizard detects the subnet we have just created.
Next, you can see that the Azure Bastion host requires a public IP address, which is used only for SSL connectivity from the internet. This means you pay for the public IP resource. This IP is not attached to your VMs in any way.

Now we are done. It takes a couple of minutes for the deployment to complete, and then you have an Azure Bastion resource as shown in the figure below. You can see that this resource has:
- Public DNS Name
- Public IP Address
- Attached to a VNET
Step 3: Connect to a virtual machine
Let me browse to my jumpbox device inside my vnet-production VNET; this can be any of the virtual machines inside your VNET. I already have a virtual machine called ManagementVM (my jumpbox VM).
Notice that this VM does not have a public IP address, which means I cannot connect to it from the internet.

If I click Connect, you can see that I have a new option called Bastion. I then type the admin credentials for my ManagementVM virtual machine and click Connect.

A new browser window opens and my profile starts loading.

Now I can access my ManagementVM desktop directly from my browser, without having a public IP on my ManagementVM.

This is not a normal RDP session, so I cannot (as of today) copy files from my local machine to the desktop of my management VM; I can, however, copy text.
If I open Notepad on my machine and copy some text, two small arrows appear in the session. Clicking them shows me the text I just copied from my local machine.

Step 4: Create Network Security Group for the AzureBastionSubnet
The final thing I want to show you is how to apply a network security group to the AzureBastionSubnet if you want to harden it.
I have already configured a network security group called nsg-bastion on this subnet, and here are the three inbound security rules you need to configure:
- Allow HTTPS from the Internet
- Allow any traffic from the service tag AzureCloud
- Allow any traffic from the service tag GatewayManager
The rest of the rules are the default ones.

To understand the network security group requirement for the AzureBastionSubnet: the Azure portal and the AzureBastionSubnet use the Azure GatewayManager to facilitate this connectivity.

So for your AzureBastionSubnet NSG, you need to allow ingress (inbound) traffic from GatewayManager and from AzureCloud, which are both available as service tags in the network security group interface, and you also need to allow inbound HTTPS from the Internet for this to work.
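The three inbound rules above, written as an AzureRM PowerShell script and attached to the AzureBastionSubnet, as an added example that is not part of the original post. The rule priorities, the rule names and the resource group rg-production and location West Europe are assumptions made for this example; nsg-bastion, vnet-production and AzureBastionSubnet are the names used in the walkthrough. Note what is absent: no inbound rule for 3389 or 22, because users never reach those ports on the Bastion public IP, and the default DenyAllInbound rule stays in force below the three allows.

```powershell
# Added example: build nsg-bastion with the three inbound rules from the post and attach it
# to AzureBastionSubnet using AzureRM PowerShell (not the original post's code).
# Assumptions: 'rg-production', 'West Europe', the rule names and priorities are made up here;
# 'nsg-bastion', 'vnet-production' and 'AzureBastionSubnet' come from the walkthrough.
$resourceGroup = 'rg-production'
$location      = 'West Europe'
$vnetName      = 'vnet-production'
$subnetName    = 'AzureBastionSubnet'
$nsgName       = 'nsg-bastion'

# Rule 1: HTTPS from the Internet. This is the only port users ever reach on the Bastion public IP.
$allowHttps = New-AzureRmNetworkSecurityRuleConfig -Name 'AllowHttpsInbound' `
    -Description 'Browser sessions reach the Bastion public IP over TLS only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 443

# Rule 2: any traffic from the GatewayManager service tag (portal / Bastion control plane).
$allowGatewayManager = New-AzureRmNetworkSecurityRuleConfig -Name 'AllowGatewayManagerInbound' `
    -Description 'Azure portal and Bastion control plane' `
    -Access Allow -Protocol * -Direction Inbound -Priority 110 `
    -SourceAddressPrefix GatewayManager -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange *

# Rule 3: any traffic from the AzureCloud service tag.
$allowAzureCloud = New-AzureRmNetworkSecurityRuleConfig -Name 'AllowAzureCloudInbound' `
    -Description 'Azure platform traffic' `
    -Access Allow -Protocol * -Direction Inbound -Priority 120 `
    -SourceAddressPrefix AzureCloud -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange *

# Create the NSG with the three custom rules; the default rules (ending in DenyAllInbound) remain.
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $resourceGroup -Location $location `
    -Name $nsgName -SecurityRules $allowHttps, $allowGatewayManager, $allowAzureCloud

# Associate the NSG with AzureBastionSubnet, keeping the subnet's existing address prefix.
$vnet   = Get-AzureRmVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzureRmVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Verify: list the inbound rules now applied to the subnet. The only Internet-sourced allow is TCP/443.
(Get-AzureRmNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName).SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange, Access
```

The verification at the end is the check worth keeping in your runbook: after any later edit to nsg-bastion, an inbound allow whose source is Internet and whose destination port is anything other than 443 means the subnet is no longer hardened the way this step intends.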

