The recently announced Azure Bastion service looks like a pretty slick service. It provides a secure way into your VMs without the need to VPN in. It gives you the same authentication that you’d expect from the Azure Portal (MFA, AAD Credentials, etc.) all while giving you a pretty easy to manage way to get into VMs in Azure. Now, this bastion service isn’t going to be for every situation, so it shouldn’t be used for that. But if you need a secure, logged way to connect to VMs in your Azure environment, this looks like a pretty good solution.
What the bastion service does is allow users to log in to the Azure portal, then select the VM that they want to connect to. From there they get an RDP session within their browser that lets them log into the VM that’s running in Azure. From a security perspective, the cool thing about this is that you don’t have to give your VMs public IPs. Because the Azure Bastion service is the bridge between the public internet and your internal VMs, nothing needs a public IP address as nothing is going directly to the Internet.
If your in an environment when you need a way to give users RDP access to servers, this is going to give you a nice secure way of going so.
Like I mentioned earlier, this isn’t going to solve all problems. If you work from home and you need SQL access to VMs, then Azure Bastion isn’t going to help you as it doesn’t just pass traffic like SQL Traffic. You’d need to RDP into a machine, then run the SQL tools from there. So if you wanted to run something locally that could log into SQL Server, you’ll still need a VPN in that case. But for situations where you need to RDP into machines, users that are remote logging into a terminal server for example where you don’t want to have to require that they install VPN software, this could be a good solution for them.
Currently, the Azure Bastion service is in Preview, so you’ll need to sign up for it which you can do from the Microsoft Docs. That doc will also tell you how to use the Azure Bastion service, as you can’t access it from the normal portal URL (yet).
There’s a couple of items to know about Azure Bastion.
- It isn’t available in all the regions yet. Because it’s a preview service isn’t only in a few Azure regions. The lack of regions will change, but while it’s a preview, it’s going to be a limited release. Those regions the service is in today are:
- West US
- East US
- West Europe
- South Central US
- Australia East
- Japan East
- Today Azure Bastion can’t plan vNets. So if you have VMs in two different vNets, you’ll need to bastion services, one in each vNet. Hopefully, this will change by release.