Introduction

Azure Bastion is a fully managed PaaS service that you deploy into a virtual network to provide secure RDP and SSH connectivity to your virtual machines directly from the Azure portal over TLS. It acts as a jump host: your VMs need no public IP address and do not expose RDP (TCP 3389) or SSH (TCP 22) to the internet, because the only internet-facing endpoint is Bastion's own HTTPS (TCP 443) listener. This service is available in specific Azure regions. For the most current information, see Azure product availability by region.

This document outlines how to use Azure Bastion for secure network-to-network connectivity: reaching resources in one virtual network from a Bastion host deployed in another, or from on-premises environments, through a single, centrally managed jump host.

Understanding Azure Bastion

Azure Bastion is designed to provide a secure and efficient way to manage access to your Azure resources. Key features include:

Use Cases for Network-to-Network Connectivity

Azure Bastion is particularly useful for scenarios involving:

Scenario: Connecting to VMs in a Remote VNet

Let's consider a scenario where you have two virtual networks: VNet-A (where Bastion is deployed) and VNet-B (containing the target VMs). These VNets are connected via VNet peering.

Prerequisites

Steps to Configure and Connect

  1. Verify VNet Peering:

    Ensure that VNet-A and VNet-B are peered correctly and that traffic can flow between them. Check the peering settings in the Azure portal on both VNets: the peering status must be Connected on each side, and the setting that allows virtual network access (labelled "Allow virtual network access" in older portal versions) must be enabled in both directions. "Allow gateway transit" and "Use remote gateways" only matter when on-premises traffic is expected to traverse a VPN or ExpressRoute gateway in one of the VNets; they are not needed for Bastion to reach VMs in VNet-B.

  2. Configure NSGs:

    On VNet-B, ensure that the Network Security Group applied to the subnet (or the NICs) of your target VMs allows inbound RDP (TCP 3389) or SSH (TCP 22) from the AzureBastionSubnet in VNet-A. Use that subnet's address prefix as the source rather than the VirtualNetwork service tag: VirtualNetwork expands to the address space of the VNet and of every peered VNet, so a rule sourced from it lets any host in VNet-A or VNet-B reach the management ports, not just Bastion. NSG rules are evaluated in ascending priority order and the first match wins, so the allow rule must carry a lower number than any broader deny rule covering those ports. If an NSG is attached to the AzureBastionSubnet itself, it must also contain the inbound and outbound rules Microsoft documents for Bastion (including outbound TCP 22 and 3389 to VirtualNetwork); without them Bastion cannot reach VNet-B at all.

    Example NSG Rule (Inbound RDP, on the VNet-B VM subnet)
    
    Protocol: TCP
    Source port ranges: *
    Destination port ranges: 3389
    Source: <address prefix of AzureBastionSubnet in VNet-A>
    Destination: Any (or, tighter, the address prefix of the VM subnet)
    Action: Allow
    Priority: [Choose a number lower than any conflicting deny rule, e.g., 300]
                        
                        
  3. Access Bastion from Azure Portal:

    Bastion sessions are started from the virtual machine, not from the Bastion resource. In the Azure portal, navigate to the target VM in VNet-B, choose Connect, and select Bastion; the portal discovers the Bastion host in the peered VNet-A. For that option to work, your portal identity needs the Reader role on the VM, on its NIC, on the Bastion resource, and on the VM's virtual network (the last one is required precisely because Bastion lives in a peered VNet).

  4. Connect to the VM:

    Enter the username and password (or the SSH private key, which can also be supplied from Azure Key Vault) for the target VM and click Connect.

    Bastion establishes the RDP or SSH connection to the VM's private IP address across the VNet peering, so the VM needs no public IP. The session is rendered in your browser tab over HTTPS.
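The NSG step above is where most Bastion-to-peered-VNet setups go wrong, so the following is an added worked example (not code from the page or from Microsoft) that models NSG evaluation offline for the scenario: a constructed VNet-A (10.1.0.0/16, AzureBastionSubnet 10.1.255.0/26) peered with a constructed VNet-B (10.2.0.0/16, VM subnet 10.2.1.0/24). All addresses, rule names and priorities are assumptions. It evaluates the page's example rule (source VirtualNetwork) against a tightened rule sourced from the Bastion subnet prefix, shows that VirtualNetwork also admits any other VM in the peered VNet, and shows what happens when the allow rule is numbered above a deny rule. Azure's default inbound rules are included, since they participate in the same ordered evaluation.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumed values, not from the page): VNet-A hosts
# AzureBastionSubnet, VNet-B hosts the target VMs, the two are peered.
VNET_A = ["10.1.0.0/16"]
VNET_B = ["10.2.0.0/16"]
BASTION_SUBNET = "10.1.255.0/26"   # AzureBastionSubnet in VNet-A (/26 or larger)
VM_SUBNET = "10.2.1.0/24"          # subnet of the target VMs in VNet-B


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # custom rules 100-4096; lower number is evaluated first
    direction: str      # "Inbound" / "Outbound"
    access: str         # "Allow" / "Deny"
    protocol: str       # "Tcp", "Udp", "Icmp" or "*"
    source: str         # CIDR or service tag
    destination: str    # CIDR or service tag
    dest_ports: str     # e.g. "3389", "22,3389", "1000-2000", "*"


def _addr_match(value, ip, local_vnet, peered_vnets):
    """Match an NSG source/destination field (CIDR or service tag) against an address."""
    if value in ("*", "Any"):
        return True
    if value == "VirtualNetwork":
        # VirtualNetwork covers the VNet's own space AND every peered VNet's
        # space, so a rule sourced from it is broader than it looks.
        prefixes = list(local_vnet) + [p for v in peered_vnets for p in v]
        return any(ip in ipaddress.ip_network(p) for p in prefixes)
    try:
        return ip in ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False  # other Microsoft-maintained tags (AzureLoadBalancer, ...) are not modelled


def _port_match(spec, port):
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, direction, src_ip, dst_ip, port, protocol, local_vnet, peered_vnets):
    """Return (rule name, "Allow"|"Deny") for the first matching rule in priority order.

    Azure evaluates custom and default rules together, ascending by priority,
    and stops at the first match; the caller supplies the default rules.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction or r.protocol.lower() not in ("*", protocol.lower()):
            continue
        if not _addr_match(r.source, src, local_vnet, peered_vnets):
            continue
        if not _addr_match(r.destination, dst, local_vnet, peered_vnets):
            continue
        if not _port_match(r.dest_ports, port):
            continue
        return r.name, r.access
    return None, "Deny"  # not reached while Azure's DenyAllInBound is present


# Azure's built-in default inbound rules (names and priorities as shown in the portal).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]
# A broad deny for management ports, as many environments add to override
# AllowVnetInBound (assumed name and priority).
DENY_MGMT = Rule("DenyRdpSshFromVnet", 4000, "Inbound", "Deny", "Tcp", "VirtualNetwork", "*", "22,3389")


def rules_as_on_page():
    """The page's example rule: source VirtualNetwork, destination Any, RDP only."""
    return [Rule("AllowRdpFromVnet", 300, "Inbound", "Allow", "Tcp", "VirtualNetwork", "*", "3389"),
            DENY_MGMT, *DEFAULT_INBOUND]


def rules_tightened():
    """Least-privilege variant: only AzureBastionSubnet may reach the VM subnet on 22/3389."""
    return [Rule("AllowRdpSshFromBastion", 300, "Inbound", "Allow", "Tcp", BASTION_SUBNET, VM_SUBNET, "22,3389"),
            DENY_MGMT, *DEFAULT_INBOUND]


def rules_misordered():
    """Same allow rule, but numbered above the deny: the deny matches first."""
    return [Rule("AllowRdpSshFromBastion", 4096, "Inbound", "Allow", "Tcp", BASTION_SUBNET, VM_SUBNET, "22,3389"),
            DENY_MGMT, *DEFAULT_INBOUND]


def check_bastion_reachability(vm_subnet_rules):
    """Evaluate three constructed inbound flows against the NSG on VNet-B's VM subnet."""
    bastion_ip = "10.1.255.5"    # an address Bastion would use inside AzureBastionSubnet
    other_vm_in_a = "10.1.0.5"   # a non-Bastion VM in the peered VNet-A
    target = "10.2.1.4"          # target VM in VNet-B
    ctx = dict(local_vnet=VNET_B, peered_vnets=[VNET_A])
    return {
        "bastion_rdp": evaluate(vm_subnet_rules, "Inbound", bastion_ip, target, 3389, "Tcp", **ctx),
        "bastion_ssh": evaluate(vm_subnet_rules, "Inbound", bastion_ip, target, 22, "Tcp", **ctx),
        "peer_vm_rdp": evaluate(vm_subnet_rules, "Inbound", other_vm_in_a, target, 3389, "Tcp", **ctx),
    }


if __name__ == "__main__":
    for label, rules in (("as on page", rules_as_on_page()), ("tightened", rules_tightened()),
                         ("misordered", rules_misordered())):
        print(label, check_bastion_reachability(rules))
```

With the page's rule, Bastion's RDP is allowed but so is RDP from any other VM in VNet-A, and SSH from Bastion is caught by the deny because the rule only lists 3389. The tightened rule allows both ports from the Bastion subnet only, and the misordered variant shows that a correct allow rule placed at priority 4096 loses to a deny at 4000. The tightened rule maps directly onto `az network nsg rule create` with `--source-address-prefixes` set to the Bastion subnet prefix and `--destination-port-ranges 22 3389`.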

Advanced Configuration and Considerations

Subnet Requirements for Bastion

Your Azure Bastion host requires a dedicated subnet named exactly AzureBastionSubnet in the VNet where Bastion is deployed. Microsoft currently requires this subnet to be /26 or larger (earlier guidance allowed /27; new deployments need /26 so the service can scale its host instances). Do not deploy any other resources in this subnet, and do not associate a route table that sends its default route through a firewall or network virtual appliance, as Bastion does not support that. An NSG on the subnet is optional, but if you attach one it must include the inbound and outbound rules Microsoft documents for Bastion.

Security Best Practices

Troubleshooting

If you encounter connection issues:

Conclusion

Azure Bastion provides a robust and secure solution for managing network-to-network connectivity to your Azure virtual machines. By eliminating the need for public IP addresses on your VMs and offering a centralized, browser-based access point, Bastion significantly enhances your security posture and simplifies remote management operations.