Azure Bastion Best Practices
Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH connectivity to your virtual machines directly through the Azure portal over TLS. This document outlines best practices for deploying and managing Azure Bastion to maximize security, performance, and cost-effectiveness.
Deployment and Network Configuration
Subnet Naming and Configuration
- Always name the Bastion subnet AzureBastionSubnet. This name is mandatory; the service will not deploy into a subnet with any other name.
- The AzureBastionSubnet must not contain any resources other than the Azure Bastion host.
- Give the subnet an address range of /26 (64 addresses) or larger, so the service has enough addresses for its own instances and for host scaling later.
- Do not delegate the AzureBastionSubnet to any Azure service.
NSG Rules
Apply a Network Security Group (NSG) to the AzureBastionSubnet to control inbound and outbound traffic. Bastion will not deploy, or will stop working, unless the rules it depends on are present:
- Inbound: Allow TCP 443 from the Internet service tag (user access through the portal or native client), from the GatewayManager service tag (Bastion control plane) and from the AzureLoadBalancer service tag (health probes); allow TCP 8080 and 5701 from the VirtualNetwork service tag (data-plane traffic between Bastion instances). There is no inbound RDP or SSH rule on this subnet: those sessions originate from Bastion and leave it outbound.
- Outbound: Allow TCP 3389 and 22 to the VirtualNetwork service tag (the target VMs), TCP 8080 and 5701 to VirtualNetwork, TCP 443 to the AzureCloud service tag (diagnostics and other Azure public endpoints) and TCP 80 to Internet (session and certificate validation). Restrict outbound traffic to only what is strictly needed.
- On the subnets that host the target VMs, allow inbound TCP 3389 and 22 only from the AzureBastionSubnet address prefix and deny them from the rest of the virtual network, so the VMs accept RDP/SSH from Bastion and from nothing else.
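The subnet checks and the NSG rule sets above, as an added example (this is not Microsoft's code or tooling). The AzureBastionSubnet rules follow the NSG requirements Microsoft documents for the service; the deny-all outbound rule is the page's "only what is strictly needed" hardening, which you should validate against a test deployment before enforcing in production. The resource-group and NSG names given to `to_az_cli()` are placeholders.

```python
"""Validate an Azure Bastion subnet and generate the NSG rules around it.

Added example, not Microsoft's code. The AzureBastionSubnet rule set
follows the NSG requirements Microsoft documents for the service; the
resource-group and NSG names passed to to_az_cli() are placeholders.
"""
import ipaddress
import shlex

BASTION_SUBNET_NAME = "AzureBastionSubnet"
MAX_PREFIX_LEN = 26  # /26 or larger; a larger prefix length means a smaller subnet


def validate_bastion_subnet(name, cidr, delegations=(), other_resources=()):
    """Return a list of findings; an empty list means the subnet is compliant."""
    findings = []
    if name != BASTION_SUBNET_NAME:
        findings.append(f"subnet must be named {BASTION_SUBNET_NAME}, got {name!r}")
    try:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.prefixlen > MAX_PREFIX_LEN:
            findings.append(f"{cidr} is too small; Bastion needs /{MAX_PREFIX_LEN} or larger")
    except ValueError as exc:
        findings.append(f"invalid address prefix {cidr!r}: {exc}")
    if delegations:
        findings.append(f"subnet must not be delegated (found {list(delegations)})")
    if other_resources:
        findings.append(f"only the Bastion host may use this subnet (found {list(other_resources)})")
    return findings


def _rule(name, priority, direction, access, src, dst, ports, protocol="Tcp"):
    return {"name": name, "priority": priority, "direction": direction, "access": access,
            "protocol": protocol, "source": src, "destination": dst, "ports": list(ports)}


def bastion_subnet_rules():
    """Rules for the NSG on AzureBastionSubnet. There is deliberately no inbound
    3389/22 rule: RDP and SSH sessions originate on Bastion and leave outbound."""
    return [
        # Inbound: users reach Bastion over HTTPS (portal or native client).
        _rule("AllowHttpsInbound", 120, "Inbound", "Allow", "Internet", "*", [443]),
        # Inbound: Bastion control plane.
        _rule("AllowGatewayManagerInbound", 130, "Inbound", "Allow", "GatewayManager", "*", [443]),
        # Inbound: load-balancer health probes.
        _rule("AllowLoadBalancerInbound", 140, "Inbound", "Allow", "AzureLoadBalancer", "*", [443]),
        # Inbound and outbound: data-plane traffic between Bastion instances.
        _rule("AllowBastionHostCommInbound", 150, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork", [8080, 5701]),
        _rule("AllowBastionHostCommOutbound", 110, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork", [8080, 5701]),
        # Outbound: RDP/SSH to the target VMs.
        _rule("AllowSshRdpOutbound", 100, "Outbound", "Allow", "*", "VirtualNetwork", [22, 3389]),
        # Outbound: diagnostics and other Azure public endpoints.
        _rule("AllowAzureCloudOutbound", 120, "Outbound", "Allow", "*", "AzureCloud", [443]),
        # Outbound: session and certificate validation.
        _rule("AllowHttpOutbound", 130, "Outbound", "Allow", "*", "Internet", [80]),
        # Anything else outbound is denied; without this the default
        # AllowInternetOutBound rule (priority 65001) would still apply.
        _rule("DenyAllOutbound", 4000, "Outbound", "Deny", "*", "*", ["*"], protocol="*"),
    ]


def target_subnet_rules(bastion_cidr):
    """Rules for the NSGs on subnets that host target VMs: RDP/SSH only from
    the Bastion subnet, and explicitly denied from the rest of the VNet
    (the default AllowVnetInBound rule would otherwise admit any peer)."""
    return [
        _rule("AllowRdpSshFromBastion", 100, "Inbound", "Allow", bastion_cidr, "*", [22, 3389]),
        _rule("DenyRdpSshFromVnet", 110, "Inbound", "Deny", "VirtualNetwork", "*", [22, 3389]),
    ]


def priorities_unique(rules):
    """NSG priorities must be unique per direction."""
    keys = [(r["direction"], r["priority"]) for r in rules]
    return len(keys) == len(set(keys))


def to_az_cli(rules, resource_group, nsg_name):
    """Render rules as `az network nsg rule create` commands (shell-quoted)."""
    q = shlex.quote
    return [
        f"az network nsg rule create -g {q(resource_group)} --nsg-name {q(nsg_name)} "
        f"-n {q(r['name'])} --priority {r['priority']} --direction {r['direction']} "
        f"--access {r['access']} --protocol {q(r['protocol'])} "
        f"--source-address-prefixes {q(r['source'])} --source-port-ranges '*' "
        f"--destination-address-prefixes {q(r['destination'])} "
        f"--destination-port-ranges {' '.join(q(str(p)) for p in r['ports'])}"
        for r in rules
    ]


if __name__ == "__main__":
    print(validate_bastion_subnet("AzureBastionSubnet", "10.0.255.0/26"))  # []
    print(validate_bastion_subnet("BastionSubnet", "10.0.255.0/27",
                                  delegations=["Microsoft.Web/serverFarms"]))
    rules = bastion_subnet_rules()
    assert priorities_unique(rules)
    for cmd in to_az_cli(rules, "rg-hub", "nsg-bastion"):  # placeholder names
        print(cmd)
    for cmd in to_az_cli(target_subnet_rules("10.0.255.0/26"), "rg-app", "nsg-app"):
        print(cmd)
```

Run it once to review the generated commands, then paste them into a session that is logged in with `az login`. The target-subnet deny rule matters because the built-in AllowVnetInBound rule would otherwise let any VM or peered network reach RDP/SSH on your servers, which defeats the point of funnelling access through Bastion.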
Security Recommendations
Authentication and Authorization
- Use Microsoft Entra ID (formerly Azure Active Directory) for authentication to the Azure portal and the Azure CLI.
- Use Role-Based Access Control (RBAC) to grant users the minimum permissions needed to connect: Reader on the target VM, Reader on its network interface, Reader on the Bastion resource, and Reader on the virtual network when Bastion sits in a peered network. Virtual Machine User Login (or Virtual Machine Administrator Login) is only needed when users also sign in to the guest OS with Entra ID credentials; on its own it does not permit a Bastion connection.
- Implement Conditional Access policies in Microsoft Entra ID for the Azure management sign-in, such as requiring multi-factor authentication (MFA) or restricting access by location or device compliance.
Session Security
- Enable diagnostic settings on the Bastion resource and send the BastionAuditLogs category to a Log Analytics workspace or storage account; review these logs regularly (who connected, from which client IP, to which VM, over which protocol) to monitor access patterns and detect suspicious activity.
- Configure idle-session timeouts in the guest OS so that abandoned sessions disconnect automatically: RDP session time limits through Group Policy on Windows, and ClientAliveInterval/ClientAliveCountMax in sshd_config on Linux.
- Ensure your virtual machines have up-to-date operating systems and security patches installed.
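A small audit over exported Bastion connection logs, as an added example (not Microsoft's code). The record layout (operationName, properties.userName, clientIpAddress, protocol, targetVMIPAddress) follows the BastionAuditLogs diagnostic category as delivered to Log Analytics or a storage account; the four records below are constructed, and the allowed egress ranges, approved users and business hours are placeholders to replace with your own policy.

```python
"""Flag suspicious Azure Bastion sessions in exported BastionAuditLogs.

Added example, not Microsoft's code. The record layout follows the
BastionAuditLogs diagnostic category; the sample records are constructed
and the policy constants are placeholders.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample export: three connect events and one disconnect, JSON lines.
SAMPLE_LOG = """
{"time":"2024-05-06T09:12:44.000Z","operationName":"Microsoft.Network/BastionHost/connect","category":"BastionAuditLogs","properties":{"userName":"alice@contoso.com","clientIpAddress":"203.0.113.10","clientPort":51234,"protocol":"ssh","targetVMIPAddress":"10.0.1.4","message":"Successfully connected."}}
{"time":"2024-05-06T02:41:10.000Z","operationName":"Microsoft.Network/BastionHost/connect","category":"BastionAuditLogs","properties":{"userName":"alice@contoso.com","clientIpAddress":"198.51.100.77","clientPort":40211,"protocol":"rdp","targetVMIPAddress":"10.0.1.5","message":"Successfully connected."}}
{"time":"2024-05-06T14:05:01.000Z","operationName":"Microsoft.Network/BastionHost/connect","category":"BastionAuditLogs","properties":{"userName":"svc-build","clientIpAddress":"203.0.113.22","clientPort":44010,"protocol":"rdp","targetVMIPAddress":"10.0.2.9","message":"Successfully connected."}}
{"time":"2024-05-06T09:40:02.000Z","operationName":"Microsoft.Network/BastionHost/disconnect","category":"BastionAuditLogs","properties":{"userName":"alice@contoso.com","clientIpAddress":"203.0.113.10","protocol":"ssh","targetVMIPAddress":"10.0.1.4","message":"Disconnected."}}
"""

# Placeholder policy: replace with your own egress ranges, admin group and hours.
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("203.0.113.0/24")]
APPROVED_USERS = {"alice@contoso.com", "bob@contoso.com"}
BUSINESS_HOURS_UTC = range(7, 20)  # 07:00 to 19:59 UTC

CONNECT_OP = "Microsoft.Network/BastionHost/connect"


def parse_records(text):
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_session(rec, allowed_nets=ALLOWED_CLIENT_NETS,
                  approved_users=APPROVED_USERS, hours=BUSINESS_HOURS_UTC):
    """Return the policy violations for one connect record (empty list if clean)."""
    p = rec["properties"]
    reasons = []
    client_ip = ipaddress.ip_address(p["clientIpAddress"])
    if not any(client_ip in net for net in allowed_nets):
        reasons.append(f"client IP {client_ip} outside allowed egress ranges")
    if p["userName"] not in approved_users:
        reasons.append(f"user {p['userName']!r} not on the approved admin list")
    when = datetime.fromisoformat(rec["time"].replace("Z", "+00:00")).astimezone(timezone.utc)
    if when.hour not in hours:
        reasons.append(f"connection at {when:%H:%M} UTC is outside business hours")
    return reasons


def audit(records, **policy):
    """Run audit_session over every connect event; one finding per flagged session."""
    findings = []
    for rec in records:
        if rec.get("category") != "BastionAuditLogs" or rec.get("operationName") != CONNECT_OP:
            continue
        reasons = audit_session(rec, **policy)
        if reasons:
            p = rec["properties"]
            findings.append({"time": rec["time"], "user": p["userName"],
                             "client_ip": p["clientIpAddress"], "protocol": p["protocol"],
                             "target": p["targetVMIPAddress"], "reasons": reasons})
    return findings


def sessions_per_user(records):
    """Connect counts by user: a quick baseline for spotting unusual volume."""
    counts = {}
    for rec in records:
        if rec.get("operationName") == CONNECT_OP:
            user = rec["properties"]["userName"]
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for finding in audit(recs):
        print(finding["time"], finding["user"], finding["client_ip"],
              finding["protocol"], "->", finding["target"])
        for reason in finding["reasons"]:
            print("   -", reason)
    print(sessions_per_user(recs))
```

On the constructed sample this flags the 02:41 RDP session from an unexpected address and the connection by an account that is not on the admin list, and leaves the daytime session from the corporate range alone. The same three checks translate directly into a scheduled Log Analytics alert once the logs are flowing.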
Use Cases
Azure Bastion is ideal for:
- Securing RDP and SSH access to VMs without exposing them directly to the public internet.
- Providing quick and easy access for administrators and support personnel.
- Meeting compliance requirements that mandate hardened remote access solutions.
Performance and Scalability
SKU Selection
Choose the SKU for your Azure Bastion deployment based on your feature and capacity requirements. The Basic SKU covers portal-based RDP and SSH. The Standard SKU adds host scaling, the native client (az network bastion ssh/rdp/tunnel), IP-based connection to targets by private IP address, shareable links, file transfer and Kerberos authentication. Session recording and private-only deployment (no public IP on the Bastion host) require the Premium SKU, not Standard.
Scaling
For high-demand scenarios, scale the Bastion host. Scaling is manual, not automatic: on the Standard and Premium SKUs you set the instance count between 2 and 50, and Microsoft sizes each instance at roughly 20 concurrent RDP or 40 concurrent SSH sessions for typical workloads. Set the count for your expected peak and watch session counts in the Bastion metrics to confirm it is enough.
Cost Management
Resource Group and Tagging
Deploy Azure Bastion within a dedicated resource group for easier management and cost tracking. Use consistent tagging strategies to categorize costs by environment, application, or team.
Monitoring Costs
Regularly review your Azure Bastion costs in the Azure Cost Management and Billing section. Bastion is billed per instance-hour plus outbound data, so reduce the instance count during sustained low-demand periods and raise it ahead of known peaks; because host scaling is manual, nothing will shrink the deployment for you.
By following these best practices, you can ensure that your Azure Bastion deployment is secure, efficient, and cost-effective, providing a robust solution for remote VM access.