Azure Bastion – Concepts

What is Azure Bastion?

Azure Bastion is a fully managed Platform-as-a-Service (PaaS) that provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL, without exposing public IP addresses.

Key Benefits

• Zero exposure of VMs to the public internet.
• Integrated with Azure role‑based access control (RBAC) and Azure AD.
• Built‑in protection against port scanning and brute‑force attacks.
• Seamless experience through the Azure portal – no client software required.

Architecture Overview

Azure Bastion consists of a managed service deployed into a dedicated subnet (AzureBastionSubnet) within your virtual network. It establishes a secure tunnel between the user’s browser session and the target VM.

Virtual Network (VNet)
│
├─ AzureBastionSubnet (Host Azure Bastion)
│   └─ Azure Bastion Service (Managed)
│
├─ Subnet‑A
│   └─ VM‑01 (Private IP)
│
└─ Subnet‑B
    └─ VM‑02 (Private IP)

Data Flow

1. User initiates RDP/SSH from the Azure portal.
2. Portal creates a TLS connection to the Azure Bastion service.
3. Azure Bastion proxies the connection to the target VM over the VNet.
4. All traffic stays within Azure’s backbone; no inbound rules are required.

Security Model

Azure Bastion adheres to a zero‑trust approach. It leverages Azure AD for authentication and supports network security groups (NSGs) on the AzureBastionSubnet for additional controls.

Supported Controls

• Azure AD Multi‑Factor Authentication (MFA).
• Conditional Access policies.
• Just‑In‑Time (JIT) access via Azure Policy.
• Integration with Azure Monitor and Azure Sentinel for logging.

Typical Usage Scenarios

• Secure remote administration of production VMs.
• Development and test environments without public exposure.
• Isolated compliance workloads requiring strict network isolation.

Frequently Asked Questions