Announcing the preview of Microsoft Azure Bastion

Posted on 18 June, 2019

Corporate Vice President, Azure Networking

For many customers around the world, securely connecting from the outside to workloads and virtual machines on private networks can be challenging. Exposing virtual machines to the public Internet to enable connectivity through Remote Desktop Protocol (RDP) and Secure Shell (SSH) widens the perimeter, leaving your critical networks and attached virtual machines more exposed and harder to manage.

RDP and SSH are the fundamental ways customers connect to their Azure workloads. To reach their virtual machines, most customers either expose them to the public Internet or deploy a bastion host, such as a jump server or jump box.

So today, I'm excited to announce the preview of Azure Bastion.

Azure Bastion is a new managed PaaS service that provides seamless RDP and SSH connectivity to your virtual machines over the Secure Sockets Layer (SSL), without exposing public IPs on your virtual machines. Azure Bastion provisions directly in your Azure Virtual Network, providing a bastion host or jump server as-a-service with integrated RDP/SSH connectivity to all virtual machines in your virtual network, directly from your browser and the Azure portal experience. This takes just two clicks and does not require you to manage network security policies yourself.

Leading up to the preview, we have worked with hundreds of customers across a wide area of industries. The interest to join the preview has been immense, and similar to other unique Azure services such as Azure Firewall, the feedback has been very consistent: We need an easy and integrated way to deploy, run, and scale jump-servers or bastion hosts within our Azure infrastructure.

For example, a cloud foundation team manager for a German premium car manufacturer told us directly that they had concerns about exposing cloud virtual machines with RDP/SSH ports to the Internet because of the security and connectivity issues that could result. During the preview of Azure Bastion, they were able to use RDP/SSH over SSL to their virtual machines, which allowed them to traverse corporate firewalls effortlessly while restricting their Azure Virtual Machines to private IPs only.

Deploying a stand-alone dedicated jump server often entails manually deploying and managing specialized IaaS-based solutions and workloads, such as a Remote Desktop Services (RDS) gateway; configuring and managing authentication, security policies, and access control lists (ACLs); and managing the availability, redundancy, and scalability of the solution. Additionally, monitoring and auditing, along with the ongoing requirement to remain compliant with corporate policies, can quickly make the setup and management of jump servers an involved, costly, and less desirable task.

Azure Bastion is deployed in your virtual network providing RDP/SSH access for all authorized virtual machines connected to the virtual network.

Top-level Azure Bastion architecture

Key features available with the preview include:

  • RDP and SSH from the Azure portal: Initiate RDP and SSH sessions directly in the Azure portal with a single-click seamless experience.
  • Remote session over SSL and firewall traversal for RDP/SSH: HTML5-based web clients are automatically streamed to your local device, providing the RDP/SSH session over SSL on port 443. This allows easy and secure traversal of corporate firewalls.
  • No public IP required on Azure Virtual Machines: Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using a private IP, limiting exposure of your infrastructure to the public Internet.
  • Simplified secure rules management: Simple one-time configuration of Network Security Groups (NSGs) to allow RDP/SSH from only Azure Bastion.
  • Increased protection against port scanning: The limited exposure of virtual machines to the public Internet will help protect against threats, such as external port scanning.
  • Hardening in one place to protect against zero-day exploits: Azure Bastion is a managed service maintained by Microsoft. It is continuously hardened, automatically patched, and kept up to date against known vulnerabilities.
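The NSG rules are the one piece of this setup that stays in your hands, so it is worth being able to check them. The following is an added example (editor's code, not from the post or from Microsoft) that models how an NSG evaluates inbound rules and checks that a VM's rules admit SSH/RDP only from the Bastion subnet; the VNet range, the AzureBastionSubnet range, the sample IPs and the rule field names are assumptions, loosely modelled on NSG rule properties.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumed, not from the post): VNet space and AzureBastionSubnet range.
VNET = ip_network("10.0.0.0/16")
BASTION_SUBNET = ip_network("10.0.1.0/27")
MGMT_PORTS = (22, 3389)  # SSH and RDP

def _port_match(spec, port):
    """destinationPortRange is '*', a single port, or 'lo-hi'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _source_match(spec, ip):
    """sourceAddressPrefix is '*', a CIDR, or a service tag (two modelled here)."""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":  # Azure: every address outside the VNet space
        return ip not in VNET
    return ip in ip_network(spec)

def effective_access(rules, src, port):
    """Evaluate inbound rules the way an NSG does: lowest priority number first,
    first match wins; with no match the default DenyAllInBound applies."""
    ip = ip_address(src)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound":
            continue
        if _port_match(rule["destinationPortRange"], port) and _source_match(rule["sourceAddressPrefix"], ip):
            return rule["access"]
    return "Deny"

def bastion_only(rules, bastion_ip="10.0.1.5", internet_ip="203.0.113.10"):
    """True when SSH/RDP reach the VM from the Bastion subnet but not from the Internet."""
    from_bastion = all(effective_access(rules, bastion_ip, p) == "Allow" for p in MGMT_PORTS)
    from_internet = any(effective_access(rules, internet_ip, p) == "Allow" for p in MGMT_PORTS)
    return from_bastion and not from_internet

def _rule(name, priority, src, port, access):
    return {"name": name, "priority": priority, "direction": "Inbound",
            "sourceAddressPrefix": src, "destinationPortRange": port, "access": access}

# Default rules present in every NSG, then the two NSGs to compare (constructed).
DEFAULTS = [_rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "Allow"),
            _rule("DenyAllInBound", 65500, "*", "*", "Deny")]
WEAK_NSG = [_rule("AllowRDPFromAnywhere", 100, "*", "3389", "Allow")] + DEFAULTS  # RDP open to the Internet
BASTION_NSG = [_rule("AllowRDPFromBastion", 100, str(BASTION_SUBNET), "3389", "Allow"),
               _rule("AllowSSHFromBastion", 110, str(BASTION_SUBNET), "22", "Allow")] + DEFAULTS
```

Note that the default AllowVnetInBound rule still admits peers inside the VNet (effective_access(BASTION_NSG, "10.0.2.7", 3389) returns "Allow"); add an explicit Deny with a lower priority number if intra-VNet management traffic should also go through Bastion.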

Azure Bastion–The road ahead

Like with all other Azure networking services, we look forward to building out Azure Bastion and adding more great capabilities as we march towards general availability.

The future brings Azure Active Directory integration, adding seamless single sign-on using Azure Active Directory identities and Azure Multi-Factor Authentication, effectively extending two-factor authentication to your RDP/SSH connections. We are also looking to add support for native RDP/SSH clients so that you can use your favorite client applications to securely connect to your Azure Virtual Machines through Azure Bastion, while at the same time enhancing the auditing experience for RDP sessions with full session video recording.

We encourage you all to try out Azure Bastion, and we look forward to hearing and incorporating your feedback.