Azure Bastion Premium was announced as generally available at the Microsoft Ignite event on November 19, 2024.
At Microsoft Azure, we are unwavering in our commitment to providing robust and reliable networking solutions for our customers. In today’s dynamic digital landscape, seamless connectivity, uncompromising security, and optimal performance are non-negotiable. As cyber threats have grown more frequent and severe, the demand for security in the cloud has increased drastically. As a response to this, we are announcing a new SKU for Microsoft Azure Bastion—Azure Bastion Premium. This service, now in public preview, will provide advanced recording, monitoring, and auditing capabilities for customers handling highly sensitive workloads. In this blog post, we’ll explore what Azure Bastion Premium is, the benefits this SKU offers, and why it is a must-use for customers with highly regulated security policies.
What is Azure Bastion Premium?
Azure Bastion Premium is a new SKU for customers that handle highly sensitive virtual machine workloads. Its mission is to offer enhanced security features that ensure customer virtual machines are connected securely and to monitor virtual machines for any anomalies that may arise. Our first set of features will focus on ensuring private connectivity and graphical recordings of virtual machines connected through Azure Bastion.
Two key security advantages
- Enhanced security: With the existing Azure Bastion SKUs, customers can protect their virtual machines by using the Azure Bastion’s public IP address as the point of entry to their target virtual machines. However, Azure Bastion Premium SKU takes security to the next level by eliminating the public IP. Instead of relying on the public IP address, customers can now connect to a private endpoint on Azure Bastion. As a result, this approach eliminates the need to secure a public IP address, effectively reducing one point of attack.
- Virtual machine monitoring: Azure Bastion Premium SKU allows customers to graphically record their virtual machine sessions. Customers can retain virtual machine sessions in alignment to their internal policies and compliance requirements. Additionally, keeping a record of virtual machine sessions allows customers to identify anomalies or unexpected behavior. Whether it is unusual activity, security breaches, or data exfiltration, having a visual record opens the door to investigations and mitigations.
Features offered in Azure Bastion Premium
- Graphical session recording
Graphical session recording allows Azure Bastion to graphically record all virtual machine sessions that connect through the enabled Azure Bastion. These recordings are stored in a customer-designated storage account and can be viewed directly in the Azure Bastion resource blade. We see this feature as a value add to customers that want an additional layer of monitoring on their virtual machine sessions. With this feature enabled, if an anomaly within the virtual machine session happens, customers can go back and review the recording to see what exactly happened within the session.
For other customers that have data retention policies, session recording will keep a complete record of all recorded sessions. Customers can maintain access and control over the recordings within their storage account to keep it compliant to their policies.
Setting up session recording is extremely easy and intuitive. All you need is a designated container within a storage account, a virtual machine, and Azure Bastion to connect to. For more information about setting up and using session recording, see our documentation.
- Private Only Azure Bastion
In Azure Bastion’s current SKUs that are generally available, inbound connection to the virtual network where Azure Bastion has been provisioned is only available through a public IP address. With Private Only Azure Bastion, we are enabling customers to connect inbound to their Azure Bastion through a private IP address. We see this offering as a must-have feature for customers who want to minimize the use of public endpoints. For customers who have strict policies surrounding the use of public endpoints, Private Only Azure Bastion ensures that Azure Bastion is a compliant service under organizational policies. For other customers that have on-premises machines trying to connect to Azure, utilizing Private Only Azure Bastion with ExpressRoute private peering will enable private connectivity from their on-premise machines straight to their Azure virtual machines.
Setting up Private Only Azure Bastion is very easy. When you create a Azure Bastion, under Configure IP address, select Private IP address instead of Public IP address and then click Review + create.
Note: Private Only Azure Bastions can only be created with net-new Azure Bastions, not with pre-existing Azure Bastions.
Feature comparison of Azure Bastion offerings
Features | Developer | Basic | Standard | Premium |
---|---|---|---|---|
Private connectivity to virtual machines | Yes | Yes | Yes | Yes |
Dedicated host agent | No | Yes | Yes | Yes |
Support for multiple connections per user | No | Yes | Yes | Yes |
Linux Virtual Machine private key in AKV | No | Yes | Yes | Yes |
Support for network security groups | No | Yes | Yes | Yes |
Audit logging | No | Yes | Yes | Yes |
Kerberos support | No | Yes | Yes | Yes |
VNET peering support | No | No | Yes | Yes |
Host scaling (2 to 50 instances) | No | No | Yes | Yes |
Custom port and protocol | No | No | Yes | Yes |
Native RDP/SSH client through Azure CLI | No | No | Yes | Yes |
AAD login for RDP/SSH through native client | No | No | Yes | Yes |
IP-based connection | No | No | Yes | Yes |
Shareable links | No | No | Yes | Yes |
Graphical session recording | No | No | No | Yes |
Private Only Azure Bastion | No | No | No | Yes |
How to get started
- Navigate to the Azure portal.
- Deploy Azure Bastion configured manually to include Premium SKU.
- Under Configure IP Address, there is the option to enable Azure Bastion on a public or private IP address (Private Only Azure Bastion).
- In the Advanced tab, there is a checkbox for Session recording (Preview).
Stay updated on the latest
Our commitment extends beyond fulfilling network security requirements; we are committed to collaborating with internal teams to integrate our solution with other products within our security portfolio. As upcoming features and integrations roll out in the coming months, we are confident that Azure Bastion will seamlessly fit into the “better together” narrative, effectively addressing customer needs related to virtual machine workload security.