A few weeks ago, I wrote about upgrading my local network edge device with one capable of connecting to my Azure virtual network using a site-to-site VPN. I also mentioned that I would cover many other services and capabilities that this site-to-site VPN configuration enables for hybrid work and management.
This week I’m covering the ability to connect to your on-premises, non-Azure, and Azure virtual machines via Azure Bastion over ExpressRoute or a VPN site-to-site connection using a specified private IP address over RDP and SSH.
Over the years I have seen and heard many ITPros struggles to figure out a way to deploy and maintain a VPN infrastructure that would allow them to access the servers in their remote environments easily and cheaply without having to mess around with routing and remote access roles or port forwarding. And without having to manage VPN clients on their PC.
Furthermore, the option of exposing the RDP port to the internet is a really bad idea. As mentioned in the Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute fo…,
“Computers with Windows Remote Desktop Protocol (RDP) exposed to the internet are an attractive target for adversaries because they present a simple and effective way to gain access to a network. Brute forcing RDP, a secure network communications protocol that provides remote access over port 3389, does not require a high level of expertise or the use of exploits; attackers can utilize many off-the-shelf tools to scan the internet for potential victims and leverage similar such tools for conducting the brute force attack.”
Azure Bastion is a service you can deploy and use to securely connect to a virtual machine using your browser and the Azure portal. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. That way your virtual machines don’t need a public IP address, agent, or special client software.
Before you can take advantage of this feature, verify that you have the following environment set up:
- A VNet with Bastion already deployed.
- Make sure that you have deployed Bastion to the virtual network. Once the Bastion service is provisioned and deployed in your virtual network, you can use it to connect to any VM deployed in any of the virtual networks that is reachable from Bastion.
- To deploy Bastion, see Quickstart: Deploy Bastion with default settings.
- A virtual machine in any reachable virtual network. This is the virtual machine to which you’ll connect.
Now you need to configure the bastion host.
- In the Azure portal, go to your Bastion deployment.
- IP-based connection requires the Standard SKU tier. On the Configuration page, for Tier, verify the tier is set to the Standard SKU. If the tier is set to the Basic SKU, select Standard from the dropdown
- To enable IP based connection, select IP based connection
Once you completed the changes, simply click apply.
That’s it. You can now connect to any VM that is connected to your virtual network. Like any VM running in a network connected by site-to-site VPN.
On your edge device, you may have to add a route to your AzureBastionSubnet. On my own edge device (a Ubiquiti Dream Machine Pro) I had to manually add the AzureBastionSubnet address space to my configuration.
If you do not add the route, you may end up with an error stating “the network connection to the Bastion Host appears unstable.” when trying to establish the RDP connection.
When connecting to the vm, you need to provide an IP address, fully qualified domain names are not supported.
Now, I can securely connect to all my servers, from anywhere using a simple browser and the Azure portal.
Try it out!
P.S. please leave feedback in the comments below. It really helps make the product better.