How to start with Microsoft #Azure #Bastion Service, secure VM access #AzureBastion #jumpserver #PaaS #WAC   Leave a comment

In case you may missed this Azure has released a new service called Bastion. So what is the fuzz about this new service and why should you use this ?

Bastion can Manage RDP/SSH to VMs over SSL using private IP on the VM.

Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH access to your virtual machines directly through the Azure Portal. Azure Bastion is provisioned directly in your Virtual Network (VNet) and supports all VMs in your Virtual Network (VNet) using SSL without any exposure through public IP addresses.



So basically it is the old Jump server that you already used to get into the Azure VM’s if needed. It can access all virtual machines within a virtual network through a single hardened access point. Exposing the bastion host as primary exposed public access helps lockdown of public Internet exposure and limit threats such as port scanning and other types of malware targeting your VMs.

A jump server as PaaS services.


This seems nice but as always is it free or is it costly ? Well in the Azure Calculator you can see the Costs.



Ho do we start with Bastion.


First we need to register the new resource in Azure this is always needed to get to work with the new Azure components.

Keep in mind this can take some time to register

Get-AzProviderFeature -ProviderNamespace Microsoft.Network


With the Powershell command below we are registering the Bastion service into our subscription and network.

Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network


Now that we triggered to register the Bastion services we need to wait

Check if it is done




Then register the network again. with your subscription and the Microsoft.Network provider namespace

Register-AzResourceProvider -ProviderNamespace Microsoft.Network



Now that this is done we can start with the Configuration, and there a multiple ways on how to get there. by the market place or directly in the VM


In the VM almost all the items are pre defined and ready to go if you want to go with the defaults.



In the marketplace you need to find the bastion and select the new resource.


Select and create the resource. Configure this accordantly and select the proper network.


The starting point is almost the same the first one is already in the VM network and the one from the market place is just a blank one , where you need to select your network.

In this LAB I’ll go for connection directly from the VM.

Lets start in the VM go to connect and select bastion and use Bastion


As I want to move forward quickly I already see some red lines. I need a /27 Subnet.  This is currently not in my network so I need to create a new subnet in the used Azure network.


As shown below the extra subnet is created to connect to the AzureBastion



The subnet inside your virtual network to which Bastion resource will be deployed. The subnet must be created with the name AzureBastionSubnet. This lets Azure know which subnet to deploy the Bastion resource to. This is different than a Gateway subnet. Click Manage subnet configuration to create the Azure Bastion Subnet. We highly recommend that you use at least a /27 or larger subnet (/27, /26, etc.). Create the AzureBastionSubnet without any Network Security Groups, route tables, or delegations. Click Create to create the subnet, then proceed with the next settings.



Now that the Subnet is added we can creating the Bastion service.


The validation started a it is created.


Now that it is created we can connect to the VM with HTML5 the connection is similar with WVD RDP connection to the VM.


You can see the created subnet.


Connecting With chrome or with Microsoft Edge is no problem you do need to configure the popup blocker



Web based RDP connection keep in mind the background is filtered out.

For connection with the browser you will need to allow the popup showing


image image image

now that the portal has access the connection will proceed. Unless your VM is in the Wrong region


Currently only the following regions are supported :

  • West US
  • East US
  • West Europe
  • South Central US
  • Australia East
  • Japan East

This is a nice feature but if you running already a hybrid site why not using the Windows admin center here you can also connect with the HTML5 browser to the Azure VM. the only thing here is you will need to connect to an external IP with proper NSG or to the internal IP with a S2S VPN connection.



Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Posted June 20, 2019 by Robert Smit [MVP] in Azure

Tagged with

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Twitter

  • RSS Azure and Microsoft Windows Server Blog

  • %d bloggers like this: