Get started with Azure Bastion

As the public cloud matures, it’s becoming clear that we need a new tier of systems and application management tools. Clouds, whether public, private, or hybrid, depend on one thing: the abstraction of the application layer away from the underlying physical infrastructure. Applications don’t need to consider the underlying physical hardware anymore; all that’s necessary is either a managed PaaS environment or an application-specific virtual infrastructure.

That change has already happened, and those new management tools are starting to arrive. Alongside basic management, they deliver a new set of questions: Who are they for and how do we build them into our workflows? They’re important issues, which seem to suggest a new role in our devops teams. It’s one we don’t have a name for yet, a role that lies between the new infrastructure operators and the applications teams, one that’s responsible for managing the PaaS and the virtual infrastructure, more closely aligned with the applications than traditional system administrators.

Virtual infrastructures are a significant problem, as they require as much management and monitoring as an on-premises infrastructure. On-premises you’re able to go down into the data center and use an in-rack KVM switch to quickly hook a keyboard and screen to a server or use built-in lights-out management tools to quickly access your server’s configuration. You may even have a dedicated management network with servers configured to only allow terminal access to users inside your organization.

How do we securely manage Azure infrastructures?

In a public cloud like Azure those tools are no longer available. Your entire infrastructure is virtual machines and virtual appliances. The Azure Portal gives you some management capabilities, with remote desktop access to servers in the browser when you need to quickly manage a single virtual server. At a larger scale, you can use Azure’s VNet tool to get access to your servers, but there’s always the risk of accidentally exposing a public IP address for a management VPN or for SSL access to Windows Server or Linux management tooling.

We’ve taken the tools and methods we’ve used for decades in the data center and simply lifted and shifted them to the cloud. Even the virtual machine tools in Azure Portal are best thought of as a refresh of familiar desktop management services. So how can we take a more cloud-focused approach to working with cloud infrastructures?

Microsoft has started thinking about this, and tools like Azure Arc are one answer to the problem, using cloud tools to manage on-premises. Its support for HashiCorp and others in the public cloud Kubernetes distributed application space is another answer. Another option is Azure Bastion, a VPN-less connection to virtual machines that means you don’t have to expose a public management IP address to the world.

Described as a “managed PaaS service” for both Microsoft’s own Windows Remote Desktop Protocol and the more widely used SSL, Azure Bastion provides a bridge between Azure virtual networks and your browser, using it to host management applications. Once in place, you get direct access to your virtual infrastructure in much the same way as you would with an SSH client or Remote Desktop on your PC or laptop.

To the outside world, an Azure Bastion connection looks like an SSL connection to the Azure Portal, routed to a hardened virtual appliance running in the same VNet as your virtual machines. This has access to the private IP addresses you’ve assigned to your servers, without exposing their public IP addresses to the outside world. All connections are negotiated through the Azure Portal. You only need to set up a Bastion once per virtual infrastructure, with Azure handling all updates. There’s no need to manage a Bastion install once you’ve got it up and running, so you can concentrate on managing your application’s virtual machines.

Setting up Azure Bastion

Getting started with Azure Bastion is relatively simple. From the Azure Marketplace create a new resource using the Microsoft Bastion service in the networking section of the catalog. This opens the configuration page for your Bastion instance, where you can add it to an existing subscription and to a resource group. Then set the virtual network it’s going to be used with, creating a named subnet at the same time. Finally, configure a single public IP address that will be used for the SSL connection to the Bastion virtual appliance.

The Azure Bastion subnet is an important part of the service, as it’s the only service that can deploy in that network. If you’re using Azure Firewall be careful not to associate it with the firewall’s route table, otherwise you could block access to the service. As you’re using Azure Bastion to control management connections to your servers, it reduces the complexity of your firewall rules and routing, letting you focus on securing server-to-server and server-to-Internet traffic.

If you already have a virtual machine you want to manage via Azure Bastion, setup gets a lot easier. All you need to do is set up a Bastion connection to your server, giving it a name and a subnet name, as well as a public IP address. Once you’ve filled in the details, wait five minutes or so for Azure to finish configuring your Bastion and then make a connection from the Azure Portal.

Connecting to Linux and Windows with Azure Bastion

There are a lot of Linux virtual machines on Azure, so it’s not surprising to see that Azure Bastion offers SSH connections to Linux VMs. There’s no additional configuration needed for the Azure Bastion appliance. You only need the appropriate Azure roles to connect to a VM: on the VM, on its network connections, and on your Bastion. With those roles in place, you can connect using a user name and password or with SSH keys. If you’re planning on using an SSH key to connect you need to ensure that it’s provisioned on your virtual machines, otherwise you’re limited to using usernames and passwords.

Using a username and password with SSH is easy enough. Hit connect in the Azure Portal and it opens up an SSH client in your browser. There’s no need to install client software; Microsoft’s in-browser terminal experience is as good as a desktop app and works well with Linux systems. Windows systems are managed via an in-browser version of the Windows Remote Desktop.

Some features are still missing in Bastion. Currently there’s support only for basic SSH and RDP connections, so you’re unable to take advantage of file transfers or newer systems management tools such as Windows Admin Center. That’s not as much of a problem as it might seem if you’re deploying applications as complete infrastructures from your build system and only need to use Bastion for basic administrative and monitoring tasks.

Azure Bastion is a useful tool for quick-fix systems management when you need a command line to check an application configuration and where you can’t use the Azure Portal directly. With support for SSH and for RDP, you’re covered for most basic operations. It’ll be interesting to see if Microsoft extends Azure Bastion to provide support for tooling outside the Azure Portal, giving you a more secure route to using more than the terminal or a remote desktop.