Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native SSH or RDP client already installed on your local computer. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly over TLS from the Azure portal or via native client. When you connect via Azure Bastion, your virtual machines don’t need a public IP address, agent, or special client software.
Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.
A sample setup from Microsoft Learn

Basically, the main purpose is to get an RDP session to a VM directly from the portal, without any VPN.
Bastion SKUs
Azure Bastion has two available SKUs, Basic and Standard. The big difference between hub-and-spoke and a single network is that you will need the Standard SKU for an Azure Virtual WAN, and only for this option: Connect to VMs via IP address.

Don’t forget the IP-based connection checkbox. Copy/paste can be set just as you want it.

That's all nice, but https://learn.microsoft.com/en-us/azure/bastion/vnet-peering says:
Deploying Azure Bastion within a Virtual WAN hub is not supported. You can deploy Azure Bastion in a spoke VNet and use the IP-based connection feature to connect to virtual machines deployed across a different VNet via the Virtual WAN hub.
So basically it might be supported, and it will work.
What is needed for the Bastion?
What I did was create a new network just for Bastion. I used a /26 network, use the Subnet

With the default Azure-provided DNS, I used the NSG, all just as you would do in any other network.
Here you can see it is part of my Virtual WAN, just like the other networks.

A quick overview of the Bastion NSG. Keep in mind this is important: a wrong configuration means no connection. This is all by the Microsoft book.

inbound bastion NSG rules

outbound bastion NSG rules
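Since a wrong Bastion NSG means no connection, here is an added example (not part of the original post) that lists the required Bastion flows an NSG does not allow, including the case where a Deny rule outranks the Allow. It assumes rule dicts with the field names of `az network nsg show` JSON output, takes the required flows from Microsoft's Bastion NSG documentation, and matches service tags only (rules written with CIDR prefixes are not resolved); `missing_bastion_flows` and `SAMPLE` are hypothetical names.

```python
# Added example, not from the original post: list Bastion flows an NSG fails to allow.
# Rule dicts use the field names found in `az network nsg show` JSON output.
REQUIRED = [  # (direction, peer service tag, TCP ports), per Microsoft's Bastion NSG docs
    ("Inbound", "Internet", [443]),
    ("Inbound", "GatewayManager", [443]),
    ("Inbound", "AzureLoadBalancer", [443]),
    ("Inbound", "VirtualNetwork", [8080, 5701]),
    ("Outbound", "VirtualNetwork", [22, 3389, 8080, 5701]),
    ("Outbound", "AzureCloud", [443]),
    ("Outbound", "Internet", [80]),
]

def _values(rule, single, plural):
    return [v for v in [rule.get(single), *(rule.get(plural) or [])] if v]

def _covers(rule, direction, peer, port):
    # Only the peer side is checked: source for inbound, destination for outbound.
    side = "source" if direction == "Inbound" else "destination"
    peers = _values(rule, side + "AddressPrefix", side + "AddressPrefixes")
    ranges = _values(rule, "destinationPortRange", "destinationPortRanges")
    def in_range(r):
        lo, _, hi = r.partition("-")
        return r == "*" or int(lo) <= port <= int(hi or lo)
    return (rule["direction"] == direction
            and rule["protocol"].lower() in ("tcp", "*")
            and any(p in ("*", peer) for p in peers)
            and any(in_range(r) for r in ranges))

def missing_bastion_flows(rules):
    """Return (direction, peer, port) flows whose first covering rule is not Allow."""
    missing = []
    for direction, peer, ports in REQUIRED:
        for port in ports:
            covering = [r for r in rules if _covers(r, direction, peer, port)]
            first = min(covering, key=lambda r: r["priority"], default=None)
            if first is None or first["access"] != "Allow":
                missing.append((direction, peer, port))
    return missing

# Constructed sample: one inbound allow, and an outbound RDP deny that outranks the allow.
SAMPLE = [
    {"name": "AllowHttpsInbound", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "priority": 120, "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "DenyRdpOutbound", "direction": "Outbound", "access": "Deny", "protocol": "*",
     "priority": 100, "destinationAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "AllowVnetOutbound", "direction": "Outbound", "access": "Allow", "protocol": "*",
     "priority": 200, "destinationAddressPrefix": "VirtualNetwork",
     "destinationPortRanges": ["22", "3389", "8080", "5701"]},
]
```

Pass the NSG's `securityRules` together with its `defaultSecurityRules` so that the built-in default rules are taken into account.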
As I used a secure hub, this network needs to be peered into the secure hub just like all your other networks in the Virtual WAN. My vnet-remote is peered.
A secured virtual hub is an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager. Use secured virtual hubs to easily create hub-and-spoke and transitive architectures with native security services for traffic governance and protection

Here you can see the vnet-remote is connected to the secure hub

In this step a few things are different: the default route is disabled and the static route is set to No. This can be changed later or just be configured at creation. Our next step is setting the security configuration in the secure hub.

The entry point is not the firewall; instead we create an extra entrance for the Bastion in our secure hub virtual network, where I made sure that the internet traffic is unsecured and protected by NSGs.
Well, I've done all this, but I still don’t get a connection. Well, there is also a firewall in place, right? It is a secure hub.
Just create a firewall rule to open port 3389 or 22, or both if you need them. I use IP Groups, so much easier and quicker to update your firewall.

In the destination you can add your destinations (VNets).

Now that the configuration is done it is time to test this.
Keep in mind you have to go to Bastion and use the IP address; the Bastion option in the VM won’t work and will tell you there is no Bastion.

So I used my IP to the Azure VM, plus username and password, and got a web-based connection.

Keep in mind: always use MFA for the Azure portal connection.
Hope it was helpful. Thanks for visiting my blog.
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Http://nl.linkedin.com/in/robertsmit