Secure Remote Administration of Azure VMs with Azure Bastion

Over the last few months, IT professionals have more often managed servers from living rooms and bedrooms than from offices and data centers. COVID-19 has made remote workers of us all, amplifying a trend that the spread of cloud computing had already accelerated. Why go into the office when the servers you manage are virtual machines in a remote data center you will never visit?

But remote administration poses a security problem. To give admins access to a server, you have to open a port and run a listening service, and that service becomes the focus of attacks. There are various solutions for hiding resources from the internet while still allowing secure inbound connections, including RDP Gateways and Point-to-Site VPNs, but each has limitations. RDP Gateways are useless for managing Linux servers, and Point-to-Site VPNs require a lot of upfront planning, management, and support.

Consider a company that has completed a “lift and shift” migration to Azure. Their applications run on Azure VMs with the same architecture they had when they ran on on-premises physical servers. An employee needs to log in to the servers to administer them, but the company sensibly wants to avoid opening SSH or RDP ports on business-critical infrastructure.

One popular solution is a bastion server, also known as a jump server. On Azure, users can take advantage of Azure Bastion, a managed bastion-server-as-a-service offering that avoids the complexity of the alternative remote management approaches above.

What is a Bastion Server?

Bastion servers get their name from a feature of military architecture. In a fortification, the bastion is an exposed structure that projects out from the main defensive walls, often protected by a ditch in front and a mound of earth behind to absorb cannon balls that pass through the walls. Bastion servers fulfill much the same role in the protection of cloud infrastructure.

It is a bad idea to give a public IP address and an open SSH or RDP port to application servers, database servers, and other critical infrastructure. The exposed SSH service becomes the focal point of attacks: a software vulnerability, or a lapse in key or certificate handling or password selection, gives an attacker a beachhead into your network. RDP is notoriously prone to vulnerabilities, and the FBI recommends against exposing it on servers with a public IP.

A bastion server or jump server is a relay or proxy. It sits outside the private network’s firewall with a public IP address and is hardened to minimize the likelihood of a successful attack. Remote administrators log in via the bastion server, which acts as the gateway into the private network. It is a deliberately exposed point in the network’s security, but also the single point at which security precautions, logging, and monitoring can be concentrated and maximized.

What is Azure Bastion?

Azure Bastion is a managed cloud bastion service. It allows authorized external users to access Azure VMs over SSH and RDP via the Azure Portal without exposing public IPs for VMs on a virtual network.

It works like this: a user logs in to the Azure Portal, which connects them over TLS to Azure Bastion, which runs in a dedicated subnet of the virtual network. From there they connect to their servers with SSH or RDP via a private IP that is never exposed to the internet.

There are several benefits to this approach:

  • It’s a managed service that can be deployed in a few minutes in Azure Portal, making it easier to deploy and configure than a standalone bastion server.
  • Microsoft takes care of security hardening and scaling.
  • Servers behind the bastion server are not accessible from the internet: they can’t be port-scanned or directly attacked.
  • Servers in the virtual network do not have to run an agent or similar software.
  • Users can connect from anywhere, on any device that supports a modern web browser.
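The flow just described, and the "not accessible from the internet" property from the list, depend on two things being configured correctly: a Bastion host in its own subnet with the only public IP, and network security group rules that admit SSH/RDP to the VMs solely from that subnet. The Azure CLI script below is an added example, not code from the original post or from VIAcode; resource names, CIDRs and region are assumptions, and the subnet check only reproduces Azure's own naming and size requirement locally.

```shell
#!/usr/bin/env bash
# Added example: deploy Azure Bastion and restrict VM SSH/RDP to the bastion subnet.
# All names, address ranges and the region below are assumed values for illustration.
set -eu

RG="rg-bastion-demo"                  # assumed resource group
LOC="westeurope"                      # assumed region
VNET="vnet-app"                       # assumed virtual network
VNET_CIDR="10.10.0.0/16"
BASTION_SUBNET_CIDR="10.10.255.0/26"  # Azure requires the name AzureBastionSubnet and /26 or larger
APP_SUBNET="snet-app"
APP_SUBNET_CIDR="10.10.1.0/24"
NSG="nsg-app"

# Azure rejects the Bastion subnet unless it is named exactly AzureBastionSubnet
# and its prefix is /26 or larger; this reproduces that rule so it fails before deploying.
bastion_subnet_ok() {
  name="$1"; cidr="$2"; bits="${cidr#*/}"
  [ "$name" = "AzureBastionSubnet" ] || return 1
  [ "$bits" -le 26 ] || return 1
}

deploy() {
  bastion_subnet_ok AzureBastionSubnet "$BASTION_SUBNET_CIDR"
  az group create --name "$RG" --location "$LOC"
  az network vnet create --resource-group "$RG" --name "$VNET" --address-prefix "$VNET_CIDR" \
    --subnet-name "$APP_SUBNET" --subnet-prefix "$APP_SUBNET_CIDR"
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name AzureBastionSubnet --address-prefixes "$BASTION_SUBNET_CIDR"
  # Bastion needs a Standard-SKU static public IP; the application VMs get none at all.
  az network public-ip create --resource-group "$RG" --name pip-bastion --sku Standard --allocation-method Static
  az network bastion create --resource-group "$RG" --name bas-app --location "$LOC" \
    --vnet-name "$VNET" --public-ip-address pip-bastion
  # NSG on the application subnet: SSH/RDP only from the bastion subnet, nothing else inbound from the internet.
  az network nsg create --resource-group "$RG" --name "$NSG"
  az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" --name AllowBastionSshRdp \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$BASTION_SUBNET_CIDR" --destination-port-ranges 22 3389
  az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" --name DenyInternetInbound \
    --priority 4000 --direction Inbound --access Deny --protocol '*' \
    --source-address-prefixes Internet --destination-port-ranges '*'
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$APP_SUBNET" --network-security-group "$NSG"
}

# Deploy only when asked explicitly, so the file can be sourced for the checks without side effects.
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Run it as `bash deploy-bastion.sh deploy` after `az login`; the resulting VMs have no public IP and accept ports 22 and 3389 only from the Bastion subnet.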

Because Azure Bastion is accessed through the Azure Portal, it inherits the Portal’s authentication and security controls. For example, if you protect the Portal with multi-factor authentication, MFA now gates access to the VMs behind the bastion as well.

Azure Bastion isn’t right for every business or every scenario, but if you’re looking for a quick and inexpensive way to provide secure access to system administrators from outside of your network, Azure Bastion should be a leading candidate.

To discover how we can help your business to secure its Azure infrastructure, contact us for a free initial consultation or learn about the health of your Azure infrastructure with a free Azure Snapshot health check.

VIAcode provides services for migration, optimization and management for Azure.