Wednesday, 5 June 2024

Create an RDP connection to a Windows VM using Azure Bastion


This article shows you how to securely and seamlessly create an RDP connection to your Windows VMs located in an Azure virtual network directly through the Azure portal. When you use Azure Bastion, your VMs don't require a client, agent, or additional software. You can also connect to a Windows VM using SSH. For information, see Create an SSH connection to a Windows VM.

Azure Bastion provides secure connectivity to all of the VMs in the virtual network in which it's provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH. For more information, see What is Azure Bastion?

Prerequisites

Before you begin, verify that you've met the following criteria:

  • A VNet with the Bastion host already installed.

    • Make sure that you have set up an Azure Bastion host for the virtual network in which the VM is located. Once the Bastion service is provisioned and deployed in your virtual network, you can use it to connect to any VM in the virtual network.
    • To set up an Azure Bastion host, see Create a bastion host. If you plan to configure custom port values, be sure to select the Standard SKU or higher when configuring Bastion.
  • A Windows virtual machine in the virtual network.

Required roles

  • Reader role on the virtual machine.
  • Reader role on the NIC with private IP of the virtual machine.
  • Reader role on the Azure Bastion resource.
  • Reader role on the virtual network of the target virtual machine (if the Bastion deployment is in a peered virtual network).

Ports

To connect to the Windows VM, you must have the following ports open on your Windows VM:

  • Inbound port: RDP (3389) or
  • Inbound port: Custom value (you'll then need to specify this custom port when you connect to the VM via Azure Bastion)


Rights on target VM

When a user connects to a Windows VM via RDP, they must have rights on the target VM. If the user isn't a local administrator, add the user to the Remote Desktop Users group on the target VM.

See the Azure Bastion FAQ for additional requirements.

Connect

  1. In the Azure portal, go to the virtual machine that you want to connect to. On the Overview page, select Connect, then select Bastion from the dropdown to open the Bastion page. You can also select Bastion from the left pane.

    Screenshot of Connect.

  2. On the Bastion page, enter the required authentication credentials, then click Connect. If you configured your bastion host using the Standard SKU, you'll see additional credential options on this page. If your VM is domain-joined, you must use the following format: username@domain.com.

    Screenshot of Connect button.

  3. When you click Connect, the RDP connection to this virtual machine via Bastion opens in your browser (over HTML5) using port 443 and the Bastion service. The following example shows a connection to a Windows 11 virtual machine in a new browser tab. The page you see depends on the VM you're connecting to.

    Screenshot of connecting to a Windows 11 VM.

    When working with the VM, using keyboard shortcut keys may not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.

What Is Azure Bastion?

Azure is a cloud service provided by Microsoft. It allows companies to use Microsoft's computing and storage capacity over the internet instead of running their own. This helps companies run their applications and store their data easily and securely. With Azure, users can create virtual machines, store files, build websites, manage databases, and much more. It also provides machine learning and artificial intelligence services, which means users can train models to recognize images, understand speech, and make decisions.

One of Azure's strengths is its Kubernetes service, which helps users manage and scale applications that run in containers. Azure also has advanced tools for developing, testing, and deploying software, making it easier for teams to work together. In short, it provides a wide range of cloud services that help businesses work more efficiently and cost-effectively.

What Is Azure Bastion?

Azure Bastion is a fully managed PaaS service that you provision to securely connect to virtual machines via private IP address. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly over TLS from the Azure portal, or via the native SSH or RDP client already installed on your local computer. When you connect via Azure Bastion, your virtual machines don't need a public IP address, agent, or special client software. The Bastion service opens the RDP/SSH session to your virtual machine over the VM's private IP, within your virtual network.

  • Direct connection for RDP and SSH sessions in the Azure Portal and native client with a single click
  • Support without the need for an agent in your VM or additional software on your browser
  • Integration of existing firewalls and security perimeters using a modern HTML5-based web client and standard TLS ports
  • Scalability with Bastion Standard to manage additional concurrent SSH and RDP connections

Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network for which it’s provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.

Architecture Of Azure Bastion

  • This section applies to all SKU tiers except the Developer SKU, which is deployed differently. Azure Bastion is deployed to a virtual network and supports virtual network peering. Specifically, Azure Bastion manages RDP/SSH connectivity to VMs created in the local or peered virtual networks.
  • RDP and SSH are some of the fundamental means through which you can connect to your workloads running in Azure. Exposing RDP/SSH ports over the Internet isn’t desired and is seen as a significant threat surface. This is often due to protocol vulnerabilities. To contain this threat surface, you can deploy bastion hosts (also known as jump-servers) at the public side of your perimeter network. Bastion host servers are designed and configured to withstand attacks. Bastion servers also provide RDP and SSH connectivity to the workloads sitting behind the bastion, as well as further inside the network.
  • Currently, by default, new Bastion deployments don’t support zone redundancies. Previously deployed bastions might, or might not, be zone-redundant. The exceptions are Bastion deployments in Korea Central and Southeast Asia, which do support zone redundancies.

Architecture of an Azure Bastion deployment

This figure shows the architecture of an Azure Bastion deployment. This diagram doesn’t apply to the Developer SKU. In this diagram:

  • The Bastion host is deployed in the virtual network that contains the AzureBastionSubnet subnet, which has a minimum /26 prefix.
  • The user connects to the Azure portal using any HTML5 browser.
  • The user selects the virtual machine to connect to.
  • With a single click, the RDP/SSH session opens in the browser.
  • No public IP is required on the Azure VM.

Setting Up Azure Bastion: A Step-By-Step Guide

Step 1: Sign in to your Azure portal and search for Azure Bastion.

Search for Azure bastion

Step 2: Create an Azure Bastion host and set up a subnet for it.

Create an Azure Bastion

Step 3: Create and deploy your VM. The deployment might take 5-7 minutes to complete.

Create a VM & Deploy your VM

Step 4: Configure your Azure Bastion host and connect to your VM via Azure Bastion.

Connect your VM via Azure Bastion

Step 5: Configure the Network Security Group rules and verify connectivity.

Configure the Network Security Groups

Step 6: Clean up and optimize your resources carefully.

Clean up and optimize

Advantages Of Azure Bastion

Opting for Azure Bastion to reach virtual machines over their private IP addresses brings several benefits. The following list summarizes the main ones:

  • RDP and SSH through the Azure portal: You can get to the RDP and SSH session directly in the Azure portal using a single-click seamless experience.
  • Remote session over TLS and firewall traversal for RDP/SSH: Azure Bastion uses an HTML5-based web client that is automatically streamed to your local device. Your RDP/SSH session is over TLS on port 443. This enables the traffic to traverse firewalls more securely. Bastion supports TLS 1.2. Older TLS versions aren't supported.
  • No public IP address required on the Azure VM: Azure Bastion opens the RDP/SSH connection to your Azure VM by using the private IP address on your VM. You don't need a public IP address on your virtual machine.
  • No hassle of managing Network Security Groups: You don't need to apply any NSGs to the Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This removes the hassle of managing NSGs each time you need to securely connect to your virtual machines.
  • No need to manage a separate bastion host on a VM: Azure Bastion is a fully managed PaaS service from Azure that is hardened internally to provide you secure RDP/SSH connectivity.
  • Protection against port scanning: Your VMs are protected against port scanning by rogue and malicious users because you don't need to expose the VMs to the internet.
  • Hardening in one place only: Azure Bastion sits at the perimeter of your virtual network, so you don't need to worry about hardening each of the VMs in your virtual network.
  • Protection against zero-day exploits: The Azure platform protects against zero-day exploits by keeping Azure Bastion hardened and always up to date for you.

Disadvantages Of Azure Bastion

The following are the disadvantages of Azure Bastion:

  • Distance to Azure data centers could cause slow performance.
  • Local data laws might be complicated to follow on Azure.
  • Using Azure can get expensive depending on how much you use it.
  • Azure depends on good internet access, which can be unstable in some areas.
  • With Azure, Microsoft manages the infrastructure instead of you. This means you have less control, which some may see as a drawback.

Conclusion

In summary, Azure Bastion provides a secure and easy way for organizations to access their Azure virtual machines over the internet. It offers enhanced security, simplified management, and can help meet compliance rules. This makes Azure Bastion a helpful service for many companies using Azure. However, organizations need to evaluate if Azure Bastion fits their particular needs before deploying it. Aspects like cost, ability to scale, and how it integrates with current systems should be considered. Though it has many benefits, Azure Bastion may not be suitable for every organization.

Azure Bastion FAQs

What Do You Mean By Azure Bastion?

Azure Bastion is a fully managed PaaS service that you provision to securely connect to virtual machines via private IP address. It provides secure and seamless RDP/SSH connectivity to your virtual machines.

Why Is There A Need Of The Azure Bastion?

Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network for which it’s provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.

How To Build The Azure Bastion?

Sign in to your Azure portal and search for Azure Bastion. Create an Azure Bastion host and then set up a subnet for it.

Explain Any Two Features Of Azure Bastion.

  • You can get to the RDP and SSH session directly in the Azure portal using a single-click seamless experience.
  • Your VMs are protected against port scanning by rogue and malicious users because you don’t need to expose the VMs to the internet.

What Are The Limitations Of The Azure Bastion?

Using Azure can get expensive depending on how much you use it and it also depends on good internet access, which can be unstable in some areas.


Overview And Steps to Create

Wondering about what Azure Bastion Host is and how to configure it? Well, you’ve come to the right platform.

In this blog, you’ll learn what Azure Bastion is, get a high-level overview of its architecture, and learn how to create your first Azure Bastion host.


What is Azure Bastion Host?

Azure Bastion is a fully platform-managed PaaS service that provides RDP/SSH over TLS (port 443) to all the VMs in the network. Think of it as a managed Jump Box or Jump Server service provided by Microsoft.

Before we move on to Azure Bastion, let's first understand what a Jump Box or Jump Host is. A Jump Box is a virtual machine that sits in front of a virtual network and prevents all the other virtual machines from being exposed to the public.

This means that the Jump Box acts as the doorway for all RDP connections made to your VMs. Furthermore, when using a Jump Box, only a single port is exposed instead of the multiple ports that are exposed when we don't use one.

Now, let's come back to Azure Bastion. Azure Bastion is a managed Jump Box. What does managed mean? It means that we can configure our Jump Box according to our needs. Remember, you cannot interact with it directly, but you can configure it. It supports both RDP (Remote Desktop Protocol) and SSH connections, and you can also tune its NSG (Network Security Group) to make your connection even more secure.

Well, I guess you're stuck, aren't you? No, not at all, relax. In this post, I'll show you how to use Azure Bastion as well.

Azure Bastion Architecture

Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine. Once you provision an Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same virtual network.

Diagram of Azure Bastion connectivity.

So here is how the connectivity works:

  • You connect to the Azure management portal over HTTPS using any browser, then you select a virtual machine to connect to.
  • Now the Azure portal connects to the Azure Bastion service using the Private IP on port 443.
  • You get a new session in your browser and you can browse the desktop of the virtual machine and any other VMs inside your network using RDP or SSH.

Key benefits of Azure Bastion

RDP and SSH through the Azure portal : You can access RDP and SSH sessions directly from the Azure portal, using a seamless one-time experience.

Remote Session over TLS and firewall traversal for RDP/SSH : Azure Bastion uses an HTML5-based web client that is automatically streamed to your local device. Your RDP/SSH session happens over TLS on port 443. This allows the traffic to pass through firewalls more securely. Bastion supports TLS 1.2 and higher.

No Public IP address required on the Azure VM : Azure Bastion opens an RDP/SSH connection to an Azure VM using the VM's private IP address. Your virtual machine does not need a public IP address.

No hassle of managing Network Security Groups (NSGs) : There is no need to apply an NSG to the Azure Bastion subnet. Because Azure Bastion connects to the virtual machine via a private IP, you can configure the NSG to only allow RDP/SSH from Azure Bastion. This takes the hassle out of managing NSGs when you need to securely connect to a virtual machine. For more information about NSGs, see Network Security Groups.

No need to manage a separate bastion host on a VM : Azure Bastion is an Azure-managed PaaS service that is hardened internally to provide you with secure RDP/SSH connections.

Host scaling

Azure Bastion supports manual host scaling. The number of host instances (scale units) can be configured to control the number of concurrent RDP/SSH connections Azure Bastion can support. Increasing the number of host instances lets Azure Bastion handle more concurrent sessions. Decreasing the number of instances reduces the number of supported concurrent sessions. Azure Bastion supports up to 50 host instances.
This feature is only available for the Azure Bastion Standard SKU.

Azure Bastion Use Cases

Now let’s list some possible use-cases. Azure Bastion can be very useful (but not limited) to these scenarios:

  1. Your Azure-based VMs are running in a subscription where you’re unable to connect via VPN, and for security reasons, you cannot set up a dedicated Jump-host within that VNet.
  2. You want to give developers access to a single VM without giving them access to additional services like a VPN or other things running within the VNet.
  3. You want to implement Just in Time (JIT) Administration in Azure. You can deploy and enable Bastion Host on the fly and as you need it.

Azure Bastion Pricing and Features

  1. Secure and seamless RDP and SSH access to your virtual machines.
  2. No Public IP exposure on the VM.
  3. Help limit threats such as port scanning and other types of malware targeting your VMs.
  4. Uses a modern HTML5-based web client and standard SSL ports. This makes Firewall and other security rules very easy to manage.
  5. Fixed charge for the service. This is the charge billed hourly for deploying the service. E.g. in an East US location, this charge is around $0.19 per hour.
  6. Outbound data transfer charges. This is the charge based on the total outbound data transfer. This is further tiered into various categories based on the total consumption.

Screenshot of Azure Bastion pricing.

How to Configure Azure Bastion?

1. Log into your Azure Portal and head to the search area. In the search box, search for Bastion. Go through the results and click on the Create button as soon as you see Bastion with Microsoft as its publisher.

2. Enter your usual details such as Subscription, Resource Group, Instance name, Region, and Virtual Network.

create 1

3. Once you reach the Subnet option, click on Manage Subnet Configuration.

manage subnets

4. Now, click on Add Subnet and create a subnet with the name AzureBastionSubnet and a prefix of /27 or larger. Make sure you use exactly this name.

create subnet

5. Head back over and select your Subnet on the Bastion creation page. Now you can opt to create a new Public IP address or use an existing one.

6. If you create a new one then provide a name and use Standard SKU.

ip add

7. Then click on Review+Create. Then click on Create after validation passes.

Voilà! Your Azure Bastion is ready.

Connect to the Virtual Machine

1. Go to Virtual Machines, select the VM you want to reach through the newly created Bastion host, and then click Connect > Bastion in the Overview section.

connect

2. Now click on Use Bastion and enter your credentials.

connect vm

You’re now logged in! Now a new browser window opens with the Virtual Machine on that tab.

Also, you can add NSGs to both your Bastion subnet as well as your VM subnets to further enhance security. Read the Azure documentation article “Working with NSG access and Azure Bastion” to get a leg up on which ports and protocols you need to allow to and from the Bastion subnet.
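The Bastion deployment steps above and the NSG advice in this closing paragraph, carried out with the Azure CLI as an added example that is not part of the original post or of Microsoft's documentation. The resource group, VNet, subnet names, address prefix and region are constructed placeholders; the script assumes the resource group, VNet and workload subnet already exist, and it checks the subnet against the /26 minimum stated in the architecture section before creating anything.

```shell
#!/bin/sh
# Added example (not from the original post): deploy Azure Bastion with the
# Azure CLI and restrict RDP/SSH on the workload subnet to AzureBastionSubnet.
# All names, prefixes and the region below are constructed placeholders.
set -eu

RG="rg-bastion-demo"                 # assumption: resource group already exists
LOCATION="eastus"
VNET="vnet-demo"                     # assumption: VNet and VM subnet already exist
VM_SUBNET="snet-workloads"
VM_SUBNET_NSG="nsg-workloads"
BASTION_SUBNET="AzureBastionSubnet"  # Bastion requires exactly this name
BASTION_PREFIX="10.0.1.0/26"         # assumption: unused range inside the VNet
BASTION_PIP="pip-bastion-demo"
BASTION="bas-demo"

# Succeeds (exit 0) only if the name is AzureBastionSubnet and the prefix
# length is 26 or smaller, i.e. the subnet is /26 or larger.
validate_bastion_subnet() {
    name=$1; cidr=$2
    [ "$name" = "AzureBastionSubnet" ] || return 1
    bits=${cidr##*/}
    [ "$bits" != "$cidr" ] || return 1            # no "/" in the prefix at all
    case $bits in *[!0-9]*|"") return 1;; esac    # prefix length must be numeric
    [ "$bits" -le 26 ]
}

# Steps 3-7 of the post: Bastion subnet, Standard-SKU public IP, Bastion host.
deploy_bastion() {
    validate_bastion_subnet "$BASTION_SUBNET" "$BASTION_PREFIX"
    az network vnet subnet create -g "$RG" --vnet-name "$VNET" \
        -n "$BASTION_SUBNET" --address-prefixes "$BASTION_PREFIX"
    az network public-ip create -g "$RG" -n "$BASTION_PIP" -l "$LOCATION" \
        --sku Standard --allocation-method Static
    az network bastion create -g "$RG" -n "$BASTION" -l "$LOCATION" \
        --vnet-name "$VNET" --public-ip-address "$BASTION_PIP" --sku Standard
}

# Workload-subnet NSG: allow 3389/22 only from the Bastion subnet, deny the
# same ports from every other source (a lower number is a higher priority).
lock_vm_subnet() {
    az network nsg create -g "$RG" -n "$VM_SUBNET_NSG" -l "$LOCATION"
    az network nsg rule create -g "$RG" --nsg-name "$VM_SUBNET_NSG" \
        -n AllowRdpSshFromBastion --priority 100 --direction Inbound \
        --access Allow --protocol Tcp --source-address-prefixes "$BASTION_PREFIX" \
        --destination-port-ranges 3389 22
    az network nsg rule create -g "$RG" --nsg-name "$VM_SUBNET_NSG" \
        -n DenyRdpSshFromOthers --priority 110 --direction Inbound \
        --access Deny --protocol Tcp --source-address-prefixes '*' \
        --destination-port-ranges 3389 22
    az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$VM_SUBNET" \
        --network-security-group "$VM_SUBNET_NSG"
}

if [ "${1:-}" = "apply" ]; then
    deploy_bastion
    lock_vm_subnet
else
    validate_bastion_subnet "$BASTION_SUBNET" "$BASTION_PREFIX" \
        && echo "Bastion subnet settings are valid; run '$0 apply' to deploy"
fi
```

Without the `apply` argument the script only validates the subnet settings, so it can be run before an `az login`; the Bastion subnet itself needs no NSG for this to work, as the post notes.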