When managing cloud-based virtual machines, ensuring secure access is critical. Exposing RDP/SSH ports over the internet introduces potential security vulnerabilities. Azure Bastion provides a secure, fully managed solution to connect to Azure VMs without needing to expose these ports to the public internet.
What is Azure Bastion?
Azure Bastion is a PaaS service that allows you to securely connect to your Azure Virtual Machines (VMs) using RDP or SSH, directly from the Azure Portal without the need to expose these ports via a public IP.
Minimum Required RBAC Roles for Azure Bastion Access
To connect to a VM using Azure Bastion, the user must have the appropriate permissions. At a minimum, they will need the following role assignments:
- Reader role on the target VM: This grants read access to the VM, allowing the user to see the VM’s configuration but not modify it.
- Reader role on the network interface (NIC) associated with the VM’s private IP address: This ensures the user can read network information for the VM.
- Reader role on the Azure Bastion resource: This grants access to the Bastion host itself, allowing the user to initiate connections through Bastion.
If the VM is in a peered virtual network (cross-VNet connections), the following additional role assignment is required:
- Reader Role on the virtual network (VNet) of the target VM: This is necessary if you are connecting to a VM across VNet peering.
Assigning Roles at Different Scopes
Azure RBAC roles can be assigned at various levels, and you can scope these roles depending on the organizational need:
- Management Group: Grants access at a broad level across multiple subscriptions.
- Subscription: Grants access across all resources within a specific Azure subscription.
- Resource Group: Restricts access to all resources within a specific resource group.
- Resource: Grants access to individual resources like a specific VM, NIC, or VNet.
Best Practices for Role Assignment
- It’s recommended to apply roles at the Subscription or Resource Group level, which makes it easier to manage access without over-provisioning permissions.
- Always follow the least privilege principle: Only give users the access they need to perform their tasks.
Step-by-Step Guide to Implement Azure Bastion
Prerequisites:
- Azure Subscription.
- A Virtual Network (VNet) where your virtual machines are deployed.
- An Azure Virtual Machine (Windows/Linux) in the same VNet that you want to connect to.
Step 1: Create a Virtual Network and Deploy Azure Bastion
- In the Azure Portal, search for “Virtual Networks” and click “Create”.
- Fill in the required fields:
  - Subscription: Select your subscription.
  - Resource Group: Choose an existing resource group or create a new one.
  - Name: Provide a name for the virtual network.
  - Region: Select the region where you want to deploy the VNet.
- Navigate to the Security tab and enable Azure Bastion. You will be prompted to:
  - Provide a Name for the Bastion Host.
  - Choose whether to create a new public IP or select an existing public IP.
- In the IP Addresses tab:
  - Define the Address Space for your network (e.g., 10.0.0.0/16).
  - Add a Subnet for your VMs (e.g., VM-Subnet with an IP range like 10.0.1.0/24).
  - Azure will automatically create the AzureBastionSubnet with the required /27 subnet and associate the Bastion Host with the VNet.
- Click Review + Create, and then Create.
Step 2: Assign RBAC Roles for Azure Bastion Access
- Assign the Virtual Machine User Login role:
  - Go to the Virtual Machine you want to grant access to.
  - In the left-hand menu, click Access Control (IAM).
  - Click Add, then select Add role assignment.
  - In the Role dropdown, select Virtual Machine User Login.
  - Assign the role to the appropriate Azure AD user or group.
  - Important: For the least privilege model, assign these roles at the Resource Group level containing the VMs, NICs, and Bastion.
- Assign the Reader roles:
  - Reader Role on the VM: Follow the same steps as above to assign the Reader role on the VM.
  - Reader Role on the Network Interface (NIC): Assign the Reader role on the NIC resource associated with the VM.
  - Reader Role on the Azure Bastion Host: Assign the Reader role on the Azure Bastion resource itself.
  - If peered VNets are involved, assign the Reader Role on the VNet of the target VM.
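The Reader assignments listed in the RBAC section and in Step 2, as an Azure CLI script for a group rather than portal clicks (an added example, not from the original post). It assumes the Azure CLI is installed and logged in, that the VM and Bastion host share a resource group, and that the subscription id, resource group, resource names and group object id are values you supply; set AZ_CMD=echo to print the commands instead of running them.

```shell
# Added example, not from the original post: grant one Azure AD group the
# minimum Reader roles the post lists (VM, NIC, Bastion host, and the target
# VNet only when peering is involved), scoped to the individual resources.
# Set AZ_CMD=echo to dry-run and review the commands before running them.
set -eu
AZ_CMD="${AZ_CMD:-az}"

# Build an ARM resource id from subscription, resource group, provider type and name.
resource_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/%s/%s' "$1" "$2" "$3" "$4"
}

# assign_role GROUP_OID ROLE SCOPE: one role assignment for a group at one scope.
assign_role() {
  "$AZ_CMD" role assignment create \
    --assignee-object-id "$1" --assignee-principal-type Group \
    --role "$2" --scope "$3"
}

# grant_bastion_access SUB RG VM BASTION GROUP_OID [VNET_RG VNET]
# The VNet arguments are only needed when the VM sits in a peered VNet.
grant_bastion_access() {
  sub="$1"; rg="$2"; vm="$3"; bastion="$4"; group_oid="$5"
  vnet_rg="${6:-}"; vnet="${7:-}"
  vm_scope=$(resource_scope "$sub" "$rg" Microsoft.Compute/virtualMachines "$vm")
  bastion_scope=$(resource_scope "$sub" "$rg" Microsoft.Network/bastionHosts "$bastion")
  if [ "$AZ_CMD" = az ]; then
    # Read the real NIC id from the VM's network profile.
    nic_scope=$(az vm show --ids "$vm_scope" \
      --query 'networkProfile.networkInterfaces[0].id' -o tsv)
  else
    # Dry run: no CLI available, so assume the NIC is named <vm>-nic (placeholder).
    nic_scope=$(resource_scope "$sub" "$rg" Microsoft.Network/networkInterfaces "${vm}-nic")
  fi
  assign_role "$group_oid" Reader "$vm_scope"
  assign_role "$group_oid" Reader "$nic_scope"
  assign_role "$group_oid" Reader "$bastion_scope"
  if [ -n "$vnet" ]; then
    assign_role "$group_oid" Reader \
      "$(resource_scope "$sub" "$vnet_rg" Microsoft.Network/virtualNetworks "$vnet")"
  fi
}
```

The Virtual Machine User Login assignment from Step 2 uses the same assign_role helper with that role name in place of Reader.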
Step 3: Connect to Your Virtual Machine Using Bastion
Once all the necessary permissions are assigned, the user can securely connect to the VM via Azure Bastion.
- Navigate to the Virtual Machine you want to connect to in the Azure Portal.
- Click Connect, and from the drop-down menu, select Bastion.
- Click Use Bastion.
- Enter your VM’s login credentials.
- Click Connect.
Leveraging the Public DNS Entry for Bastion
Azure automatically generates a public DNS entry for your Bastion host. The DNS name is in the format:
<your-bastion-name>.<region>.azurebastion.net
This DNS entry can be used in automation scripts or tools outside of the Azure Portal to access the Bastion host and manage connections.
Best Practices
- Always assign RBAC roles to Azure AD groups instead of individual users. This simplifies management and helps in adhering to the least privilege principle.
- Regularly review group memberships and role assignments to ensure access is up-to-date and secure.
- Follow the least privilege principle by granting users the minimum necessary access to perform their tasks, particularly when managing critical resources like VMs and VNets.
Conclusion
Azure Bastion is a powerful tool for securing access to your Azure VMs. By assigning the appropriate RBAC roles and adhering to best practices like least privilege and group-based role assignments, you can keep access both secure and manageable. Always ensure that the required Reader roles are assigned on the VMs, network interfaces, and Bastion resources so that users can connect without being given unnecessary administrative access.
Feel free to leave a comment if you have any questions or need additional guidance on implementing Azure Bastion!