How to Implement Azure Bastion to Securely Access Azure Virtual Machines


When managing cloud-based virtual machines, securing administrative access is critical. Exposing RDP (3389) or SSH (22) directly to the internet widens the attack surface of every VM that listens on those ports. Azure Bastion provides a fully managed way to connect to Azure VMs without exposing those ports to the public internet.

What is Azure Bastion?

Azure Bastion is a PaaS service that lets you connect to your Azure Virtual Machines (VMs) over RDP or SSH directly from the Azure Portal, so the VMs need no public IP address and the RDP/SSH ports are never exposed beyond the virtual network.


Minimum Required RBAC Roles for Azure Bastion Access

To connect to a VM using Azure Bastion, the user must have the appropriate permissions. At a minimum, they will need the following role assignments:

  1. Reader role on the target VM: This grants read access to the VM, allowing the user to see the VM’s configuration but not modify it.
  2. Reader role on the network interface (NIC) associated with the VM’s private IP address: This ensures the user can read network information for the VM.
  3. Reader role on the Azure Bastion resource: This grants access to the Bastion host itself, allowing the user to initiate connections through Bastion.

If the VM is in a peered virtual network (cross-VNet connections), the following additional role assignment is required:

  1. Reader Role on the virtual network (VNet) of the target VM: This is necessary if you are connecting to a VM across VNet peering.
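The four role assignments above can be granted from the Azure CLI. The script below is an added example, not code from the original post: it looks up the VM, its NIC and the Bastion host, grants the three Reader assignments every Bastion user needs, and adds the VNet assignment only when the VM's subnet belongs to a different virtual network than the Bastion subnet (the peered-VNet case). It assumes the `az` CLI is installed and signed in (with the `bastion` extension where your CLI version needs it); the resource group, VM, Bastion and principal names are placeholders, and the `BASTION_RBAC_APPLY` switch is a convention of this script, not an Azure option.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): minimum Reader assignments for
# an Azure Bastion session. Placeholder names below must be replaced.
set -eu

RG="${RG:-rg-placeholder}"                 # placeholder resource group
VM_NAME="${VM_NAME:-vm-placeholder}"       # placeholder target VM
BASTION_NAME="${BASTION_NAME:-bastion-placeholder}"
ASSIGNEE="${ASSIGNEE:-user@example.com}"   # UPN or object id of the user/group

# An Azure subnet resource ID has the form '<vnet id>/subnets/<name>';
# dropping the suffix yields the ID of the virtual network that owns it.
vnet_id_from_subnet_id() {
  printf '%s\n' "${1%/subnets/*}"
}

# Exit 0 when the two VNet IDs differ (case-insensitive, as Azure IDs are),
# i.e. the VM is reached through VNet peering and needs the extra VNet Reader role.
is_cross_vnet() {
  [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" != "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# The exact az command used for one Reader assignment at one scope.
reader_assignment_cmd() {
  printf 'az role assignment create --assignee %s --role Reader --scope %s\n' "$1" "$2"
}

# Print the command for the audit trail, then run it.
assign_reader() {
  reader_assignment_cmd "$ASSIGNEE" "$1"
  az role assignment create --assignee "$ASSIGNEE" --role Reader --scope "$1" --output none
}

main() {
  vm_id=$(az vm show -g "$RG" -n "$VM_NAME" --query id -o tsv)
  nic_id=$(az vm show -g "$RG" -n "$VM_NAME" \
             --query 'networkProfile.networkInterfaces[0].id' -o tsv)
  vm_subnet_id=$(az network nic show --ids "$nic_id" \
                   --query 'ipConfigurations[0].subnet.id' -o tsv)
  bastion_id=$(az network bastion show -g "$RG" -n "$BASTION_NAME" --query id -o tsv)
  bastion_subnet_id=$(az network bastion show -g "$RG" -n "$BASTION_NAME" \
                        --query 'ipConfigurations[0].subnet.id' -o tsv)

  # 1-3: the assignments every Bastion user needs (VM, NIC, Bastion host).
  assign_reader "$vm_id"
  assign_reader "$nic_id"
  assign_reader "$bastion_id"

  # 4: only when the VM lives in a VNet peered with the Bastion VNet.
  vm_vnet_id=$(vnet_id_from_subnet_id "$vm_subnet_id")
  bastion_vnet_id=$(vnet_id_from_subnet_id "$bastion_subnet_id")
  if is_cross_vnet "$vm_vnet_id" "$bastion_vnet_id"; then
    assign_reader "$vm_vnet_id"
  fi
}

# Only talk to Azure when explicitly asked (BASTION_RBAC_APPLY=1), so the
# helper functions can be sourced and checked without a subscription.
if [ "${BASTION_RBAC_APPLY:-0}" = 1 ]; then
  main
fi
```

Run it as `BASTION_RBAC_APPLY=1 RG=... VM_NAME=... BASTION_NAME=... ASSIGNEE=... ./bastion-rbac.sh`. Scoping each assignment to the individual resource rather than to the resource group keeps the principal at the least privilege the Bastion connection actually needs; granting Reader at resource-group scope would work too but exposes the configuration of every other resource in the group.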


Deploying Your Own Agents (VMs) in Azure for Azure DevOps CI/CD Pipelines


Introduction

Continuous Integration (CI) and Continuous Deployment (CD) automate the testing and deployment of code, and Azure DevOps provides a platform for building such pipelines. While Azure DevOps offers Microsoft-hosted agents for running pipelines, there are scenarios where you need to run your own agents in Azure: a specific environment or toolchain, or pipelines that must run on-premises or inside a private network that hosted agents cannot reach. This blog post guides you through deploying your own agents in Azure for use with Azure DevOps CI/CD pipelines.

Why Deploy Your Own Agents?
  • Customization: You can customize your agents to have any software and configuration you need.
  • Performance: You can choose the size and performance characteristics of the VMs that host your agents.
  • Control: You have more control over the environment and can implement stricter security measures.
