In a recent blog post, Microsoft announced the preview of a secure remote desktop solution, called Azure Bastion, which does not require organizations to expose virtual machines using public IP addresses. The platform-as-a-service (PaaS) offering extends virtual machine connectivity using Remote Desktop Protocol (RDP) and Secure Shell (SSH) inside a modern web browser.
Enterprise organizations encounter competing forces when it comes to providing remote connectivity and a good experience to their users. Organizations either need to reduce security measures or force users to create multiple remote connections as they traverse multi-level networks. Yousef Khalidi, corporate vice president of Azure Networking, explains how Azure Bastion addresses remote connectivity challenges:
Azure Bastion is a new managed PaaS service that provides seamless RDP and SSH connectivity to your virtual machines over the Secure Sockets Layer (SSL). This is completed without any exposure of the public IPs on your virtual machines. Azure Bastion provisions directly in your Azure Virtual Network, providing a bastion host or jumpbox server as-a-service and integrated connectivity to all virtual machines in your virtual networking using RDP/SSH directly from and through your browser and the Azure portal experience. This can be executed with just two clicks and without the need to worry about managing network security policies.
Secure remote connectivity is important for manufacturing and asset-intensive industries where servers need to be segregated across lower-level networks. Microsoft already has organizations from these industry segments previewing this technology, Khalidi explains:
A German premium car manufacturer had concerns about exposing cloud virtual machines with RDP/SSH ports directly to the Internet due to the potential of experiencing a number of security and connectivity issues. During the preview of Azure Bastion, they were able to use RDP/SSH over SSL to our virtual machines which allowed them to traverse corporate firewalls effortlessly and at the same time, restrict Azure Virtual Machines to only private IPs.
Image source: https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-microsoft-azure-bastion/
The core capabilities in Azure Bastion include:
- RDP and SSH from the Azure Portal
- Remote session over SSL and firewall traversal for RDP/SSH
- No public IP address required on Azure Virtual Machines
- Simplified secure rules management
Organizations whose existing jumpbox(es) are exposed over the internet may have those machines subjected to port scans by malicious users. This is another scenario that is covered by Azure Bastion. Ammar Hasayen, a Microsoft MVP and blogger, explains why this is important:
A malicious user can use port scanning to discover this public IP and use a brute-force attack to compromise your jumpbox.
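As an added illustration (not code from the article or from Microsoft), a small audit over a constructed VM inventory that flags the exposure described above: a public IP combined with an inbound rule allowing RDP or SSH from the internet. The record shapes and field names are assumptions, and the check ignores NSG rule priority.

```python
# Added example, not from the article or Microsoft: flag the exposure that
# Azure Bastion removes, a VM with a public IP plus an inbound rule allowing
# RDP (3389) or SSH (22) from the internet. Field names are assumptions and
# the inventory below is constructed; NSG rule priority is ignored.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ADMIN_PORTS = {3389: "RDP", 22: "SSH"}
INTERNET_SOURCES = {"*", "0.0.0.0/0", "Internet"}  # "anyone" in this toy model

@dataclass
class Rule:
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    source: str      # CIDR, "*" or a service tag such as "Internet"
    dest_port: str   # "22", "3000-4000" or "*"

@dataclass
class VM:
    name: str
    public_ip: Optional[str]           # None means private IP only
    rules: List[Rule] = field(default_factory=list)

def port_in_range(port: int, spec: str) -> bool:
    """True if `port` matches an NSG-style port spec ('*', '22', '20-25')."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def exposed_services(vm: VM) -> List[str]:
    """Admin protocols reachable from the internet on this VM.
    Without a public IP there is no internet-facing surface to report."""
    if vm.public_ip is None:
        return []
    return [proto for port, proto in ADMIN_PORTS.items()
            if any(r.direction == "Inbound" and r.access == "Allow"
                   and r.source in INTERNET_SOURCES
                   and port_in_range(port, r.dest_port) for r in vm.rules)]

def audit(vms: List[VM]) -> Dict[str, List[str]]:
    """Map each VM name to the admin services it exposes to the internet."""
    return {vm.name: exposed_services(vm) for vm in vms}

# Constructed inventory: one internet-facing jumpbox, one private-only VM
INVENTORY = [
    VM("jumpbox01", "203.0.113.10", [Rule("Inbound", "Allow", "*", "3389"),
                                     Rule("Inbound", "Allow", "Internet", "22")]),
    VM("app01", None, [Rule("Inbound", "Allow", "3389", "3389")]),
]
```

The private-only VM is not reported even though its rule would allow RDP, which is the posture Azure Bastion lets organizations keep for every VM.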
Another capability included in Azure Bastion is virtual machine hardening, which protects against zero-day exploits. This is possible because Azure Bastion is a managed service that is patched automatically and kept up to date against known vulnerabilities.
From a roadmap perspective, Microsoft is focusing on adding additional security measures, including Azure Active Directory identities and Azure Multi-Factor Authentication, Khalidi explains:
The future brings Azure Active Directory integration, adding seamless single-sign-on capabilities using Azure Active Directory identities and Azure Multi-Factor Authentication, and effectively extending two-factor authentication to your RDP/SSH connections. We are also looking to add support for native RDP/SSH clients so that you can use your favorite client applications to securely connect to your Azure Virtual Machines using Azure Bastion, while at the same time enhance the auditing experience for RDP sessions with full session video recording.
Organizations can sign up for the public preview for Azure Bastion from the Azure Portal.