Microsoft recently announced new SKUs for its Azure Bastion service: a Developer SKU that is now generally available (GA) after its public preview last year and a premium SKU being rolled out in a public preview.
Microsoft Azure Bastion is a fully managed Platform as a Service (PaaS) that offers seamless RDP and SSH connectivity to virtual machines accessed directly in the Azure portal. The Developer SKU is designed for Dev/Test users who need secure VM connections without requiring extra features, configuration, or scaling. The new premium SKU offers advanced recording, monitoring, and auditing capabilities for customers managing highly sensitive workloads.
With the Bastion Developer SKU, there's no need to allocate dedicated resources to the customer VNET. Instead, the service uses a shared pool of resources managed internally by Microsoft to provide secure connectivity to the customer's VMs. Users can access their VMs directly through the connect experience on the VM blade in the portal, with support for RDP/SSH on the portal and SSH-only for CLI sessions.
Isabelle Morris, a product manager of Azure Networking, explains in a Tech Community blog post:
"This service is designed to simplify and enhance the process of accessing your Azure Virtual Machines by eliminating the complexities, high costs, and security concerns often associated with alternative methods."
Overview of the Azure Bastion Developer SKU Architecture (Source: Microsoft Learn)
Aaron Tsang, product manager, Microsoft, writes about the public preview of the premium SKU:
"Our first set of features will focus on ensuring private connectivity and graphical recordings of virtual machines connected through Azure Bastion."
Azure Bastion's private-only deployment enables inbound connections using a private IP address, which is beneficial for customers seeking to minimize public endpoints or adhere to strict organizational policies. This allows private connectivity from on-premises to Azure virtual machines when using ExpressRoute private peering.
Overview of the Azure Bastion Private Only Deployment (Source: Microsoft Learn)
The private-only deployment feature received positive feedback from the community. Joe Parr comments:
"A key feature for me is the private-only mode—no more internet-routable deployments of Bastion."
The graphical session recording in Azure Bastion visually records all virtual machine sessions, storing them in a customer-designated storage account for direct viewing in the Azure Bastion resource blade. This feature provides added monitoring for virtual machine sessions, allowing customers to review recordings if any anomalies occur. According to Aquib Qureshi, a technology specialist at Microsoft, the feature was one of the most requested.
Lastly, Azure Bastion pricing is based on hourly rates determined by SKUs, instances (scale units), and data transfer fees. Hourly pricing commences upon Bastion deployment, irrespective of outbound data usage. The pricing page provides more details.