Azure Bastion: Complete Guide for SC-900 Exam
Azure Bastion is a fully managed Platform-as-a-Service (PaaS) that provides secure and seamless RDP (Remote Desktop Protocol) and SSH (Secure Shell) connectivity to your virtual machines directly through the Azure portal, over TLS (Transport Layer Security).
Why Azure Bastion is Important
In traditional environments, administrators often expose virtual machines to the internet by assigning public IP addresses and opening RDP or SSH ports. This creates a significant attack surface, making VMs vulnerable to brute-force attacks, port scanning, and other exploits of the management protocols. Azure Bastion removes this exposure by providing a managed gateway that sits between the user and the target VM, so RDP and SSH are never reachable from the internet.
Key reasons Azure Bastion matters:
- Eliminates public IP exposure: VMs no longer need public IP addresses for remote management, drastically reducing the attack surface.
- Protection against port scanning: Since VMs have no public IP and no internet-facing RDP/SSH port, internet-side port scans and brute-force attempts never reach them.
- Centralized hardening: Because Azure Bastion sits at the perimeter of your virtual network, you harden and monitor this single entry point rather than every individual VM.
- Managed, patched entry point: Microsoft operates and updates the Bastion host itself, so you are not responsible for patching a jump-box VM. This does not patch your target VMs: their operating systems still need updates, and a vulnerable service on a VM remains exploitable from inside the VNet. Bastion removes the internet exposure, not the OS bugs.
What Azure Bastion Is
Azure Bastion is a service you deploy inside your Azure Virtual Network (VNet). Once provisioned, it provides RDP and SSH access to all VMs within that VNet (and peered VNets, depending on the SKU) without the need for public IP addresses, agents, or special client software.
Key characteristics:
- PaaS service: Fully managed by Microsoft — no need to manage or patch a bastion host VM yourself.
- Browser-based access: You connect to your VMs directly from the Azure portal using an HTML5-based web client. No special VPN client or software is required.
- Deployed per VNet: Azure Bastion is deployed in a dedicated subnet called AzureBastionSubnet within your VNet.
- TLS encryption: All sessions from your browser to Azure Bastion are encrypted using TLS (port 443), ensuring secure transit of data.
- No public IP on VMs: Target VMs only need private IP addresses. Azure Bastion connects to them using their private IPs internally.
- NSG rules simplified: VM network security groups need no inbound RDP/SSH rule from the internet. Because the Bastion host lives inside the VNet, the default AllowVnetInBound rule already lets it reach the VMs; if you tighten VNet traffic, allow TCP 3389/22 from the AzureBastionSubnet address range only. If you attach an NSG to AzureBastionSubnet itself, it must carry the rules Microsoft documents for the service (including inbound 443 from Internet and GatewayManager, 8080/5701 within the VNet, and outbound 3389/22 to VirtualNetwork and 443 to AzureCloud), otherwise the host cannot function.
How Azure Bastion Works
Here is a step-by-step breakdown of how Azure Bastion operates:
1. Deployment: You create an Azure Bastion resource in a dedicated subnet named exactly AzureBastionSubnet (a /26 or larger) within your VNet, together with a static Standard-SKU public IP that is attached to the Bastion host. That public IP is the only one needed; your VMs keep private addresses only.
2. User Initiates Connection: An administrator navigates to the Azure portal, selects a virtual machine, and clicks Connect → Bastion. The user provides credentials (username and password or SSH key).
3. Secure TLS Session: The Azure portal establishes a TLS connection (over port 443) from the user's browser to the Azure Bastion service, so the browser-to-Bastion leg is encrypted in transit. TLS terminates at the Bastion host; the second leg is an ordinary RDP or SSH session inside the VNet, protected by those protocols' own encryption.
4. Internal Connection to VM: Azure Bastion then initiates an RDP or SSH session to the target VM using the VM's private IP address within the VNet. The VM never needs to be exposed to the internet.
5. Session Delivery: The RDP or SSH session is streamed back to the user's browser as an HTML5 session. The user interacts with the VM as if they were using a traditional RDP or SSH client, but entirely within the browser.
Key Architecture Points:
- Azure Bastion is the only resource that needs a public IP — the VMs remain entirely private.
- Traffic between Bastion and VMs travels over the Azure backbone network, never traversing the public internet.
- Azure Bastion relies on Azure RBAC to decide who may open a session (the user needs Reader on the VM, on its network interface, on the virtual network and on the Bastion resource) and on Microsoft Entra ID (formerly Azure Active Directory) for that identity. The credentials entered in the session are still the VM's own local or domain credentials, or an SSH key.
- It supports multiple SKUs. Basic and Standard are the two covered here (Microsoft has since added Developer and Premium tiers); the Standard SKU adds features such as native client support, IP-based connections, host scaling and shareable links.
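The NSG point above is where practitioners most often get the VM-side configuration wrong, so here is an added example (not from the original guide or from Microsoft) that models how an Azure NSG evaluates inbound rules: lowest priority number wins, and the platform default rules AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500) sit under every custom rule. It compares the "public IP plus open RDP/SSH" anti-pattern with a Bastion-only rule set that also denies RDP/SSH from other VMs in the VNet, and checks the AzureBastionSubnet name and /26 requirement. Service tags are approximated (Internet is anything outside the VNet address space, AzureLoadBalancer is 168.63.129.16), and the VNet range, subnet ranges, rule names and probe addresses are constructed for the example.

```python
"""NSG posture check for a VM subnet behind Azure Bastion (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET_SPACE = ip_network("10.0.0.0/16")       # constructed VNet address space
BASTION_SUBNET = ip_network("10.0.1.0/26")   # constructed AzureBastionSubnet range
AZURE_LB = ip_address("168.63.129.16")       # address behind the AzureLoadBalancer tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # 100-4096 for custom rules, 65000+ for platform defaults
    access: str            # "Allow" or "Deny"
    source: str            # CIDR or tag: "*", "Internet", "VirtualNetwork", "AzureLoadBalancer"
    dest_ports: frozenset  # TCP ports, or {"*"} for any port


# Platform default inbound rules present in every NSG (names and priorities as Azure uses them).
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", frozenset({"*"})),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", frozenset({"*"})),
    Rule("DenyAllInBound", 65500, "Deny", "*", frozenset({"*"})),
)


def source_matches(rule: Rule, src: str) -> bool:
    """Approximate service-tag semantics for a single source address (assumption)."""
    addr = ip_address(src)
    if rule.source == "*":
        return True
    if rule.source == "Internet":
        return addr not in VNET_SPACE
    if rule.source == "VirtualNetwork":
        return addr in VNET_SPACE
    if rule.source == "AzureLoadBalancer":
        return addr == AZURE_LB
    return addr in ip_network(rule.source)


def evaluate_inbound(custom_rules, src: str, port: int) -> tuple[str, str]:
    """Return (access, rule name) of the first rule that matches, lowest priority first."""
    for rule in sorted(list(custom_rules) + list(DEFAULT_INBOUND), key=lambda r: r.priority):
        if source_matches(rule, src) and ("*" in rule.dest_ports or port in rule.dest_ports):
            return rule.access, rule.name
    raise AssertionError("DenyAllInBound always matches")  # unreachable


def valid_bastion_subnet(name: str, prefix: str) -> bool:
    """Bastion requires the exact subnet name and a /26 or larger prefix."""
    return name == "AzureBastionSubnet" and ip_network(prefix).prefixlen <= 26


# Anti-pattern: the VM carries a public IP and RDP/SSH are opened to the whole internet.
EXPOSED_VM_RULES = [
    Rule("AllowRdpFromInternet", 100, "Allow", "Internet", frozenset({3389})),
    Rule("AllowSshFromInternet", 110, "Allow", "Internet", frozenset({22})),
]

# Bastion pattern: only AzureBastionSubnet may reach 3389/22. The explicit VNet deny is
# needed because AllowVnetInBound would otherwise let every VM in the VNet RDP to this one.
BASTION_ONLY_RULES = [
    Rule("AllowRdpSshFromBastion", 100, "Allow", str(BASTION_SUBNET), frozenset({3389, 22})),
    Rule("DenyRdpSshFromVnet", 200, "Deny", "VirtualNetwork", frozenset({3389, 22})),
]


def management_ports_reachable_from_internet(custom_rules) -> bool:
    """True if RDP or SSH would be allowed from an internet-side address (if a public IP existed)."""
    probe = "203.0.113.5"  # constructed public address from TEST-NET-3
    return any(evaluate_inbound(custom_rules, probe, p)[0] == "Allow" for p in (3389, 22))


if __name__ == "__main__":
    print("exposed rule set reachable from internet:", management_ports_reachable_from_internet(EXPOSED_VM_RULES))
    print("bastion-only rule set reachable from internet:", management_ports_reachable_from_internet(BASTION_ONLY_RULES))
    print("from Bastion subnet:", evaluate_inbound(BASTION_ONLY_RULES, "10.0.1.4", 3389))
    print("from another VM in the VNet:", evaluate_inbound(BASTION_ONLY_RULES, "10.0.2.7", 3389))
```

The second rule set is the one to reproduce on a real VM subnet: the Allow from the Bastion range must have a lower priority number than the VNet-wide Deny, and any rule that lets Internet or * reach 3389/22 is a finding regardless of whether Bastion is deployed.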
Azure Bastion SKUs
- Basic SKU: Supports browser-based RDP/SSH access to VMs in the same VNet and in peered VNets. Fixed at 2 instances, no host scaling.
- Standard SKU: Adds native client connections (Azure CLI `az network bastion rdp`, `ssh` and `tunnel`, so you can use your own RDP/SSH client through the tunnel), host scaling (2 to 50 instances), IP-based connections to any reachable private IP, shareable links, file transfer and connection on a custom port. Reaching VMs in peered VNets is not a Standard-only feature; both SKUs support it.
Benefits Summary
- No public IP addresses required on VMs
- No agent or special software required on VMs
- No NSG rules needed for inbound RDP/SSH from the internet
- Protection against port scanning and brute-force attacks
- Platform-managed and always up to date
- Seamless HTML5 browser experience through the Azure portal
- Integrated with Azure RBAC and identity management
Exam Tips: Answering Questions on Azure Bastion
1. Remember the core purpose: Azure Bastion provides secure RDP and SSH access to VMs without requiring public IP addresses on those VMs. If a question asks how to securely connect to a VM without exposing it to the internet, Azure Bastion is almost always the correct answer.
2. Know the key differentiator: Unlike a VPN Gateway or ExpressRoute (which provide network-level connectivity), Azure Bastion specifically provides remote management access (RDP/SSH) through the browser. If the question is about remote desktop or SSH access specifically, think Bastion.
3. PaaS, not IaaS: Azure Bastion is a fully managed PaaS service. You do not need to deploy, manage, or patch a VM to act as a jump box. If a question contrasts Bastion with a traditional jump server or bastion host VM, the advantage of Azure Bastion is that it is managed by Microsoft.
4. Subnet requirement: Azure Bastion must be deployed in a subnet named exactly AzureBastionSubnet. This is a commonly tested detail.
5. TLS over port 443: Azure Bastion uses TLS encryption over port 443 for browser-to-Bastion communication. This is important for questions about encryption and secure connectivity.
6. No public IP on VMs: This is the most frequently tested concept. Azure Bastion connects to VMs via private IP addresses only. If an exam question mentions eliminating public IPs from VMs while still allowing RDP/SSH, Azure Bastion is the answer.
7. Do not confuse with other services:
- Azure Firewall = network traffic filtering and threat protection
- VPN Gateway = site-to-site or point-to-site encrypted tunnels
- NSGs = network-level access control lists
- Azure Bastion = secure RDP/SSH access without public IPs
8. HTML5 browser-based: No special client software or VPN connection is needed. Access is provided through a standard web browser via the Azure portal. Questions may test whether additional software is required — the answer is no.
9. Scenario-based questions: Look for keywords like "securely connect to a VM," "without exposing to the internet," "no public IP," "remote management," or "RDP/SSH through the portal." These are strong indicators that Azure Bastion is the intended answer.
10. Scope of protection: Azure Bastion protects against internet-originated brute-force attacks and port scanning because the VMs are never directly reachable from the internet. It does not patch the VM operating system or stop an attacker who is already inside the VNet, so for questions about threat mitigation, tie Bastion to removing internet exposure of the management ports, not to blocking every exploit.
Quick Memory Aid: Think of Azure Bastion as a secure, managed front door that lets administrators into VMs through the Azure portal, while keeping all other doors (public IPs, open ports) completely closed.