What is a Bastion Host?

Author by Paul Harris

What is a Bastion Host?

While “Bastion” may not be the most common name for this, a Jump box or Jump host is something you have likely heard of and used before. It provides a point of entry for administrative tasks from a public/external network to a private/internal network. This allows you to only need to harden the Bastion machines for remote access, instead of all the machines in the private area of your network.

See  below network diagram for a visual representation of how this looks:

1.png

Azure Bastion Service

Normally the actual Bastion hosts are separate VMs administrators need to create and maintain in Azure. Now, Azure has a fully managed service to take out some of the work. This is very simple to setup. Navigate to the Bastions page in the Azure Portal. To use this with an existing VNet, your network must contain a subnet named AzureBastionSubnet with a prefix of at least /27.

 

2.png

 

Once the deployment is finished, navigate to one of your VMs in a private subnet and click the Connect button. A new slide out opens, and a tab for Bastion appears. Enter your login credentials for your VM and hit connect.

3.png

 

A new window will open in your web browser and you will be provided regular RDP access to your VM! This session is secured via SSL (over port 443) and uses a modern HTML5 web client.

 

Cost and Other Information

-When using this service, the cost is going to be that of the Azure Bastion service at $0.095 per hour and that of Outbound Data Transfer. The first 5GB per month is free.

-When using the Azure Bastion service to connect to your VMs, you do not need to worry about port scanning as you are not exposing any servers to the public internet.

-Since this is a managed service, Azure keeps the Bastion service up to date against the latest threats for you. No need to patch the service however, be sure to keep the VMs you are managing as up to date as possible.   

-File transfer between your computer and the server you are connecting to with Azure Bastion is currently not supported but will be added in the future.

 

For more information please refer to the current Microsoft docs: Azure Bastion.

Tags in this Article