Azure Bastion news
In this short blog post, I describe the different SKUs of Azure Bastion and their functionalities. I also describe the new features for the “Standard” SKU like
!Important! Both features are in preview.
Azure Bastion is the most important service when it comes to remote connections without a VPN connection or something similar. Azure Bastion works as a reverse proxy and is fully integrated into the Azure Portal. You can connect to VMs (port 3389 or 22) hosted in Azure that are connected to the same vNet directly or to a peered vNet.
I love that feature and often implement it in my customer environments because it’s
But there is also a downside: Azure Bastion is not the cheapest service; for the Basic SKU you pay around 140€/month excluding egress traffic. From the other perspective, it’s a fully managed service, and you pay for a service with the characteristics above.
Okay, let’s cover the new preview features. Before we start, we have to look at the different SKUs that are available. Azure Bastion comes with two different SKUs, the
Here is a short overview of the differences between both SKUs.
| Feature | Basic SKU | Standard SKU |
| --- | --- | --- |
| Connect to target VMs in peered virtual networks | Available | Available |
| Access Linux VM private keys in Azure Key Vault (AKV) | Available | Available |
| Specify custom inbound port | N/A | Available |
| Connect to Linux VM using RDP | N/A | Available |
| Connect to Windows VM using SSH | N/A | Available |
Today we want to have a look at the two new preview features presented above. Both are in preview and available for the “Standard” SKU. Okay, so let’s start with the first one.
IP based connection
A cool new feature. In the past, and with the “Basic” SKU, you can only connect to VMs hosted in Azure and connected to the same or a peered vNet. With the new SKU and the new preview feature, you are now able to connect by IP address to VMs that are reachable from the Azure Bastion host. A huge investment and, from my point of view, the perfect way to bring the Azure Bastion host into a hybrid cloud scenario. The next preview feature is also very interesting.
Native client support
Okay, so let’s start with the past. In the past, and with the “Basic” SKU, you can only connect to VMs in Azure through an HTML-compatible browser, which all current browsers are. But with the “Standard” SKU you are now able to connect with the native Windows client (MSTSC) to the VM over its private IP.
Private IP, how should that work without a VPN?
It will, trust me. But before we can do this, we have to enable that feature during deployment or on existing “Standard” SKU environments. You can find the setting in the “Configuration” section of Azure Bastion.
Then we have to install the latest Azure CLI version. You can find it here.
When everything is installed and configured, we use the Azure CLI to connect to the VM over its private IP. To do this, open the command line and execute the following commands first:
az login
az account list
az account set --subscription "<subscription ID>"
The commands above log you in to Azure AD, list all subscriptions and select the subscription where the Azure Bastion service is deployed. With the following commands, you can connect to a Linux or Windows VM over its private IP.
Connect to Linux VM:
az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>" --auth-type "AAD"
Connect to Windows VM:
az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>"
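As an added example (not code from the post), a small Python preflight that models the checks behind the procedure above: confirm the Bastion host is Standard SKU with native client support enabled, then build the `az network bastion ssh`/`rdp` command for a Linux or Windows target addressed by its full resource id. The sample JSON is constructed, and `enableTunneling` is assumed to be the property name that the Configuration toggle sets on the Bastion resource.

```python
import json
from typing import List, Tuple

# Constructed sample: abbreviated `az network bastion show -n bastion-hub -g rg-hub -o json`
BASTION_JSON = """{
  "sku": {"name": "Standard"},
  "enableTunneling": true,
  "enableIpConnect": false
}"""

# Constructed sample: abbreviated `az vm show -n vm-linux01 -g rg-app -o json`
VM_JSON = """{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-linux01",
  "storageProfile": {"osDisk": {"osType": "Linux"}}
}"""


def native_client_ready(bastion_json: str) -> Tuple[bool, str]:
    """Return (ok, reason). Native client connections need the Standard SKU with
    native client support on; `enableTunneling` is the assumed ARM property name."""
    bastion = json.loads(bastion_json)
    sku = bastion.get("sku", {}).get("name", "Basic")  # Basic if the SKU block is missing
    if sku != "Standard":
        return False, "SKU is %s; native client support requires Standard" % sku
    if not bastion.get("enableTunneling", False):  # absent means the toggle was never enabled
        return False, "native client support (enableTunneling) is disabled in Configuration"
    return True, "ok"


def bastion_connect_cmd(bastion_name: str, resource_group: str, vm_json: str) -> List[str]:
    """Build the command from the post: `ssh` with AAD auth for Linux, `rdp` for Windows.
    The target is always the full VM resource id, never a bare VM name."""
    vm = json.loads(vm_json)
    vm_id = vm["id"]
    if not vm_id.startswith("/subscriptions/"):
        raise ValueError("target must be a full resource id: " + vm_id)
    os_type = vm["storageProfile"]["osDisk"]["osType"]
    cmd = ["az", "network", "bastion", "ssh" if os_type == "Linux" else "rdp",
           "--name", bastion_name, "--resource-group", resource_group,
           "--target-resource-id", vm_id]
    if os_type == "Linux":
        cmd += ["--auth-type", "AAD"]
    return cmd


if __name__ == "__main__":
    ok, reason = native_client_ready(BASTION_JSON)
    print("preflight:", reason)
    if ok:
        print(" ".join(bastion_connect_cmd("bastion-hub", "rg-hub", VM_JSON)))
```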
There are some other requirements. To connect to a VM you need one of the following RBAC permissions.
As mentioned above, I love the Azure Bastion service, and now there are different SKUs available. For the basics, the Basic SKU is, from my point of view, enough, but for enterprise environments you have to consider the “Standard” SKU because you get many more features and auto-scaling options.
Get more information on my channels
Feel free to write me an E-Mail or ping me on the social channels listed below.