Traditional management of jump servers in the cloud is painful: it takes a lot of work to set one up and even more to keep it running.
To keep external attackers out, a jump server has to be fully locked down and hardened: aggressive block-lists for applications and IP addresses, 2FA, no standing admin rights, auditing, and, if possible, an automated rebuild of the host every other day so that nothing persists on it.
I know a lot of you out there rely on “jump servers” and are not very serious about their day-to-day operational management. Many SMB-segment companies have been attacked through poorly managed jump servers. To bring those problems under control and make access more controllable, Microsoft introduced Azure Bastion last year as a replacement for the traditional jump-server architecture.
Azure Bastion is a fully managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS, which eliminates the need to expose the VMs' RDP and SSH ports to the internet. Since the initial release, the service has been adopted by many Azure customers and has received good feedback.
Moreover, a Bastion host is very easy to set up with a few clicks, and the service is ready within a few minutes of deployment. Bastion-type services are also available in other clouds with different feature sets.
Azure Bastion key characteristics and what it offers Azure customers:
- No public IP required on the VMs.
- Remote sessions over TLS on port 443, so RDP/SSH traffic traverses firewalls that only allow HTTPS.
- Agentless: no additional software is required on the VMs.
- Internally it is a VM scale set that can expand as the number of connections grows.
- Hardened centrally; protects against port scanning, zero-day exploits and malware.
- An additional security layer can be added with NSGs: put one on the target VM subnets so that RDP/SSH is accepted only from the AzureBastionSubnet address range and denied from the Internet. If you also attach an NSG to the AzureBastionSubnet itself, it must allow the inbound HTTPS and GatewayManager traffic and the outbound RDP/SSH and Azure control-plane traffic documented for the service, otherwise the deployment fails.
- Access to Windows Server VMs through Azure Bastion does not require an RDS CAL when used solely for administrative purposes.
- As the name implies, a “bastion” is the fortified entry point into your Azure VM estate.
High-level architecture:
This figure shows the architecture of an Azure Bastion deployment, aligned with the characteristics listed above.
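The architecture above, written out as a deployable Bicep template. This is an added example and not code from the original post or from Microsoft's docs; the VNet name, address ranges and resource names are hypothetical, and it assumes the resource group already exists. It creates the mandatory AzureBastionSubnet, a Standard static public IP for the Bastion host, and an NSG on the VM subnet that accepts RDP/SSH only from the Bastion subnet's address range and explicitly denies the same ports from the Internet, so the VMs need no public IP at all.

```bicep
// Added example (not from the original post): Azure Bastion plus a locked-down VM subnet.
// Assumptions (hypothetical): resource group exists; names and CIDRs below are placeholders.
param location string = resourceGroup().location
param vnetName string = 'hub-vnet'
param vnetPrefix string = '10.0.0.0/16'
// The Bastion subnet must be named exactly "AzureBastionSubnet"; /26 satisfies the current minimum size.
param bastionSubnetPrefix string = '10.0.255.0/26'
param vmSubnetPrefix string = '10.0.1.0/24'

// NSG for the VM subnet: RDP/SSH only from the Bastion subnet, nothing from the Internet.
resource vmNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'vm-subnet-nsg'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowRdpSshFromBastionSubnet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: bastionSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [
            '22'
            '3389'
          ]
        }
      }
      {
        // Explicit deny so a later, lower-priority "allow any" cannot reopen the ports by accident.
        name: 'DenyRdpSshFromInternet'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [
            '22'
            '3389'
          ]
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        vnetPrefix
      ]
    }
    subnets: [
      {
        name: 'AzureBastionSubnet' // mandatory, case-sensitive name; no NSG attached here
        properties: {
          addressPrefix: bastionSubnetPrefix
        }
      }
      {
        name: 'vm-subnet'
        properties: {
          addressPrefix: vmSubnetPrefix
          networkSecurityGroup: {
            id: vmNsg.id
          }
        }
      }
    ]
  }
}

// Reference to the Bastion subnet created above, so the host gets an implicit dependency on the VNet.
resource bastionSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: vnet
  name: 'AzureBastionSubnet'
}

// Bastion needs a Standard-SKU static public IP; this is the only public IP in the design.
resource bastionPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'hub-bastion-pip'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

resource bastion 'Microsoft.Network/bastionHosts@2023-05-01' = {
  name: 'hub-bastion'
  location: location
  sku: {
    name: 'Basic'
  }
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig'
        properties: {
          subnet: {
            id: bastionSubnet.id
          }
          publicIPAddress: {
            id: bastionPip.id
          }
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file bastion.bicep`. After deployment, the check worth running is that no VM NIC in `vm-subnet` carries a public IP and that the NSG's effective rules on a VM NIC (`az network nic list-effective-nsg`) show 22 and 3389 allowed only from the Bastion subnet prefix.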
What's planned next – feature updates (no dates yet, but in the pipeline):
- A Bastion host currently has to be deployed in each VNet; it does not yet support VNet peering. An upcoming product update is expected to add peering support.
- Azure AD SSO integration.
- Currently Bastion can only be accessed through the Azure portal (an HTML5 browser); support for native RDP/SSH clients is expected soon.
- Full RDP session recording for auditing.
Sources:
Bastion overview – https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
Bastion pricing – https://azure.microsoft.com/en-us/pricing/details/azure-bastion/
Create a Bastion host – https://docs.microsoft.com/en-us/azure/bastion/bastion-create-host-portal