Remember the way we used to log in to VMs hosted in our cloud platforms.
We open the RDP port (3389) from the portal and allow users to RDP indefinitely.
We might limit the source IP, but we have still opened direct connectivity to our VMs over the internet.
What are the risks associated with the traditional approach?
- Malicious parties can gain access to VMs, as the RDP port and protocol are well known
- There is no audit of the activity users are performing
- The VM is directly exposed to the internet
So, what are the workarounds we have been using so far?
- Change the RDP port to a custom port
- RDP jump box (users RDP to a jump box server and then RDP again to the desired VM)
Is there a permanent solution? Azure Bastion is the way to go.
What is Azure Bastion?
Azure Bastion is a managed service provided by Microsoft Azure. We add Bastion to our virtual network, where it works as a Network Virtual Appliance (NVA).
This lets users RDP or SSH to virtual machines without exposing those VMs to the internet, so the VMs do not need public IPs.
Azure Bastion provides the RDP or SSH session within the Azure Portal itself, over HTTPS.
How does it work?
When you create an Azure Bastion service, it creates a Virtual Machine Scale Set (VMSS) in a predefined subnet (AzureBastionSubnet). Because it is a VMSS, it can scale itself based on the RDP requests it needs to serve.
When a user chooses to connect to a VM using Azure Bastion:
- Bastion receives the request over HTTPS
- Bastion creates the RDP/SSH session internally to the desired VM (using the private IP of the VM)
- The response is sent back to the user over HTTPS
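As an added example (not code from the original post), here is the setup described above as an Azure CLI script: it checks and creates the AzureBastionSubnet, deploys the Bastion host, and then closes the direct internet path to RDP/SSH on the VM's NSG so only Bastion's private-IP path remains. The resource group, VNet, NSG names and the address prefix are constructed placeholders; the `/26` minimum and the fixed subnet name are Bastion's own deployment requirements.

```shell
#!/usr/bin/env sh
# Added example (not from the original post). Assumes an existing resource
# group, VNet and a VM NSG; all names and prefixes are placeholders.
set -eu

RG="${RG:-rg-bastion-demo}"              # hypothetical resource group
VNET="${VNET:-vnet-prod}"                # hypothetical virtual network
LOCATION="${LOCATION:-westeurope}"
VM_NSG="${VM_NSG:-nsg-vm-prod}"          # NSG on the target VM subnet
BASTION_PREFIX="${BASTION_PREFIX:-10.0.255.0/26}"

# Bastion will not deploy unless the subnet is named exactly
# AzureBastionSubnet and is a /26 or larger. Check before calling az.
bastion_subnet_ok() {
  local name="$1" prefix="$2"
  [ "$name" = "AzureBastionSubnet" ] || return 1
  case "$prefix" in */[0-9]|*/[0-9][0-9]) ;; *) return 1 ;; esac
  [ "${prefix##*/}" -le 26 ] || return 1
}

# Create the dedicated subnet, a Standard public IP (Bastion's only
# public endpoint, serving HTTPS/443) and the Bastion host itself.
deploy_bastion() {
  bastion_subnet_ok AzureBastionSubnet "$BASTION_PREFIX" || {
    echo "invalid Bastion subnet prefix: $BASTION_PREFIX" >&2; return 1; }
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name AzureBastionSubnet --address-prefixes "$BASTION_PREFIX"
  az network public-ip create --resource-group "$RG" --name pip-bastion \
    --location "$LOCATION" --sku Standard --allocation-method Static
  az network bastion create --resource-group "$RG" --name bas-prod \
    --vnet-name "$VNET" --public-ip-address pip-bastion --location "$LOCATION"
}

# With Bastion in place the VM no longer needs 3389/22 reachable from the
# internet. Bastion reaches the VM over its private IP from inside the
# VNet, which this rule does not block.
close_direct_rdp_ssh() {
  az network nsg rule create --resource-group "$RG" --nsg-name "$VM_NSG" \
    --name DenyRdpSshFromInternet --priority 100 --direction Inbound \
    --access Deny --protocol Tcp --source-address-prefixes Internet \
    --destination-port-ranges 3389 22
}

# Run as `sh bastion.sh deploy` to apply; without the argument it only
# defines the functions so the preflight check can be exercised.
if [ "${1:-}" = "deploy" ]; then
  deploy_bastion
  close_direct_rdp_ssh
fi
```

After the deny rule is in place, the VM's public IP can be removed entirely, which is the end state the post argues for.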