Azure Bastion vs Windows Virtual Desktop

Azure Virtual Desktop and Bastion

I am playing around with my setup and currently have an Azure Virtual Desktop environment set up. There are concurrent sessions set up on our Windows 10 instances so as to facilitate staff working. I am looking to make it more secure and include Bastion in the process. Does Bastion facilitate multiple concurrent user sessions, or is it restricted to one user per VM? I am trying to weigh the pros and cons of it.

Tags: azure-virtual-machines, azure-virtual-desktop, azure-bastion


PierreLucGiguere-5297 answered Sep 24, '21 | JevonDavis-1810 commented Sep 24, '21

Hi Davis,

It can support multiple connections to the same host.

Bastion connectivity to Azure Virtual Desktop is not supported.

Source: //docs.microsoft.com/en-us/azure/bastion/bastion-faq#peering

Bastion is aimed toward administration of IaaS VMs, not toward facilitating end users' work.

When you configure Azure Bastion using the Basic SKU, two instances are created. If you use the Standard SKU, you can specify the number of instances. [...] Each instance can support 10-12 concurrent RDP/SSH connections. The number of connections per instance depends on what actions you are taking when connected to the client VM. For example, if you are doing something data intensive, it creates a larger load for the instance to process. Once the concurrent sessions are exceeded, an additional scale unit [instance] is required.

Source: //docs.microsoft.com/en-us/azure/bastion/configuration-settings#instance

I do not believe that this is the product you are looking for.

You might want to consider using Azure Firewall and AppLocker. May I suggest an excellent Learning Path: Deliver remote desktops and apps with Azure Virtual Desktop

//docs.microsoft.com/en-us/learn/paths/m365-wvd/

Don't forget to mark this answer if it helped you.


JevonDavis-1810 · Sep 24, 2021 at 08:29 PM

Thank you! The alternative is welcomed also. Also, are load balancers the best option for my Virtual Machines within AVD to have one public IP? Trying to just use the private IPs for connections.


AlanKinane JevonDavis-1810 · Sep 24, 2021 at 08:38 PM

Take a look at RDP Shortpath for AVD, still in preview currently, however: //docs.microsoft.com/en-us/azure/virtual-desktop/shortpath


JevonDavis-1810 AlanKinane · Sep 24, 2021 at 08:40 PM

Thanks! This helps.


AlanKinane answered Sep 24, '21

Azure Bastion is only used for administrative purposes; you can't use it to provide user access to Azure Virtual Desktop - //docs.microsoft.com/en-us/azure/bastion/bastion-faq#does-bastion-support-connectivity-to-azure-virtual-desktop

In terms of administrative access, you can have 10-12 concurrent sessions per instance of Azure Bastion across all of your VMs - //docs.microsoft.com/en-us/azure/bastion/configuration-settings#instance


Microsoft Azure – RDP to Azure Virtual Machines using Azure Bastion

In this article, we will learn how to make an RDP (Remote Desktop Protocol) or SSH (Secure Shell) connection to an Azure VM using Azure Bastion. First, let's discuss Azure Bastion.

The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. Once it is deployed in a virtual network, it can be used to RDP/SSH to your VMs without exposing those VMs through public IPs. Internally, Azure Bastion is a VM scale set, and it has the capability to resize itself as more sessions come in. Azure Bastion always gives an RDP/SSH session on the target VM's private IP address.

To set up this Bastion service, we need to create a Linux or Windows virtual machine. Since a public IP address and open public inbound ports are not required on the VM, there is no need to create a public IP address for it or to open public inbound ports. Let's start with a Linux virtual machine.

Prerequisite:

  1. Azure account
  2. A Virtual Machine on Azure Portal

Steps to use Bastion with a Linux VM:

Step 1: Go to portal.azure.com and sign in. Also, create a Linux VM with SSH public key. I have created ‘Test-VM-Linux-00’ where Image is Ubuntu Server 20.04 LTS- Gen 1. On the overview tab, click on connect and select ‘Bastion’.


Step 2: Click on ‘Use Bastion’. First, we will set up Bastion.

Step 3: On the next page, it shows the address space, and we can choose the respective address space. I chose the default address space. Then create a Bastion subnet. Choose the address space for the Bastion subnet and select an NSG (Network Security Group) if needed.

Step 4: On the next page, create the Bastion and give it a name. Select the Tier, Public IP address name, and Resource group. Click on 'Create Azure Bastion using defaults'. To customize the default settings of Azure Bastion, use the other option, 'I want to configure Azure Bastion on my own'.

Step 5: Once the Provisioning state is Succeeded, log in to the VM with the username and the downloaded private key. Click on Connect.

Step 6: The Linux Virtual machine will open in the next tab.

Azure Bastion on Windows VM:

  • Go to portal.azure.com and sign in. Also, create a Windows Virtual Machine. I have created “Test-VM-00” where the image is Windows 10 Pro, Version 20H2 – Gen 1. On the overview tab, click on connect and select ‘Bastion’.

  • Similarly, repeat steps 2-5 for the Windows machine too. The Windows machine will open in the next tab.


RDP using a Private IP address across a Site to Site VPN

The ideal form of RDP connection is RDP across a Site-to-Site VPN connection. This keeps your communication with the Virtual Machine off the public internet, granting protection against port scanning, brute force and DDoS attacks. With a VPN gateway from the Azure network to the on-premises network, Azure VMs can be RDP'ed to using a private IP address, protected from the prying eyes of the public internet.

The public IP address can be removed altogether if you don't need it. If you do need to use it for something, the RDP port (usually 3389) will be closed. This is an effective and seamless approach to connecting to Azure VMs without public IP addresses, reducing the threat of attacks.

However, if you don’t have a Site to Site VPN to your Azure network, there are other options.

Lock down RDP to a source IP or IP Range

The default RDP port, 3389, allows RDP connections from any IP in the world. When enabled, it is therefore a security risk. You can mitigate this by restricting RDP access to a specified source IP address or range with Azure NSGs (Network Security Groups).

Every Virtual Machine will have its own NSG when deployed through Azure. You should apply these two Inbound Port rules:

  • Allowing RDP from a specific IP address or range
  • Denying all other RDP traffic

Pros: This effectively reduces outside threats by only allowing the specified on premises machines to RDP into the Azure Virtual Machines.

Cons: The port is still visible on the internet. This method is best suited for smaller organizations and also involves management of Network Security Group port rules.

Just-in-time VM access:

Brute force attacks can take days and even weeks to complete. An astounding number of attempts need to be made to connect through the RDP/SSH ports. So if you only have the port open when you need it, you reduce the vulnerability. Just-in-time [JIT] VM access only opens the ports when you need them and locks them down to your IP address / range. After you have finished what you were doing on the VM, it closes the port again.

You can enable JIT easily from Azure Security Center, configure it through an Azure Virtual Machine blade or configure a JIT policy on a VM programmatically.

Pros: Reduces the risk of successful brute force attacks, as the port is only open when you need it.

Cons: You still need to open port 3389 to public internet leaving you vulnerable within the allotted time frame.
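The NSG lock-down pair above and the JIT time window both come down to how Azure evaluates inbound rules: ascending priority number, first match wins, with the platform's DenyAllInBound rule (priority 65500) as the fallback. The model below is an added example, not code from the page or from Azure; the rule names, the RFC 5737 office range and the JIT expiry are constructed, and JIT is represented as an allow rule that stops matching once its window has passed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

RDP_PORT = 3389

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                        # lower number is evaluated first
    access: str                          # "Allow" or "Deny"
    source: str                          # CIDR, or "*" for any source
    dest_port: Optional[int]             # None matches any port
    expires: Optional[datetime] = None   # set only on the temporary JIT rule

def _matches(rule, src_ip, port, now):
    if rule.expires is not None and now >= rule.expires:
        return False  # JIT window closed: the temporary rule is gone
    if rule.source != "*" and ip_address(src_ip) not in ip_network(rule.source):
        return False
    return rule.dest_port is None or rule.dest_port == port

def evaluate(rules, src_ip, port, now=None):
    """First matching rule wins; DenyAllInBound (65500) is the built-in fallback."""
    now = now or datetime.now(timezone.utc)
    fallback = Rule("DenyAllInBound", 65500, "Deny", "*", None)
    for rule in sorted([*rules, fallback], key=lambda r: r.priority):
        if _matches(rule, src_ip, port, now):
            return rule.name, rule.access  # fallback guarantees a return

def lockdown_rules(office_cidr, allow_priority=100, deny_priority=110):
    """The two inbound rules the text recommends; priorities are parameters
    so the effect of ordering the deny before the allow can be checked."""
    return [
        Rule("AllowRDPFromOffice", allow_priority, "Allow", office_cidr, RDP_PORT),
        Rule("DenyRDPFromAnywhere", deny_priority, "Deny", "*", RDP_PORT),
    ]

def jit_rule(src_ip, opened_at, hours=3):
    """Hypothetical stand-in for the time-limited allow rule JIT access adds."""
    return Rule("JITAllowRDP", 90, "Allow", f"{src_ip}/32", RDP_PORT,
                expires=opened_at + timedelta(hours=hours))

def demo_jit_window():
    """Same requester checked inside and after its JIT window: (inside, after)."""
    opened = datetime(2021, 9, 24, 20, 0, tzinfo=timezone.utc)  # constructed time
    rules = [jit_rule("198.51.100.7", opened), Rule("DenyRDP", 100, "Deny", "*", RDP_PORT)]
    inside = evaluate(rules, "198.51.100.7", RDP_PORT, now=opened + timedelta(hours=1))[1]
    after = evaluate(rules, "198.51.100.7", RDP_PORT, now=opened + timedelta(hours=4))[1]
    return inside, after
```

Swapping the two priorities (deny at 100, allow at 110) makes the deny shadow the allow, so the office range is locked out as well; that is the check worth running before applying the rules.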
