\n\nThis page has been machine-translated from the original page.
\n
While studying for AZ-500, I learned that Azure Bastion lets you remotely access Azure VMs over RDP or SSH without assigning them a public IP address.
\nI also learned that Azure Bastion lets you operate them from the Azure portal without connecting the host directly to the VM, so I felt I had to try building it right away.
\nIn this article, I summarize my notes from setting up an environment that allows remote access with Azure Bastion.
\n\nAzure Bastion is a fully managed service that is deployed into a virtual network and enables RDP and SSH connections to Azure VMs.
\nWith Azure Bastion, you can securely access Azure VMs through Bastion without assigning a public IP address to the VMs themselves.
\nAnother very nice point is that you can remotely control a virtual machine from the Azure portal without making an RDP or SSH connection from the host machine.
\nReference: Azure Bastion - Fully Managed RDP/SSH | Microsoft Azure
\nReference: About Azure Bastion | Microsoft Learn
\nTo use Bastion, you need a virtual network for deploying Bastion and virtual machines deployed in a subnet within it.
\nSo first, create a virtual network for a lab environment.
\nI created the virtual network with the address space 172.16.0.0/20, and created one subnet, 172.16.1.0/24.
After waiting about 20 minutes, Bastion is deployed automatically to the virtual network.
\nHowever, Bastion configured this way uses the default settings, and the enabled plan is Basic.
\nSo if you want to use features that are only available in the Standard plan, such as remote access to a virtual machine with a native client, note that you need to create Bastion with the custom configuration.
\nOnce Bastion deployment is complete, confirm that the virtual machines you created earlier appear in the VM list.
\nThe virtual machine information is based on information shared within the virtual network, so if inbound communication from the vNet is not allowed on the subnet containing the virtual machine or on the NSG attached to the virtual machine, you will not be able to select that virtual machine from Bastion.
\nAfter selecting the virtual machine, connect to it using a password or private key.
\nAt this point, besides a password or a certificate in a local file, you can also use a private key managed in Key Vault.
\nThis opens a new browser window, allowing remote SSH access to the virtual machine in the subnet.
\nOf course, you can also make an RDP connection to the Windows machine in the browser.
\nTo deploy a custom Bastion, open the resource page for the virtual network and click [Configure manually] from [Bastion].
\nSince I wanted to use a native client for remote access this time, I selected the Standard tier.
\nThat completes creation of Bastion with the custom configuration.
\nUsing Bastion for remote access from a browser is very convenient, but sometimes you may want to connect directly from the host machine using RDP or SSH.
\nIn that case, use Azure CLI.
\nIf Azure CLI is not installed yet, install it using the steps below.
\nReference: Install the Azure CLI for Windows | Microsoft Learn
\nReference: Install the Azure CLI on Linux | Microsoft Learn
\nUsing winget makes the installation easy.
winget install -e --id Microsoft.AzureCLIOnce the installation is complete, run one of the following commands from Command Prompt or similar to authenticate Azure CLI.
\naz login\naz login --use-device-codeAfter Azure CLI authentication is complete, you can use the following command to connect to the Windows machine through Bastion with the native RDP client.
\naz network bastion rdp --name \"<BastionName>\" --resource-group \"<BastionResourceGroupName>\" --target-resource-id \"<VMResourceId>\"Reference: Upload or download files using native client connections - Azure Bastion | Microsoft Learn
\nHere, if you know the resource group and the virtual machine name, you can also obtain the VM ID to specify in --target-resource-id with the following command.
az vm list --show-details --resource-group EPLab --query \"[?name == 'Win2012R2'].id\"When I ran the command using the virtual machine ID obtained here, the RDP client launched automatically and I was able to connect to the virtual machine over RDP through Bastion.
\naz network bastion rdp --name \"EPBastion\" --resource-group \"EPLab\" --target-resource-id \"<VMResourceId>\"Now that I have built an Azure Bastion environment, it feels like my lab environment has leveled up once again.
\nBeing able to operate VMs from the Azure portal also seems very useful for cases where you want to keep them completely separated from your local machine at the network level.
\nThe Azure Bastion environment I built this way was very comfortable to use, but it cost about 1,000 yen per day, which made it difficult to run personally, so I ended up deleting it.
\nUnfortunately.
","fields":{"slug":"/azure-bastion-tutorial-en","tagSlugs":["/tag/azure-en/","/tag/security-en/","/tag/備忘録/","/tag/az-500-en/","/tag/english/"]},"frontmatter":{"date":"2023-05-05","description":"Build an environment where you can securely access Azure VMs remotely with Azure Bastion.","tags":["Azure (en)","Security (en)","備忘録","AZ-500 (en)","English"],"title":"Use Azure Bastion to build an environment for secure remote access to Azure VMs","socialImage":{"publicURL":"/static/b8469c310f081fd58309a6836fce9b5c/azure-bastion-tutorial.png"}}}},"pageContext":{"slug":"/azure-bastion-tutorial-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}