Cloud and Automation Blog

Tag: Azure Bastion (page 1 of 1)

Azure Bastion – Automation using ARM Templates

I have given, in my previous article, a quick guide to using the Azure Bastion Service.

In the new article, I will focus on how to automate the deployment on Azure bastion using not only ARM templates but also  Hashicorp Terraform.

So let’s get started with some definitions! 🙂

Azure Bastion, now in preview, is a managed PaaS that connects customers’ VMs via the Remote Desktop Protocol (RDP) and Secure Shell (SSH) network protocols, and it uses Secure Sockets Layer encryption in the process, Microsoft said. It’s inspired by bastion hosts and jump boxes, long a networking staple for companies that want to place dedicated gateways between the public internet and their private networks.

source: https://searchcloudcomputing.techtarget.com/news/252465418/Microsoft-Azure-Bastion-service-seeks-to-secure-VMs

What’s an ARM template?

ARM Templates, stands for Azure Resource Manager templates, are a way to declare the objects you want, the types, names, and properties in a JSON file which can be checked into source control and managed like any other code file. ARM Templates are what gives us the ability to roll out Azure “Infrastructure as code”.

source: https://www.red-gate.com/simple-talk/cloud/infrastructure-as-a-service/azure-resource-manager-arm-templates/

ARM template Syntax

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "",
  "apiProfile": "",
  "parameters": {  },
  "variables": {  },
  "functions": [  ],
  "resources": [  ],
  "outputs": {  }
}

$schema, content version, apiProfile, and resources are required elements. below is a description of different parts of the template

parameters: Values that are provided when deployment is executed to customize resource deployment.

variables: Values that are used as JSON fragments in the template to simplify template language expressions.

functions: User-defined functions that are available within the template.

resources: Yes Resource types that are deployed or updated in a resource group or subscription.

outputs: No Values that are returned after deployment.

For more information take a look at https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authoring-templates

Now, let’s move to the ARM template to build the Azure Bastion.

In my git repository below, I uploaded two files :

https://github.com/makramjenayah/AzBastionARM

The first one is the template file, which containsthe resources that will be created:

1- The public IP address.

2- The virtual network associated with the AZ bastion and its different subnets.

3- The Azure Bastion.

The second one, contains the parameters needed to deploy the resources and which need to be personalized..

Now, let’s deploy the template.

  1. To deploy a customized template through the portal, select Create a resource, search for a template. and then select Template deployment.
  2. Select Create.
  3. You see several options for creating a template choose to Build your own template in the editor: create a template using the portal template editor. The editor is capable to add a resource template schema.
  4. Select the Edit template to explore the portal template editor. The template is loaded in the editor.
  5. Make a minor change to the template. For example, update the  {{changeIT }} by adding your subscription id.
  6. Select Save. Now you see the portal template deployment interface. Notice the two parameters that you defined in the template.
  7. Enter or select the property values:
  • Subscription: Select an Azure subscription.
  • Resource group: Select Create new and give a name.
  • I agree to the terms and conditions stated above: (select)

Finally, click on purchase and your Azure Bastion will be deployed.

I hope this article gives you an overview and a quick-start to deploy ARM template. Stay tuned for my next article, I will focus on how to deploy the Azure Bastion using Terraform.

Azure Bastion – The Guide

You don’t want to assign a public IP to each virtual machine on Azure? You want a secure way to manage your VMS? This article will help you implement the brand new Azure service to get a private and fully managed service which will allow you to access VMS directly from the Azure portal using your browser over the SSL protocol.

So let’s start with some theoretical aspects, the Azure bastion is advantageous in many ways :

  • RDP and SSH sessions over SSL on port 443 via the Azure portal; so from any modern browser you will be able to access your VMS.
  • Azure Bastion is fully managed by Microsoft which means that you will no longer need to manage Network security groups (NSGs) and much more administrative tasks.
  • Your VMs will be protected against port scanning.
  • No need to assign Public IP to your Azure VMs.

The Architecture as designed by Microsoft:

Azure Bastion is currently in public preview and limited to some regions:

  • West Europe
  • West US
  • East US
  • South Central US
  • Australia East
  • Japan East

To participate, you can click on the link below :

https://aka.ms/BastionHost

After the theoretical part, let’s answer the question How to deploy the AZ Bastion?

First, you will need to deploy the service in your virtual network ( a subnet called AzureBastionSubnet with at least /27 must be created) :

Second, since it’s natively integrated, the platform will automatically detect if the Azure Bastion is deployed on the virtual network your virtual machine and in the connect menu you will get Bastion as a connection option.

Now you can enter your username and password to log in. This will open a web-based SSL RDP Session in the Azure Portal.

And as previously mentioned in this article, there is no need to have a Public IP address assigned to your virtual machine.

I hope this article gives you an overview of the azure bastion. If you want to know more check out the Microsoft documentation. If you have any questions or feedback, feel free to leave a comment or contact me.

In my next article, I will explain how to automate the deployment of the Azure Bastion using ARM template and terraform.