How to deploy an Azure Bastion host in an existing VNet
Hello everyone, in this post I want to show you how to deploy an Azure Bastion host so that you can connect securely, directly from the Azure portal, to all the virtual machines in your virtual network without exposing their RDP or SSH ports to the internet. This is an excellent alternative if you do not want to set up a Site-to-Site or Point-to-Site VPN connection to reach your virtual machines. During the Bastion host deployment you will need to create two resources: a dedicated subnet in your virtual network with the following characteristics:
- The name of the dedicated subnet must be AzureBastionSubnet.
- The subnet must be /27 or larger.
and a public IP that must meet the following characteristics:
- The public IP address must be in the same region as the Bastion resource.
- Azure Bastion supports only the Standard Public IP SKU.
Prerequisites
- You created a Resource Group for these resources, and the new ones deployed in this tutorial will join that group. If you want to know how to create a Resource Group, check out this link.
- You already created the necessary Virtual Network and subnet. If you want to know how to create a Virtual Network, check out this link.
Azure PowerShell Workaround
If you want to know how to install the PowerShell Azure module on your machine, check out this link. The simplest way to get started is to sign in interactively at the command line.
Connect-AzAccount
This cmdlet will bring up a dialog box prompting you for the email address and password associated with your Azure account. If you have more than one subscription associated with your account, you can choose the default subscription. To perform this task, we will use the following commands:
Get-AzSubscription
Select-AzSubscription -Subscription "My Subscription"
Once you set your default subscription, you’re ready to start.
Set the variables
Here, we define the characteristics of our environment and the resource’s properties.
# Existing resource group and region; the public IP and Bastion host must share this region
$resourceGroupName = "RG-DEMO-WE"
$location = "westeurope"
# Existing virtual network that will receive the Bastion subnet
$vnetName= "VNET-DEMO-WE"
# The subnet name is mandatory and the prefix must be /27 or larger
$bastionSubnetname = "AzureBastionSubnet"
$bastionAdressPrefix = '172.16.2.0/27'
Add a dedicated subnet in the existing VNET
You should create a new subnet in your network configuration, and it must be called “AzureBastionSubnet”. To do this, use the Add-AzVirtualNetworkSubnetConfig cmdlet with the following syntax.
# Retrieve the existing VNet object
$vnet = Get-AzVirtualNetwork `
-Name $vnetName `
-ResourceGroupName $resourceGroupName
# Append the Bastion subnet to the in-memory VNet configuration
Add-AzVirtualNetworkSubnetConfig `
-Name $bastionSubnetname `
-AddressPrefix $bastionAdressPrefix `
-VirtualNetwork $vnet
# Write the updated configuration back to Azure
$vnet | Set-AzVirtualNetwork
Important: AzureBastionSubnet does not support User Defined Routes but does support Network Security Groups.
Request a Public IP address
One of the resources you need to configure your bastion host is a public IP. To create this resource, you should use the New-AzPublicIpAddress cmdlet with the following syntax.
# Bastion requires a Standard SKU, statically allocated public IP in the same region
$bastionpip = New-AzPublicIpAddress `
-Name "PIP-BASTION-WE" `
-ResourceGroupName $resourceGroupName `
-Location $location `
-AllocationMethod Static `
-Sku Standard `
-Tag @{environment="www.jorgebernhardt.com"}
Deploy an Azure Bastion host
Once the above steps have been successfully completed, you are ready to deploy your Bastion host on your virtual network. To do this, you should use the New-AzBastion cmdlet with the following syntax.
# Create the Bastion host using the public IP and the VNet that now contains AzureBastionSubnet
New-AzBastion `
-Name 'BASTION-WE' `
-ResourceGroupName $resourceGroupName `
-PublicIpAddress $bastionpip `
-VirtualNetworkId $vnet.Id `
-Tag @{environment="www.jorgebernhardt.com"}
Now you can connect to your virtual machines from the Azure portal. To do this, click the Connect option on the VM and select Bastion; you will be asked to enter the credentials of your VM. When you click Connect, an RDP session to the virtual machine opens directly in your browser (over HTML5) through Bastion on port 443.
Azure CLI Workaround
In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link. First, we define the characteristics of our environment and store the values in variables.
# Existing resource group and region; the public IP and Bastion host must share this region
resourceGroupName="RG-DEMO-WE"
location="westeurope"
# Existing virtual network that will receive the Bastion subnet
vnetName="VNET-DEMO-WE"
# The subnet name is mandatory and the prefix must be /27 or larger
bastionSubnetname="AzureBastionSubnet"
bastionAdressPrefix='172.16.2.0/27'
Add a dedicated subnet in the existing VNET
You should create a new subnet in your network configuration, and it must be called “AzureBastionSubnet”. To do this, use the following commands.
# Add the Bastion subnet to the existing VNet
az network vnet subnet create \
-n $bastionSubnetname \
-g $resourceGroupName \
--vnet-name $vnetName \
--address-prefixes $bastionAdressPrefix
Important: AzureBastionSubnet does not support User Defined Routes but does support Network Security Groups.
Request a Public IP address
To create a public IP address for Azure Bastion, you should use the following command.
# Bastion requires a Standard SKU, statically allocated public IP in the same region as the host
az network public-ip create \
-n "PIP-BASTION-WE" \
-g $resourceGroupName \
--location $location \
--sku Standard \
--allocation-method Static \
--tags Environment=www.JorgeBernhardt.com
Deploy an Azure Bastion host
Once the above steps have been completed successfully, you are ready to deploy your Bastion host on your virtual network. To do this, you should use the following command.
# Create the Bastion host using the public IP created above and the VNet that contains AzureBastionSubnet
az network bastion create \
-n "BASTION-WE" \
-g $resourceGroupName \
--public-ip-address "PIP-BASTION-WE" \
--vnet-name $vnetName \
--location $location
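The PowerShell and CLI procedures above both fail late (at subnet or Bastion creation) when one of the prerequisites from the introduction is not met. The following pre-flight check is an added example, not code from the original post: it validates the subnet name, the minimum prefix size, that the prefix fits the VNet address space without overlapping existing subnets, and the public IP SKU, allocation and region against constructed VNet and public IP descriptions (the VNet address space and existing subnets are assumed values, not from the post). It also checks that the VNet itself is in the Bastion region, which the post does not state but Azure requires.

```python
import ipaddress
from dataclasses import dataclass

REQUIRED_SUBNET_NAME = "AzureBastionSubnet"
# The post states /27 as the minimum; current Azure docs require /26 or larger,
# so pass min_prefix=26 when checking a new deployment.
DEFAULT_MIN_PREFIX = 27


@dataclass
class VNet:                 # constructed model of an existing VNet
    location: str
    address_spaces: list    # CIDR strings
    subnets: dict           # existing subnet name -> CIDR


@dataclass
class PublicIp:             # constructed model of the Bastion public IP
    location: str
    sku: str
    allocation: str


def check_bastion_prereqs(vnet, subnet_name, subnet_prefix, pip,
                          bastion_location, min_prefix=DEFAULT_MIN_PREFIX):
    """Return the list of violated Bastion prerequisites (empty list = ready to deploy)."""
    problems = []
    if subnet_name != REQUIRED_SUBNET_NAME:   # the name check is case-sensitive
        problems.append(f"subnet must be named {REQUIRED_SUBNET_NAME}, got {subnet_name!r}")
    try:
        net = ipaddress.ip_network(subnet_prefix, strict=True)
    except ValueError as exc:                 # e.g. host bits set in the prefix
        return problems + [f"invalid subnet prefix {subnet_prefix!r}: {exc}"]
    if net.prefixlen > min_prefix:            # a larger prefix length is a smaller subnet
        problems.append(f"{subnet_prefix} is smaller than the required /{min_prefix}")
    if not any(net.subnet_of(ipaddress.ip_network(a)) for a in vnet.address_spaces):
        problems.append(f"{subnet_prefix} lies outside the VNet address space {vnet.address_spaces}")
    for name, cidr in vnet.subnets.items():  # subnet creation fails on any overlap
        if net.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"{subnet_prefix} overlaps existing subnet {name} ({cidr})")
    if pip.sku != "Standard":
        problems.append(f"public IP SKU must be Standard, got {pip.sku}")
    if pip.allocation != "Static":
        problems.append(f"public IP allocation must be Static, got {pip.allocation}")
    if pip.location != bastion_location:
        problems.append(f"public IP is in {pip.location} but Bastion is in {bastion_location}")
    if vnet.location != bastion_location:
        problems.append(f"VNet is in {vnet.location} but Bastion is in {bastion_location}")
    return problems
```

Run it with the post's values (AzureBastionSubnet, 172.16.2.0/27, a Standard static IP in westeurope) before executing either procedure; any non-empty result names the command that would have failed.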
Now you can connect to your virtual machines from the Azure portal. To do this, click the Connect option on the VM and select Bastion; you will be asked to enter the credentials of your VM. When you click Connect, an RDP session to the virtual machine opens directly in your browser (over HTML5) through Bastion on port 443. Thanks for reading my post. I hope you find it useful. If you want to know more about Azure Bastion, check out this link: https://docs.microsoft.com/en-us/azure/bastion/bastion-overview