Introduction
Microsoft Azure is one of the leading cloud service providers that comes with numerous services and features. In this article, we will discuss how we can leverage Azure Bastion Host to securely access the Azure VM’s hosted in different VNet’s using the global VNet peering approach.
Azure Bastion
Azure Bastion can securely access the Azure VMs in- browser over a secure link without publishing RDP or SSH ports over the internet. The Azure Bastion service is a PaaS (Platform-as-a-Service) that we provision inside our virtual network. Virtual machines which are connected through Bastion service use secure RDP/SSH service over TLS. When we connect via Azure Bastion, our virtual machines do not need a public IP address, and it acts as a virtual IP. Virtual machines uses bastion service will be accessed by RDP/SSH over the port number 443.
VNet Peering
VNet Peering is used to enable communication with other virtual networks in Azure. VNet Peering allows us to set up communication between two virtual networks hosted in any region and any subscription.
Scenarios
Create a Hub-and-Spoke Topology on Microsoft Azure with Virtual Network Peering and Azure Bastion.
To connect VMs hosted in different virtual networks, either we need to provision Azure Bastion host for each Virtual Network or leverage Virtual network Peering to use a single Bastion host to access VM's hosted in other Virtual networks.
Navigate to Virtual Networks and add the virtual network name as VNet-Hub for Azure Bastion.
Adding subnet (AzureBastionSubnet)10.0.0.0/24 to VNet-Hub and create VNet.
Now your VNet-Hub deployment has been completed.
After the deployment, you need to navigate to Azure Bastion and add the bastion name as AzureBastionService.
Once the name is created, you need to review and create Azure Bastion.
This will complete the Azure Bastion Service deployment.
In the next step, you need to create a Virtual Network for Spoke1 titled Spoke1-VNet1.
Now you will add subnet (default) 10.1.0.0/24 to the VNet-Hub to create it.
As you can see, the Soke1-VNet1 deployment has been completed.
Let’s provision a Virtual Machine in Spoke1-VNet1 name as VM-WindowsServer2019.
Adding credentials for accessing the VM.
Add VM to the Spoke1-VNet1
VM-WindowsServer2019 deployment has been completed.
Now create a Virtual Network for Spoke2 name Spoke2-VNet2.
Adding subnet (default) 10.2.0.0/24 to VNet-Hub and create VNet.
Soke2-VNet2 deployment has been completed.
Let’s provision a Virtual Machine in Spoke2-VNet2 name as VM-Linux.
Adding credentials for accessing the VM.
Add VM to the Spoke2-VNet2.
VM-Linux deployment has been completed.
Navigate to VNet-Hub where Bastion has deployed, go to peering and add peering for connectivity to others VNet’s.
Add peering for Spoke1-VNet1.
The same process is followed to add Spoke2-Vnet2 peering in VNet-Hub. Both VNet’s having virtual machines are connected with Hub V-Net having Azure Bastion host.
Navigate to the VM-WindowsServer2019 and click on connect through Bastion. Now connect by adding the credentials.
The VM-WindowsServer2019 is successfully connected through Bastion, and is running over SSL/TLS on port 443.
Similarly, you need to navigate to the VM-Linux and click on connect through Bastion. Add the credentials to proceed.
The VM-Linux is successfully connected through Bastion, and is running over SSL/TLS on port 443.
Conclusion
Azure Bastion provides a secure way to access Azure VM’s without exposing VM’s RDP or SSH port over the internet or requiring a Public IP address for each VM. With Global VNet Peering, we can significantly reduce the cost and complexity and use a single bastion host to access VM’s across different virtual networks. If you have any questions regarding Azure VM, feel free to leave a comment below! We will be happy to answer your questions.