Microsoft Azure Bastion and VNet Peering: A Guide

Introduction 

Microsoft Azure is one of the leading cloud service providers and comes with numerous services and features. In this article, we discuss how to leverage an Azure Bastion host to securely access Azure VMs hosted in different VNets, using the global VNet peering approach.

Azure Bastion 

Azure Bastion lets us open RDP and SSH sessions to Azure VMs directly in the browser, over a TLS-protected link, without publishing the VMs' RDP or SSH ports to the internet. Azure Bastion is a PaaS (Platform-as-a-Service) offering that we provision inside our own virtual network. Because the Bastion host brokers the connection, the VMs themselves need no public IP address: the Bastion host's public IP is the only internet-facing endpoint. The browser talks to Bastion over HTTPS on port 443, and Bastion then reaches the VM's private address over RDP or SSH.
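To make the "no public IP, no exposed RDP/SSH port" property concrete, here is an added Bicep example (not code from the original article) for the network side of a spoke VM that is reachable only through Bastion: the NIC carries only a private address, and its NSG admits RDP and SSH solely from the AzureBastionSubnet range (10.0.0.0/24, the prefix used later in this guide), so that even another host inside the peered networks cannot reach those ports. The resource names nsg-spoke-vms and nic-vm-windowsserver2019 and the vmSubnetId parameter are assumptions.

```bicep
// Added example, not the article's own code: the network side of a spoke VM
// that is reachable only through Azure Bastion. The VM's NIC has no public
// IP, and its NSG admits RDP/SSH only from the AzureBastionSubnet range.
param location string = resourceGroup().location
param vmSubnetId string                            // assumed: resource ID of the spoke 'default' subnet
param bastionSubnetPrefix string = '10.0.0.0/24'   // AzureBastionSubnet in VNet-Hub (value from the article)

resource vmNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-spoke-vms' // assumed name
  location: location
  properties: {
    securityRules: [
      {
        // Bastion connects to the VM from a private IP inside its own subnet,
        // so that range is the only legitimate source for ports 22 and 3389.
        name: 'AllowRdpSshFromBastionSubnet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: bastionSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [ '22', '3389' ]
        }
      }
      {
        // Defence in depth: the default NSG rules allow VirtualNetwork-to-
        // VirtualNetwork traffic, which includes peered VNets, so without
        // this rule any host in a peered VNet could reach RDP/SSH directly.
        name: 'DenyRdpSshFromOtherSources'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: 'Tcp'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [ '22', '3389' ]
        }
      }
    ]
  }
}

// No publicIPAddress property: the VM keeps only a private address and is
// reachable solely through Bastion (and whatever else the NSG allows).
resource vmNic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'nic-vm-windowsserver2019' // assumed name
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: vmSubnetId }
          privateIPAllocationMethod: 'Dynamic'
        }
      }
    ]
    networkSecurityGroup: { id: vmNsg.id }
  }
}
```

The NSG is attached to the NIC here so the snippet stays self-contained; attaching the same rules to the spoke subnet works equally well and covers every VM placed in it.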

VNet Peering 

VNet peering connects Azure virtual networks so that resources in them can communicate with each other. It can be set up between two virtual networks hosted in any region (global VNet peering) and in any subscription.

Scenarios 

Create a Hub-and-Spoke Topology on Microsoft Azure with Virtual Network Peering and Azure Bastion. 

[Figure: hub-and-spoke topology diagram]

To connect to VMs hosted in different virtual networks, we either provision an Azure Bastion host in each virtual network or use virtual network peering so that a single Bastion host can reach the VMs hosted in the other virtual networks.

Navigate to Virtual Networks and create a virtual network named VNet-Hub, which will host Azure Bastion.

Add the subnet AzureBastionSubnet (10.0.0.0/24) to VNet-Hub and create the VNet. The subnet must be named exactly AzureBastionSubnet and be at least a /26; the /24 used here satisfies that.

Now your VNet-Hub deployment has been completed. 

After the deployment, navigate to Azure Bastion and create a new Bastion host named AzureBastionService in VNet-Hub.

Review the settings and create the Azure Bastion host.

This will complete the Azure Bastion Service deployment.

In the next step, create a virtual network for the first spoke, named Spoke1-VNet1.

Add the default subnet (10.1.0.0/24) to Spoke1-VNet1 and create the VNet.

The Spoke1-VNet1 deployment is now complete.

Let's provision a virtual machine in Spoke1-VNet1 named VM-WindowsServer2019.

Add the administrator credentials for accessing the VM.

Place the VM in Spoke1-VNet1; it needs no public IP address, since it will be reached only through Bastion.

The VM-WindowsServer2019 deployment is complete.

Now create a virtual network for the second spoke, named Spoke2-VNet2.

Add the default subnet (10.2.0.0/24) to Spoke2-VNet2 and create the VNet.

The Spoke2-VNet2 deployment is complete.

Let's provision a virtual machine in Spoke2-VNet2 named VM-Linux.

Add the credentials (password or SSH key) for accessing the VM.

Place the VM in Spoke2-VNet2, again without a public IP address.

The VM-Linux deployment is complete.

Navigate to VNet-Hub, where Bastion is deployed, open Peerings and add a peering for connectivity to the other VNets.

Add peering for Spoke1-VNet1. 

Follow the same process to add the Spoke2-VNet2 peering in VNet-Hub. Both spoke VNets, each containing a virtual machine, are now peered with VNet-Hub, which hosts the Azure Bastion host.

Navigate to VM-WindowsServer2019, choose Connect, select Bastion, and enter the credentials to connect.

The session to VM-WindowsServer2019 is established through Bastion and runs over TLS on port 443.

Similarly, navigate to VM-Linux, choose Connect, select Bastion, and enter the credentials to proceed.

The session to VM-Linux is established through Bastion and runs over TLS on port 443.
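The whole procedure above, as an added Bicep template that is not the article's own code (the article uses the portal). It also illustrates the VNet Peering section: a peering is a pair of one-way links, which the portal creates together when you add a peering from one side but a template has to declare explicitly. The VNet names, subnet names and subnet prefixes are the article's; the /16 VNet address spaces, the Bastion SKU, the public IP name and the peering link names are assumptions. The VMs themselves are left out.

```bicep
// Added example, not the article's own code: the hub-and-spoke topology
// built above as a Bicep template. Deploy with (assumed file name):
//   az deployment group create -g <resource-group> -f hub-spoke-bastion.bicep
param location string = resourceGroup().location
param bastionSku string = 'Basic' // assumed; 'Standard' is also valid

// Hub VNet. The Bastion subnet must be named exactly 'AzureBastionSubnet'
// and be at least a /26; the article's /24 qualifies.
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'VNet-Hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] } // assumed address space
    subnets: [
      {
        name: 'AzureBastionSubnet'
        properties: { addressPrefix: '10.0.0.0/24' }
      }
    ]
  }
}

resource bastionSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' existing = {
  parent: hubVnet
  name: 'AzureBastionSubnet'
}

// Bastion requires a static Standard-SKU public IP; it is the only
// internet-facing address in the whole design.
resource bastionPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'AzureBastionService-pip' // assumed name
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource bastion 'Microsoft.Network/bastionHosts@2023-05-01' = {
  name: 'AzureBastionService'
  location: location
  sku: { name: bastionSku }
  properties: {
    ipConfigurations: [
      {
        name: 'bastion-ipconfig'
        properties: {
          subnet: { id: bastionSubnet.id }
          publicIPAddress: { id: bastionPip.id }
        }
      }
    ]
  }
}

// Spoke VNets. Address spaces must not overlap each other or the hub,
// otherwise the peering links fail to create. /16 spaces are assumed.
var spokes = [
  { name: 'Spoke1-VNet1', space: '10.1.0.0/16', subnet: '10.1.0.0/24' }
  { name: 'Spoke2-VNet2', space: '10.2.0.0/16', subnet: '10.2.0.0/24' }
]

resource spokeVnets 'Microsoft.Network/virtualNetworks@2023-05-01' = [for s in spokes: {
  name: s.name
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ s.space ] }
    subnets: [
      {
        name: 'default'
        properties: { addressPrefix: s.subnet }
      }
    ]
  }
}]

// A peering is two one-way links and both must exist before traffic flows.
// Gateway transit and forwarded traffic stay off: Bastion only needs plain
// VNet-to-VNet reachability.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = [for (s, i) in spokes: {
  parent: hubVnet
  name: 'VNet-Hub-to-${s.name}'
  properties: {
    remoteVirtualNetwork: { id: spokeVnets[i].id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: false
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}]

resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = [for (s, i) in spokes: {
  parent: spokeVnets[i]
  name: '${s.name}-to-VNet-Hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: false
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}]

output bastionPublicIp string = bastionPip.properties.ipAddress
```

After deployment, the only public address in the resource group is the one in the bastionPublicIp output; a quick audit that no VM NIC has acquired a public IP (for example by listing public IP resources in the group) confirms the topology still matches the design.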


Conclusion 

Azure Bastion provides a secure way to access Azure VMs without exposing each VM's RDP or SSH port to the internet or giving each VM a public IP address. With global VNet peering, we can significantly reduce cost and complexity by using a single Bastion host to access VMs across different virtual networks. If you have any questions regarding Azure VMs, feel free to leave a comment below! We will be happy to answer your questions.

 
