Ashutosh Mallick
Bastion Host Setup In Azure Console

Bastion Host

A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attack, a bastion host must minimize the chances of penetration.

What is the difference between a firewall and a bastion host?

A bastion host is a dedicated server that lets authorized users access a private network from an external network such as the internet. Placed outside the firewall or within a DMZ, the bastion host becomes the only ingress path to those internal resources.

If we want to SSH into a VM on the private subnet from our home/office (or from a development machine), currently we can’t: the instance has no public IP and sits in a private subnet with no direct route from the internet. This is where a bastion server, or jump server, comes in.

Azure Bastion is deployed to a virtual network and supports virtual network peering.
Specifically, Azure Bastion manages RDP/SSH connectivity to VMs created in the local or peered virtual networks.

Exposing RDP/SSH ports over the Internet is undesirable and is seen as a significant threat surface, often because of protocol vulnerabilities. To contain this threat surface, you can deploy bastion hosts (also known as jump servers) on the public side of your perimeter network.

Bastion host servers are designed and configured to withstand attacks. Bastion servers also provide RDP and SSH connectivity to the workloads sitting behind the bastion.

Network Security Group (NSG)

A network security group, or NSG, allows or denies inbound network traffic to your Azure resources. Think of an NSG as a cloud-level firewall for your network.

For example, notice that the VM allows inbound traffic on ports 22 (SSH) and 80 (HTTP). By default, this VM’s network security group allows inbound traffic over these ports from all sources. We can instead configure the network security group to accept traffic only from known sources, such as IP addresses you trust or your local PC’s IP address.

NSGs can be associated with subnets or individual virtual machine instances within that subnet. When an NSG is associated with a subnet, the ACL rules apply to all Virtual Machine instances of that subnet.

NSG Architecture:


Bastion Host Setup Architecture:


Deployment of Resources:


Create a Resource group (NSG-RG):


Create a Virtual network (NSG-vnet) [CIDR: 10.0.0.0/16]


Add subnet-1 (NSG-subnet-1) with CIDR value "10.0.1.0/24"


Add subnet-2 (NSG-subnet-2) with CIDR value "10.0.2.0/24"


Create VM-1 (the Bastion host) in Subnet-1 and assign a public IP to it.


In this case the NSG is applied to the server (its network interface) by default. We can also attach an NSG at the subnet level. An NSG has two sets of rules: inbound rules and outbound rules.


Create another VM (Web-server) inside Subnet-1. We can assign a public IP to this server as well.


Create the DB-server inside Subnet-2 and assign only a private IP to it.


In the inbound port rules there is an RDP rule with source Any and destination Any; this means anyone can RDP into my server.


Now let’s create an inbound rule that allows only my local desktop’s IP. To do that, we put our IPv4 address in the source IP addresses field and delete the previous inbound port security rule.


Add a new inbound port rule with your local PC’s IP address as the source. Select RDP as the service and TCP as the protocol.


After editing this inbound port rule, the NSG allows only my local PC’s IP to reach the Bastion-host via RDP; the bastion host cannot be accessed from any other PC.

To allow multiple PCs to access the bastion host, edit the inbound port rule and list the IP addresses of those PCs as the source.

Suppose we don’t want a particular IP to access my virtual machine. Then create an inbound port rule with that IP in the source IP addresses, this VM’s IP in the destination IP addresses, and Deny as the action.


We cannot RDP directly into our DB-server because it has only a private IP. To RDP into it we need a server that has a public IP and is present in the same virtual network.

So we use the Bastion-host (Jump-server) to access the DB-server, as both exist in the same network. Let’s connect to the DB-server from inside the Bastion-host.


Connection established to DB-server via RDP from Bastion-host.


Similarly, a connection to the DB-server can be established from the Web-server, as they exist in the same network.


Connection established with DB-server from Web-server via RDP.


But the connection to the DB-server should be restricted to the Jump-server only. To achieve this, we need to change the inbound rule configuration of the DB-server’s NSG.

First delete the existing rule for RDP.
Add an inbound rule as follows:
Source: IP address of Web-server
Destination: IP address of DB-server
Service: RDP
Protocol: Any
Priority: 210 (say)
Name: 3389_port_block
Action: Deny


Now let’s try connecting to the DB-server again from inside the Web-server via RDP. We can see that the connection can’t be established.


If we try reaching the internet from the DB-server (via the Jump-server), we can see that the DB-server has internet access.


To restrict the DB-server’s internet access we need to edit the outbound rules of the DB-server’s NSG.
Add an outbound rule as follows:
Source: Any
Destination: Service Tag
Destination Service Tag: Internet
Destination port range: 8080
Action: Deny
Priority: 200 (say)
Add rule.

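To see why the inbound and outbound rules above behave the way they do, here is an added example (not from the original post) that models how an Azure NSG evaluates a flow: rules are tried in priority order, lowest number first, the first match decides, and Azure’s default rules (AllowVnetInBound, AllowInternetOutBound, DenyAll…) sit at the bottom. The VM addresses and the internet host 203.0.113.10 are constructed, and the VirtualNetwork/Internet tag matching is a simplification of the real service tags.

```python
import ipaddress
from collections import namedtuple

VNET = ipaddress.ip_network("10.0.0.0/16")             # NSG-vnet from the post
BASTION, WEB, DB = "10.0.1.4", "10.0.1.5", "10.0.2.4"  # constructed VM addresses

# One NSG rule; source/destination are an IP, a CIDR, or a service tag.
Rule = namedtuple("Rule", "name priority direction source destination ports protocol action")

def _match_addr(spec: str, ip: str) -> bool:
    """Match an address against '*', the tags used in the post, or an IP/CIDR."""
    addr = ipaddress.ip_address(ip)
    if spec in ("*", "Any"):
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":                  # simplification: anything outside the VNet
        return addr not in VNET
    try:
        return addr in ipaddress.ip_network(spec, strict=False)
    except ValueError:                      # a service tag this model does not cover
        return False

def _match_port(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")         # "3389" or "8080-8090"
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, src, dst, port, proto="Tcp"):
    """Return (action, rule_name) of the first rule that matches, lowest priority number first."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", proto)
                and _match_addr(r.source, src) and _match_addr(r.destination, dst)
                and _match_port(r.ports, port)):
            return r.action, r.name
    raise RuntimeError("no rule matched; an NSG always ends with a DenyAll default")

# The DB-server NSG: the two rules added in the post plus Azure's default rules.
DB_SERVER_NSG = [
    Rule("3389_port_block", 210, "Inbound", WEB, DB, "3389", "*", "Deny"),
    Rule("AllowVnetInBound", 65000, "Inbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "AzureLoadBalancer", "*", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "Inbound", "*", "*", "*", "*", "Deny"),
    Rule("block_internet_8080", 200, "Outbound", "*", "Internet", "8080", "*", "Deny"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "*", "Internet", "*", "*", "Allow"),
    Rule("DenyAllOutBound", 65500, "Outbound", "*", "*", "*", "*", "Deny"),
]
```

Running `evaluate(DB_SERVER_NSG, "Inbound", WEB, DB, 3389)` hits the priority-210 deny, while the same flow from BASTION falls through to AllowVnetInBound; outbound traffic from DB to the internet is denied on port 8080 and allowed on any other port by AllowInternetOutBound, which shows exactly what the port-range field of a deny rule does and does not cover.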

With this, our deployment and setup for connecting to a database server via a bastion host is complete.

Drop your views regarding this.
Thank you!!
