A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attack, a bastion host must minimize the chances of penetration.
What is the difference between a firewall and a bastion host?
A bastion host is a dedicated server that lets authorized users access a private network from an external network such as the internet. Placed outside the firewall or within a DMZ, the bastion host becomes the only ingress path to those internal resources.
If we want to SSH into a VM on the private subnet from our home/office (or from a development machine), currently we can't: our instance has no public IP and sits in a private subnet, so there is no direct route to it from the internet. This is where a Bastion server (Jump server) comes in.
Azure Bastion is deployed to a virtual network and supports virtual network peering.
Specifically, Azure Bastion manages RDP/SSH connectivity to VMs created in the local or peered virtual networks.
Exposing RDP/SSH ports directly to the Internet is undesirable and is seen as a significant threat surface, often because of protocol vulnerabilities. To contain this threat surface, you can deploy bastion hosts (also known as jump servers) at the public side of your perimeter network.
Bastion host servers are designed and configured to withstand attacks. Bastion servers also provide RDP and SSH connectivity to the workloads sitting behind the bastion.
Network Security Group (NSG)
A network security group, or NSG, allows or denies inbound network traffic to your Azure resources. Think of an NSG as a cloud-level firewall for your network.
For example, notice that the VM allows inbound traffic on ports 22 (SSH) and 80 (HTTP). This VM's network security group allows inbound traffic over these ports from all sources by default. But we can configure a network security group to accept traffic only from known sources, such as IP addresses that you trust or your local PC's IP address.
NSGs can be associated with subnets or individual virtual machine instances within that subnet. When an NSG is associated with a subnet, the ACL rules apply to all Virtual Machine instances of that subnet.
Bastion Host Setup Architecture:
Deployment of Resources:
Create a Resource group (NSG-RG):
Create a Virtual network (NSG-vnet) [CIDR- 10.0.0.0/16]
Add subnet-1 (NSG-subnet-1) with CIDR value "10.0.1.0/24"
Add subnet-2 (NSG-subnet-2) with CIDR value "10.0.2.0/24"
Create VM-1 (Bastion host) in Subnet-1. Assign a public IP to it.
In this case an NSG is applied to the server by default. We can also attach an NSG at the subnet level. An NSG has two sets of rules: inbound rules and outbound rules.
Create another VM (Web-server) inside Subnet-1. We can assign a public IP to this server as well.
Create the DB-server inside Subnet-2. Assign a private IP to it (no public IP).
Among the inbound port rules there is an RDP rule with source Any and destination Any, which means anyone can RDP into my server.
Now let's create an inbound rule that only allows my local desktop's IP. To do that we put our IPv4 address in the Source IP addresses field. Delete the previous inbound port security rule.
Add a new inbound port rule with source set to your local PC's IP address. Select RDP as the service and TCP as the protocol.
After editing this inbound port rule, the NSG will only allow my local machine's IP to access the Bastion-host server via RDP. We can't access the bastion host from any other PC.
If we want multiple PCs to be able to access the bastion host, we can edit the inbound port rule and put the respective IP addresses of those PCs in the source field.
Suppose we don't want a particular IP to access my virtual machine: create an inbound port rule, put that IP in the Source IP addresses field, put this VM's IP in the Destination IP addresses field, and select Deny as the action.
We cannot RDP directly into our DB-server because it has only a private IP, so in order to RDP we need a server that has a public IP and is in the same network.
So we use the Bastion-host (Jump-server) to access the DB-server, since they exist in the same network. Let's connect to the DB-server from inside the Bastion-host.
Connection established to DB-server via RDP from Bastion-host.
Similarly, connection to DB-server can be established by WEB-server as they exist in the same network.
Connection established with DB-server from Web-server via RDP.
But connections to the DB-server should be restricted to the Jump-server only. To achieve this, we need to change the inbound rule configuration of the DB-server's NSG.
First delete the existing rule for RDP.
Add an inbound rule as follows:
Source: IP address of web-server
Destination: IP address of DB-server
Now let's try connecting to the DB-server again from inside the WEB-server via RDP. We can see that the connection can't be established.
If we try to reach the internet from the DB-server (via the Jump-server session), we can see that the DB-server has internet access.
To restrict the DB-server's internet access we need to edit the outbound rules of the DB-server's NSG.
Add an outbound rule as follows:
Destination: Service Tag
Destination Service Tag: Internet
Destination port range: 8080
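The NSG behaviour that both rule-editing sections above rely on (rules evaluated in ascending priority, first match wins, with Azure's built-in defaults underneath) can be modelled and checked offline. This is an added example, not code from the original post: the VM addresses and the public IP are constructed, the inbound web-server rule is assumed to have action Deny (the result shown in the walkthrough implies it), and the two service tags are approximated.

```python
import ipaddress
from collections import namedtuple
# NSG-vnet from the walkthrough; the three host IPs are constructed examples.
VNET = ipaddress.ip_network("10.0.0.0/16")
JUMP, WEB, DB = "10.0.1.4", "10.0.1.5", "10.0.2.4"

# One NSG rule. source/dest: IP, CIDR, "*" or service tag; ports: tuple or ("*",).
Rule = namedtuple("Rule", "priority direction access protocol source dest ports")
def addr_matches(prefix, ip):
    """Resolve the two service tags the page uses, else treat prefix as IP/CIDR."""
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in VNET
    if prefix == "Internet":  # approximation: anything outside private space
        return not addr.is_private
    return addr in ipaddress.ip_network(prefix, strict=False)
def evaluate(rules, direction, proto, src, dst, port):
    """Lowest priority number wins: the first matching rule decides Allow/Deny."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in (proto, "*")
                and addr_matches(r.source, src) and addr_matches(r.dest, dst)
                and ("*" in r.ports or port in r.ports)):
            return r.access
    return "Deny"

# Azure's non-deletable default rules (abridged: AzureLoadBalancer inbound omitted).
DEFAULTS = [
    Rule(65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", ("*",)),
    Rule(65500, "Inbound", "Deny", "*", "*", "*", ("*",)),
    Rule(65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", ("*",)),
    Rule(65001, "Outbound", "Allow", "*", "*", "Internet", ("*",)),
    Rule(65500, "Outbound", "Deny", "*", "*", "*", ("*",)),
]
# The two custom rules added to the DB-server NSG above (inbound one assumed Deny).
DB_RULES = DEFAULTS + [
    Rule(100, "Inbound", "Deny", "Tcp", WEB, DB, (3389,)),
    Rule(100, "Outbound", "Deny", "*", "*", "Internet", (8080,)),
]

def db_scenarios():
    """RDP to DB from Jump vs Web, and DB egress on 8080 vs 443 (constructed public IP)."""
    public = "93.184.216.34"
    return {
        "jump_rdp": evaluate(DB_RULES, "Inbound", "Tcp", JUMP, DB, 3389),
        "web_rdp": evaluate(DB_RULES, "Inbound", "Tcp", WEB, DB, 3389),
        "db_out_8080": evaluate(DB_RULES, "Outbound", "Tcp", DB, public, 8080),
        "db_out_443": evaluate(DB_RULES, "Outbound", "Tcp", DB, public, 443),
    }
```

Note that `db_out_443` stays Allow: the outbound rule as written only blocks port 8080, so blocking the DB-server's internet access in general needs a rule without the port filter.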
Now our deployment and setup for connecting a database server via bastion host is successfully established.
Drop your views regarding this.