Microsoft recently revealed a service called Azure Bastion that allows customers a more secure way to connect and access virtual machines (VMs). It uses Remote Desktop Protocol (RDP) and Secure Shell (SSH) network protocol alongside Secure Sockets Layer (SSL) encryption.
Bastion connects VMs, your local computers, and cloud resources without exposing them to public network connections. As a Platform as a Service, it simplifies the process of setting up and administrating bastion hosts or jumpboxes in your cloud environment.
But what are bastion hosts or jumpboxes? And why would you use them, or a service like Azure Bastion?
Both bastion hosts and jumpboxes function similarly: they segregate between one private network or server group and external traffic. Usually you connect to them through SSH or RDP. They each create a single point of entry to a cluster, but their intended purpose and architecture are subtly different in practice.
A jump server is a virtual machine that is used to manage other systems. It is sometimes called a “pivot server” for this reason: once you are logged in, you can “pivot” to the other servers. It is usually security hardened and treated as the single entryway to a server group from within your security zone, or inside the overall network. A jump server is a “bridge” between two trusted networks. The two security zones are dissimilar but both are controlled.
A bastion host is also treated with special security considerations and connects to a secure zone, but it sits outside of your network security zone. The bastion host is intended to provide access to a private network from external networks such as the public internet. Email servers, web servers, security honeypots, DNS servers, FTP servers, VPNs, firewalls, and security appliances are sometimes considered bastion hosts.
In both cases, the connecting server can be treated as a single audit point for logging access to the subnetworks. Both jump servers and bastion hosts are considered weak points and careful attention must be given to keep them up to date and monitored.
Diagram of a bastion host between the public internet and internal network from O'Reilly DNS and BIND.
If both jump servers and bastion servers serve as a gateway of sorts, their application in public cloud should be apparent: you can remove the public IP while still maintaining remote access to your servers.
Azure Bastion is billed as making the entire process of provisioning and managing these types of connecting servers much easier. As PaaS it takes only a few clicks and integrates with your Azure Virtual Network. You can apply network security group settings across your environment according to your policy, limiting RDP and SSH traffic through your bastion servers. While support for Active Directory, including MFA, is yet to come, it’s on the roadmap.
Azure competitors like AWS offer their own similar services. The end result is further automation and easy of administration across your environment, as rather than manually configuring each bastion or jumpbox server by logging into the box itself and configuring any connected subnets, you can use global administration from your cloud portal.