With Azure Bastion and shareable links deployment, RDP and SSH connections to virtual machines in Azure can be made quickly and securely from anywhere. The virtual machines do not need a public IP address, agents or other software, and the time-consuming management of NSGs (network security groups) or VPNs is also eliminated.
Azure Bastion uses a web client based on HTML5 that uses TLS over port 443 and is a PaaS (Platform-as-a-Service) service. Regular updated and managed by Microsoft, this Azure service provides an extra layer of protection against zero-day exploits.
The feature Azure Bastion shareable links simplifies the use of Azure Bastion. Until now, in order to use Azure Bastion, the user first had to sign in to the Azure Portal and laboriously click through to the virtual machine. Shareable links provide a URL that connects directly and securely to virtual machines, without the user having to sign in to the Azure Portal first.
Prerequisites and Licensing
- No license is required for Azure Bastion
- A dedicated subnet of size /26 or larger with the name AzureBastionSubnet
- A virtual machine to be managed via RDP or SSH with the Azure Bastion
Deploy Azure Bastion
Azure Bastion is deployed in the Azure Portal (https://portal.azure.com).
In the menu All services under the category Networking select the resource Bastions.
Select option Create
- Select Subscription and Resource Group
- Enter instance name and select Azure Region
- Select SKU for the Azure Bastion. An overview of the SKU and its functions can be read here:
https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#sku - Select the virtual network where Azure Bastion will be deployed.
An dedicated subnet AzureBastionSubnet with the following requirements is a prerequisite:
– The subnet name must be AzureBastionSubnet
– The subnet must have a size of at least /26 or larger (/25, /24 etc) - Select public IP address
- Continue to check the entries by clicking on Review + Create
After successful verification Azure Bastion is created by clicking Create.
After a short time Azure Bastion is created.
Establishing an RDP or SSH session to a virtual machine in Azure Portal is described here.
With a shareable link, users can access the target computer directly and do not have to sign in to the Azure Portal first.
Azure Bastion require the SKU Standard for using shareable links.
Enable sharable links
The feature can be enabled under All services > Networking > Bastions > Azure Bastion Host > Configuration.
Enable Shareable Link
The deployment of the feature is successfully completed after a few minutes.
To create shareable links, go to All services > Networking > Bastions > Azure Bastion Host open Shareable Links and click Add
- Select subscription and resource group
- Select all target resources that should be reachable via a shareable link
- Confirm configuration with Apply
After a short time the shareable links are created and ready to use.
Establishing an RDP or SSH Session to a virtual machine with a shareable link is described here.
If the shareable link is no longer used, it can be deleted. To do this, select the virtual Maschine under All services > Networking > Bastions > Azure Bastion Host > Configuration > Shareable Link and click Delete
Connect to virtual machine
Connect via Azure Portal
Log in to the Azure Portal (https://portal.azure.com) and select All Services > Compute > Virtual Maschines, select the virtual machine to which an RDP or SSH connection should be made via Azure Bastion.
In the virtual machine, select the Bastion feature.
- Select protocol for the connection (RDP or SSH)
- Enter the virtual machine credentials
- Connect by clicking Connect
The session is started in the browser.
A shareable link establishes an RDP or SSH session in the browser directly to the virtual maschine. No login to the Azure Portal is required.
Shareable links have the format https://*.bastion.azure.com/* and are shown per virtual machine under All services > Networking > Bastions > Azure Bastion Host > Shareable Links
Access the shareable link in the browser and log in with the virtual machine credentials. The link does not contain virtual machine credentials.
The session is started in the browser.
Troubleshooting
Copy and paste doesn’t work
The “Copy & Paste” function does not work properly. In order to use “Copy & Paste”, the function must be enabled in Azure Bastion. Go to All services > Networking > Bastions > Azure Bastion Host > Configuration and enable the feature Copy & Paste.
Follow me on LinkedIn and get informed about my latest posts.