Microsoft Azure Bastion service seeks to secure VMs

Microsoft's Azure Bastion managed service provides a means for companies to remotely access their VMs without touching the public internet.

Microsoft has debuted an Azure service for customers to more securely connect their virtual machine workloads to the cloud -- a move that reflects the fact that, for many enterprises, secure VMs are a foundation of their IT footprint.

Azure Bastion, now in preview, is a managed PaaS that connects customers' VMs via the Remote Desktop Protocol (RDP) and Secure Shell (SSH) network protocols, and it uses Secure Sockets Layer encryption in the process, Microsoft said. It's inspired by bastion hosts and jump boxes, long a networking staple for companies that want to place dedicated gateways between the public internet and their private networks.

Azure Bastion similarly connects VMs and the cloud in a manner that doesn't expose them to the public internet. It is provisioned from a customer's Azure Virtual Network and only requires a couple of clicks to turn on, Microsoft said. The company claims it worked with hundreds of customers prior to the broader preview release, which suggests ample interest in such a service.

"The feedback has been very consistent: We need an easy and integrated way to deploy, run, and scale jump-servers or bastion hosts within our Azure infrastructure," said Yousef Khalidi, corporate vice president of Azure networking, in a blog post.


Azure customers already can deploy jump boxes and bastion hosts on their own to help secure VMs, but the process is manual and complex, and the resulting hosts are tricky to monitor and audit.

The preview version of Azure Bastion can launch RDP and SSH sessions quickly through the Azure portal. It also provides a rules management framework with which IT shops can configure network security groups that confine RDP and SSH traffic to Azure Bastion.
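The network security group (NSG) lock-down mentioned above is where self-managed deployments tend to go wrong: a single leftover inbound rule that still opens port 3389 or 22 to `*` or `Internet` undoes the benefit of a bastion host, and spotting such rules by hand is exactly the audit burden the article describes. The following script is an added example, not Microsoft's code or anything from the article. It audits a list of NSG inbound rules in the shape returned by `az network nsg rule list` and reports every Allow rule that admits RDP or SSH from a source other than the Bastion subnet. The rule set and the subnet address 10.0.1.0/27 are constructed for the example; in a real deployment you would substitute the address range of the subnet Azure requires to be named AzureBastionSubnet.

```python
import ipaddress

# Ports that must only be reachable from the Bastion subnet.
RDP_SSH_PORTS = {22, 3389}

# Assumed address range of the AzureBastionSubnet (constructed value).
BASTION_SUBNET = ipaddress.ip_network("10.0.1.0/27")

# Constructed sample, shaped like `az network nsg rule list` output
# (only the fields the audit needs are included).
SAMPLE_RULES = [
    {"name": "AllowRdpFromInternet", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "3389"},                       # weak: RDP open to the world
    {"name": "AllowSshFromBastion", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/27",
     "destinationPortRange": "22"},                         # corrected form: SSH only from Bastion
    {"name": "AllowHttpsFromInternet", "priority": 120, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "443"},                        # not a management port, ignored
    {"name": "AllowAnyFromVnet", "priority": 130, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationPortRange": "*"},                          # '*' covers 22/3389 from the whole VNet
    {"name": "DenyAllInbound", "priority": 4096, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},                          # Deny rules are not findings
]


def ports_in_range(port_range):
    """Expand an NSG port range ('22', '20-25', '*') into a set of ports; '*' returns None (all)."""
    if port_range == "*":
        return None
    if "-" in port_range:
        lo, hi = port_range.split("-", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(port_range)}


def rule_touches_mgmt_ports(rule):
    """True if any destination port range of the rule includes 22 or 3389."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
    for port_range in ranges:
        ports = ports_in_range(port_range)
        if ports is None or ports & RDP_SSH_PORTS:
            return True
    return False


def source_is_bastion(prefix):
    """True only for a CIDR/host that lies inside the Bastion subnet; service tags never qualify."""
    try:
        return ipaddress.ip_network(prefix, strict=False).subnet_of(BASTION_SUBNET)
    except (ValueError, TypeError):
        # '*', 'Internet', 'VirtualNetwork' and other service tags are not addresses
        return False


def audit(rules):
    """Return (name, priority, offending_sources) for each inbound Allow rule that
    exposes RDP/SSH to anything outside the Bastion subnet.
    Each Allow rule is judged on its own; shadowing by a higher-priority Deny is not modelled."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if not rule_touches_mgmt_ports(rule):
            continue
        sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]
        offending = [s for s in sources if not source_is_bastion(s)]
        if offending:
            findings.append((rule["name"], rule["priority"], offending))
    return findings


if __name__ == "__main__":
    for name, priority, sources in audit(SAMPLE_RULES):
        print(f"[{priority}] {name}: RDP/SSH allowed from {sources}")
```

Feed the script the JSON from `az network nsg rule list -g <rg> --nsg-name <nsg>` after parsing it with `json.load`, and treat every finding as a rule to replace with one whose source is the Bastion subnet. Note that the audit deliberately flags the `VirtualNetwork` tag: the point of confining management traffic to Azure Bastion is lost if any VM in the virtual network can still reach 22 or 3389 directly.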

Softer benefits include better protection for private networks from malicious activity such as external port scanning, because VMs are shielded from the public internet, Microsoft said. Finally, as a managed service, Microsoft will continuously patch Azure Bastion to harden it against zero-day exploits.


Future plans include Active Directory integration for single sign-on and multifactor authentication and support for native RDP and SSH clients, Microsoft said.

Azure Bastion is now available at 50% off during the preview period, with base costs at $0.095 per hour, plus fees for outbound data transfer on a sliding scale. No service-level agreement is provided prior to general availability, however.

Azure Bastion strikes at critical customer pain point

More options to secure VMs and private networks are important, analysts agreed.

"It's a great thing that they're doing this," said Gary Chen, an analyst at IDC. "It's going to make people's lives easier in a lot of ways."

Microsoft's rival AWS offers capabilities similar in intent to Azure Bastion, such as AWS Transit Gateway. AWS has also advised customers on how to replace a self-managed bastion host with its EC2 Systems Manager tool.

"These gateway systems are always a challenge to maintain for enterprises," said Holger Mueller, an analyst at Constellation Research in Cupertino, Calif. "They are critical, but unique. And, therefore, [they are] almost always handled manually -- and with that, mistakes happen. Offering this as a managed service is a huge benefit."
