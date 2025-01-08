You wouldn't leave your front door open when you leave the house, would you? The same goes for your VMs. Some form of gateway is needed to control access to internal networks and keep external threats out. One option is a bastion host.

In military terms, a bastion is a defensive structure that is part of a larger fort or castle. It is typically built to offer a better view of the surroundings and prevent attackers from breaching the walls. Similarly, a bastion host serves as a security checkpoint determining whether incoming access to its assigned internal network is friend or foe.

For those who think bastion hosts are unnecessary, consider a freshly built Linux host with a public IP address that logged more than 1,200 connection attempts on port 22 (SSH) and port 3389 (Microsoft Remote Desktop Protocol) in less than a day. Done correctly, a bastion host keeps those ports out of reach of bots, scanners and attackers.

The Linux host displays hundreds of scans for SSH and RDP.

Discover the benefits of Azure bastion hosts and how they can protect VMs from port scanning and other threats.

VM management stays off the public internet: Azure Bastion connects to VMs over their private IP addresses, so a VM needs no public IP for management. With no public IP, port scanners cannot find open management ports on those VMs. Traditional access methods that expose RDP (port 3389) or SSH (port 22) to the internet invite brute-force and automated scanning attacks.

Secure access. With Azure Bastion, the only public-facing component is the bastion host itself. That single host can be monitored, and access to it can be restricted to known IP ranges, which reduces the risk of unauthorized access. All traffic between the client and Azure Bastion is encrypted end to end (TLS over port 443). Because users reach Bastion through the Azure portal, VM access can also be protected by Microsoft Entra multifactor authentication. Activity logs record who connected to which VM and when, which helps with audits and incident response.

Integration with Microsoft Entra ID and Azure role-based access control enables granular access management. Azure Firewall or network security groups (NSGs) can enforce additional rules. Because Bastion is deployed into a dedicated AzureBastionSubnet with a known address range, NSGs on the workload subnets can restrict inbound SSH and RDP to that range only, so the VMs accept management connections solely from the bastion. The set of rules the bastion subnet itself needs is fixed and documented, so the management rule set stays small and rarely changes, which eases operational overhead as well as improving security. Azure Monitor and Microsoft Defender for Cloud (formerly Azure Security Center) can be configured to alert on suspicious activity related to bastion access.

Browser-based access. Accessing VMs directly through a web browser eliminates the need for additional client software. Extra client software widens the attack surface, whether through a data leak, malicious code injected into a third-party application or a man-in-the-middle attack. Native RDP and SSH clients are still supported if needed.
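The NSG rule the paragraph above describes (management ports open only from the AzureBastionSubnet range) is easy to get wrong, and a rule that still allows 22 or 3389 from the internet silently undoes the benefit of the bastion. The following audit script is an added example written for this article, not code from the page's author or from Microsoft. It assumes rules in the JSON shape returned by `az network nsg rule list` (field names `name`, `priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix`/`sourceAddressPrefixes`, `destinationPortRange`/`destinationPortRanges`), a bastion subnet of 10.0.255.0/26, and a constructed set of sample rules; swap in your own export and subnet range.

```python
"""Audit Azure NSG rules for SSH/RDP exposed beyond the AzureBastionSubnet.

Added example (not from the original article). Field names follow the
output of `az network nsg rule list`; the sample rules below are constructed.
"""
import ipaddress

MGMT_PORTS = {22, 3389}
# Address range of the dedicated AzureBastionSubnet (assumed; use your own).
BASTION_SUBNET = ipaddress.ip_network("10.0.255.0/26")
# Source prefixes that mean "anyone on the internet".
INTERNET_PREFIXES = {"*", "Internet", "0.0.0.0/0", "::/0"}


def ports_in_range(spec):
    """Return the management ports covered by a port spec: '22', '20-25' or '*'."""
    if spec == "*":
        return set(MGMT_PORTS)
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    return {p for p in MGMT_PORTS if lo <= p <= hi}


def rule_ports(rule):
    """Collect management ports from destinationPortRange(s)."""
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
    found = set()
    for spec in specs:
        if spec:
            found |= ports_in_range(spec)
    return found


def rule_sources(rule):
    """Collect sources from sourceAddressPrefix(es)."""
    srcs = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]
    return [s for s in srcs if s]


def source_is_bastion_only(src):
    """True when src is an IP or CIDR fully inside the bastion subnet."""
    try:
        return ipaddress.ip_network(src, strict=False).subnet_of(BASTION_SUBNET)
    except (ValueError, TypeError):
        # Service tags ('Internet', 'VirtualNetwork'), '*' or a different
        # address family are never "bastion only".
        return False


def audit_nsg_rules(rules):
    """Flag inbound Allow rules that open 22/3389 from anything but the bastion subnet.

    Each Allow rule is judged on its own; a lower-numbered Deny that shadows
    it is not modelled, so treat findings as candidates to review.
    """
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if rule["protocol"] not in ("Tcp", "*"):
            continue
        ports = rule_ports(rule)
        if not ports:
            continue
        for src in rule_sources(rule):
            if source_is_bastion_only(src):
                continue
            verdict = "internet" if src in INTERNET_PREFIXES else "not-bastion"
            for port in sorted(ports):
                findings.append({"rule": rule["name"], "port": port,
                                 "source": src, "verdict": verdict})
    return findings


# Constructed sample: two correct bastion rules, one internet-exposed RDP rule,
# one corporate-range rule that happens to cover SSH, one harmless HTTPS rule.
SAMPLE_RULES = [
    {"name": "allow-ssh-from-bastion", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.255.0/26",
     "destinationPortRange": "22"},
    {"name": "allow-rdp-from-bastion", "priority": 110, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.255.0/26",
     "destinationPortRanges": ["3389"]},
    {"name": "allow-rdp-internet", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "3389"},
    {"name": "allow-mgmt-corp", "priority": 210, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefixes": ["203.0.113.0/24"],
     "destinationPortRange": "20-25"},
    {"name": "allow-https", "priority": 300, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "443"},
    {"name": "deny-all-inbound", "priority": 4096, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for f in audit_nsg_rules(SAMPLE_RULES):
        print(f"{f['verdict']:<11} rule={f['rule']} port={f['port']} source={f['source']}")
```

Run against a real export with `az network nsg rule list -g <rg> --nsg-name <nsg> -o json`, loaded with `json.load`, in place of `SAMPLE_RULES`. A finding marked `internet` is the case the article warns about; `not-bastion` means a non-bastion range (a corporate CIDR, or the `VirtualNetwork` tag, which would allow lateral movement from any compromised VM) can reach a management port and deserves a second look.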

Azure Bastion costs and limitations

While Azure Bastion hosts can do a lot of good for businesses, they come at a cost. For example, in Azure's East US 2 region the Standard SKU bastion host is billed at $0.29 per hour at the time of writing. That might not sound like much, but a bastion host cannot be stopped or deallocated the way a VM can: it bills for every hour it exists. Bastion can scale out, and the instance count can be set at deployment time, but a host either exists, and is billed, or it doesn't.

Outbound data transfer also has a cost. Using the same East US 2 example, the first 5 GB per month is free; after that, it is billed at $0.087 per GB. Depending on a business's data transfer needs, these costs can add up substantially.

One noteworthy limitation is that a Bastion deployment is regional: it lives in one virtual network in one Azure region. Administrators who need to reach VMs in several regions must either deploy a bastion host per region or connect the virtual networks, because Azure Bastion can reach VMs deployed in peered virtual networks through two types of peering:

Virtual network peering. Connects virtual networks within the same Azure region.

Global virtual network peering. Connects virtual networks across Azure regions, so a single bastion host can serve VMs in another region.