Sunday, September 5, 2021

Introduction: This article continues the series of articles that began with a description of the SignalR service, followed by a discussion of the Azure Gateway service, Azure Private Link, Azure Private Endpoint, and the benefit of diverting traffic to the Azure backbone network. We then reviewed a more public, internet-facing service, the Bing API, and the benefits it provides when used together with Azure Cognitive Services. After that we discussed infrastructure APIs such as the Provider API, ARM resources, and Azure Pipelines.


Azure Bastion is a fully managed PaaS service that is provisioned inside the virtual network created by the Azure user. It provides secure and seamless RDP/SSH connectivity to virtual machines directly from the Azure portal over TLS. Because SSH/RDP access is delivered as a service, the virtual machine does not need a public IP address, an agent, or special client software. It provides RDP or SSH connectivity to all the virtual machines in the virtual network, so host-level access settings need not be configured on a host-by-host basis.

The key benefits of this service include RDP and SSH access to the network, remote sessions over TLS, traversal of corporate firewalls, no public IP address on the virtual machines, no management of network policies and network security groups for remote access, protection of the virtual machines from port scanning, and protection at the network edge against zero-day exploits, with hardening done in one place rather than on each resource internally.

Bastion hosts are not a new concept in networking. A jump server or relay server has long been used to reach production virtual machines in traditional enterprise settings. Bastion merely provides that jump-server access by sitting on the public side of a perimeter network, and it is hardened to withstand attacks from the public internet.


The Bastion host is deployed in its own subnet, named AzureBastionSubnet, which must have a prefix of at least /27; that means there are at least 30 addressable hosts in the subnet. The prefix length is the number of leading bits of the IP address fixed by the mask; the remaining bits vary, and each variation can be the address of a single host, so the number of such variations determines how many hosts the subnet can address. The user connects to the Bastion service through the Azure portal using any HTML5 browser.
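A pre-deployment check for the subnet requirement described above, written as an added example (not code from the original post or from Azure): it applies the prefix-length arithmetic the paragraph explains and checks a proposed AzureBastionSubnet against a VNet's address space. The subnet name, /27 minimum and sample addresses are taken from the text; the host-count formula is the classic 2^(32 - prefix) minus network and broadcast addresses.

```python
import ipaddress

# Requirements stated on the page: the Bastion subnet is named exactly
# AzureBastionSubnet and has a prefix of /27 or larger (prefix length <= 27).
BASTION_SUBNET_NAME = "AzureBastionSubnet"
BASTION_MAX_PREFIX_LEN = 27


def addressable_hosts(prefix_len: int) -> int:
    """Hosts an IPv4 prefix can address under classic subnet arithmetic:
    2^(32 - prefix length) minus the network and broadcast addresses."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"invalid IPv4 prefix length: {prefix_len}")
    return max(2 ** (32 - prefix_len) - 2, 0)


def validate_bastion_subnet(name, cidr, vnet_cidr, other_subnets=()):
    """Return a list of problems; an empty list means the subnet is acceptable.

    other_subnets: iterable of (name, cidr) pairs already present in the VNet;
    the Bastion subnet must not overlap any of them."""
    problems = []
    if name != BASTION_SUBNET_NAME:
        problems.append(f"subnet must be named {BASTION_SUBNET_NAME!r}, got {name!r}")
    try:
        # strict=True rejects a CIDR whose host bits are set (e.g. 10.0.1.1/27)
        subnet = ipaddress.ip_network(cidr, strict=True)
        vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    except ValueError as exc:
        return problems + [f"invalid CIDR: {exc}"]
    if subnet.version != 4 or vnet.version != 4:
        return problems + ["AzureBastionSubnet and its VNet must be IPv4 prefixes"]
    if subnet.prefixlen > BASTION_MAX_PREFIX_LEN:
        problems.append(
            f"/{subnet.prefixlen} addresses only {addressable_hosts(subnet.prefixlen)} hosts; "
            f"Bastion needs /{BASTION_MAX_PREFIX_LEN} or larger "
            f"({addressable_hosts(BASTION_MAX_PREFIX_LEN)} hosts)"
        )
    if not subnet.subnet_of(vnet):
        problems.append(f"{cidr} is not inside the VNet address space {vnet_cidr}")
    for other_name, other_cidr in other_subnets:
        other = ipaddress.ip_network(other_cidr, strict=False)
        if subnet.overlaps(other):
            problems.append(f"{cidr} overlaps existing subnet {other_name!r} ({other_cidr})")
    return problems
```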


The number of Bastion host instances can be scaled manually for concurrent RDP/SSH access. Up to 50 instances are supported, and increasing this number increases the number of concurrent connections. Network architects are spared much of the effort of per-host and security-group configuration and can instead delegate all remote access to this service.


As an Azure public cloud service, it comes with support for ARM-based deployment, a command-line interface, a REST API, SDKs, and UI-based management and provisioning.
