Description:
Azure Bastion provides RDP and SSH access to Virtual Machines from the Azure Portal over a TLS session on port 443, so RDP (3389) and SSH (22) never need to be exposed to the internet. Because the session is brokered through the Azure Portal, sign-in is governed by Microsoft Entra ID, allowing organizations to enforce Multi-Factor Authentication, Conditional Access, and centralized identity governance for remote access. This control verifies that at least one Bastion Host is deployed in the environment to provide secure management access to Azure Virtual Machines.
Rationale:
If Azure Bastion is not deployed, administrators tend to attach public IPs to Virtual Machines and open RDP or SSH to the internet, which exposes them to brute-force attacks, credential theft, and unauthorized access. Azure Bastion removes the need for public IPs on Virtual Machines and centralizes remote access through the Azure Portal, where identity controls apply and the exposed attack surface is reduced. This makes Bastion an essential component of secure remote management.
Impact:
Improves security by preventing direct exposure of RDP and SSH to the internet and by routing access through Microsoft Entra ID authentication controls. May introduce additional cost and requires the correct virtual network configuration, including a dedicated subnet named AzureBastionSubnet with a prefix of /26 or larger. The Standard SKU enables advanced features but may increase cost.
Default Value:
Azure Bastion is not deployed by default in any subscription or virtual network.
Pre-requisites:
A virtual network containing a subnet named AzureBastionSubnet with a prefix of /26 or larger (for example /26, /25 or /24).
A Standard SKU Public IP address with static allocation, in the same region as the Bastion Host.
Permissions to create network and Bastion resources, including Microsoft.Network/bastionHosts/write.
Test Plan:
Sign in to the Azure Portal: https://portal.azure.com
In the search bar, search for Bastions.
Verify that a Bastion Host exists in the virtual network hosting the virtual machines (or in a virtual network peered to it).
Confirm the Bastion Host's provisioning state is Succeeded.
If no Bastion Host exists, or its deployment has not succeeded, follow the implementation steps.
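The Test Plan above can be scripted instead of clicked through. The following Python is an added example, not part of the original control and not Microsoft tooling. It reads the JSON that `az network nic list -o json` and `az network bastion list -o json` produce (the field names used are assumed from that output; the sample records below are constructed) and reports every virtual network that hosts a VM but has no Bastion Host whose deployment succeeded in AzureBastionSubnet. It does not account for VNet peering, so a VNet that is reached through a Bastion in a peered network will be flagged and needs manual confirmation.

```python
"""Audit: which VNets host VMs but have no healthy Bastion Host?

Added example (not Microsoft code). Input shapes follow the assumed output of
`az network nic list -o json` and `az network bastion list -o json`.
"""
import json
from typing import Dict, List, Set

# Constructed sample of `az network nic list -o json`, trimmed to the fields used.
# Two NICs are attached to VMs in different VNets; the third NIC is unattached.
NIC_LIST_JSON = """
[
  {"name": "vm-web01-nic",
   "virtualMachine": {"id": "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web01"},
   "ipConfigurations": [{"subnet": {"id": "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/snet-web"}}]},
  {"name": "vm-build01-nic",
   "virtualMachine": {"id": "/subscriptions/0000/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm-build01"},
   "ipConfigurations": [{"subnet": {"id": "/subscriptions/0000/resourceGroups/rg-dev/providers/Microsoft.Network/virtualNetworks/vnet-dev/subnets/snet-build"}}]},
  {"name": "orphan-nic",
   "virtualMachine": null,
   "ipConfigurations": [{"subnet": {"id": "/subscriptions/0000/resourceGroups/rg-lab/providers/Microsoft.Network/virtualNetworks/vnet-lab/subnets/snet-lab"}}]}
]
"""

# Constructed sample of `az network bastion list -o json`. bas-prod is healthy;
# bas-dev exists but its deployment failed, so it must not count as coverage.
BASTION_LIST_JSON = """
[
  {"name": "bas-prod", "provisioningState": "Succeeded", "sku": {"name": "Standard"},
   "ipConfigurations": [{"subnet": {"id": "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/AzureBastionSubnet"}}]},
  {"name": "bas-dev", "provisioningState": "Failed", "sku": {"name": "Basic"},
   "ipConfigurations": [{"subnet": {"id": "/subscriptions/0000/resourceGroups/rg-dev/providers/Microsoft.Network/virtualNetworks/vnet-dev/subnets/AzureBastionSubnet"}}]}
]
"""

BASTION_SUBNET = "azurebastionsubnet"  # compared case-insensitively


def vnet_id_of(subnet_id: str) -> str:
    """Strip '/subnets/<name>' from a subnet resource ID. Azure resource IDs are
    case-insensitive, so everything is normalised to lowercase for comparison."""
    return subnet_id.lower().rsplit("/subnets/", 1)[0]


def vnets_hosting_vms(nics: List[dict]) -> Set[str]:
    """VNets that contain at least one NIC attached to a VM."""
    result: Set[str] = set()
    for nic in nics:
        if not nic.get("virtualMachine"):
            continue  # unattached NIC: there is no VM to protect
        for ipcfg in nic.get("ipConfigurations", []):
            result.add(vnet_id_of(ipcfg["subnet"]["id"]))
    return result


def healthy_bastions(bastions: List[dict]) -> Dict[str, str]:
    """Map VNet ID -> Bastion name for hosts whose deployment succeeded and whose
    IP configuration sits in AzureBastionSubnet."""
    covered: Dict[str, str] = {}
    for bastion in bastions:
        if bastion.get("provisioningState") != "Succeeded":
            continue  # a failed or in-progress deployment provides no access path
        for ipcfg in bastion.get("ipConfigurations", []):
            subnet_id = ipcfg["subnet"]["id"].lower()
            if subnet_id.rsplit("/", 1)[-1] == BASTION_SUBNET:
                covered[vnet_id_of(subnet_id)] = bastion["name"]
    return covered


def find_uncovered_vnets(nic_json: str, bastion_json: str) -> List[str]:
    """Sorted list of VNets that host VMs but have no healthy Bastion Host."""
    needed = vnets_hosting_vms(json.loads(nic_json))
    covered = healthy_bastions(json.loads(bastion_json))
    return sorted(vnet for vnet in needed if vnet not in covered)


if __name__ == "__main__":
    for vnet in find_uncovered_vnets(NIC_LIST_JSON, BASTION_LIST_JSON):
        print(f"FAIL: no healthy Bastion Host for {vnet}")
```

With the constructed data only vnet-dev is reported: vnet-prod is covered by bas-prod, vnet-lab contains no VM, and the failed bas-dev deployment is deliberately not counted. To run it against a real subscription, replace the two constants with the output of the two `az` commands.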
Implementation Steps:
Sign in to the Azure Portal https://portal.azure.com
In the search bar, search for Bastions.
Click Create Bastion.
Select the Subscription and Resource Group.
Enter a Bastion Name and select the Region.
Select Standard as the Tier.
Select the target Virtual Network.
Ensure a subnet named AzureBastionSubnet exists with a prefix of /26 or larger.
Select or create a Standard SKU Public IP address with static allocation.
Click Review + Create, then click Create.
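The two prerequisites that most often make the Create step fail are the subnet and the public IP. The Python below is an added example, not Microsoft's code, that validates both from resource JSON before anything is created. It assumes the field shapes of `az network vnet show -o json` and `az network public-ip show -o json`, and the sample resources are constructed; note in particular that "/26 or larger" means a prefix length of 26 or less, so /27 fails while /24 passes.

```python
"""Pre-flight checks for the Azure Bastion prerequisites (added example)."""
import ipaddress
from typing import List

BASTION_SUBNET_NAME = "AzureBastionSubnet"
MAX_PREFIX_LEN = 26  # "/26 or larger" == prefix length 26 or smaller number

# Constructed samples in the assumed shape of `az network vnet show -o json`.
VNET_READY = {"name": "vnet-prod", "subnets": [
    {"name": "snet-web", "addressPrefix": "10.10.1.0/24"},
    {"name": "AzureBastionSubnet", "addressPrefix": "10.10.255.0/26"}]}
VNET_TOO_SMALL = {"name": "vnet-dev", "subnets": [
    {"name": "AzureBastionSubnet", "addressPrefix": "10.20.255.0/27"}]}

# Constructed samples in the assumed shape of `az network public-ip show -o json`.
PIP_OK = {"name": "pip-bastion", "location": "westeurope", "sku": {"name": "Standard"},
          "publicIPAllocationMethod": "Static", "ipConfiguration": None}
PIP_BAD = {"name": "pip-old", "location": "westeurope", "sku": {"name": "Basic"},
           "publicIPAllocationMethod": "Dynamic", "ipConfiguration": None}


def check_bastion_subnet(vnet: dict) -> List[str]:
    """Return problems with the VNet's Bastion subnet; an empty list means ready."""
    problems: List[str] = []
    subnets = {s["name"]: s for s in vnet.get("subnets", [])}
    subnet = subnets.get(BASTION_SUBNET_NAME)
    if subnet is None:
        problems.append(f"no subnet named {BASTION_SUBNET_NAME} in {vnet.get('name')}")
        return problems
    prefix = subnet.get("addressPrefix")
    if not prefix:
        problems.append(f"{BASTION_SUBNET_NAME} has no addressPrefix")
        return problems
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        problems.append(f"{BASTION_SUBNET_NAME} has an invalid prefix {prefix!r}")
        return problems
    if net.prefixlen > MAX_PREFIX_LEN:
        problems.append(f"{BASTION_SUBNET_NAME} is /{net.prefixlen}; Bastion needs /{MAX_PREFIX_LEN} or larger")
    return problems


def check_public_ip(pip: dict, region: str) -> List[str]:
    """Bastion needs a Standard SKU, statically allocated, unattached public IP in its region."""
    problems: List[str] = []
    name = pip.get("name")
    if pip.get("sku", {}).get("name") != "Standard":
        problems.append(f"public IP {name} is not Standard SKU")
    if pip.get("publicIPAllocationMethod") != "Static":
        problems.append(f"public IP {name} is not statically allocated")
    if (pip.get("location") or "").lower() != region.lower():
        problems.append(f"public IP {name} is not in region {region}")
    if pip.get("ipConfiguration"):
        problems.append(f"public IP {name} is already associated with another resource")
    return problems


def preflight(vnet: dict, pip: dict, region: str) -> List[str]:
    """All prerequisite problems for one planned Bastion deployment."""
    return check_bastion_subnet(vnet) + check_public_ip(pip, region)


if __name__ == "__main__":
    for label, vnet, pip in (("prod", VNET_READY, PIP_OK), ("dev", VNET_TOO_SMALL, PIP_BAD)):
        issues = preflight(vnet, pip, "westeurope")
        print(f"{label}: {'ready' if not issues else '; '.join(issues)}")
```

Run the checks with the real `az network vnet show` and `az network public-ip show` output before opening the Create Bastion blade; a non-empty list is exactly the set of changes to make first.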
Backout Plan:
Sign in to the Azure Portal https://portal.azure.com
In the search bar, search for Bastions.
Select the Bastion Host to be removed.
Click Delete.
Confirm the deletion when prompted.
References:
https://learn.microsoft.com/azure/bastion/bastion-create-host
https://learn.microsoft.com/azure/security/benchmark/azure-security-benchmark-network-security