Description:

 Azure Bastion is a fully managed platform-as-a-service (PaaS) offering that provides RDP (Remote Desktop Protocol) and SSH (Secure Shell) connectivity to virtual machines (VMs) in a Virtual Network (VNet) without exposing them to the public internet. The session is brokered through the Azure portal (or, on the Standard SKU, a native client tunnel) over TLS on port 443, and the Bastion host connects to the VM over its private IP address, so the VM needs neither a public IP nor inbound RDP/SSH rules from the internet. Ensuring that a Bastion host exists for every VNet that holds managed VMs removes the main reason for assigning public IPs to VMs.

Rationale:

 Using Azure Bastion removes the need for public IP addresses on VMs and for management ports (TCP 22 and 3389) reachable from the internet, which are among the most scanned and brute-forced entry points. Bastion acts as a managed jump host: the administrator authenticates to Azure (Microsoft Entra ID, ideally with MFA and Conditional Access) before any RDP or SSH session is opened to the VM's private IP, and the VM itself never accepts a connection from the internet. This supports controls in frameworks such as SOC 2, HIPAA and NIST SP 800-53 that require administrative access to systems to be restricted and not directly exposed.

Impact:

Deploying a Bastion host allows public IPs and internet-facing 22/3389 rules to be removed from VMs, shrinking the attack surface. Operationally, Bastion needs a dedicated subnet named AzureBastionSubnet (/26 or larger) in the VNet, and the network security groups on the target VM subnets must still allow inbound RDP/SSH from that subnet; if an NSG is attached to AzureBastionSubnet, it must permit the inbound 443 and outbound rules the service depends on. Bastion is billed hourly per host plus outbound data transfer, and administrators lose direct use of local RDP/SSH clients unless the Standard SKU's native client support is used.

Default Value:

 By default, Azure Bastion is not deployed in a subscription or VNet. It must be deployed explicitly, through the portal, Azure CLI, ARM/Bicep templates, or a DeployIfNotExists policy.

Pre-requisites:

  • Azure account and permissions: an account with the Owner or Contributor role (or an equivalent custom role) on the resource group or subscription where the Bastion host and its public IP will be created.

  • Virtual Network (VNet): Azure Bastion is deployed into a VNet, which must contain a dedicated subnet named AzureBastionSubnet with a prefix of /26 or larger. Target VMs must be in the same VNet or in a VNet peered to it.

Audit:

To check whether Azure Bastion is deployed for the Virtual Networks that contain managed VMs:

  1. Sign in to the Azure portal using an account with appropriate permissions.

  2. Navigate to the Virtual Network.

  3. In the Settings section of the VNet, open Bastion under Security:

    • If a Bastion host is deployed for this VNet it is shown here; otherwise the blade offers to deploy one.

    • Repeat for every VNet that contains VMs, treating a VNet as covered if it is peered to a VNet that hosts a Bastion (hub-and-spoke deployments).

    • Confirm that the VMs in those VNets no longer have public IP addresses or internet-facing inbound NSG rules for TCP 22 or 3389 (check the VM's Networking blade or the network interface resource).
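Checking every VNet by hand does not scale, so the following added example (written for this page, not Microsoft tooling or code from the original) performs the same audit over exported Azure CLI output. It assumes the JSON shapes returned by `az network vnet list`, `az network bastion list` and `az network nic list` with `-o json`; the resource names, subscription ID and SAMPLE_* records are constructed for illustration. It goes slightly beyond the portal steps: a VNet counts as covered if a Bastion host is deployed in it or in a connected peer, and it also lists network interfaces that still carry a public IP.

```python
"""
Offline audit of the Azure Bastion control from exported Azure CLI output.

Added example (not part of the original page or any Microsoft tooling). It
assumes the JSON shapes returned by these commands, saved with `-o json`:
    az network vnet list      -> virtualNetworkPeerings[].remoteVirtualNetwork.id
    az network bastion list   -> ipConfigurations[].subnet.id
    az network nic list       -> ipConfigurations[].subnet.id / .publicIPAddress.id
The SAMPLE_* records below are constructed for illustration, not real output.
"""
import json
import re
import sys

# ARM resource IDs are case-insensitive, so every comparison is done lower-cased.
VNET_ID_RE = re.compile(
    r"(/subscriptions/[^/]+/resourcegroups/[^/]+/providers/"
    r"microsoft\.network/virtualnetworks/[^/]+)"
)


def vnet_id_of(subnet_id):
    """Return the parent VNet resource ID (lower-cased) of a subnet resource ID."""
    match = VNET_ID_RE.match(subnet_id.lower())
    if not match:
        raise ValueError(f"not a subnet resource ID: {subnet_id}")
    return match.group(1)


def bastion_vnets(bastions):
    """Map each VNet that hosts a Bastion (via its AzureBastionSubnet) to the host name."""
    hosted = {}
    for bastion in bastions:
        for cfg in bastion.get("ipConfigurations", []):
            hosted[vnet_id_of(cfg["subnet"]["id"])] = bastion["name"]
    return hosted


def reachable_bastion(vnet_id, vnets_by_id, hosted):
    """Name of the Bastion serving vnet_id: deployed in it or in a connected peer, else None."""
    if vnet_id in hosted:
        return hosted[vnet_id]
    for peering in vnets_by_id.get(vnet_id, {}).get("virtualNetworkPeerings", []):
        remote = peering["remoteVirtualNetwork"]["id"].lower()
        if peering.get("peeringState") == "Connected" and remote in hosted:
            return hosted[remote]
    return None


def audit(vnets, bastions, nics):
    """Return VNets holding NICs but no reachable Bastion, and NICs that still carry a public IP."""
    hosted = bastion_vnets(bastions)
    vnets_by_id = {v["id"].lower(): v for v in vnets}
    nic_vnets = set()
    public_nics = []
    for nic in nics:
        for cfg in nic.get("ipConfigurations", []):
            nic_vnets.add(vnet_id_of(cfg["subnet"]["id"]))
            # Older CLI versions emit publicIpAddress; REST-shaped output uses publicIPAddress.
            if cfg.get("publicIPAddress") or cfg.get("publicIpAddress"):
                public_nics.append(nic["name"])
    uncovered = [
        v.rsplit("/", 1)[-1]
        for v in sorted(nic_vnets)
        if reachable_bastion(v, vnets_by_id, hosted) is None
    ]
    return {"vnets_without_bastion": uncovered, "nics_with_public_ip": sorted(public_nics)}


# Constructed sample: a hub VNet with Bastion, a peered spoke, and an isolated VNet
# whose VM NIC still has a public IP (the configuration this control should flag).
_NET = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-net/providers/Microsoft.Network"
HUB, SPOKE, ISOLATED = (f"{_NET}/virtualNetworks/{n}" for n in ("vnet-hub", "vnet-spoke", "vnet-isolated"))

SAMPLE_VNETS = [
    {"id": HUB, "name": "vnet-hub",
     "virtualNetworkPeerings": [{"peeringState": "Connected", "remoteVirtualNetwork": {"id": SPOKE}}]},
    {"id": SPOKE, "name": "vnet-spoke",
     "virtualNetworkPeerings": [{"peeringState": "Connected", "remoteVirtualNetwork": {"id": HUB}}]},
    {"id": ISOLATED, "name": "vnet-isolated", "virtualNetworkPeerings": []},
]
SAMPLE_BASTIONS = [
    {"name": "bas-hub", "ipConfigurations": [{"subnet": {"id": f"{HUB}/subnets/AzureBastionSubnet"}}]},
]
SAMPLE_NICS = [
    {"name": "nic-app01",
     "ipConfigurations": [{"subnet": {"id": f"{SPOKE}/subnets/snet-app"}, "publicIPAddress": None}]},
    {"name": "nic-legacy",
     "ipConfigurations": [{"subnet": {"id": f"{ISOLATED}/subnets/default"},
                           "publicIPAddress": {"id": f"{_NET}/publicIPAddresses/pip-legacy"}}]},
]


def load(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python bastion_audit.py vnets.json bastions.json nics.json (no args runs the sample)
    if len(sys.argv) == 4:
        result = audit(load(sys.argv[1]), load(sys.argv[2]), load(sys.argv[3]))
    else:
        result = audit(SAMPLE_VNETS, SAMPLE_BASTIONS, SAMPLE_NICS)
    print(json.dumps(result, indent=2))
```

Run it against the three exported files, or with no arguments to see the sample: the spoke is reported as covered because it is peered to the hub that hosts bas-hub, while vnet-isolated is listed under vnets_without_bastion and nic-legacy under nics_with_public_ip. Run the export with an account that can read all subscriptions in scope, otherwise a Bastion in a hub you cannot see will make its spokes look uncovered.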

Remediation:

Automated Implementation:

To prevent regressions automatically, use Azure Policy. Azure Policy evaluates one resource at a time when it is created or updated, so it cannot deny a VM or VNet because a separate Bastion host resource is missing. The enforceable form of this control is to block the alternative to Bastion: deny public IP addresses on network interfaces, so that RDP and SSH must go through the Bastion host. The built-in definition "Network interfaces should not have public IPs" does the same; the custom definition below adds a parameterized effect so it can be rolled out as Audit before Deny. Use the Audit steps above to confirm that a Bastion host actually exists for each VNet.

  1. Create a custom Azure Policy definition:

    • Go to the Azure portal.

    • Navigate to Policy and click on Definitions.

    • Create a new Custom Policy with the following content:

{
  "properties": {
    "displayName": "Ensure Azure Bastion Host Exists for Secure VM Access",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Denies (or audits) network interfaces that attach a public IP address, so that RDP/SSH access to Virtual Machines must go through an Azure Bastion host.",
    "parameters": {
      "effect": {
        "type": "String",
        "defaultValue": "Audit",
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "metadata": { "displayName": "Effect" }
      }
    },
    "metadata": {
      "version": "1.1.0",
      "category": "Networking"
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkInterfaces"
          },
          {
            "count": {
              "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*]",
              "where": {
                "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
                "exists": "true"
              }
            },
            "greater": 0
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}


  2. Assign the policy:

    • Assign it at the management group or subscription scope that holds the VNets requiring secure VM access. Start with the Audit effect, review the non-compliant network interfaces in the Policy compliance view, move their administrators to Bastion, and then change the assignment to Deny. Deny only blocks new or updated network interfaces; public IPs already attached stay in place until removed. The Bastion host's own public IP belongs to the bastionHosts resource, not to a network interface, so this rule does not block deploying Bastion.

Backout Plan:

To remove Azure Bastion or revert to using public IPs for VM access:

  1. Sign in to the Azure portal with appropriate permissions.

  2. Navigate to the Azure Bastion host:

    • In the Settings section of the VNet, click on Bastion under Security, or open the Bastion host resource directly.

  3. Delete or modify Bastion:

    • Either delete the Azure Bastion host, or attach public IPs to the VMs' network interfaces and add the matching inbound NSG rules for TCP 22/3389 (not recommended; this re-exposes the management ports to the internet).

If the control was enforced via Azure Policy, set the assignment's effect to Disabled or remove the assignment first; otherwise the Deny effect will block attaching public IPs to the network interfaces.

References: