Profile Applicability:
- Level 2
Description:
This check ensures that an Azure Bastion host is deployed in your Azure Virtual Network. Azure Bastion provides secure and seamless RDP and SSH connectivity to virtual machines (VMs) in a virtual network without exposing them to the public internet. Using Azure Bastion helps protect virtual machines by eliminating the need for a public IP address for remote access.
Rationale:
Azure Bastion provides a secure alternative to traditional RDP/SSH access methods that require public IP addresses for virtual machines. By using Azure Bastion, you ensure that management of virtual machines is done securely over the Azure internal network, thereby protecting your VMs from internet exposure and reducing the risk of unauthorized access.
Impact:
Pros:
Eliminates the need for public IP addresses on virtual machines, reducing the attack surface.
Provides secure RDP and SSH access to VMs using Azure's internal network.
Ensures compliance with security best practices by limiting direct public access to VMs.
Reduces the complexity of managing VPN or jump box servers for remote access.
Cons:
Requires additional Azure resources and configuration for deploying and managing the Bastion host.
Potential cost increase associated with using Azure Bastion, depending on the number of sessions and usage.
Default Value:
By default, Azure Bastion is not deployed in a virtual network. It must be manually configured and set up for secure remote access.
Pre-requisites:
Ensure that a virtual network with a dedicated subnet named AzureBastionSubnet is in place. You will also need administrative privileges to deploy and configure the Azure Bastion host.
Test Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Bastions blade.
Verify that an Azure Bastion host exists in the virtual network for which you want to ensure secure RDP/SSH access.
Ensure the Bastion host is associated with the correct virtual network and subnet.
Confirm that the Bastion host is active and properly configured by testing RDP/SSH connectivity to a VM in the network.
Using Azure CLI:
To check whether a specific Azure Bastion host is deployed, run the following command:
az network bastion show --name <BASTION_HOST_NAME> --resource-group <RESOURCE_GROUP_NAME>
Ensure that the output shows the host in provisioning state Succeeded and that its IP configuration references the AzureBastionSubnet of the intended virtual network.
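Where the host name is not known in advance, the audit is easier to run against the full inventory from az network bastion list -o json. The following helper is an added example and not part of this benchmark: it parses that JSON, maps each host to the virtual network of its AzureBastionSubnet, and reports whether a given VNet is covered by a host that has finished provisioning. The sample input is constructed and the name audit_bastion is assumed.

```python
import json
import re

# A Bastion host's IP configuration references the subnet it sits in, via a
# resource ID of the form /subscriptions/<sub>/resourceGroups/<rg>/providers/
# Microsoft.Network/virtualNetworks/<vnet>/subnets/AzureBastionSubnet
SUBNET_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Network/virtualNetworks/(?P<vnet>[^/]+)"
    r"/subnets/(?P<subnet>[^/]+)$",
    re.IGNORECASE,
)


def bastion_status(bastions, vnet_name, vnet_resource_group=None):
    """Report whether vnet_name is served by a deployed Bastion host.

    bastions is the parsed output of `az network bastion list -o json`.
    Compliant means a host in provisioningState 'Succeeded' has an IP
    configuration in that VNet's AzureBastionSubnet; hosts in any other
    state are reported under not_ready rather than counted.
    """
    ready, not_ready = [], []
    for host in bastions:
        for ipc in host.get("ipConfigurations") or []:
            m = SUBNET_ID_RE.match((ipc.get("subnet") or {}).get("id", ""))
            if not m or m["vnet"].lower() != vnet_name.lower():
                continue
            if vnet_resource_group and m["rg"].lower() != vnet_resource_group.lower():
                continue
            if m["subnet"].lower() != "azurebastionsubnet":
                continue  # Bastion requires exactly this subnet name
            bucket = ready if host.get("provisioningState") == "Succeeded" else not_ready
            bucket.append(host["name"])
    return {"vnet": vnet_name, "compliant": bool(ready),
            "bastions": ready, "not_ready": not_ready}


# Constructed sample shaped like (trimmed) `az network bastion list -o json` output.
SAMPLE_BASTIONS = json.loads("""[
 {"name": "bas-prod", "provisioningState": "Succeeded", "ipConfigurations": [{"subnet":
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/AzureBastionSubnet"}}]},
 {"name": "bas-dev", "provisioningState": "Failed", "ipConfigurations": [{"subnet":
  {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-dev/providers/Microsoft.Network/virtualNetworks/vnet-dev/subnets/AzureBastionSubnet"}}]}
]""")

if __name__ == "__main__":
    # Real use: replace SAMPLE_BASTIONS with json.load(sys.stdin) fed by the az command.
    for vnet in ("vnet-prod", "vnet-dev", "vnet-test"):
        print(json.dumps(bastion_status(SAMPLE_BASTIONS, vnet)))
```

A VNet with no Bastion host, or only a host that is still provisioning or has failed, is reported as non-compliant so that it is not mistaken for a protected network.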
Implementation Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Bastions blade and click Create.
Select the Subscription and Resource Group.
Choose the Virtual Network and Subnet where the Bastion host should be deployed. The subnet must be named AzureBastionSubnet; Bastion cannot be deployed into a subnet with any other name.
Configure the Public IP address (a static public IP will be created during Bastion host creation).
Click Review + Create and then click Create to deploy the Bastion host.
Using Azure CLI:
To deploy a new Azure Bastion host, run the following command. The host is placed in the virtual network's AzureBastionSubnet automatically (the command takes no subnet argument), and <PUBLIC_IP_NAME> must refer to an existing static public IP address:
az network bastion create --name <BASTION_HOST_NAME> --resource-group <RESOURCE_GROUP_NAME> --vnet-name <VNET_NAME> --public-ip-address <PUBLIC_IP_NAME>
Verify the Bastion host deployment by checking the status:
az network bastion show --name <BASTION_HOST_NAME> --resource-group <RESOURCE_GROUP_NAME>
Backout Plan:
Using Azure Console:
Log in to the Azure portal at https://portal.azure.com.
Go to the Bastions blade and select the Bastion host you want to remove.
Click Delete to remove the Bastion host.
Ensure that VMs that were relying on Bastion access are reconfigured for an alternative remote access method.
Using Azure CLI:
To delete the Azure Bastion host, run the following command:
az network bastion delete --name <BASTION_HOST_NAME> --resource-group <RESOURCE_GROUP_NAME>