In today’s blog, ClearCloud’s Azure expert Matt is having his say on Azure’s new platform-as-a-service solution Azure Bastion.
So, what does he think of this new tech?
Although Azure Bastion is only in private preview, it has gained a lot of attention over the past few weeks. But why?
Well, giving you the ability to connect to VMs that do not have a public IP address seems like a winning strategy. It makes sense – if your VMs don’t need to be publicly accessible to operate, then they shouldn’t have a public IP. It’s not exactly rocket science!
Usually, people manage their VMs by either restricting access so they can only be connected to over a VPN, or by using a Bastion VM (jump box). Azure Bastion gives you the ability to connect to VMs that don’t have a public IP, without the need for either of these. It does this by opening an RDP/SSH connection through the Azure portal over HTTPS, which makes sense in theory, but in practice I’m not 100% convinced.
Having the ability to do the above does make accessing things simpler and cheaper. But we shouldn’t always let convenience get in the way of security!
Yeah, a VM without a public IP can’t be brute forced over the internet, but if you use Azure Bastion then your security is only as strong as your Azure portal access and management. If you don’t have additional restrictions in place for logging into Azure, then your VMs without a public IP just got slightly less difficult to access.
So, if you’re going to use Azure Bastion instead of a VPN then make sure it is for a better reason than to save the cost of a VPN Gateway! If someone has access to your Azure portal then they potentially have the ability to reset VM passwords and access all of those private resources you’ve worked so hard to protect from the world.
Here are some things (completely unrelated to Azure Bastion) that you can do to strengthen your Azure portal access. Really these should be done anyway, but this feels like a good moment to highlight them again.
Use multi-factor authentication to log into the Azure portal – this is something I tell every client to configure. It’s free for any Office 365 account used for Azure, or any user with an administrative role in Azure, but it isn’t enabled by default.
Accounts that don’t fall into those two categories require an Azure AD P1 licence. At £6 a user, it’s no cost at all to really bolster your security, so configure MFA and then enforce it for all users!
One of the biggest considerations if you’re in Azure is that you have the ability to manage all of your infrastructure over a browser. This means that you (or an attacker) can access it from anywhere! If your password isn’t up to scratch and you don’t have MFA enabled, then this has the potential to cripple your business.
Conditional access policies allow you to restrict the locations that people can connect to your Azure portal from, based on source IP. This is really easy to set up; just add your IPs to your Trusted Locations list and then use that as the condition for connecting to the Azure portal.
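To make the two controls above concrete, here is an added example (not code from the original post, and not Microsoft’s conditional access engine) that models how a trusted-location policy and an MFA-for-everyone policy combine for an Azure portal sign-in. The trusted ranges are constructed for the example, and the decision order (location check first, then MFA) is my assumption about how you would want the policies to stack.

```python
import ipaddress
from dataclasses import dataclass

# Constructed trusted locations, standing in for the named locations you
# would mark as "Trusted" in Azure AD conditional access. Ranges are made up.
TRUSTED_LOCATIONS = {
    "head-office": ["203.0.113.0/24"],
    "management-vpn": ["198.51.100.0/25", "2001:db8:10::/48"],
}


@dataclass
class SignIn:
    user: str
    source_ip: str        # client address as seen by the sign-in service
    mfa_satisfied: bool   # True once the second factor has been completed


def _parse_networks(locations):
    """Flatten {name: [cidr, ...]} into (name, ip_network) pairs."""
    nets = []
    for name, cidrs in locations.items():
        for cidr in cidrs:
            nets.append((name, ipaddress.ip_network(cidr, strict=False)))
    return nets


def matched_location(source_ip, locations=TRUSTED_LOCATIONS):
    """Return the trusted-location name containing source_ip, or None.

    An unparseable address (e.g. a mangled proxy header) is treated as
    untrusted, so the policy fails closed rather than open.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return None
    for name, net in _parse_networks(locations):
        if addr.version == net.version and addr in net:
            return name
    return None


def evaluate_portal_signin(signin, locations=TRUSTED_LOCATIONS):
    """Model of two policies scoped to Azure portal sign-ins (assumed order):
    1. block any sign-in from outside a trusted location;
    2. require MFA for every user, trusted location or not.
    Returns "block", "mfa_required" or "allow".
    """
    if matched_location(signin.source_ip, locations) is None:
        return "block"
    if not signin.mfa_satisfied:
        return "mfa_required"
    return "allow"


if __name__ == "__main__":
    for s in (SignIn("alice", "203.0.113.40", True),
              SignIn("bob", "192.0.2.9", True),
              SignIn("carol", "2001:db8:10::5", False)):
        print(s.user, s.source_ip, "->", evaluate_portal_signin(s))
```

The point of the ordering is that MFA never becomes a substitute for the location restriction: a correct password plus a valid second factor from an untrusted network is still blocked, which is the behaviour you want for portal access that can reset VM credentials.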
A lot of Azure accounts I log onto have most of their users as Reader, Contributor and Owner. This is mainly done because people aren’t aware of all of the RBAC roles available to delegate the correct permissions to users.
There are 124 built-in RBAC roles. 124! And you can create your own custom roles if you want to. Azure provides roles of varying levels for all platforms, so make sure you only give people the access they need and keep it at that. Making everyone a Contributor over the subscription because they need to create vNets is completely unnecessary and should always be avoided.
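As an added example (not from the original post or from Microsoft), the following script audits role assignments for exactly the anti-pattern described above: Owner or Contributor granted over a whole subscription or management group. The input is a constructed sample that mimics the shape of `az role assignment list --all -o json` output (principal names, scopes and the subscription id are made up); the severity tiers and the `BROAD_ROLES` set are my choices, not an Azure built-in.

```python
import json

# Constructed sample shaped like `az role assignment list --all -o json`.
# All principals and ids are invented for this example.
SAMPLE_ASSIGNMENTS = json.loads("""
[
 {"principalName": "alice@example.com", "principalType": "User",
  "roleDefinitionName": "Owner",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalName": "bob@example.com", "principalType": "User",
  "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
 {"principalName": "carol@example.com", "principalType": "User",
  "roleDefinitionName": "Network Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-network"},
 {"principalName": "ci-deploy-sp", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"},
 {"principalName": "dave@example.com", "principalType": "User",
  "roleDefinitionName": "Reader",
  "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]
""")

# Built-in roles that grant write (or permission-granting) rights over
# everything beneath the scope they are assigned at.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def scope_level(scope):
    """Classify an ARM scope string by how much it covers."""
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "managementGroup"
    parts = [p for p in scope.split("/") if p]
    if len(parts) == 2 and parts[0] == "subscriptions":
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resourceGroup"
    return "resource"


def find_overbroad(assignments):
    """Flag broad roles; subscription/management-group scope is 'high',
    resource-group scope is 'review' (may be fine for a deployment identity)."""
    findings = []
    for a in assignments:
        role = a["roleDefinitionName"]
        if role not in BROAD_ROLES:
            continue
        level = scope_level(a["scope"])
        if level in ("managementGroup", "subscription"):
            severity = "high"
        elif level == "resourceGroup":
            severity = "review"
        else:
            continue
        findings.append({"principal": a["principalName"], "role": role,
                         "level": level, "severity": severity})
    return findings


def summarise(assignments):
    """Return counts so the ratio of broad grants can be tracked over time."""
    findings = find_overbroad(assignments)
    return {"total": len(assignments),
            "high": sum(1 for f in findings if f["severity"] == "high"),
            "review": sum(1 for f in findings if f["severity"] == "review")}


if __name__ == "__main__":
    for f in find_overbroad(SAMPLE_ASSIGNMENTS):
        print(f"[{f['severity']}] {f['principal']}: {f['role']} at {f['level']} scope")
    print(summarise(SAMPLE_ASSIGNMENTS))
```

In the sample, carol’s Network Contributor at resource-group scope is what the vNet case above should look like, while alice and bob are the subscription-wide grants worth replacing with a narrower built-in role at a narrower scope. Running the same check against real `az role assignment list` output is a quick way to see how far a subscription is from least privilege.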
VPNs allow for two-factor authentication when connecting into your environment. Using this method is more secure and doesn’t give people access to reset VM passwords like they can do via the Azure portal.