Microsoft has rolled out the public preview of Azure Bastion Premium, a new SKU aimed at increasing the security of virtual machines (VMs) within the Azure ecosystem. The offering targets organizations with high security and compliance needs by introducing advanced features.
Connecting Via Private Endpoints
One of the notable features of Azure Bastion Premium is the “Private Only” mode. It allows Azure VMs to be accessed through a private endpoint, eliminating the need for a public IP address. This benefits organizations that adhere to stringent security policies and want to minimize exposure to internet threats. Those connecting from an on-premises network can combine this feature with Azure ExpressRoute private peering, ensuring a secure connection.
Advanced Monitoring and Logging
In addition, Azure Bastion Premium brings enhanced monitoring and logging features. A key feature is “graphical session recording”, which logs all VM session activities initiated via Azure Bastion. Organizations can choose where these recordings are stored and determine their retention period. The recordings are useful for identifying unusual user behaviors that could signal security issues, and recorded sessions can be examined to understand the actions taken during potentially anomalous activity.
Accessing Azure VMs Securely
Bastion was initially announced for Azure in 2019. It allows users to securely access Azure VMs through the internet by initiating Remote Desktop Services (RDS) or Secure Shell (SSH) connections from the Azure Portal using an HTML5 web browser. The connection to the Azure Bastion service uses Secure Sockets Layer (SSL) over port 443, which enables access to an Azure VM using a private IP address.
Azure Bastion is a platform as a service (PaaS) that gives Microsoft's cloud customers RDP and SSH connectivity to VMs through Secure Sockets Layer (SSL). Khalidi says access is delivered without exposing data to public IPs.