Hey everyone! I just deployed the Microsoft LandingZone, and under the HUB subscription, I set up a bastion host with two VMs (one Windows and one Linux). I can use this bastion for testing connections to other SQL subscriptions. I'm wondering if I should create additional bastion hosts under each subscription and give access to just the users of that subscription? I'm trying to avoid giving unnecessary permissions to the HUB subscription for them to use the bastion. Thanks!
3 Answers
Be cautious about adding multiple bastion instances since that can really add to your costs. What's the SKU of your hub bastion? Also, what specific permissions are you worried about for the other users?
Azure Bastion is a solid choice for setting up in Hub and Spoke networking for enterprise architectures. When you deploy it in the hub, you won't need to modify any VNET settings to connect to the VMs since it operates on the backbone. Just make sure the users have the necessary access permissions! Philips guidelines recommend:
- Reader access on the target VM,
- Reader access on the NIC of the VM,
- Reader access on the Azure Bastion service,
- Reader access on the VNETs of the VMs they're accessing.
If it's not working, you might need to check the reader rights on the VNET associated with the bastion service!
We use Windows Hello for Business, which means we have to opt for the "Standard" SKU and sometimes need complex command lines to run it.
I've heard multiple bastions can boost costs significantly—around $300 a month for basic use? It’s definitely not cheap, but if you consider the alternative of allowing devs to RDP/SSH into VMs without direct network access, the value might be worth it! Definitely depends on your use case.
Yeah, having multiple bastions can really drain your budget! I would recommend sticking with one bastion and just giving users read access on it. Then you can assign them RBAC VM login access on the specific VMs they need to get into.
This is the same approach we take! If you have proper VNET peering, that should work seamlessly.
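The single-bastion, resource-scoped RBAC model described in the answers above (Reader on the Bastion and the VNets, Reader on the VM and its NIC, login rights only on the VM), as an added example that is not from anyone in the thread. The subscription ids, group object id, resource names, `res_id`, `check_hub_grants` and the `DRY_RUN` switch are all this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): grant one spoke team the minimum RBAC it needs to
# reach its own VM through the shared hub Bastion, with nothing subscription-wide in the hub.
set -eu
HUB_SUB="00000000-0000-0000-0000-000000000001"    # placeholder hub subscription id
SPOKE_SUB="00000000-0000-0000-0000-000000000002"  # placeholder spoke subscription id
GROUP_ID="11111111-2222-3333-4444-555555555555"   # placeholder Entra ID group object id
HUB_RG="rg-hub-net"; BASTION="bas-hub"; HUB_VNET="vnet-hub"
SPOKE_RG="rg-spoke-sql"; SPOKE_VNET="vnet-spoke-sql"
VM="vm-sql-01"; NIC="vm-sql-01-nic"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands instead of running them

# Build an ARM resource id: res_id <subscription> <resource-group> <provider/type> <name>
res_id() { printf '/subscriptions/%s/resourceGroups/%s/providers/%s/%s' "$1" "$2" "$3" "$4"; }

# Emit "role|scope" pairs. Hub entries are Reader on single resources (Bastion and its VNet);
# Reader on the spoke VNet, NIC and VM plus the VM login role stay in the spoke subscription.
assignments() {
  printf 'Reader|%s\n' "$(res_id "$HUB_SUB"   "$HUB_RG"   Microsoft.Network/bastionHosts      "$BASTION")"
  printf 'Reader|%s\n' "$(res_id "$HUB_SUB"   "$HUB_RG"   Microsoft.Network/virtualNetworks   "$HUB_VNET")"
  printf 'Reader|%s\n' "$(res_id "$SPOKE_SUB" "$SPOKE_RG" Microsoft.Network/virtualNetworks   "$SPOKE_VNET")"
  printf 'Reader|%s\n' "$(res_id "$SPOKE_SUB" "$SPOKE_RG" Microsoft.Network/networkInterfaces "$NIC")"
  printf 'Reader|%s\n' "$(res_id "$SPOKE_SUB" "$SPOKE_RG" Microsoft.Compute/virtualMachines   "$VM")"
  printf 'Virtual Machine User Login|%s\n' "$(res_id "$SPOKE_SUB" "$SPOKE_RG" Microsoft.Compute/virtualMachines "$VM")"
}

# Guard: reads "role|scope" lines on stdin and fails if any hub grant is broader than one
# resource or stronger than Reader, so a stray Contributor on the hub never gets applied.
check_hub_grants() {
  while IFS='|' read -r role scope; do
    case "$scope" in
      "/subscriptions/$HUB_SUB"*)
        [ "$role" = "Reader" ] || return 1
        case "$scope" in */providers/*/*/*) ;; *) return 1 ;; esac ;;
    esac
  done
}

apply() {
  assignments | check_hub_grants || { echo "refusing: a hub grant is too broad" >&2; return 1; }
  assignments | while IFS='|' read -r role scope; do
    if [ "$DRY_RUN" = 1 ]; then
      printf 'az role assignment create --assignee-object-id %s --assignee-principal-type Group --role "%s" --scope %s\n' "$GROUP_ID" "$role" "$scope"
    else
      az role assignment create --assignee-object-id "$GROUP_ID" --assignee-principal-type Group --role "$role" --scope "$scope"
    fi
  done
}

apply   # dry run by default; run with DRY_RUN=0 to create the assignments for real
```

The guard is the point of the script: it refuses to run if anyone later adds a subscription- or resource-group-scoped hub grant, which is exactly the exposure the original question wants to avoid.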

I don’t want them to have access to the hub environment at all, just for security reasons.