I'm currently working with Azure and trying to get a clear understanding of what Bastion does. Is it essentially a last-resort console for my servers when RDP isn't an option? I know it can be pricey to set up. Can it be deployed only in emergencies and removed afterward? How does this all fit together?
7 Answers
In short, Bastion secures RDP access to Azure virtual machines. With the proper setup—like an AzureBastionSubnet and the right NSG rules—you can deploy and remove it as needed. There’s a basic version that’s cheaper, but it comes with limitations.
It functions similarly to a terminal server gateway, enabling RDP from the internet without directly opening RDP access. It also offers additional features like screen recording.
You can automate Bastion's creation and deletion through tools like Logic Apps. I typically use mine for emergency access, and I can configure it to be ready pretty quickly—though I heard it can vary by region.
Think of Bastion as an expensive jump box—like $250 a month. You connect to it, and it has a private route to your internal VMs, which aren't exposed to the public. It does have some nice features, especially in higher SKUs, and for those with private routes into Azure, Just in Time Access (JIA) might be a better bet.
I actually use Bastion but have it set up to shut down at night, which cuts costs significantly—almost by 80%! It only runs when necessary.
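The on-demand pattern described in the answers above (automated create/delete, running Bastion only when needed) as an added example that is not code from anyone in this thread: an Azure CLI script, assumed installed and logged in, that stands Bastion up for an emergency session and tears it down afterwards. The resource group, VNet, resource names and address prefix are constructed placeholders; DRY_RUN=1 only prints the commands it would run.

```shell
#!/bin/sh
# Added example: deploy Azure Bastion on demand and remove it afterwards,
# so the host is billed only while it exists. The VNet is assumed to exist.
set -eu

RG="${RG:-rg-prod}"                 # placeholder resource group
VNET="${VNET:-vnet-prod}"           # placeholder existing VNet
LOCATION="${LOCATION:-westeurope}"  # placeholder region
BASTION="${BASTION:-bas-emergency}" # placeholder Bastion host name
PIP="${PIP:-pip-bas-emergency}"     # placeholder public IP name
# The subnet name AzureBastionSubnet is fixed by the service and must be /26 or larger.
SUBNET_PREFIX="${SUBNET_PREFIX:-10.0.255.0/26}"
DRY_RUN="${DRY_RUN:-0}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

bastion_up() {
  # 1. Dedicated subnet with the mandatory name.
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" \
      -n AzureBastionSubnet --address-prefixes "$SUBNET_PREFIX"
  # 2. Bastion requires a Standard-SKU static public IP.
  run az network public-ip create -g "$RG" -n "$PIP" -l "$LOCATION" \
      --sku Standard --allocation-method Static
  # 3. The host itself; Basic SKU keeps the emergency deployment cheap.
  run az network bastion create -g "$RG" -n "$BASTION" -l "$LOCATION" \
      --vnet-name "$VNET" --public-ip-address "$PIP" --sku Basic
}

bastion_down() {
  # Delete the host (the billed resource) first, then the public IP so no
  # unused public address is left behind. The empty subnet can stay.
  run az network bastion delete -g "$RG" -n "$BASTION"
  run az network public-ip delete -g "$RG" -n "$PIP"
}

main() {
  case "$1" in
    up)   bastion_up ;;
    down) bastion_down ;;
    *)    echo "usage: $0 up|down" >&2; exit 2 ;;
  esac
}

# Only dispatch when invoked with an argument (e.g. ./bastion.sh up).
[ $# -eq 0 ] || main "$@"
```

Scheduling `down` at night and `up` in the morning from a Logic App or cron job gives the same cost saving as the nightly shutdown mentioned above.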
Bastion is mainly a security tool that lets you connect to your virtual machines via RDP without needing them to have public IP addresses. It's designed to secure those connections and prevent exposure to the internet.
Bastion allows secure RDP and SSH access without needing to expose remote ports. Plus, you can enforce multi-factor authentication (MFA). There's a Developer edition available for free, though it may not be accessible in all regions.
That makes sense! I run on a private network too, so I appreciate the clarity.