Connect To VMs Securely With Azure Bastion For Free

If you’re running VMs in Azure, you will usually need to either RDP or SSH to the VM to resolve issues, install software or perform other administrative tasks. You can do this by opening the inbound port on your NSG and connecting directly to your VM. This will work, but leaving that port open invites brute-force attacks against your VMs. Cloud services are an easy target for attackers looking for open ports, and it’s not uncommon to see brute-force attempts within hours of a VM being deployed with an open port.

Instead of leaving your RDP or SSH ports open to the internet, you can use the Azure Bastion service. This provides a bastion host as a managed service: you connect to it over HTTPS, and it then makes the RDP or SSH connection to your VMs inside the vNet, so you never need to open those insecure inbound ports on your network security groups.
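To make the NSG point concrete, here is an added check (my own example, not code from the post or from Azure) that reads an NSG's inbound rules in the shape `az network nsg show` returns and reports whether RDP or SSH is reachable from the Internet; the rule names and the 10.0.1.0/26 Bastion subnet range are constructed sample values.

```python
# Added example (not the post's own code): audit an NSG's inbound rules and report
# whether RDP (3389) or SSH (22) is reachable from the Internet. Field names follow
# `az network nsg show` output; rule names and address ranges are constructed.
ADMIN_PORTS = {3389: "RDP", 22: "SSH"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

def _port_matches(rule: dict, port: int) -> bool:
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")  # single port or "lo-hi" range
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _source_is_internet(rule: dict) -> bool:
    srcs = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return any(s in INTERNET_SOURCES for s in srcs)

def exposed_admin_ports(rules: list[dict]) -> dict[int, str]:
    """Map admin ports reachable from the Internet to the rule that allows them.
    Rules are checked lowest priority number first; the first rule matching port,
    protocol and an Internet-wide source decides, as the NSG engine does."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"), key=lambda r: r["priority"])
    exposed: dict[int, str] = {}
    for port in ADMIN_PORTS:
        for rule in inbound:
            if rule.get("protocol", "*") not in ("Tcp", "*"):
                continue
            if not (_port_matches(rule, port) and _source_is_internet(rule)):
                continue  # a Bastion-subnet or VirtualNetwork source never matches Internet traffic
            if rule["access"] == "Allow":
                exposed[port] = rule["name"]
            break  # first matching rule wins, whether Allow or Deny
    return exposed

# Two of Azure's default inbound rules; every NSG ends with the catch-all deny.
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
# The "open the inbound port" approach the post warns against: RDP allowed from anywhere.
WEAK_RULES = [{"name": "allow-rdp-from-internet", "priority": 100, "direction": "Inbound", "access": "Allow",
               "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}] + DEFAULT_RULES
# The Bastion approach: RDP/SSH only from the (constructed) AzureBastionSubnet range.
BASTION_RULES = [{"name": "allow-rdp-ssh-from-bastion", "priority": 100, "direction": "Inbound", "access": "Allow",
                  "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/26", "destinationPortRanges": ["22", "3389"]}] + DEFAULT_RULES
```

Running `exposed_admin_ports` over the two rule sets flags only the first one; the Bastion-scoped set falls through to the default deny for Internet sources.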

Bastion

Azure Bastion has been around for a while and is a great solution for providing secure access to VMs; however, it’s not cheap. The standard SKU comes in at around $200 per month and even the basic SKU is around $130. For larger deployments this cost is small compared to VM and other costs. However, for smaller environments with only a couple of VMs, or for developers testing things out in an MSDN subscription, this cost can quickly eat up Azure credits. The new developer SKU aims to help with these scenarios.

Bastion Developer SKU

So the headline item first - Azure Bastion Developer SKU is free. You can deploy it to your vNet and get access to your VMs at no additional cost. Given this, there should be no reason to expose your RDP or SSH ports to the internet anymore; just spin up a bastion instance. However, there are some limitations on the developer SKU that you should be aware of, and that might push you towards a paid SKU.

Limitations

  • No support for peering - you cannot use the developer SKU to connect to VMs on a different vNet that is connected to the Bastion vNet via a peer. That said, you can just deploy a second bastion instance to that vNet for free.
  • No support for multiple concurrent connections per user - a single user can only connect to one VM at a time
  • No Key Vault integration - you cannot store SSH keys in Key Vault and automatically access them from Bastion
  • No support for custom inbound ports, only standard RDP (3389) and SSH (22) ports are supported
  • No support for connecting to VMs from Azure CLI
  • No file upload/download support
  • No Kerberos authentication

Other SKUs

If you do hit the limits of the developer SKU, there are several other Bastion SKUs that introduce additional features, at additional costs.

Basic SKU

Monthly Cost: approximately $130

Additional features on top of the Developer SKU:

  • Connect to peered networks
  • Access to Key Vault keys
  • Kerberos Authentication

Standard SKU

Monthly Cost: $200

Additional features on top of Basic SKU:

  • Connect to Linux VMs with RDP
  • Connect to Windows VMs with SSH
  • Custom inbound ports
  • Connect to VMs with Azure CLI
  • Host scaling
  • Upload and download files
  • Shareable link
  • Connect to VMs via IP address
  • Disable copy and paste

Premium SKU

Monthly Cost: $325

Additional features on top of Standard SKU:

  • Session recording
  • Private only deployment