Enhance your security capabilities with Azure Bastion Premium

June 20, 2024

At Microsoft Azure, we are unwavering in our commitment to providing robust and reliable networking solutions for our customers. In today’s dynamic digital landscape, seamless connectivity, uncompromising security, and optimal performance are non-negotiable. As cyber threats have grown more frequent and severe, the demand for security in the cloud has increased drastically. In response, we are announcing a new SKU for Microsoft Azure Bastion: Azure Bastion Premium. This service, now in public preview, provides advanced recording, monitoring, and auditing capabilities for customers handling highly sensitive workloads. In this blog post, we’ll explore what Azure Bastion Premium is, the benefits this SKU offers, and why it is a must-use for customers with highly regulated security policies.


What is Azure Bastion Premium?

Azure Bastion Premium is a new SKU for customers that handle highly sensitive virtual machine workloads. Its mission is to offer enhanced security features that ensure customer virtual machines are connected securely and to monitor virtual machines for any anomalies that may arise. Our first set of features will focus on ensuring private connectivity and graphical recordings of virtual machines connected through Azure Bastion.

Two key security advantages

  1. Enhanced security: With the existing Azure Bastion SKUs, customers protect their virtual machines by using Azure Bastion’s public IP address as the point of entry to their target virtual machines. The Azure Bastion Premium SKU takes security a step further by eliminating that public IP: instead of relying on it, customers connect to a private endpoint on Azure Bastion. This removes the need to secure a public IP address and eliminates one point of attack.
  2. Virtual machine monitoring: Azure Bastion Premium SKU allows customers to graphically record their virtual machine sessions. Customers can retain virtual machine sessions in alignment to their internal policies and compliance requirements. Additionally, keeping a record of virtual machine sessions allows customers to identify anomalies or unexpected behavior. Whether it is unusual activity, security breaches, or data exfiltration, having a visual record opens the door to investigations and mitigations.

Features offered in Azure Bastion Premium

  • Graphical session recording
    Graphical session recording allows Azure Bastion to graphically record every virtual machine session that connects through a Bastion host with the feature enabled. These recordings are stored in a customer-designated storage account and can be viewed directly in the Azure Bastion resource blade. We see this feature as a value add for customers that want an additional layer of monitoring on their virtual machine sessions. With this feature enabled, if an anomaly occurs within a virtual machine session, customers can go back and review the recording to see exactly what happened during that session.

    For customers that have data retention policies, session recording keeps a complete record of all recorded sessions. Customers retain access to and control over the recordings within their own storage account, keeping them compliant with their policies.

    Setting up session recording is extremely easy and intuitive. All you need is a designated container within a storage account, a virtual machine, and Azure Bastion to connect to. For more information about setting up and using session recording, see our documentation.

  • Private Only Azure Bastion
    In Azure Bastion’s current generally available SKUs, inbound connection to the virtual network where Azure Bastion has been provisioned is only available through a public IP address. With Private Only Azure Bastion, customers can connect inbound to their Azure Bastion through a private IP address. We see this offering as a must-have feature for customers who want to minimize the use of public endpoints. For customers with strict policies surrounding the use of public endpoints, Private Only Azure Bastion ensures that Azure Bastion is a compliant service under organizational policies. For customers that have on-premises machines connecting to Azure, using Private Only Azure Bastion with ExpressRoute private peering enables private connectivity from their on-premises machines straight to their Azure virtual machines.

    Setting up Private Only Azure Bastion is very easy. When you create an Azure Bastion, under Configure IP address, select Private IP address instead of Public IP address and then click Review + create.

    Note: Private Only Azure Bastions can only be created with net-new Azure Bastions, not with pre-existing Azure Bastions.

Feature comparison of Azure Bastion offerings

Feature                                          Developer  Basic  Standard  Premium
Private connectivity to virtual machines         Yes        Yes    Yes       Yes
Dedicated host agent                             No         Yes    Yes       Yes
Support for multiple connections per user        No         Yes    Yes       Yes
Linux VM private key in AKV (Azure Key Vault)    No         Yes    Yes       Yes
Support for network security groups              No         Yes    Yes       Yes
Audit logging                                    No         Yes    Yes       Yes
Kerberos support                                 No         Yes    Yes       Yes
VNET peering support                             No         No     Yes       Yes
Host scaling (2 to 50 instances)                 No         No     Yes       Yes
Custom port and protocol                         No         No     Yes       Yes
Native RDP/SSH client through Azure CLI          No         No     Yes       Yes
AAD login for RDP/SSH through native client      No         No     Yes       Yes
IP-based connection                              No         No     Yes       Yes
Shareable links                                  No         No     Yes       Yes
Graphical session recording                      No         No     No        Yes
Private Only Azure Bastion                       No         No     No        Yes

How to get started

  1. Navigate to the Azure portal.
  2. Deploy Azure Bastion, choosing manual configuration so that you can select the Premium SKU.
  3. Under Configure IP Address, there is the option to enable Azure Bastion on a public or private IP address (Private Only Azure Bastion).
  4. In the Advanced tab, there is a checkbox for Session recording (Preview).
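The same deployment expressed as an infrastructure-as-code template, added here as an example (not from the original post or from Microsoft's own samples), so that the two Premium settings can be reviewed and version-controlled rather than clicked through the portal. The property names enablePrivateOnlyBastion and enableSessionRecording, the API version, and the existing virtual network name are assumptions; check them against the Microsoft.Network/bastionHosts template reference for the API version you deploy.

```bicep
// Added example, not Microsoft's code: a Premium Bastion host with private-only
// ingress and graphical session recording enabled. Property names are assumed
// from the Microsoft.Network/bastionHosts schema; verify for your API version.
param location string = resourceGroup().location
param vnetName string = 'vnet-sensitive'   // assumed name of an existing VNet

resource vnet 'Microsoft.Network/virtualNetworks@2023-11-01' existing = {
  name: vnetName
}

// Bastion requires a dedicated subnet named exactly AzureBastionSubnet (/26 or larger).
resource bastionSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-11-01' existing = {
  parent: vnet
  name: 'AzureBastionSubnet'
}

resource bastion 'Microsoft.Network/bastionHosts@2023-11-01' = {
  name: 'bas-sensitive'
  location: location
  sku: {
    name: 'Premium'   // both features below are Premium-only (see comparison table)
  }
  properties: {
    // No public entry point: the host is reachable only from private address space
    // (peered VNets, ExpressRoute private peering), removing the public IP attack surface.
    enablePrivateOnlyBastion: true
    // Record every RDP/SSH session graphically for later review and retention.
    enableSessionRecording: true
    ipConfigurations: [
      {
        name: 'bastionIpConfig'
        properties: {
          subnet: {
            id: bastionSubnet.id
          }
          privateIPAllocationMethod: 'Dynamic'
          // Deliberately no publicIPAddress: a private-only host must not reference one,
          // and private-only cannot be retrofitted onto an existing host.
        }
      }
    ]
  }
}

output bastionId string = bastion.id
```

The template only enables recording; the designated storage container that receives the recordings is linked afterwards from the Bastion resource, as described above.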

Stay updated on the latest

Our commitment extends beyond fulfilling network security requirements; we are committed to collaborating with internal teams to integrate our solution with other products within our security portfolio. As upcoming features and integrations roll out in the coming months, we are confident that Azure Bastion will seamlessly fit into the “better together” narrative, effectively addressing customer needs related to virtual machine workload security.

The post Enhance your security capabilities with Azure Bastion Premium appeared first on Microsoft Azure Blog.
