As organisations continue shifting workloads to the cloud, securing administrative access to virtual machines (VMs) becomes a top priority. Traditional methods, like exposing Remote Desktop Protocol (RDP) or Secure Shell (SSH) ports over the public internet, introduce unnecessary risk.
This is where Azure Bastion comes in: a fully managed Platform-as-a-Service (PaaS) offering that enables secure and seamless remote access to VMs without exposing them to the public internet.
Azure Bastion is a managed service that provides secure RDP and SSH connectivity to Azure virtual machines directly through the Azure portal (via a browser) or via native client support. It eliminates the need for public IP addresses on VMs and removes exposure to inbound ports like 3389 (RDP) and 22 (SSH).
In simpler terms, Azure Bastion acts as a secure jump host - but without the complexity of managing and maintaining one.
Before Azure Bastion, administrators typically used public IPs on VMs, Network Security Groups (NSGs) with restricted rules and jump servers (bastion hosts). These approaches come with challenges like increased attack surfaces, complex firewall rules and risks of brute-force attacks on open ports.
Azure Bastion addresses all of these by removing public exposure, centralising secure access and providing a hardened, managed service.
Some key features of Azure Bastion include:
• Secure Connectivity: RDP/SSH over SSL (port 443), no need for public IPs on VMs and sessions are initiated from the Azure portal or client.
• Fully Managed Service: No patching or maintenance is required and it automatically scales based on usage (in Standard SKU).
• Native Client Support: Improves user experience for admins using your local RDP or SSH client.
• Integration with Azure AD: Supports Azure Active Directory authentication, and enables MFA and conditional access policies.
Azure Bastion is deployed into a dedicated subnet within a virtual network called AzureBastionSubmet.
Its architecture components comprise of Azure Bastion Host, virtual network (VNet), AzureBastionSubnet (minimum /26 recommended) and Target Virtual Machines (no public IP required).
Azure Bastion is deployed within a virtual network and supports connectivity through virtual network peering. It provides secure RDP and SSH access to virtual machines located either in the same virtual network or in peered virtual networks.
Azure Bastion supports the following peering types:
• Virtual network peering: Connects virtual networks within the same Azure region
• Global virtual network peering: Connects virtual networks across different Azure regions
It’s important to note that Azure Bastion is deployed per virtual network, not per subscription, account, or individual virtual machine.
An instance in Azure Bastion refers to an optimized virtual machine that is automatically created when you deploy the service. These instances are fully managed by Azure and run all the components required for Bastion to function. An instance is also commonly called a scale unit.
When you connect to a virtual machine, the session is handled through one of these Bastion instances.
• With the Basic SKU, Azure automatically provisions two instances.
• With the Standard SKU, you can define the number of instances based on your needs. This capability is known as host scaling.
Each instance can typically handle:
• Up to 25 concurrent RDP sessions
• Up to 50 concurrent SSH sessions (for moderate workloads)
However, it’s important to understand that:
• One instance does not equal one user session
• Actual capacity depends on the workload generated by each session
For example, users performing data-intensive tasks will consume more resources, reducing the total number of sessions an instance can support. If the number of concurrent sessions exceeds the capacity, additional instances (scale units) must be added.
Azure Bastion provides a scalable, cost-effective, and secure way to manage virtual machine access without the operational burden of maintaining traditional jump servers. Whether you're strengthening your security posture, supporting a distributed workforce, or modernising your Azure infrastructure, Azure Bastion can play a critical role in achieving your cloud objectives.
If you're looking to design, deploy, or optimise Azure Bastion within your environment, AC3 can help. Contact AC3 today to discuss how we can help you build a more secure, resilient, and efficient Azure platform.