We all remember (and some of you, unfortunately, still use them) stepping-stone servers, also called jump servers: a host you reach over a Remote Desktop Connection from inside (and outside) the network in order to manage and maintain your Remote Desktop or infrastructure server environment, usually for the most common reason of all: it's just easy.

“From a security perspective this is about the worst thing you can do, because once attackers are in, they have access to almost everything!”

Azure Bastion is a relatively new Azure service that simplifies and improves remote connectivity, as a more secure alternative to stepping-stone servers for your Windows Virtual Desktop and infrastructure virtual machines on Microsoft Azure. Azure Bastion is completely web-based and runs over TLS (HTTPS). With a few configuration clicks, and most importantly without exposing any RDP (or SSH) port to the internet, you can access your Windows Virtual Desktop virtual machines in Azure.

Curious about how to do this? Please continue reading…


What is Azure Bastion?

Azure Bastion is a new Azure platform service you can use to reach your resources in Azure Infrastructure-as-a-Service (IaaS) from outside. The service is completely HTML5-based and works from any modern web browser: the RDP or SSH session is rendered in the browser and tunnelled over TLS on port 443. This makes it easy to pass corporate firewalls without any adjustments. Your target VMs need neither a public IP address nor an RDP/SSH rule open to the internet in their Network Security Group (NSG).

Port 443 is the only port you need to allow inbound from the internet, and only towards the Bastion subnet. From there, the Bastion host connects over the Azure Virtual Network to the private IP addresses of the VMs you want to manage, on Remote Desktop (TCP 3389) or SSH (TCP 22). The NSGs on your VM subnets therefore only need to allow those ports from the AzureBastionSubnet address range, never from the internet; any existing rule that allows 3389 or 22 from the internet is a leftover of the stepping-stone design and should be removed.

This gives you a secure way to access your Windows Virtual Desktop hosts as well as the infrastructure servers in your Azure IaaS environment, and a replacement for the insecure stepping-stone servers I mentioned earlier in this article!

See below how it works from an architecture perspective…

Did you know?
  • The service is operated from inside the Azure (ARM) portal.
  • There are two ways to create a Bastion host resource:
    • Create a Bastion resource directly in the Azure portal.
    • Create a Bastion resource in the Azure portal from the settings of an existing VM.
  • The Bastion service is currently (preview) available in the following Azure regions:
    • West US
    • East US
    • West Europe
    • South Central US
    • Australia East
    • Japan East
  • Bastion can also be used for secure SSH connections, for example to Linux resources in your Azure IaaS environment.
  • If you create a Bastion host in the portal from an existing VM, various settings default to match that VM and/or its virtual network.
  • You must dedicate a separate subnet in your virtual network to the Bastion host, and it must be named exactly AzureBastionSubnet. This name tells Azure which subnet to deploy the Bastion resources into.
  • The Bastion PM team is adding new features soon, such as Azure AD and MFA integration and session recording directly from the service.
See how it works

I’ve recorded a short video after writing this article and creating my Azure Bastion service, and to give you a sneak preview of the end result of this blog article, I’ve uploaded it to show you how easy and valuable it is.

Check it out in the video below.

Manage Windows Virtual Desktop with Azure Bastion Demo - YouTube

Other secure alternatives…

Another way to reduce the exposure of your Windows Virtual Desktop environment to brute-force attacks is to limit the time a management port is open, and to whitelist (filter) the source IP addresses allowed to use it. You can achieve this with the also relatively new Just-in-time VM Access, a feature of Azure Security Center. In a nutshell: Just-in-time (JIT) virtual machine (VM) access locks down inbound traffic to your Azure VMs, reducing exposure to attacks while still providing easy access to the VMs when needed. Note the difference with Bastion: JIT still temporarily opens RDP or SSH on the VM itself (typically on a public IP) for an approved source and time window, whereas Bastion never exposes those ports outside the virtual network.

Read more about it here:

https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
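As an added example (not code from the original article or from Microsoft's documentation), the following Az PowerShell script configures the JIT policy described above on a single VM: RDP and SSH may only be opened for a named admin address range and never for longer than one hour, after which an operator requests a 45-minute window for one IP. The resource group, region, VM name and the 203.0.113.0/24 and 203.0.113.17 addresses (TEST-NET-3 documentation ranges) are assumptions; the cmdlets come from the Az.Security and Az.Compute modules.

```powershell
# Added example (not from the original article): enable Just-in-time VM access
# on one VM with the Az.Security module, allowing 3389/22 only from a named
# admin range and only for a short window, then request a 45-minute opening.
# Resource names, region and the 203.0.113.0/24 admin range are assumptions.
# Requires: Az.Security and Az.Compute modules; run Connect-AzAccount first.

$rg       = 'rg-wvd'             # assumed resource group
$location = 'westeurope'         # assumed region of the VM
$vmName   = 'wvd-master-01'      # assumed VM name
$adminNet = '203.0.113.0/24'     # assumed corporate egress range (TEST-NET-3)

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# JIT policy: the NSG deny stays in place; Security Center inserts a temporary
# allow only after an approved request, never for longer than 1 hour (PT1H),
# and never from sources outside $adminNet.
$jitVm = @{
    id    = $vm.Id
    ports = @(
        @{ number = 3389; protocol = '*'; allowedSourceAddressPrefix = @($adminNet); maxRequestAccessDuration = 'PT1H' },
        @{ number = 22;   protocol = '*'; allowedSourceAddressPrefix = @($adminNet); maxRequestAccessDuration = 'PT1H' }
    )
}
$policy = Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $location -Name 'default' `
    -ResourceGroupName $rg -VirtualMachine @($jitVm)

# Request RDP access from a single admin IP for 45 minutes. endTimeUtc must
# fall inside the policy's maxRequestAccessDuration or the request is refused.
$myIp = '203.0.113.17'           # assumed operator IP inside $adminNet
$endUtc = (Get-Date).ToUniversalTime().AddMinutes(45).ToString('o')
$requestVm = @{
    id    = $vm.Id
    ports = @(
        @{ number = 3389; allowedSourceAddressPrefix = @($myIp); endTimeUtc = $endUtc }
    )
}
Start-AzJitNetworkAccessPolicy -ResourceId $policy.Id -VirtualMachine @($requestVm)

# Check: show the policy as stored, including the allowed sources and the
# maximum window per port, so a drift to '*' or a longer window is visible.
(Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name 'default').VirtualMachines |
    ForEach-Object { $_.Ports } | Format-List
```

The request call fails if the source IP is outside the prefix allowed by the policy or if the requested end time exceeds the policy's maximum, which is exactly the check you want: the policy, not the requester, decides how wide the door can be opened.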

How to activate the Bastion service

Pre-step: Create a separate Azure subnet for Bastion

It is easier to do this step before creating the Azure Bastion instance.

One technical network requirement is a separate subnet dedicated to Azure Bastion traffic. You could either create a separate Azure Virtual Network and set up vNet peering between your networks, or simply create a separate subnet in your existing vNet in Azure. The latter is the example I use in this article.

Note: to give the service enough addresses, use at least a /27 subnet (/27, /26 and so on). Current Azure documentation requires /26 or larger for AzureBastionSubnet, so a /26 is the safer choice for new deployments.

Open the Azure vNet you want to use.

Add a new Subnet

Create the AzureBastionSubnet without any Network Security Group, route table or delegation attached.

Continue to the next step where we deploy the Bastion instance.

Deploy Azure Bastion from the Azure Marketplace

Because Azure Bastion is still in preview, you have to use the preview Azure Marketplace URL below to get access to the service. The expectation is that the service becomes generally available (GA) soon.

Click on the URL below.

https://aka.ms/BastionHost

Search for Bastion (preview) in the Azure Marketplace


Click on create

Enter the required information for the Bastion deployment in your Azure IaaS environment.

Assign a public IP address (static, Standard SKU) to the Bastion host. This is the only public IP the design needs; the VMs behind Bastion keep none.

Note: Make sure to select the correct Azure vNet we created or modified earlier.

Click on the review+ create button

Click on the Create button to start the deployment

After a couple of minutes, the deployment is finished.
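The pre-step and deployment above are portal clicks; the port model described earlier (443 from the internet to the Bastion subnet only, 3389/22 from the Bastion subnet to the VMs only) is just as easy to get wrong by hand. The following Az PowerShell script is an added example, not the author's code, that does the whole procedure from a shell: it creates the AzureBastionSubnet, the public IP and the Bastion host, attaches an NSG to the VM subnet that allows RDP/SSH only from the Bastion subnet, and then audits the resource group for any rule that still allows those ports from the internet. The resource group, vNet and subnet names, the 10.0.250.0/27 range and the region are assumptions; the cmdlets come from the Az.Network module.

```powershell
# Added example (not from the original article): deploy Azure Bastion with the
# Az PowerShell module and lock the workload subnet's NSG down so RDP/SSH are
# reachable only from the AzureBastionSubnet. Resource names, address ranges
# and region below are assumptions; replace them with your own.
# Requires: Az.Network module; run Connect-AzAccount first.

$rg          = 'rg-wvd'              # assumed resource group
$location    = 'westeurope'          # assumed region (must be a Bastion region)
$vnetName    = 'vnet-wvd'            # assumed existing vNet, e.g. 10.0.0.0/16
$bastionCidr = '10.0.250.0/27'       # assumed free /27 inside the vNet
$workloadSub = 'snet-wvd-hosts'      # assumed existing subnet holding the WVD VMs

# 1. Pre-step: dedicated subnet. The name MUST be exactly AzureBastionSubnet
#    and it carries no NSG, route table or delegation.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
if (-not ($vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' `
        -VirtualNetwork $vnet -AddressPrefix $bastionCidr | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}

# 2. Bastion needs its own static, Standard SKU public IP. It is the only
#    public IP in this design; the target VMs keep none.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-bastion' `
    -Location $location -AllocationMethod Static -Sku Standard

# 3. Deploy the Bastion host (this takes a few minutes).
$bastion = New-AzBastion -ResourceGroupName $rg -Name 'bas-wvd' `
    -PublicIpAddress $pip -VirtualNetwork $vnet

# 4. Allow RDP/SSH into the workload subnet from the Bastion subnet only, and
#    add an explicit deny below the allows so a later catch-all rule cannot
#    quietly re-open the management ports to the internet.
$rdpFromBastion = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Bastion' `
    -Priority 100 -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $bastionCidr -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389
$sshFromBastion = New-AzNetworkSecurityRuleConfig -Name 'Allow-SSH-From-Bastion' `
    -Priority 110 -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $bastionCidr -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 22
$denyMgmt = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-SSH-Other' `
    -Priority 4000 -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 22,3389

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-wvd-hosts' `
    -Location $location -SecurityRules $rdpFromBastion,$sshFromBastion,$denyMgmt

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$sub  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $workloadSub
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $workloadSub `
    -AddressPrefix $sub.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# 5. Check: list every NSG rule in the resource group that still allows 22,
#    3389 or all ports from the internet or from any source. Those are the
#    stepping-stone leftovers to remove now that Bastion is the only way in.
$exposed = foreach ($n in Get-AzNetworkSecurityGroup -ResourceGroupName $rg) {
    foreach ($r in $n.SecurityRules) {
        $ports = @($r.DestinationPortRange) -join ','
        if ($r.Direction -eq 'Inbound' -and $r.Access -eq 'Allow' -and
            ($r.SourceAddressPrefix -contains '*' -or $r.SourceAddressPrefix -contains 'Internet') -and
            ($ports -match '(^|,)(22|3389|\*)(,|$)')) {
            [pscustomobject]@{
                Nsg    = $n.Name
                Rule   = $r.Name
                Source = (@($r.SourceAddressPrefix) -join ',')
                Ports  = $ports
            }
        }
    }
}
$exposed | Format-Table -AutoSize
```

The audit at the end deliberately flags only inbound allow rules whose source is the wildcard or the Internet service tag and whose destination includes 22, 3389 or all ports; rules scoped to a specific source range (for example a JIT-opened window for one admin IP) are not reported, which is the intended distinction between a stepping-stone exposure and a controlled exception.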

Access my Windows Virtual Desktop images


The following steps are similar to setting up a normal Remote Desktop Connection to a virtual machine in Azure, except that instead of an MSTSC .rdp file connection we now use the Azure Bastion capabilities over HTML5 (clientless).

Open the Virtual Machine that you want to manage

Click on the Connect button

Choose the new option: BASTION

Enter the domain or local administrator credentials to get access to the VM

Click on Connect

There we go: I’m connected to my Windows 10 Multi-User master image inside Microsoft Azure via my Azure Bastion HTML5 (clientless) service!

I hope this helps you get familiar with Azure Bastion for remote access to your infrastructure and Windows Virtual Desktop servers.

More updates to this feature are coming, which will bring more and more interesting use cases for your customers. Stay tuned.

Cheers,

Christiaan Brinkhoff


On Friday 7 June, Bas van Kaam and Christiaan Brinkhoff launched the community book Byte-Sized: Cloud design principles and architectural recommendations.
After several months of hard work for both gentlemen the moment had finally come: a book written from the community, for the community. After the launch we spoke with Bas and Christiaan, and of course we wanted to know everything about the book, the preparations, and what their experience was like after the launch.

Curious? Just listen!

Would you like more information about the book, or simply order it and thereby support the “One Laptop Per Child” project? Then go to www.bookprojectbytesized.com


Citrix Synergy is just around the corner and officially starts on Tuesday the 21st of May. Ahead of the event I received a lot of questions about which sessions you need to attend to learn everything about Citrix and Windows Virtual Desktop.

Find it all out here…

Keynote w/ Brad Anderson

Brad Anderson, Corporate VP of Enterprise Experiences & Management at Microsoft, will join PJ Hough, EVP and Chief Product Officer at Citrix, during the opening keynote to talk about Windows Virtual Desktop, Microsoft 365 in the Cloud Solution Provider (CSP) model, and how Citrix adds value.

Citrix Synergy TV - KEY001 - Opening Keynote - YouTube

Joint sessions with Microsoft 

By joint sessions I mean sessions where people from Citrix and Microsoft share the stage to tell you everything about what is coming for Windows Virtual Desktop and how Citrix adds value.

  • SYN139: Citrix and Microsoft: A value-add across your workspace | Tuesday, May 21 – 2:00 – 3:30 pm

Citrix Synergy TV - SYN139 - Citrix and Microsoft: a value-add across your workspace - YouTube

  • SYN212: Windows Virtual Desktop and Citrix: New opportunities for desktop and app virtualization | Wednesday, May 22 – 3:30 – 4:15 pm

Citrix Synergy TV - SYN212 - Windows Virtual Desktop and Citrix: new opportunities for desktop... - YouTube

  • SYN232: Geek’s guide to the workspace (part 7): more than one way to VDI | Thursday, May 23 – 1:30 – 2:15 pm

Citrix Synergy TV - SYN232 - Geek's guide to the workspace (part 7): more than one way to VDI - YouTube

SYN214 will also be repeated on Thursday, May 23 at 4:30 – 5:15 pm

Citrix sessions on WVD and Azure

  • SYN111: Desktops-as-a-Service with Citrix | Tuesday, May 21, 4:00 – 4:45 pm

Citrix Synergy TV - SYN111 - Desktops-as-a-Service with Citrix - YouTube

  • SYN105: Citrix on Azure: What you need to know | Wednesday, May 22 – 4:30 – 5:15 pm

Citrix Synergy TV - SYN105 - Citrix on Azure: what you need to know - YouTube

Also, don’t forget to attend our session…

Don’t miss the Citrix Synergy session below by Thomas Poppelgaard and myself as well, where we’ll share insights on performance and our best practices:

  • SYN210: Avoid performance stress when using hybrid cloud workloads | Wednesday, May 22, 10:30 – 11:15 am

Citrix Synergy TV - SYN210 - Avoid performance stress when using hybrid cloud workloads - YouTube

Come visit the Windows Virtual Desktop booth!

We have a Windows Virtual Desktop booth section in the expo hall, at number #416, where we (people from Microsoft) are happy to answer every question you have.

What to do when you’re not in Atlanta? 

If you aren’t able to join Citrix Synergy in person, then you’ll definitely want to check out the Citrix Synergy TV livestream. This gives you the possibility to attend live sessions from home.

Hope to see you there.

Cheers,

Christiaan Brinkhoff


A great thing I found out this weekend is that my blog is listed in the yearly Top 20 Microsoft Azure Blogs and Websites To Follow in 2019 on Feedspot.com.

It’s great to be on this list and to see my website next to other top contributors from different cloud-related communities.

I’ve got a personal bloggers page on feedspot.com as well which can be found here.

See below their message around this top 20 chart:

“The Best Microsoft Azure Blogs from thousands of Microsoft Azure blogs in our index using search and social metrics. We’ve carefully selected these websites because they are actively working to educate, inspire, and empower their readers with frequent updates and high-quality information.”

About Feedspot: Feedspot is the content reader for reading all your favorite websites in one place. Add your favorite Blogs, News websites, RSS Feeds, Youtube Channels and Social sites accounts to your Feedspot account and read new updates from one place.

Top 10 Azure blogs on Feedspot.com

  • #1 Microsoft Azure Blog
  • #2 Build Azure | All about the Microsoft Cloud
  • #3 Thomas Maurer | Cloud and Datacenter Blog
  • #4 Serverless360 | Azure Serverless Monitoring and Management
  • #5 Daniel’s Tech Blog
  • #6 Quae Nocent Docent
  • #7 Azure Field Notes Blog
  • #8 christiaanbrinkhoff.com | Sharing Azure Cloud and Desktop Virtualization Knowledge
  • #9 Azure Stack
  • #10 AZURE HEROES

Thank you for stopping by, in particular all my followers and those who commented on and shared some of my content in the past.

Cheers,

Christiaan Brinkhoff
