At Microsoft Azure, Azure’s team dedication to provide their clients stable and dependable networking solutions never wavers. The ever-changing digital world requires seamless connectivity, continuous security, and optimum performance. As cyberattacks have increased, cloud security has grown more important. Microsoft Azure is responding to this by introducing Azure Bastion Premium, a new SKU for Microsoft Azure Bastion. Customers managing extremely sensitive workloads will benefit from extensive recording, monitoring, and auditing capabilities offered by this service, which is currently in public preview. Azure will go over the definition of Azure Bastion Premium, the advantages this SKU provides, and why users with strictly controlled security rules should utilise it in this blog article.
What is Azure Bastion Premium ?
A new SKU for clients managing extremely sensitive virtual machine workloads is Azure Bastion Premium. Its goal is to provide customers with improved security features that guarantee their virtual machines are linked safely and to keep an eye out for any potential anomalies in virtual machines. Azure’s initial feature set will concentrate on providing graphical records of virtual machines linked via Azure Bastion and private connectivity.
Azure Bastion Premium Benefits
Two important benefits of security
Increased protection: Customers can secure their virtual machines by using the public IP address of Azure Bastion as the point of entry to their target virtual machines when using the current Azure Bastion SKUs. But by removing the public IP, Azure Bastion Premium SKU increases security even further. Using Azure Bastion, clients can now connect to a private endpoint instead of depending on the public IP address. This reduces one point of attack because it does away with the requirement to secure a public IP address.
Monitoring of virtual machines: Users can graphically record their virtual machine sessions using the Azure Bastion Premium SKU. Clients may keep virtual machine sessions as long as they comply with regulatory requirements and corporate standards. Furthermore, by maintaining a log of virtual machine sessions, clients might spot irregularities or strange activity. Having a visual record facilitates investigations and mitigations regarding anomalous activities, security breaches, and data exfiltration.
Azure Bastion Premium features
Visual recording of a session
Azure Bastion can record all virtual machine sessions that connect over an activated Azure Bastion graphically thanks to graphical session recording. The recordings are accessible straight from the Azure Bastion resource blade and are kept in a storage account that the customer has specified. For clients who desire an extra degree of monitoring for their virtual machine sessions, Azure regard this option as a value addition. Customers can go back and watch the tape to determine exactly what happened during the virtual machine session if this functionality is enabled and an anomaly occurs during the session.
Session recording will maintain an exhaustive record of all recorded sessions for other customers with data retention rules. To ensure that the recordings in their storage account adhere to company policies, customers can continue to have access to and control over them.
Session recording is very simple and easy to set up. All you need is a virtual machine, Azure Bastion to connect to, and a selected container inside a storage account. See guide for further details on configuring and utilising session recording.
Private Only Azure Bastion
The only way to establish an inbound connection to the virtual network where Azure Bastion has been deployed is via a public IP address for the currently available general availability SKUs of Azure Bastion. Microsoft Azure is allowing clients to connect inbound to their Azure Bastion using a private IP address with Private Only Azure Bastion. For clients who wish to use fewer public endpoints, Azure believe that this capability is essential.
Private Only Azure Bastion makes sure that Azure Bastion complies with organisational standards for clients with stringent rules about the use of public endpoints. Using Private Only Azure Bastion with ExpressRoute private peering will allow other customers with on-premises equipment attempting to connect to Azure to have private connectivity from their on-premises devices directly to their Azure virtual machines.
It’s quite simple to set up Azure Bastion for Private Only. Instead of choosing Public IP address when creating an Azure Bastion, choose Private IP address and click Review + create.
It should be noted that only net-new Azure Bastions not ones that already exist can be used to generate Private Only Azure Bastions.
A comparison of the features offered by Azure Bastion
| FEATURES | DEVELOPER | BASIC | STANDARD | PREMIUM |
|---|---|---|---|---|
| Private connectivity to virtual machines | Yes | Yes | Yes | Yes |
| Dedicated host agent | No | Yes | Yes | Yes |
| Support for multiple connections per user | No | Yes | Yes | Yes |
| Linux Virtual Machine private key in AKV | No | Yes | Yes | Yes |
| Support for network security groups | No | Yes | Yes | Yes |
| Audit logging | No | Yes | Yes | Yes |
| Kerberos support | No | Yes | Yes | Yes |
| VNET peering support | No | No | Yes | Yes |
| Host scaling (2 to 50 instances) | No | No | Yes | Yes |
| Custom port and protocol | No | No | Yes | Yes |
| Native RDP/SSH client through Azure CLI | No | No | Yes | Yes |
| AAD login for RDP/SSH through native client | No | No | Yes | Yes |
| IP-based connection | No | No | Yes | Yes |
| Shareable links | No | No | Yes | Yes |
| Graphical session recording | No | No | No | Yes |
| Private Only Azure Bastion | No | No | No | Yes |
How to begin
- Open the Azure portal by navigating.
- Install Azure Bastion with the Premium SKU enabled and manually configured.
- You can enable Azure Bastion on a public or private IP address (Private Only Azure Bastion) under Configure IP Address.
- Session recording (Preview) has a checkbox under the Advanced tab.
Keep abreast on the newest
Microsoft Azure is dedicated to working with internal teams to integrate their solution with other products in their security portfolio, going above and beyond simply meeting network security standards. They are certain that Azure Bastion will fit into the “better together” narrative naturally when further capabilities and integrations become available in the following months, successfully meeting customer expectations around virtual machine workload security.
Azure Bastion Pricing
- Base price: Regardless of usage, you are billed an hourly rate for the Bastion resource itself. The number of deployed scale units and the selected SKU (Premium or Standard) determine this price.
- Data transfer: Every month, the first 5 GB of outgoing data transfer are free. After then, the amount of data you transfer will determine your charge, with higher use levels resulting in lower costs.
