On 30 May 2024, Microsoft announced a new Azure Bastion SKU called Premium. This is good news for businesses, although they will have to wait a while, because the Premium SKU features are still in preview.
With Azure Bastion, you reach your virtual machines directly from the Azure portal over a secure, seamless Remote Desktop Protocol (RDP) or Secure Shell (SSH) session without assigning a public IP address to the VM, which minimises the VM's exposure to threats from the public Internet.
Azure Bastion Premium SKU key features
- Private-only deployment: Customers access their Azure VMs through a private endpoint using the Private Only Azure Bastion feature, and the Bastion host itself is deployed without a public IP address. With this capability, enterprise environments no longer need to expose and protect a public IP address for Bastion.
The following diagram depicts the Azure Bastion private-only deployment architecture.
The original architecture diagram was provided by Microsoft and you can view it here: Deployment – Private-only (Preview)
- Session recording: You can record sessions to virtual machines that go through the Bastion host and save the recordings to an Azure Blob Storage container. A recording captures everything shown on screen during the session, credentials and other secrets included, so the container needs the same protection as the systems being accessed.
For a more complete picture of the features per SKU in Azure Bastion, the following table is provided (it also appears in several articles and in the official Microsoft documentation).
Two differences between the Premium SKU and the Standard SKU are significant: Graphical session recording and Private Only Azure Bastion.
| Features | Developer | Basic | Standard | Premium |
|---|---|---|---|---|
| Private connectivity to virtual machines | Yes | Yes | Yes | Yes |
| Dedicated host agent | No | Yes | Yes | Yes |
| Support for multiple connections per user | No | Yes | Yes | Yes |
| Linux Virtual Machine private key in Azure Key Vault (AKV) | No | Yes | Yes | Yes |
| Support for network security groups | No | Yes | Yes | Yes |
| Audit logging | No | Yes | Yes | Yes |
| Kerberos support | No | Yes | Yes | Yes |
| VNet peering support | No | No | Yes | Yes |
| Host scaling (2 to 50 instances) | No | No | Yes | Yes |
| Custom port and protocol | No | No | Yes | Yes |
| Native RDP/SSH client through Azure CLI | No | No | Yes | Yes |
| AAD (Microsoft Entra ID) login for RDP/SSH through native client | No | No | Yes | Yes |
| IP-based connection | No | No | Yes | Yes |
| Shareable links | No | No | Yes | Yes |
| Graphical session recording (Preview) | No | No | No | Yes |
| Private Only Azure Bastion | No | No | No | Yes |
How can we use these features? The following are some examples of how the features appear and operate.
Private-only deployment (Azure Portal)
Enabling the IP-based connection feature on Azure Bastion adds the Settings – Connect option, which lets you connect to a VM by its private IP address.
When the IP-based connection feature is disabled the Settings – Connect option is not listed on the Azure Bastion blade.
Session recording (Azure Portal)
Enabling the Session recording (Preview) feature
Configuring the Session recording feature requires a storage account with a blob container to hold the recordings.
Create a CORS (Cross-Origin Resource Sharing) rule
CORS (Cross-Origin Resource Sharing) is an HTTP feature that lets a web application served from one domain access resources on another. Here the rule is set on the storage account so that the Bastion web client can read the recordings from the container for playback.
Create Access Policy
Stored access policies provide an additional level of control over service-level shared access signatures (SAS): a SAS that references a policy inherits the policy's permissions and validity window, and revoking or changing the policy invalidates every SAS issued from it.
Select the Azure Storage container, i.e. “Session-Recording”, and click the More (…) button and select Access policy.
In the Access policy pane, select + Add policy
In the Add policy pane, type the Identifier name, select the Permissions (Read, Create, Write, List), set the Start and Expiry time and click OK. The SAS stops working when the policy expires, so note the date and plan to renew it.
Generate SAS
A shared access signature (SAS) grants delegated access to your storage account resources without sharing the account key. The SAS URL is a bearer credential for the container, so treat it as a secret.
Select the Azure Storage container, i.e. “Session-Recording”, and click the More (…) button and select Generate SAS.
On the Storage access policy drop-down, select the access policy you’ve created in the previous step and click the “Generate SAS token and URL” button.
Copy the Blob SAS URL using the copy button.
Session recordings (Add or update SAS URL)
In the left-hand blade of the Bastion host, select Settings – Session recordings, select Add or update SAS URL.
Paste the Blob SAS URL you copied in the previous step and click the Upload button.
From now on, every time you sign in to a VM via Azure Bastion, the session is recorded automatically and can be viewed from the Session recordings section.
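As an added example (not from the original post and not Microsoft's own code), the storage-side part of the procedure above, from the container through the CORS rule and stored access policy to the SAS URL, scripted with the Az PowerShell modules (Az.Accounts and Az.Storage, in a session where Connect-AzAccount has already been run), followed by a check on the SAS URL before it is handed to Bastion. The resource group, storage account, container and policy names, the CORS origin and values, and the 90-day window are assumptions; the last step, pasting the URL under Settings – Session recordings, stays in the portal as described above.

```powershell
# Added example, not from the original post or from Microsoft. Prepares the Blob
# container that Azure Bastion session recording writes to. All names are assumed.
$ResourceGroup  = 'rg-bastion'          # assumed
$StorageAccount = 'stbastionrec01'      # assumed
$Container      = 'session-recording'   # assumed; container names must be lowercase
$PolicyName     = 'bastion-recording'   # assumed stored access policy identifier
$PolicyDays     = 90                    # assumed validity window for the policy

# Stored access policies and service SAS are signed with the account key, so use a key-based context.
$key = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $StorageAccount -StorageAccountKey $key

# 1. Private container (no anonymous access): recordings show everything that was on screen.
if (-not (Get-AzStorageContainer -Name $Container -Context $ctx -ErrorAction SilentlyContinue)) {
    New-AzStorageContainer -Name $Container -Permission Off -Context $ctx | Out-Null
}

# 2. CORS rule so the Bastion web client can fetch recordings for playback. Origin, methods
#    and max-age are assumed values. Set-AzStorageCORSRule replaces the whole Blob rule set,
#    so existing rules are read back and kept.
$bastionRule = @{
    AllowedOrigins  = @('https://bastion.azure.com')  # assumed origin
    AllowedMethods  = @('GET')
    AllowedHeaders  = @('*')
    ExposedHeaders  = @('*')
    MaxAgeInSeconds = 86400
}
$rules = @(Get-AzStorageCORSRule -ServiceType Blob -Context $ctx) + $bastionRule
Set-AzStorageCORSRule -ServiceType Blob -CorsRules $rules -Context $ctx

# 3. Stored access policy (Read, Create, Write, List) with an explicit window. A SAS bound to
#    the policy inherits these values, so renewing the policy (Set-...) keeps an existing SAS
#    URL working, and deleting the policy revokes every SAS issued from it.
$start  = (Get-Date).ToUniversalTime().AddMinutes(-5)   # small clock-skew allowance
$expiry = $start.AddDays($PolicyDays)
$policyArgs = @{ Container = $Container; Policy = $PolicyName; Permission = 'rcwl'
                 StartTime = $start; ExpiryTime = $expiry; Context = $ctx }
$existingPolicy = Get-AzStorageContainerStoredAccessPolicy -Container $Container -Context $ctx |
    Where-Object Policy -eq $PolicyName
if ($existingPolicy) {
    Set-AzStorageContainerStoredAccessPolicy @policyArgs | Out-Null   # renewal path
} else {
    New-AzStorageContainerStoredAccessPolicy @policyArgs | Out-Null
}

# 4. HTTPS-only service SAS bound to the policy. The URL is a bearer credential for the
#    container: store it like a secret and give it only to Bastion.
$sasUrl = New-AzStorageContainerSASToken -Name $Container -Policy $PolicyName `
    -Protocol HttpsOnly -Context $ctx -FullUri

function Test-BastionRecordingSasUrl {
    # Returns the problems found in a Blob SAS URL, or nothing when it looks usable:
    # HTTPS, container scope (sr=c), signed, and either policy-bound (si=) or carrying
    # r/c/w/l permissions with an expiry still in the future.
    param([Parameter(Mandatory)][string]$Url)
    $uri = [Uri]$Url
    $q = @{}
    foreach ($pair in $uri.Query.TrimStart('?').Split('&', [StringSplitOptions]::RemoveEmptyEntries)) {
        $k, $v = $pair.Split('=', 2)
        $q[$k] = if ($v) { [Uri]::UnescapeDataString($v) } else { '' }
    }
    $problems = @()
    if ($uri.Scheme -ne 'https') { $problems += 'scheme is not https' }
    $path = $uri.AbsolutePath.Trim('/')
    if (-not $path -or $path.Contains('/')) { $problems += 'URL must address a container, not the account or a blob' }
    if ($q['sr'] -ne 'c') { $problems += "sr='$($q['sr'])' (expected container scope 'c')" }
    if (-not $q['sig']) { $problems += 'no signature (sig) present' }
    if ($q['spr'] -and $q['spr'] -ne 'https') { $problems += 'spr permits plain http' }
    if (-not $q['si']) {
        # Ad-hoc SAS: permissions and expiry live in the URL itself and cannot be revoked early.
        foreach ($p in 'r', 'c', 'w', 'l') {
            if ($q['sp'] -notlike "*$p*") { $problems += "sp lacks '$p'" }
        }
        if (-not $q['se'] -or [DateTimeOffset]::Parse($q['se']).UtcDateTime -lt [DateTime]::UtcNow) {
            $problems += 'expired or missing expiry (se)'
        }
    }
    return $problems
}

$issues = Test-BastionRecordingSasUrl -Url $sasUrl
if ($issues) { throw "SAS URL failed checks: $($issues -join '; ')" }
Write-Host "Paste this Blob SAS URL into Bastion > Settings > Session recordings; the policy expires $($expiry.ToString('u'))."
$sasUrl
```

Test-BastionRecordingSasUrl can also be pointed at a SAS URL generated in the portal, as in the steps above, before it is uploaded to Bastion. Because the SAS references the stored policy rather than carrying its own permissions and expiry, the renewal path (re-running the script with a new window) keeps the URL already stored in Bastion valid, which avoids the "cannot connect to session without valid SAS URL" failure once the original expiry date passes.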
Useful links
- Enhance your security capabilities with Azure Bastion Premium
- Deploy Bastion as private-only (Preview)
- Configure Bastion session recording (Preview)
- Azure Bastion: Cannot connect to session without valid SAS URL