On 30 May 2024, Microsoft announced a new Azure Bastion SKU called Premium. This is great news for businesses, but they will have to wait a while, as the Premium SKU features are still in preview.

With Azure Bastion, you access your virtual machines directly through the Azure portal over a secure, seamless Remote Desktop Protocol (RDP) or Secure Shell (SSH) connection without the need for a public IP address, which minimizes the VM's exposure to threats from the public Internet.

Azure Bastion Premium SKU key features

  • Private-only deployment: customers can access their Azure VMs through a private endpoint using the Private Only Azure Bastion feature. With this capability, enterprise environments do not need to secure public IP addresses.

The following diagram depicts the Azure Bastion private-only deployment architecture.

The original architecture diagram was provided by Microsoft and you can view it here: Deployment – Private-only (Preview)

  • Session recording: you can record sessions for connections to virtual machines made via the Bastion host and save the recordings to an Azure Blob container.

For a more complete picture of the features per SKU in Azure Bastion, the following table is provided (it is available in several articles as well as in the official Microsoft documentation).

Two differences between the Premium SKU and the Standard SKU are quite significant: Graphical session recording and Private Only Azure Bastion.

| Feature | Developer | Basic | Standard | Premium |
| --- | --- | --- | --- | --- |
| Private connectivity to virtual machines | Yes | Yes | Yes | Yes |
| Dedicated host agent | No | Yes | Yes | Yes |
| Support for multiple connections per user | No | Yes | Yes | Yes |
| Linux Virtual Machine private key in AKV | No | Yes | Yes | Yes |
| Support for network security groups | No | Yes | Yes | Yes |
| Audit logging | No | Yes | Yes | Yes |
| Kerberos support | No | Yes | Yes | Yes |
| VNET peering support | No | No | Yes | Yes |
| Host scaling (2 to 50 instances) | No | No | Yes | Yes |
| Custom port and protocol | No | No | Yes | Yes |
| Native RDP/SSH client through Azure CLI | No | No | Yes | Yes |
| AAD login for RDP/SSH through native client | No | No | Yes | Yes |
| IP-based connection | No | No | Yes | Yes |
| Shareable links | No | No | Yes | Yes |
| Graphical session recording (Preview) | No | No | No | Yes |
| Private Only Azure Bastion | No | No | No | Yes |


How can we use these features? The following examples show how the features appear and operate in the Azure portal.

Private-only deployment (Azure Portal)

Enabling the IP-based connection feature on Azure Bastion opens the Settings > Connect option, allowing you to connect via the VM's private IP.

When the IP-based connection feature is disabled, the Settings > Connect option is not listed on the Azure Bastion blade.

Session recording (Azure Portal)

Enabling the Session recording (Preview) feature

Configuring the Session recording feature requires a storage account container.

Create a CORS (Cross-Origin Resource Sharing) rule

CORS (Cross-Origin Resource Sharing) is an HTTP feature that lets a web application from one domain access resources from another.

Create Access Policy

Storage access policies provide an additional level of control over server-side shared access signatures (SAS).

Select the Azure Storage container, e.g. “Session-Recording”, click the More (…) button and select Access policy.

In the Access policy pane, select + Add policy.

In the Add policy pane, type the Identifier name, select the Permissions (Read, Create, Write, List), set the Start and Expiry time and click OK.


Generate SAS

The shared access signature (SAS) enables secure delegated access to your storage account resources.

Select the Azure Storage container, e.g. “Session-Recording”, click the More (…) button and select Generate SAS.

In the Storage access policy drop-down, select the access policy you created in the previous step and click the “Generate SAS token and URL” button.

Copy the Blob SAS URL using the copy button.

Session recordings (Add or update SAS URL)

In the left-hand blade of the Bastion host, select Settings > Session recordings, then select Add or update SAS URL.

Paste the Blob SAS URL you copied in the previous step and click the Upload button.

Now, every time you log in to a VM via Azure Bastion, the session is automatically recorded and can be viewed from the Session recordings section.
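The SAS URL pasted into Bastion grants write access to the recording container, so it is worth sanity-checking before upload. The following helper is an added example, not code from the post or from Microsoft: it parses a Blob SAS URL and reports anything outside the pattern the steps above produce (https, container SAS, stored access policy, permissions limited to read/create/write/list, sane expiry). It assumes the public Azure cloud endpoint suffix and a constructed sample URL with a placeholder signature.

```python
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

# Permissions the post's access policy grants: Read, Create, Write, List.
ALLOWED_PERMS = set("rcwl")
# Assumption: public Azure cloud; sovereign clouds use a different suffix.
BLOB_SUFFIX = ".blob.core.windows.net"

# Constructed sample: a container SAS bound to a stored access policy (si=).
SAMPLE_SAS_URL = ("https://contosostorage" + BLOB_SUFFIX + "/session-recording"
                  "?si=bastion-recording&sr=c&spr=https&sv=2022-11-02&sig=PLACEHOLDER")


def check_session_recording_sas(sas_url: str, max_days: int = 365) -> list[str]:
    """Return a list of findings for a Blob SAS URL; an empty list means it passes."""
    findings = []
    u = urlparse(sas_url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if u.scheme != "https":
        findings.append("URL is not https")
    if not u.netloc.endswith(BLOB_SUFFIX):
        findings.append("host is not an Azure Blob endpoint")
    if not u.path.strip("/"):
        findings.append("URL has no container path")
    if "sig" not in q:
        findings.append("no SAS signature (sig) in URL")
    # A stored access policy lets you revoke the SAS by deleting the policy.
    if "si" not in q:
        findings.append("no stored access policy (si): token cannot be revoked by policy")
    if q.get("sr", "c") != "c":
        findings.append(f"resource type sr={q['sr']} is not a container SAS")
    if q.get("spr", "https") != "https":
        findings.append("SAS allows http (spr)")
    # With a stored policy, sp/se usually live in the policy and are absent here.
    extra = set(q.get("sp", "")) - ALLOWED_PERMS
    if extra:
        findings.append(f"permissions beyond read/create/write/list: {''.join(sorted(extra))}")
    if "se" in q:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        now = datetime.now(timezone.utc)
        if expiry <= now:
            findings.append("SAS already expired")
        elif (expiry - now).days > max_days:
            findings.append(f"SAS expiry more than {max_days} days out")
    return findings


if __name__ == "__main__":
    print(check_session_recording_sas(SAMPLE_SAS_URL) or "SAS URL looks fine")
```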
