Cloud Workload Connection Vulnerability

Malicious attacks on your cloud workload can take many different forms; according to the Microsoft Digital Defence Report, there has been a more than 40% increase in Remote Desktop Protocol (RDP) and Secure Shell (SSH) attacks in the last 12 months.

So, why must we talk about this now?

As you are already aware, when you host your workload in the cloud, whether as VMs or as SaaS services and applications, you need a way to manage it, and in practice that means managing it remotely. Here you have some options to ensure that remote access is secure, such as:

  • VPN connectivity
  • Jump box
  • and others 

The challenge with those solutions is the extra effort and cost your organization must carry to keep remote access both secure and manageable. Let me introduce you to a secure, cost-effective solution that gives you the following benefits:

  • Protection against zero-day exploits, with hardening in one place (the Bastion host is managed and patched by Microsoft)
  • RDP/SSH tunnelled over TLS (HTTPS, port 443)
  • Reduced cost and complexity
  • No public IP address required on the VMs
  • and more

Your solution is a service called Azure Bastion. Let’s go there now.

Azure Bastion

So, what is this service? Simply, it is an Azure PaaS (Platform as a Service) service that you deploy into your Azure vNet. It allows you to connect to your VMs from the browser through the Azure portal. Once it is set up, you can securely and seamlessly connect to, and manage, your VMs over RDP/SSH tunnelled inside TLS. You can do this without assigning a public IP address to each VM or maintaining a jump box; the only public IP address in the design belongs to the Bastion host itself.

Below is an architectural view of the Bastion service:

Deploy Bastion

There are several ways you can deploy Azure Bastion. One way is to deploy it during vNet provisioning; the other is to deploy it after the vNet already exists. The first option is very simple and straightforward; it is done during vNet creation, where you can enable the service at the Security stage:

As you can see in the figure above, you must select the Enable radio button to enable the BastionHost. You then provide a name for your Bastion, nominate an address space, and then select, or create, a new public IP address (it must be a Standard SKU, statically allocated address). After this is done, a new dedicated subnet named AzureBastionSubnet is created in your vNet, and this is where the BastionHost is located. That name is mandatory and the subnet must be /26 or larger; nothing else should be placed in it.

The second option is more practical if you already have your own vNet and now want to benefit from the service. To set up Bastion after the vNet has been deployed, browse to the vNet:

  • from the menu, select Bastion
  • then choose how you want to provision the service; your options are Create Azure Bastion using defaults, or to create your own configuration using the I want to configure Azure Bastion on my own option

If you choose the defaults, Azure provisions the service for you automatically (subnet, public IP address and Bastion host) and gets you started.

If you have chosen the I want to configure Azure Bastion on my own option, you get more configuration settings to work with, such as the SKU, the Bastion subnet address range and the public IP address to use:
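The same deployment can be scripted. The block below is an added example written for this article, not code from the original post or from Microsoft: it uses Az PowerShell to add the mandatory AzureBastionSubnet to an existing vNet, create the Standard SKU public IP and the Bastion host, and then does the step the portal wizard does not do for you: it locks the workload subnet's NSG down so that RDP/SSH are only reachable from the Bastion subnet. The resource group, vNet, subnet names, region, address prefix and SKU are assumptions; change them to match your environment. It assumes the Az module is installed and you have run Connect-AzAccount.

```powershell
# Added example, not from the original post. Deploy Azure Bastion into an existing vNet
# and restrict RDP/SSH on the workload subnet to the Bastion subnet only.
# Assumptions: names, region and address prefix below; Az module installed; Connect-AzAccount done.

$rg          = 'rg-bastion-demo'     # assumed, must already exist
$location    = 'westeurope'          # assumed region
$vnetName    = 'vnet-hub'            # assumed existing vNet
$vmSubnet    = 'snet-workload'       # assumed subnet that holds the VMs
$bastionCidr = '10.0.250.0/26'       # assumed; must be unused in the vNet and /26 or larger

# 1. Bastion requires a dedicated subnet with exactly this name and a /26 or larger prefix.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
if (-not ($vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix $bastionCidr `
        -VirtualNetwork $vnet | Out-Null
    $vnet = $vnet | Set-AzVirtualNetwork
}

# 2. Bastion needs a Standard SKU, statically allocated public IP address.
#    This is the only public IP in the design; the VMs keep none.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-bastion' -Location $location `
        -AllocationMethod Static -Sku Standard

# 3. Create the Bastion host. Basic SKU is enough for portal-only RDP/SSH;
#    Standard (assumed here) is required for native-client connections.
New-AzBastion -ResourceGroupName $rg -Name 'bas-hub' `
    -PublicIpAddressRgName $rg -PublicIpAddressName $pip.Name `
    -VirtualNetworkRgName $rg -VirtualNetworkName $vnetName -Sku 'Standard' | Out-Null

# 4. Removing the public IP closes the Internet path, but a permissive NSG would still let
#    anything else in the vNet (or a peered network) reach 22/3389. Allow management ports
#    only from the Bastion subnet and explicitly deny every other source.
$allowFromBastion = New-AzNetworkSecurityRuleConfig -Name 'Allow-Mgmt-From-Bastion' `
    -Description 'RDP/SSH only from AzureBastionSubnet' -Access Allow -Protocol Tcp `
    -Direction Inbound -Priority 100 -SourceAddressPrefix $bastionCidr -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 22,3389

$denyMgmt = New-AzNetworkSecurityRuleConfig -Name 'Deny-Mgmt-Other' `
    -Description 'Block RDP/SSH from every other source' -Access Deny -Protocol Tcp `
    -Direction Inbound -Priority 110 -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 22,3389

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-workload' -Location $location `
        -SecurityRules $allowFromBastion, $denyMgmt

# Attach the NSG to the workload subnet, keeping its existing address prefix.
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $vmSubnet -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name $vmSubnet -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Set-AzVirtualNetwork | Out-Null
```

The explicit deny rule at priority 110 matters when other allow rules or peered networks exist: without it, the default VirtualNetwork allow rule still permits RDP/SSH from any address inside the vNet, which is exactly the lateral-movement path an attacker wants after compromising one workload.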

Connect

It doesn’t matter which way you deploy your Azure Bastion; once it has been deployed, you can connect to and manage your VMs directly from the Azure portal. Browse to the VM, press Connect, then choose Bastion:

Provide your username and password to connect. For Linux VMs you can, and should, use an SSH private key instead of a password; Bastion accepts one from a local file or from Azure Key Vault:

From the above screenshot, you can see that we connected to our Linux VM over SSH, tunnelled inside TLS, directly from the Azure portal. Also note that the VM has no public IP address.
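Having no public IP on the VM is the point of the whole exercise, so it is worth checking that nothing in the resource group still offers the old path. The audit below is an added example, not code from the original post or from Microsoft: with Az PowerShell it lists every NIC that still has a public IP attached and every inbound NSG rule that allows port 22 or 3389 from the Internet or from any source. The resource group name is an assumption, and it assumes Connect-AzAccount has been run.

```powershell
# Added example, not from the original post. Audit a resource group for VMs that are still
# reachable without Bastion: NICs with public IPs, and NSG rules allowing RDP/SSH from the Internet.
# Assumptions: Az module installed, Connect-AzAccount done, resource group name below.

function Test-PortInRange {
    # $true if $Port lies inside an NSG port range string such as '22', '*' or '3000-4000'.
    param([int]$Port, [string]$Range)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

function Get-ManagementExposure {
    param([Parameter(Mandatory)][string]$ResourceGroupName)
    $findings = @()

    # Finding 1: any NIC IP configuration with a public IP resource attached.
    foreach ($nic in Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName) {
        foreach ($cfg in $nic.IpConfigurations) {
            if ($cfg.PublicIpAddress) {
                $findings += [pscustomobject]@{
                    Resource = $nic.Name
                    Issue    = 'Public IP attached'
                    Detail   = ($cfg.PublicIpAddress.Id -split '/')[-1]
                }
            }
        }
    }

    # Finding 2: inbound allow rules for 22 or 3389 whose source is the Internet or any address.
    $broadSources = @('*', 'Internet', '0.0.0.0/0')
    foreach ($nsg in Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName) {
        foreach ($rule in $nsg.SecurityRules) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
            $sources = @($rule.SourceAddressPrefix)
            if (-not ($sources | Where-Object { $_ -in $broadSources })) { continue }
            $ports = @($rule.DestinationPortRange)
            foreach ($mgmtPort in 22, 3389) {
                if ($ports | Where-Object { $_ -and (Test-PortInRange -Port $mgmtPort -Range $_) }) {
                    $findings += [pscustomobject]@{
                        Resource = "$($nsg.Name)/$($rule.Name)"
                        Issue    = "Port $mgmtPort allowed from $($sources -join ',')"
                        Detail   = "priority $($rule.Priority)"
                    }
                }
            }
        }
    }
    return $findings
}

# Usage: an empty result means no VM in the group is exposed the old way.
Get-ManagementExposure -ResourceGroupName 'rg-bastion-demo' | Format-Table -AutoSize
```

Run it after the Bastion deployment and again periodically: a public IP quietly added to a VM during troubleshooting, or a "temporary" allow-any rule on 3389, is how the attack surface Bastion removed comes back.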

Conclusion

Azure Bastion helps you reduce the attack surface of your workload infrastructure by removing the need to open the standard management ports (22 and 3389) to the outside world. Today, we went through the procedure to connect to a VM through Azure Bastion from the Azure portal over TLS (HTTPS). You can now manage your remote connections directly from your browser. In my next blog, I will show you how you can use the Microsoft Remote Desktop client to connect through Azure Bastion to better manage your VMs. After all, the solution delivers what is needed, which can be summarised as security, simplicity and reduced cost.

2 thoughts on “Cloud Workload Connection Vulnerability”

  1. So, it's a jumpbox that you have to interact with on a webpage.
    Could do the same thing with Guacamole and gotty?

    • Thanks, @Doug Mclntyre, for your reply. Correct, another way to achieve the same result, but when it comes to big organizations I prefer the ease and seamless deployment, less maintenance, etc. I will give these tools a try.
