Hello @HITESH AGARWAL ,
Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over TLS.
UDR is not supported on an Azure Bastion subnet. For scenarios that include both Azure Bastion and Azure Firewall/Network Virtual Appliance (NVA)/Load Balancer in the same virtual network, you don't need to force traffic from an Azure Bastion subnet to Azure Firewall/NVA/LB because the communication between Azure Bastion and your VMs is private. All connections to Azure Bastion are enforced through Azure Active Directory token-based authentication with 2FA, and all traffic is encrypted over HTTPS. So connecting to your VMSS instance using Bastion in such a way that the connection goes through the Load Balancer placed in front of the VMSS is not possible.
As of now, we block adding a UDR on the Azure Bastion subnet for multiple reasons. We do plan to explore support for the force tunneling scenario going forward. Unfortunately, we don't have any assertive ETA at this point in time. One of the main reasons is that adding an incorrect UDR can prevent Bastion's normal operation.
Please refer to: https://learn.microsoft.com/en-us/azure/bastion/bastion-faq#udr
https://azure.microsoft.com/en-gb/blog/accessing-virtual-machines-behind-azure-firewall-with-azure-bastion/
Please feel free to share your feedback here requesting this feature. All the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.
Kindly let us know if you need any further assistance on this issue from our end.
----------------------------------------------------------------------------------------------------------------
Please don’t forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
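Since the answer above notes that Bastion rejects UDRs on its subnet and that an incorrect route can break Bastion, a pre-deployment check for that misconfiguration is a natural complement. The following is an added example, not code from the answer or from Microsoft: it walks a virtual network description in the ARM JSON shape (`properties.subnets[].properties.routeTable.id`) and reports any `AzureBastionSubnet` that has a route table attached, while leaving workload subnets alone; the sample network is constructed.

```python
"""Flag user-defined route tables attached to an AzureBastionSubnet.

Added example (not from the original answer). It scans a virtual network
in the ARM JSON shape, as produced by an ARM template export, and reports
any subnet named AzureBastionSubnet that carries a route table association,
since Azure Bastion does not support UDRs on its subnet and a wrong route
(for example a default route to an NVA) breaks Bastion. Workload subnets
may legitimately keep their route tables, so they are not reported.
"""
import json

BASTION_SUBNET = "AzureBastionSubnet"


def bastion_udr_findings(vnet):
    """Return one finding per AzureBastionSubnet that has a route table."""
    findings = []
    for subnet in vnet.get("properties", {}).get("subnets", []):
        if subnet.get("name") != BASTION_SUBNET:
            continue  # only the Bastion subnet is constrained
        route_table = subnet.get("properties", {}).get("routeTable")
        if route_table:  # ARM represents the association as {"id": ...}
            findings.append({
                "subnet": subnet["name"],
                "routeTable": route_table.get("id"),
                "message": "UDR is not supported on AzureBastionSubnet; "
                           "remove the route table association",
            })
    return findings


# Constructed sample: a Bastion subnet wrongly bound to a route table and a
# workload subnet that legitimately forces traffic through a firewall.
SAMPLE_VNET = json.loads("""
{"name": "vnet-example", "properties": {"subnets": [
  {"name": "AzureBastionSubnet", "properties": {
     "addressPrefix": "10.0.1.0/26",
     "routeTable": {"id": "/subscriptions/PLACEHOLDER/rt-to-firewall"}}},
  {"name": "snet-vmss", "properties": {
     "addressPrefix": "10.0.2.0/24",
     "routeTable": {"id": "/subscriptions/PLACEHOLDER/rt-to-firewall"}}}
]}}
""")

if __name__ == "__main__":
    for finding in bastion_udr_findings(SAMPLE_VNET):
        print(finding["subnet"], "->", finding["routeTable"], ":", finding["message"])
```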