@ChaitanyaNaykodi-MSFT - your answer suggests placing the Bastion in the Hub VNet. That would require adding an AzureBastionSubnet to it. You can't add a subnet without a VNet, and the VNet of a hub is not exposed - it's internally managed - so how would one place a Bastion service in the Hub?
Azure Bastion with Secured Virtual Hub
We would like to build a shared Bastion service, where VNET peering is based on a secured virtual hub.
So, we build two virtual networks, one for Bastion and the other for VMs. The two virtual networks are peered through a secured virtual hub. We also refer to the NSG rules to configure the firewall to allow communication between the two virtual networks through ports 22, 3389, 5701 and 8080. But it still doesn't work.
How could Bastion work with secured virtual hub?
Thanks.
ChaitanyaNaykodi-MSFT (Microsoft Employee)
2021-11-23T18:58:16.32+00:00
Hello @Chia-Chun Shih, thank you for reaching out, and apologies for the delayed response here. If I have understood the question correctly, you have a hub and spoke architecture where one spoke VNET has the Bastion host and the other spoke VNET has the VMs. The Hub VNET is secured using Azure Firewall.
If my understanding of the question is correct: as per the FAQ documentation here, UDR is not supported on an Azure Bastion subnet, so you can use Bastion for VNETs that are directly peered. The solution in this scenario will be to either move the Bastion host to the Hub VNET or peer the Spoke VNETs together. Additionally, you don't need to force traffic from an Azure Bastion subnet to Azure Firewall, because the communication between Azure Bastion and your VMs is private.
Hope this helps. Please let me know if you have any additional questions here I will be glad to continue with our discussion. Thank you!
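One way to apply the recommendation above (peer the two spokes directly, and confirm that AzureBastionSubnet carries no UDR), as an added Azure CLI example that is not part of the original thread. The resource group and VNet names are assumptions; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: direct spoke-to-spoke peering for Bastion.
# Resource group and VNet names below are assumed placeholders.
set -eu

RG="${RG:-rg-bastion-demo}"
BASTION_VNET="${BASTION_VNET:-vnet-bastion}"
VM_VNET="${VM_VNET:-vnet-workload}"

# DRY_RUN=1 prints each az command instead of executing it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Peer both directions. Bastion reaches the VMs over the private peered path,
# so no forced tunnelling through the secured hub's firewall is required.
peer_spokes() {
  run az network vnet peering create --resource-group "$RG" \
    --name "${BASTION_VNET}-to-${VM_VNET}" --vnet-name "$BASTION_VNET" \
    --remote-vnet "$VM_VNET" --allow-vnet-access
  run az network vnet peering create --resource-group "$RG" \
    --name "${VM_VNET}-to-${BASTION_VNET}" --vnet-name "$VM_VNET" \
    --remote-vnet "$BASTION_VNET" --allow-vnet-access
}

# UDR is not supported on AzureBastionSubnet: succeed (exit 0) only when
# no route table is attached to it.
bastion_subnet_has_no_udr() {
  rt=$(az network vnet subnet show --resource-group "$RG" \
         --vnet-name "$BASTION_VNET" --name AzureBastionSubnet \
         --query 'routeTable.id' -o tsv 2>/dev/null || true)
  [ -z "$rt" ]
}
```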