Share via

How to create Jump Server in Azure (not bastion PaaS) to connect to corporate network?

roy lucky 1 Reputation point
2020-11-22T10:10:59.093+00:00

Hello,

We are looking to design a Remote Network Connection for our vendors to connect to vendor-devices/applications running in our corporate network, we already have a hybrid connection between on-premise and azure so we would like to create a Jump host (DMZ ?) in azure which will talk to our vendor applications deployed in corporate network . Is this a good idea ? Rationale behind this , we will be migrating all our applications (except those vendor devices) to azure so in the long term this will be a feasible solution. I know there is an azure bastion PaaS available but that work's within the vnet and cannot be used to connect to on-premise servers? what are the pros and cons of creating a hardened bastion server in azure for the purpose of granting external people(internet) access to the application running in corporate network? what are the best practices around this ? Anyone has any thoughts on this please

Windows for business | Windows Client for IT Pros | User experience | Remote desktop services and terminal services
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andreas Baumgarten 123.6K Reputation points MVP Volunteer Moderator
    2020-11-22T10:25:33.517+00:00

    Maybe Azure Windows Virtual Desktop is an option to get your requirement done.

    https://azure.microsoft.com/en-us/services/virtual-desktop/

    This solution offers:

    • Secure access to a Remote Desktop
    • Secure access to Remote Applications
    • Routing inside Azure virtual networks or on-premises networks is possible
    • Authentication against Azure AD / ADDS with existing users

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten

    1 person found this answer helpful.
  2. Andreas Baumgarten 123.6K Reputation points MVP Volunteer Moderator
    2020-11-30T09:04:11.423+00:00

    How to allow only ingress traffic from vendors coporate network to WVD instead of allowing any public connections such as public wifi?

    As far as I know this is not poosible. The Azure Windows Virtual Desktop infrastructure allows connections from any public internet connection. But authentication is required to get access to the WVD environment. This authentication could also include/require MFA.

    How to allow only egress traffic from WVD into specific vm/ devices in the corporate network?

    You can use "forced tunneling" to send any traffic from WVD infrastructure in the corporate network: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-forced-tunneling

    Is it good practice to have WVD as Domain-joined device because you are allowing internet connections and that would make more attack surface if compromised. what are the implications of having it non-domain joined?

    Currently it's mandatory to domain join the WVD VMs. There is no option to use WVD VMs non-domain joined.

    Is there an article that explains how to deploy hardened WVD for security reasons.

    Basically "hardening the WVD VMs" is possible. The WVD VMs are Windows 10 based, you can do a lot of things with GPOs.

    Maybe this link is helpful: https://learn.microsoft.com/en-us/azure/virtual-desktop/security-guide

    Hope this helps.

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten

    1 person found this answer helpful.
    0 comments
  3. Carl Fan 6,881 Reputation points
    2020-11-23T10:00:31.13+00:00

    Hi,
    Please refer to the link below about how to deploy your jump host in Azure. Hope it could be helpful to you.
    https://www.verboon.info/2020/03/how-to-deploy-your-jump-host-in-azure/
    Hope this helps and please help to accept as Answer if the response is useful.
    Best Regards,
    Carl

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.