How to disable RDP and enable Bastion for multiple VMs in the Subscription - Little Confusion

krishna572 876 Reputation points
2023-05-23T08:57:27.88+00:00

I have a few VMs in the subscription that are enabled with RDP and have some security rules defined in each VM's NSG.

I want to deny the RDP and allow the bastion host to access the VM.

One bastion to access all the VMs through peering of Bastion's VNet to each of the VM's VNet.

The process I was doing is:

1. Created a Bastion Host/Instance in a subnet (AzureBastionSubnet) of the VNet
2. Created an NSG for Bastion and defined the following:
    ○ Inbound Security Rules:
    ○ Outbound Security Rules:
3. Assigned the NSG to Bastion's subnet (NSG > Subnets > Assign Subnet to NSG)
4. 1 Bastion to all Virtual Networks - Peering
5. Set the NSG to None for all the VMs after comparing any missing rules from the existing NSG to Bastion's NSG/NIC.
    a. VM > Networking > NIC > NSG > Set it to None
6. Disabled the public access of RDP because Bastion is provisioned on RDP with TLS/SSL
    a. Add/Create NSGs (based on location of VMs)
        i. Allow RDP, SSH from Bastion IP [ISR --> Source IP Address (Bastion Subnet), Service - RDP, SSH]
        ii. Deny RDP, SSH from Internet [ISR --> Service Tag, SSH Service]
7. Check any extra rules defined in the NSGs of all the VMs' Networking menu.
8. Check RDP connection and Bastion connections for all VMs - Final Testing

Is this process correct, or am I missing any step or making a mistake anywhere?

Could you please assist me.
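Steps 5 to 7 of the procedure above hinge on NSG priority ordering: a leftover allow rule with a lower priority number still wins over a deny rule added later, which is exactly what the "check extra rules" step has to catch. The following Python model is an added example, not code from the original post or from Azure; it replays Azure's first-match inbound evaluation (including the default AllowVnetInBound and DenyAllInBound rules) and audits a constructed "stale" and "hardened" VM NSG for RDP/SSH exposure. The address plan, probe addresses, rule names and the approximation of the Internet tag as "outside the VNet address space" are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (hypothetical): VM VNets and the peered Bastion VNet all sit in 10.0.0.0/8.
VNET_SPACES = [ipaddress.ip_network("10.0.0.0/8")]  # the VirtualNetwork tag also covers peered VNets
BASTION_SUBNET = "10.1.0.0/26"                      # AzureBastionSubnet (assumed)
MGMT_PORTS = (3389, 22)                             # RDP, SSH
INTERNET_PROBE = "203.0.113.10"                     # RFC 5737 test address, stands in for the Internet
BASTION_PROBE = "10.1.0.5"                          # an address inside BASTION_SUBNET

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number wins; user rules are 100-4096
    access: str        # "Allow" or "Deny"
    source: str        # CIDR, "*", or service tag ("Internet", "VirtualNetwork")
    ports: tuple = ()  # destination ports; empty means any port

# Azure's built-in inbound default rules (AzureLoadBalancer rule omitted for brevity).
DEFAULT_INBOUND = (Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork"),
                   Rule("DenyAllInBound", 65500, "Deny", "*"))

def source_matches(rule_source, src_ip):
    ip = ipaddress.ip_address(src_ip)
    in_vnet = any(ip in net for net in VNET_SPACES)
    if rule_source == "*":
        return True
    if rule_source in ("VirtualNetwork", "Internet"):  # Internet approximated as "outside the VNet"
        return in_vnet if rule_source == "VirtualNetwork" else not in_vnet
    return ip in ipaddress.ip_network(rule_source)

def evaluate(rules, src_ip, port):
    # First match in priority order decides, exactly as an NSG does; DenyAllInBound always matches last.
    for r in sorted(tuple(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if source_matches(r.source, src_ip) and (not r.ports or port in r.ports):
            return r.access, r.name

def audit_vm_nsg(nsg_name, rules):
    # Step 7 of the post: flag RDP/SSH still open to the Internet or not reachable from Bastion.
    findings = []
    for port in MGMT_PORTS:
        access, hit = evaluate(rules, INTERNET_PROBE, port)
        if access == "Allow":
            findings.append(f"{nsg_name}: port {port} open to Internet via '{hit}'")
        access, hit = evaluate(rules, BASTION_PROBE, port)
        if access != "Allow":
            findings.append(f"{nsg_name}: port {port} blocked from Bastion subnet by '{hit}'")
    return findings

# Constructed NSGs: a stale pre-Bastion rule set and the intended post-migration one.
STALE_NSG = [Rule("AllowRDP", 300, "Allow", "*", (3389,)),                    # leftover direct-RDP rule
             Rule("DenyMgmtInternet", 4000, "Deny", "Internet", MGMT_PORTS)]   # loses to priority 300
HARDENED_NSG = [Rule("AllowBastion", 100, "Allow", BASTION_SUBNET, MGMT_PORTS),
                Rule("DenyMgmtInternet", 110, "Deny", "Internet", MGMT_PORTS)]
```

Running `audit_vm_nsg("stale", STALE_NSG)` reports RDP still open to the Internet through `AllowRDP`, while the hardened set returns no findings; note that even without an explicit allow, traffic from the peered Bastion subnet is admitted by the default `AllowVnetInBound` rule.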


2 answers

  1. Luca Lionetti 3,136 Reputation points
    2023-05-23T09:33:09.2733333+00:00

    Hi Vaishu

    Welcome to the Q&A forum.

    To enable the Bastion you simply have to follow the wizard from the portal, and the service will be configured without the need for further activities. Once configured and tested, you can disable the public IP from the various VMs.

    Check the procedure at this link:

    https://learn.microsoft.com/en-us/azure/bastion/quickstart-host-portal

    Hope this helps

    Cheers

    Luca


  2. vipullag-MSFT 26,016 Reputation points
    2023-05-23T11:46:08.5766667+00:00

    Hello Vaishu

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    Adding to the previous response from Luca, the overall process you've described seems to be on the right track for disabling RDP and enabling Bastion for multiple VMs in your Azure subscription.

    Before proceeding with the steps, I would recommend that you take a backup of your VMs and NSGs.

    You have created a Bastion Host/Instance in a Subnet (AzureBastionSubnet) of Vnet. This is the correct step to create a Bastion Host.

    You have created an NSG for Bastion and defined inbound and outbound security rules. This is also correct. You need to define inbound rules to allow traffic from the Bastion Host to the VMs and outbound rules to allow traffic from the VMs to the Bastion Host.

    You have assigned the NSG with Bastion's Subnet. This is also correct. You need to assign the NSG to the Bastion Host's subnet to allow traffic to flow through the Bastion Host.

    You have created peering between the Bastion Host's VNet and each of the VM's VNet. This is also correct. You need to create peering between the Bastion Host's VNet and each of the VM's VNet to allow traffic to flow between them.

    You have set the NSG to None for all the VMs after comparing any missing rules from the existing NSG to Bastion's NSG/NIC. This is also correct. You need to set the NSG to None for all the VMs to allow traffic to flow through the Bastion Host.

    You have disabled the public access of RDP because Bastion is provisioned on RDP with TLS/SSL. This is also correct. You need to disable the public access of RDP to allow traffic to flow through the Bastion Host.

    You have checked any extra rules defined in the NSGs of all the VMs' Networking menu. This is also correct. You need to check any extra rules defined in the NSGs of all the VMs' Networking menu to ensure that they do not conflict with the Bastion Host's NSG.

    You have checked the RDP connection and Bastion connections for all VMs - Final Testing. This is also correct. You need to check the RDP connection and Bastion connections for all VMs to ensure that they are working as expected.

    By following these steps, you should be able to disable RDP access and enable Azure Bastion as the primary method for accessing your VMs securely.

    It is important to note that Azure Bastion uses port 443 for communication, so you need to ensure that this port is open in your NSGs. Also, make sure that you have the correct permissions to perform these actions.

    Hope this helps.
