Azure Bastion vs. Azure VPN Point-to-site for RDP access for remote workers.

Ravikiran S 116 Reputation points

I am referring to this part of the document which talks about "Enabling employees to work remotely".

I am trying to understand the pros and cons of using Point-to-site VPN and Azure Bastion for RDP access for remote workers. In which situation is one preferred over the other?
I feel Bastion is better because it doesn't expose any public IP and ports. But I feel these advantages are given by Azure VPN Point-to-site too? How do we make a decision?

And, if I only need RDP, is Bastion the best solution over the other? And why?

Note: I already referred to this page, and it is not helpful. The answer just copy-pastes the text in the MS docs.


Accepted answer
  1. SaiKishor-MSFT 17,141 Reputation points

    @Ravikiran S First of all, we apologize for the delay in response to your question.

    I understand that you want to know the pros and cons of using P2S VPN vs. Bastion for RDP access for remote workers.

    Here are some of them:

    Azure P2S VPN:

    1. Requires client software on the remote worker's workstation.
    2. You can use certificate-based authentication or AD authentication.
    3. You can see the connected client sessions for monitoring purposes and can also disconnect a session in the portal if needed. (Connection source info is provided for IKEv2 and OpenVPN connections only.)
    4. You will be connecting to the Azure network privately and using the private IPs of the VMs so the Public IPs are not exposed.
    5. You will be able to perform all actions between the networks when connected via Azure P2S VPN.

    Azure Bastion:

    1. Does not require client software on the remote worker's workstation. Lets you connect to a virtual machine using your browser and the Azure portal.
    2. Azure Bastion supports AD-based authentication.
    3. Azure Bastion also supports session monitoring and management, so you can monitor the remote sessions and take quick management actions.
    4. The Bastion service will open the RDP/SSH session/connection to your virtual machine over the private IP of your virtual machine, within your virtual network. So a Public IP is not required.
    5. You will be able to perform only text copy/paste at the moment. Features, such as file copy, are not supported.

    Overall, which solution you want to use will depend upon your requirements and limitations.

    Hope this helps. Please let us know if you have any further questions/concerns. Thank you!


2 additional answers

  1. Ravikiran S 116 Reputation points

    Thanks, @SaiKishor-MSFT for the response.
    I am trying to understand the advantages of using Azure Bastion vs. a jump server.
    Am I correct to say that with Azure Bastion, Microsoft hardens it, secures it, etc.? That is, Microsoft manages Bastion.

    Whereas with a jump server, the customer manages it.

    But other than the managing part, they are the same. That is, they both expose public IPs. They both expose ports. How is exposing ports/public IPs for a jump server less secure than exposing them with Azure Bastion?

    In a nutshell, how is Bastion better than a jump server in terms of security?

  2. SaiKishor-MSFT 17,141 Reputation points

    @Ravikiran S

    Here are some features of Azure Bastion when compared to a jump server:

    • A regular Jump-server VM must either be reachable via VPN or needs to have a public IP with RDP and/or SSH open to the Internet. With Azure Bastion Host, you can solve this access issue. Azure Bastion enables you to use RDP and SSH via the Internet using the Azure Portal. The VM does not need a public IP, which GREATLY increases security for the target machine. Azure Bastion provides seamless RDP and SSH connectivity to your virtual machines over the Secure Sockets Layer (SSL). This can be executed with just two clicks and without the need to worry about managing network security policies.
    • For organizations which may have their existing jumpbox(es) exposed over the internet, their machines may be subject to port scans by malicious users. Azure Bastion is virtual machine hardening which protects against zero-day exploits. This is possible since Azure Bastion is a managed service which includes automatic patching and keeping up to date against known vulnerabilities.

    Hope this helps. Please let us know if you have any further questions/concerns. Thank you!
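Both answers above come down to one verifiable property of the target VM: it needs no public IP, and inbound RDP/SSH should be reachable only from the AzureBastionSubnet (or over the P2S tunnel), never from the Internet. The following is an added Python example, not code from this thread or from Microsoft, that audits NSG inbound rules for exactly that condition. The rule shape (ARM-style `properties` dict), the sample rules and the `10.0.1.0/26` AzureBastionSubnet range are all constructed assumptions.

```python
import ipaddress

# Constructed sample rules in an ARM-like securityRules shape (an assumption for
# this example, not output captured from a real subscription).
SAMPLE_RULES = [
    {"name": "allow-rdp-from-internet", "properties": {       # jump-server style
        "direction": "Inbound", "access": "Allow", "priority": 100,
        "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
    {"name": "allow-ssh-from-bastion", "properties": {        # Bastion style
        "direction": "Inbound", "access": "Allow", "priority": 110,
        "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/26", "destinationPortRange": "22"}},
    {"name": "allow-web", "properties": {                     # not a management port
        "direction": "Inbound", "access": "Allow", "priority": 120,
        "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"}},
]

MGMT_PORTS = {22, 3389}                       # SSH and RDP
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}
BASTION_SUBNET = ipaddress.ip_network("10.0.1.0/26")   # assumed AzureBastionSubnet


def ports_in_range(port_range):
    """Which management ports does an NSG destinationPortRange ('*', '3389', '3300-3400') cover?"""
    if port_range == "*":
        return set(MGMT_PORTS)
    low, _, high = port_range.partition("-")
    high = high or low
    return {p for p in MGMT_PORTS if int(low) <= p <= int(high)}


def within_bastion(src):
    """True if the source prefix lies inside the assumed AzureBastionSubnet."""
    try:
        return ipaddress.ip_network(src, strict=False).subnet_of(BASTION_SUBNET)
    except (ValueError, TypeError):   # service tags (e.g. VirtualNetwork) are not prefixes
        return False


def classify(rule):
    """None if the rule does not allow inbound RDP/SSH, else (name, ports, origin)."""
    p = rule["properties"]
    if p["direction"] != "Inbound" or p["access"] != "Allow":
        return None
    hits = ports_in_range(p["destinationPortRange"])
    if not hits:
        return None
    src = p["sourceAddressPrefix"]
    origin = "internet" if src in INTERNET_SOURCES else ("bastion-subnet" if within_bastion(src) else "other")
    return rule["name"], sorted(hits), origin


def audit(rules):
    """Azure evaluates the lowest priority first, so findings are returned in that order."""
    ordered = sorted(rules, key=lambda r: r["properties"]["priority"])
    return [f for f in (classify(r) for r in ordered) if f]
```

Any finding tagged `internet` is the exposed-jump-server pattern the second answer warns about; `bastion-subnet` findings are the intended Bastion-only path.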