Scenario: Currently Azure VMs are being accessed using RDP with JIT enabled for administration work. Admins are allowed to do that work even from a coffee shop/home. There is a chance that traffic can be sniffed/captured as we are using their Wi-Fi (coffee shop). Even home Wi-Fi can be compromised.
We are looking for secure communication between the admin device and the Azure VM. Is there any solution in Zscaler that can fulfill the requirements?
Using Azure Bastion is an easier way than going to any third-party solution.
No RDP/SSH ports need to be exposed publicly in VMs and no public IP is required for VM(s).
Azure Bastion uses an HTML5-based web client that is automatically streamed to your local device. You get your RDP/SSH session over TLS on port 443 (which is a secured encrypted port). It provides a near-foolproof solution to eliminate outside attacks.
However, I still won't recommend running business-critical traffic from vulnerable networks (public ones, coffee shops, etc.) to connect. There might be potential security holes in the local network which you can't eliminate/prevent. It's not about connecting to Azure; I am saying this for all work-related services.
Having said that, the near-best solution you've got is Bastion, to secure access with less management overhead.
Thanks, both of you, for the comments, but my question is about protection in case the router has been compromised. Suppose we are working from home and our router has been compromised. Is there any solution that protects against leaking the sensitive info and credentials that will be supplied by the admin during the remote session to the Azure VM?
Hi @Sakaldeep Yadav ,
For your home router you could disable remote access, enable and configure the firewall.
As for the Azure VM you can use:
a) Azure Bastion
b) Deploy an Azure P2S VPN
c) Connect to the VM using MFA (requires the VM to be joined to an AAD)
If the answer is helpful, please click "Accept Answer" and kindly upvote it.
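The answers above rest on RDP/SSH no longer being reachable from the internet once Bastion is in place. The following check is an added example, not code from this thread or from Microsoft: it scans network security group data in the shape returned by `az network nsg list -o json` and flags inbound Allow rules that still open port 22 or 3389 to any source. The NSG names, rule names and addresses in the sample are constructed.

```python
MGMT_PORTS = (22, 3389)  # SSH, RDP
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}

# Constructed sample, shaped like `az network nsg list -o json` output.
SAMPLE_NSGS = [
    {"name": "nsg-vm-legacy", "securityRules": [
        {"name": "allow-rdp-any", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "*", "sourceAddressPrefixes": [],
         "destinationPortRange": "3389", "destinationPortRanges": []},
        {"name": "allow-ssh-office", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "203.0.113.10/32", "sourceAddressPrefixes": [],
         "destinationPortRange": "22", "destinationPortRanges": []},
        {"name": "allow-app-range", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
         "destinationPortRange": None, "destinationPortRanges": ["3000-4000", "8080"]},
    ]},
    {"name": "nsg-bastion-subnet", "securityRules": [
        {"name": "allow-https-in", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "Internet", "sourceAddressPrefixes": [],
         "destinationPortRange": "443", "destinationPortRanges": []},
    ]},
]

def covers(spec, port):
    """True if an NSG port spec ('*', '3389' or '3000-4000') includes port."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def exposed_mgmt_rules(nsgs):
    """Return (nsg, rule, ports) for inbound Allow rules open to the internet."""
    findings = []
    for nsg in nsgs:
        for rule in nsg.get("securityRules") or []:
            if (rule.get("direction"), rule.get("access")) != ("Inbound", "Allow"):
                continue
            sources = list(rule.get("sourceAddressPrefixes") or [])
            sources.append(rule.get("sourceAddressPrefix") or "")
            if not any(s.lower() in OPEN_SOURCES for s in sources):
                continue
            specs = list(rule.get("destinationPortRanges") or [])
            if rule.get("destinationPortRange"):
                specs.append(rule["destinationPortRange"])
            ports = [p for p in MGMT_PORTS if any(covers(s, p) for s in specs)]
            if ports:
                # Candidate only: a higher-priority Deny rule may still shadow it.
                findings.append((nsg["name"], rule["name"], ports))
    return findings
```

On the sample, the wide `3000-4000` range is flagged because it silently includes 3389, while the Bastion subnet rule on 443 and the office-restricted SSH rule are not.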