Implement an open-source jump server solution on Azure

Virtual Machines
Load Balancer
Virtual Network
Database for MySQL

This example scenario describes a high-availability solution for a jump server that runs on Azure. It uses an open-source tool called Apache Guacamole, which has functionality that's like that of Azure Bastion.

ApacheĀ®, Apache Guacamole, and the flame logo are either registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries. No endorsement by The Apache Software Foundation is implied by the use of these marks.

Architecture

The architecture includes a public load balancer that receives external access requests and directs them to two virtual machines (VMs) in the web layer. The web layer communicates with the data layer, where a MySQL database stores sign-in information, access events, and connections.

Diagram that shows a reference architecture for using Apache Guacamole on Azure.

Download a Visio file of this architecture.

Dataflow

  1. A user initiates a connection over the internet.
  2. The connection from the user is established with the Azure public load balancer.
  3. The Azure public load balancer receives external access and directs the traffic for the two VMs in the web tier.
  4. The web tier communicates with Azure Database for MySQL in the data tier. This database stores sign-in information, access events, and connections.
  5. The connection is established with the target clients via Secure Shell (SSH), Virtual Network Computing (VNC), or Remote Desktop Protocol (RDP) protocol.

Components

  • Azure Load Balancer: A service for distributing load (incoming network traffic) across a group of back-end resources or servers.
  • Azure Virtual Network: The fundamental building block for your private network on Azure.
  • Public IP addresses: A service that allows internet resources to communicate inbound to Azure resources.
  • Network security groups: A service that filters network traffic traveling to and from Azure resources in an Azure virtual network.
  • Availability set: A logical grouping of VMs that allows Azure to provide redundancy and availability.
  • Azure Database for MySQL: A fully managed MySQL database as a service.

Alternatives

If you don't need as much control as the solution described here provides, you can use Azure Bastion, a fully managed service that offers high-security RDP and SSH access to VMs without any exposure through public IP addresses.

Scenario details

Apache Guacamole is a clientless remote desktop gateway that supports standard protocols like VNC, RDP, and SSH. Because it's clientless, your users don't need to install anything. They just use a web browser to remotely access your VMs.

For more information about Guacamole and its internal components, see Implementation and architecture.

To provide high availability, this solution:

The solution also uses:

Potential use cases

  • Access your computers from any device. Because Guacamole requires only a reasonably fast standards-compliant browser, it runs on many devices, including mobile phones and tablets.
  • Host a computer in the cloud. Computers hosted on virtualized hardware are more resilient to failures. With the current availability of on-demand computing resources, Guacamole is a perfect way to access machines that are accessible only over the internet.
  • Provide easy access to a group of people. You can use Guacamole to centralize access to a large group of machines and specify on a per-user basis which machines can be accessed. Rather than remember a list of machines and credentials, users only need to sign in to a central server and select one of the listed connections.
  • Add HTML5 remote access to your existing infrastructure. Because Guacamole is an API and not just a web application, you can use the core components and libraries provided by the Guacamole project to add HTML5 remote access features to an existing application. You don't need to use the main Guacamole web application. You can write or integrate with your own applications fairly easily.

Considerations

These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that you can use to improve the quality of a workload. For more information, see Microsoft Azure Well-Architected Framework.

Reliability

Reliability ensures your application can meet the commitments you make to your customers. For more information, see Overview of the reliability pillar.

This solution's resiliency depends on the failure modes of individual services like Azure Virtual Machines, Azure Database for MySQL, and Azure Load Balancer. For more information, see these articles:

For information about disaster recovery, see Business continuity and disaster recovery.

For Azure VMs in the web tier, you can use availability sets to create a logical grouping of VMs that provides redundancy and availability. We recommend at least two VMs per availability set to create a high-availability application and meet the Azure SLA.

Because Azure Database for MySQL is a managed database as a service, its architecture is optimized for built-in high availability. For information about SLAs, see SLAs for Azure Database for MySQL.

Security

Security provides assurances against deliberate attacks and the abuse of your valuable data and systems. For more information, see Overview of the security pillar.

You might want to add Azure Web Application Firewall to this solution. It helps protect your application from common vulnerabilities. This Azure Application Gateway option uses Open Web Application Security Project (OWASP) rules to help prevent attacks like cross-site scripting, session hijacking, and other exploits.

As an added layer of protection, be sure to use Azure network security groups to filter network traffic traveling to and from Azure resources in the Azure virtual network.

You should also consider Private Link for Azure Database for MySQL. You can use Private Link to connect to platform as a service (PaaS) services in Azure via a private endpoint. Private Link essentially brings Azure services inside your private virtual network. PaaS resources can be accessed via the private IP address just like any other resource in the virtual network.

Finally, follow these security guidelines when you implement this solution.

Cost optimization

Cost optimization is about finding ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Overview of the cost optimization pillar.

To better understand the cost of running this scenario on Azure, use the pricing calculator.

For more information about the cost of this solution, see:

Operational excellence

Operational excellence covers the operations processes that deploy an application and keep it running in production. For more information, see Overview of the operational excellence pillar.

Operational excellence applies reliability, predictability, and automated operations to your architecture to keep your application running in production. Deployments must be reliable and predictable. Automated deployments reduce the chance of human error.

Implement software engineering disciplines across your entire environment, including these practices:

For more information, see Operational excellence design principles.

Performance efficiency

Performance efficiency is the ability of your workload to scale to meet the demands placed on it by users in an efficient manner. For more information, see Performance efficiency pillar overview.

To accomplish this goal, consider using Azure Virtual Machine Scale Sets, which you can use to create and manage a group of load-balanced VMs. The number of VM instances can automatically increase or decrease in response to demand or according to a defined schedule.

Deploy this scenario

We recommend that you use the Bash environment in Azure Cloud Shell to deploy this solution. If you'd rather run commands in your own Windows, Linux, or macOS environment, install the Azure CLI.

For deployment steps, see Deploying Apache Guacamole on Azure.

Contributors

This article is maintained by Microsoft. It was originally written by the following contributors.

Principal author:

Other contributor:

To see non-public LinkedIn profiles, sign in to LinkedIn.

Next steps