Remote Access Management

 


Azure Bastion

The Azure Bastion service is a fully platformed-managed PaaS service that you provision inside your virtual network which provides a secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over TLS. 
When you connect using Azure Bastion, your virtual machines do not need a public IP address and with it you can easily connect to the virtual machine directly from the Azure portal.

Architecture

Once you provision an Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same virtual network.
RDP and SSH are some of the fundamental means through which you can easily connect to your workloads running in Azure. Bastion servers also provides RDP and SSH connectivity to the workloads sitting behind the Bastion, as well as further inside the network.

 

This figure shows the architecture of an Azure Bastion deployment. In this diagram:

  • The Bastion host is deployed in the virtual network.
  • The user connects to the Azure portal using any HTML5 browser.
  • The user selects the virtual machine to connect to.
  • With a single click, the RDP/SSH session opens in the browser.
  • No public IP is required on the Azure VM. 

Key features

The following features are available:
  • RDP and SSH directly in Azure portal- You can directly get to the RDP and SSH session directly in the Azure portal using a single click seamless experience.
  • Remote session over TLS and firewall traversal for RDP/SSH- Azure Bastion uses an HTML5 based web client that is automatically streamed to your local device, so that you can get your RDP/SSH session over TLS on port 443 enabling you to traverse corporate firewalls securely.
  • No public IP required on the Azure VM- Azure Bastion opens the RDP/SSH connection to your Azure VM using private IP on your VM (no need of public IP on your VM).
  • No hassle of managing NSGs- Azure Bastion is afully managed platform PaaS service from Azure that is hardened internally to provide you secure RDP/SSH connectivity.
  • Protection against port scanning- As you do not need to expose your VMs to public Internet, your VMs are protected against port scanning by rogue and malicious users located outside your virtual network.
  • Protect against zero-day exploits- Hardening in one place only. As Azure Bastion sits at the perimeter of your virtual network, you don't need to worry about hardening each of the VMs in your virtual network. 

Virtual Machine Updates

Azure update management is a service included as part of your Azure subscription and is available at no additional cost (you pay only for the long data that Azure Log Analytics stores), and easily enable it for Azure and on-premises VMs. Making updates easy, is one of the key factors in maintaining good security hygiene.

Azure Update Management Overview

Computers that Update Management use following configurations to perform assessment and update deployments:
  • Microsoft Monitoring Agent (MMA) for Windows or Linux.
  • Desired State Configuration (DSC) in Windows PowerShell for Linux.
  • Hybrid Runbook Worker in Azure Automation
  • Microsoft Update or Windows Server Update Services (WSUS) for Windows computers.
When an update deployment is created, it creates a schedule that starts a master update runbook at the specified time for the included computers and this master runbook starts a child runbook on each agent to install the required updates.

Manage updates for multiple machines

From your Azure Automation account, you can:
  • Onboard virtual machines
  • Assess the status of available updates
  • Schedule installation of required updates
  • Review deployment results to verify that updates were applied successfully to all virtual machines for which Update Management is enabled
After you enable Update Management for your machines, you can conveniently view machine information about machine name, compliance status, environment, OS type, critical and security updates installed, other updates installed, and update agent readiness by selecting Computers.

Update inclusion

Azure Update Management provides the ability to deploy patches based on classifications. However, there are scenarios where you may want to explicitly list the exact set of patches. With update inclusion lists you can choose exactly which patches you want to to deploy instead of relying on patch classifications.

 





Comments

Popular posts from this blog

Deployment (Part 3)

Project Resourcing (Part 2)

Design Planning (Part 3)