Remote Access Management

Azure Bastion

The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS.
When you connect through Azure Bastion, your virtual machines do not need a public IP address, and you can connect to a virtual machine directly from the Azure portal.

Architecture

Once you provision an Azure Bastion service in your virtual network, the RDP/SSH experience is available to all VMs in the same virtual network.
RDP and SSH are among the fundamental means of connecting to your workloads running in Azure. Bastion servers also provide RDP and SSH connectivity to the workloads sitting behind the Bastion, as well as further inside the network.

[Figure: architecture of an Azure Bastion deployment]

This figure shows the architecture of an Azure Bastion deployment. In this diagram:

  • The Bastion host is deployed in the virtual network.
  • The user connects to the Azure portal using any HTML5 browser.
  • The user selects the virtual machine to connect to.
  • With a single click, the RDP/SSH session opens in the browser.
  • No public IP is required on the Azure VM. 

Key features

The following features are available:
  • RDP and SSH directly in the Azure portal - You get to the RDP or SSH session directly in the Azure portal with a single-click, seamless experience.
  • Remote session over TLS and firewall traversal for RDP/SSH - Azure Bastion uses an HTML5-based web client that is automatically streamed to your local device, so your RDP/SSH session runs over TLS on port 443, which lets you traverse corporate firewalls securely.
  • No public IP required on the Azure VM - Azure Bastion opens the RDP/SSH connection to your Azure VM using the VM's private IP; no public IP is needed on the VM.
  • No hassle of managing NSGs - Azure Bastion is a fully managed platform PaaS service from Azure that is hardened internally to provide secure RDP/SSH connectivity.
  • Protection against port scanning - Because you do not need to expose your VMs to the public Internet, they are protected against port scanning by rogue and malicious users located outside your virtual network.
  • Protection against zero-day exploits - Hardening in one place only. Because Azure Bastion sits at the perimeter of your virtual network, you don't need to worry about hardening each VM in your virtual network.
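The following Az PowerShell script is an added example, not code from the original post or from Microsoft's documentation. It builds the deployment sketched above: a virtual network with a workload subnet and the dedicated AzureBastionSubnet, a Bastion host with the only public IP in the design, and an NSG on the workload subnet that admits RDP/SSH solely from the Bastion subnet. The resource group, region, resource names and address ranges are assumptions chosen for the example; the subnet name AzureBastionSubnet and its minimum /26 size are Azure requirements.

```powershell
# Added example (not from the original post): provision Azure Bastion with Az PowerShell and
# restrict RDP/SSH on the workload subnet so it is reachable only from AzureBastionSubnet.
# All names and address ranges below are assumptions chosen for this example.

$rg       = 'rg-bastion-demo'            # assumed resource group name
$location = 'westeurope'                 # assumed region
$vnetName = 'vnet-demo'                  # assumed VNet name
$vmSubnet = 'snet-workloads'             # assumed workload subnet name
$bastionSubnetPrefix = '10.0.255.0/26'   # Bastion requires the name AzureBastionSubnet and at least a /26

Connect-AzAccount | Out-Null
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# NSG for the workload subnet. Bastion reaches the VM over its private IP, so the VM needs no
# public IP; the explicit Deny at priority 110 also overrides the default AllowVnetInBound rule,
# so RDP/SSH from other subnets in the VNet is blocked as well.
$allowFromBastion = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-SSH-From-Bastion' `
    -Description 'Management traffic only via Azure Bastion' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $bastionSubnetPrefix -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange @('22', '3389')

$denyMgmt = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-SSH-Other' `
    -Description 'Block RDP/SSH from anywhere else, including the Internet' `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange @('22', '3389')

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-workloads' -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowFromBastion, $denyMgmt

# Virtual network: workload subnet with the NSG attached, plus the dedicated Bastion subnet.
$workloadSubnet = New-AzVirtualNetworkSubnetConfig -Name $vmSubnet `
    -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg
$bastionSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' `
    -AddressPrefix $bastionSubnetPrefix

$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.0.0.0/16' -Subnet $workloadSubnet, $bastionSubnet

# Bastion needs a Standard SKU, static public IP. This is the only public IP in the design.
$pip = New-AzPublicIpAddress -Name 'pip-bastion' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

New-AzBastion -ResourceGroupName $rg -Name 'bas-demo' `
    -PublicIpAddressRgName $rg -PublicIpAddressName $pip.Name `
    -VirtualNetworkRgName $rg -VirtualNetworkName $vnet.Name

# Check: no NIC in the resource group should carry a public IP once VMs are deployed.
Get-AzNetworkInterface -ResourceGroupName $rg |
    Where-Object { $_.IpConfigurations.PublicIpAddress } |
    ForEach-Object { Write-Warning "NIC $($_.Name) still has a public IP attached" }
```

The final check is worth running periodically, not just at deployment time: the "no public IP" property of this design is only as good as the process that keeps someone from attaching one later.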

Virtual Machine Updates

Azure Update Management is a service included as part of your Azure subscription and is available at no additional cost (you pay only for the log data that Azure Log Analytics stores), and you can easily enable it for Azure and on-premises VMs. Making updates easy is one of the key factors in maintaining good security hygiene.

Azure Update Management Overview

Computers managed by Update Management use the following configurations to perform assessment and update deployments:
  • Microsoft Monitoring Agent (MMA) for Windows or Linux.
  • PowerShell Desired State Configuration (DSC) for Linux.
  • Hybrid Runbook Worker in Azure Automation.
  • Microsoft Update or Windows Server Update Services (WSUS) for Windows computers.
When an update deployment is created, it creates a schedule that starts a master update runbook at the specified time for the included computers. This master runbook then starts a child runbook on each agent to install the required updates.

Manage updates for multiple machines

From your Azure Automation account, you can:
  • Onboard virtual machines
  • Assess the status of available updates
  • Schedule installation of required updates
  • Review deployment results to verify that updates were applied successfully to all virtual machines for which Update Management is enabled
After you enable Update Management for your machines, you can view each machine's name, compliance status, environment, OS type, critical and security updates installed, other updates installed, and update agent readiness by selecting Computers.

Update inclusion

Azure Update Management provides the ability to deploy patches based on classifications. However, there are scenarios where you may want to explicitly list the exact set of patches. With update inclusion lists you can choose exactly which patches you want to deploy instead of relying on patch classifications.
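As an added example (not code from the original post or from Microsoft), the Az.Automation script below ties the last three sections together: it creates the schedule that drives the master update runbook, attaches a Windows update deployment that uses an explicit KB inclusion list rather than classifications, and then lists the deployment runs so the results can be reviewed. It assumes the Automation account already has Update Management enabled and the target VM is onboarded; the resource group, account name, VM resource ID and KB numbers are placeholders to replace with your own.

```powershell
# Added example (not from the original post): schedule an Update Management deployment with an
# explicit KB inclusion list using Az.Automation. Assumes Update Management is already enabled on
# the Automation account and the VM is onboarded. All names and IDs below are placeholders.

$rg      = 'rg-automation-demo'   # placeholder resource group
$account = 'aa-updates-demo'      # placeholder Automation account name

# Placeholder VM resource ID; replace <subscription-id> and the VM path with your own.
$vmIds = @(
    '/subscriptions/<subscription-id>/resourceGroups/rg-bastion-demo/providers/Microsoft.Compute/virtualMachines/vm-web-01'
)

# Placeholder KB numbers: only these patches are installed, regardless of classification.
$kbAllowList = @('1234567', '2345678')

Connect-AzAccount | Out-Null

# Weekly maintenance window: every Tuesday at 02:00 UTC, first run at least a week out.
$schedule = New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $account `
    -Name 'weekly-tuesday-0200' `
    -StartTime ([datetime]::UtcNow.Date.AddDays(7).AddHours(2)) `
    -WeekInterval 1 -DaysOfWeek Tuesday -TimeZone 'UTC'

# The software update configuration is the "update deployment" from the text: the schedule
# starts the master runbook, which fans out to a child runbook on each included machine.
$config = New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $rg `
    -AutomationAccountName $account `
    -Schedule $schedule -Windows `
    -AzureVMResourceId $vmIds `
    -IncludedKbNumber $kbAllowList `
    -Duration (New-TimeSpan -Hours 2) `
    -RebootSetting IfRequired

# Review deployment results once the window has passed: one row per run of this configuration.
Get-AzAutomationSoftwareUpdateRun -ResourceGroupName $rg -AutomationAccountName $account `
    -SoftwareUpdateConfigurationName $config.Name | Format-Table
```

Keeping the inclusion list in source control alongside this script gives you an auditable record of exactly which patches were approved for each maintenance window, which classification-based deployments do not provide on their own.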
