
Bastion Host in Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: Network-026

Ensure there is a bastion host configured to allow secure remote access to the virtual machine (VM) instances running within your Microsoft Azure cloud account. The Azure Bastion service enables secure remote access to virtual machines without exposing them directly to the Internet. Additionally, Azure Bastion sessions are subject to the security hardening measures (such as Multi-Factor Authentication and Conditional Access policies) configured within the organization's Microsoft Entra ID tenant, further strengthening access control.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security, Operational excellence

Azure Bastion offers organizations a secure method of accessing their virtual machines over the Internet without the need to assign public IP addresses to those machines. With Azure Bastion, organizations can conveniently access VM instances using Remote Desktop Protocol (RDP) and Secure Shell (SSH) via TLS within a web browser. This eliminates the requirement to expose the TCP ports 3389 and 22 to the Internet. Furthermore, the service provides additional advantages such as Multi-Factor Authentication (MFA), Conditional Access Policies, and other security hardening measures configured within Microsoft Entra ID. By utilizing Azure Bastion as a central point of access, organizations can enhance the security posture of their Azure cloud environment while simplifying remote access to virtual machines.


Audit

To determine if there are any bastion hosts provisioned within your Azure cloud account, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Bastion blade at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FbastionHosts.

03 On the Bastions page, select the subscription that you want to examine from the Subscription filter box and choose Apply.

04 Check for any bastion hosts created for the selected Azure subscription. If there are no bastion hosts listed on this page and the confirmation message No Bastions to display is shown, there are no bastion hosts configured for secure web-based access to the Azure virtual machines provisioned within the selected subscription.

05 Repeat steps no. 3 and 4 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run network bastion list command (Windows/macOS/Linux) to list all the Azure Bastion host machines provisioned in the selected Azure subscription:

az network bastion list \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

02 The command output should return the bastion hosts available in the selected subscription:

[]

If the network bastion list command output returns an empty array, i.e. [], as shown in the example above, there are no bastion hosts configured for secure web-based access to your Azure virtual machines, provisioned in the selected Azure subscription.

03 Repeat steps no. 1 and 2 for each subscription created in your Microsoft Azure cloud account.
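The three CLI audit steps above, automated across every enabled subscription as an added example (not Conformity's or Microsoft's code): the assessment functions evaluate the JSON that az network bastion list prints and run offline on constructed samples; only run_live_audit() invokes the Azure CLI and assumes you are already logged in. The second subscription ID in the samples is a constructed placeholder.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample outputs of `az network bastion list --subscription <id> -o json`:
# the empty array the page shows for a non-compliant subscription, and a trimmed
# copy of the page's bastion host for a compliant one (second ID is a placeholder).
SAMPLE_OUTPUTS = {
    "abcdabcd-1234-abcd-1234-abcdabcdabcd": "[]",
    "11111111-2222-3333-4444-555555555555": json.dumps([
        {"name": "cc-bastion-host", "provisioningState": "Succeeded",
         "sku": {"name": "Standard"}, "scaleUnits": 2},
    ]),
}

def assess_bastion_list(raw_json: str) -> Dict[str, object]:
    """Evaluate one subscription's `network bastion list` output.

    An empty array means no bastion host exists (the page's finding). A host that
    is still provisioning or has failed is not counted as usable either, because
    it does not provide remote access yet.
    """
    hosts = json.loads(raw_json)
    usable = [h["name"] for h in hosts if h.get("provisioningState") == "Succeeded"]
    return {"compliant": bool(usable), "usable_hosts": usable, "total_hosts": len(hosts)}

def audit_subscriptions(outputs: Dict[str, str]) -> List[str]:
    """Turn {subscription_id: raw json} into one Network-026 report line each."""
    report = []
    for sub_id, raw in outputs.items():
        result = assess_bastion_list(raw)
        status = "COMPLIANT" if result["compliant"] else "NON-COMPLIANT (Network-026)"
        detail = ", ".join(result["usable_hosts"]) or "no usable bastion hosts"
        report.append(f"{sub_id}: {status}: {detail}")
    return report

def run_live_audit() -> List[str]:
    """Repeat steps 01-03 over every enabled subscription (requires `az login`)."""
    subs = json.loads(subprocess.check_output(
        ["az", "account", "list", "--query", "[?state=='Enabled'].id", "-o", "json"], text=True))
    outputs = {
        sub: subprocess.check_output(
            ["az", "network", "bastion", "list", "--subscription", sub, "-o", "json"], text=True)
        for sub in subs
    }
    return audit_subscriptions(outputs)

if __name__ == "__main__":
    print("\n".join(audit_subscriptions(SAMPLE_OUTPUTS)))  # offline demo on the samples
```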

Remediation / Resolution

To create Azure Bastion host machines in order to configure secure web-based access to your virtual machine (VM) instances, perform the following actions:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure Bastion blade at https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.Network%2FbastionHosts.

03 On the Bastions page, select the subscription that you want to access from the Subscription filter box and choose Apply.

04 Choose Create to provision a new Azure Bastion host machine.

05 On the Create a Bastion setup page, perform the following operations:

  • For Basics, select the target Azure subscription, resource group, and region. Type a name for the new bastion host in the Name box and choose Standard for the Tier. Use the Instance count slider to set the instance count. Select the Virtual Network (VNet) that you want to use from the Virtual network dropdown list or choose Create new to create a new one. For Subnet, select the required subnet, i.e. a subnet named AzureBastionSubnet that implements a /26 CIDR range. For Public IP address, choose the public IP address to be used in the frontend IP configuration. Choose Next : Tags > to continue the setup process.
  • For Tags, configure any required tags and choose Next : Advanced > to continue.
  • For Advanced, configure the advanced bastion features based on your application requirements. Choose Next : Review + create > to continue the setup.
  • For Review + create, review the resource configuration details and choose Create to provision your new Azure Bastion host machine.

06 Repeat steps no. 3 – 5 for each subscription available within your Microsoft Azure cloud account.

Using Azure CLI

01 Run network vnet create command (Windows/macOS/Linux) to create the virtual network (and the required AzureBastionSubnet subnet) for your bastion host:

az network vnet create \
  --resource-group cloud-shell-storage-westeurope \
  --location westeurope \
  --name cc-bastion-vnet \
  --address-prefixes 10.0.0.0/16 \
  --subnet-name AzureBastionSubnet \
  --subnet-prefixes 10.0.1.0/26

02 The command output should return the configuration information available for the new Azure Virtual Network (VNet):

{
	"newVNet": {
		"addressSpace": {
			"addressPrefixes": [
			"10.0.0.0/16"
			]
		},
		"enableDdosProtection": false,
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-bastion-vnet",
		"location": "westeurope",
		"name": "cc-bastion-vnet",
		"provisioningState": "Succeeded",
		"resourceGroup": "cloud-shell-storage-westeurope",
		"subnets": [
			{
				"addressPrefix": "10.0.1.0/26",
				"delegations": [],
				"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-bastion-vnet/subnets/AzureBastionSubnet",
				"name": "AzureBastionSubnet",
				"privateEndpointNetworkPolicies": "Disabled",
				"privateLinkServiceNetworkPolicies": "Enabled",
				"provisioningState": "Succeeded",
				"resourceGroup": "cloud-shell-storage-westeurope",
				"type": "Microsoft.Network/virtualNetworks/subnets"
			}
		],
		"type": "Microsoft.Network/virtualNetworks",
		"virtualNetworkPeerings": []
	}
}

03 Run network public-ip create command (Windows/macOS/Linux) to create the public IP address to be used within the frontend IP configuration of the bastion host:

az network public-ip create \
  --resource-group cloud-shell-storage-westeurope \
  --name cc-bastion-ip \
  --sku Standard \
  --zone 1 2 3

04 The command output should return the configuration information available for the new public IP address:

{
	"publicIp": {
		"ddosSettings": {
			"protectionMode": "VirtualNetworkInherited"
		},
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/publicIPAddresses/cc-bastion-ip",
		"idleTimeoutInMinutes": 4,
		"ipAddress": "20.13.42.222",
		"ipTags": [],
		"location": "westeurope",
		"name": "cc-bastion-ip",
		"provisioningState": "Succeeded",
		"publicIPAddressVersion": "IPv4",
		"publicIPAllocationMethod": "Static",
		"resourceGroup": "cloud-shell-storage-westeurope",
		"sku": {
			"name": "Standard",
			"tier": "Regional"
		},
		"type": "Microsoft.Network/publicIPAddresses",
		"zones": [
			"1",
			"2",
			"3"
		]
	}
}

05 Run network bastion create command (Windows/macOS/Linux) to create your new Azure Bastion host machine:

az network bastion create \
  --subscription abcdabcd-1234-abcd-1234-abcdabcdabcd \
  --resource-group cloud-shell-storage-westeurope \
  --name cc-bastion-host \
  --public-ip-address cc-bastion-ip \
  --vnet-name cc-bastion-vnet \
  --location westeurope \
  --scale-units 2 \
  --sku Standard

06 The command output should return the configuration information available for your new bastion host:

{
	"disableCopyPaste": false,
	"dnsName": "bst-abcdabcd-1234-abcd-1234-abcdabcdabcd.bastion.azure.com",
	"enableIpConnect": false,
	"enableTunneling": false,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/bastionHosts/cc-bastion-host",
	"ipConfigurations": [
		{
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/bastionHosts/cc-bastion-host/bastionHostIpConfigurations/bastion_ip_config",
			"name": "bastion_ip_config",
			"privateIPAllocationMethod": "Dynamic",
			"provisioningState": "Succeeded",
			"publicIPAddress": {
				"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/publicIPAddresses/cc-bastion-ip",
				"resourceGroup": "cloud-shell-storage-westeurope"
			},
			"resourceGroup": "cloud-shell-storage-westeurope",
			"subnet": {
				"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-bastion-vnet/subnets/AzureBastionSubnet",
				"resourceGroup": "cloud-shell-storage-westeurope"
			},
			"type": "Microsoft.Network/bastionHosts/bastionHostIpConfigurations"
		}
	],
	"location": "westeurope",
	"name": "cc-bastion-host",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"scaleUnits": 2,
	"sku": {
		"name": "Standard"
	},
	"type": "Microsoft.Network/bastionHosts"
}

07 Repeat steps no. 1 – 6 for each subscription available within your Microsoft Azure cloud account.
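A pre-flight check for the CLI remediation above, as an added example (not Conformity's or Microsoft's code): it inspects the JSON that steps 02 and 04 print and confirms, before step 05 is run, the prerequisites the procedure relies on, namely a subnet named exactly AzureBastionSubnet with a /26 or larger prefix, a Standard-SKU static public IP, and both resources in the same region. The inputs are constructed, abbreviated copies of the page's sample output.

```python
import ipaddress
import json
from typing import List

BASTION_SUBNET = "AzureBastionSubnet"   # the name is fixed; any other name is rejected
MAX_PREFIX_LEN = 26                     # /26 is the smallest subnet the page provisions

# Constructed, abbreviated copies of the step 02 and step 04 outputs above.
VNET_OUTPUT = json.dumps({"newVNet": {"name": "cc-bastion-vnet", "location": "westeurope",
    "provisioningState": "Succeeded",
    "subnets": [{"name": "AzureBastionSubnet", "addressPrefix": "10.0.1.0/26"}]}})
IP_OUTPUT = json.dumps({"publicIp": {"name": "cc-bastion-ip", "location": "westeurope",
    "publicIPAllocationMethod": "Static", "sku": {"name": "Standard"}}})

def check_vnet(vnet_json: str) -> List[str]:
    """Problems with the VNet that would make `az network bastion create` fail."""
    vnet = json.loads(vnet_json)["newVNet"]
    problems = []
    if vnet.get("provisioningState") != "Succeeded":
        problems.append(f"VNet {vnet['name']} is not provisioned yet")
    subnet = next((s for s in vnet.get("subnets", []) if s["name"] == BASTION_SUBNET), None)
    if subnet is None:
        problems.append(f"no subnet named {BASTION_SUBNET} in {vnet['name']}")
    else:
        net = ipaddress.ip_network(subnet["addressPrefix"], strict=True)
        if net.prefixlen > MAX_PREFIX_LEN:   # a /27 or smaller block is too small
            problems.append(f"{BASTION_SUBNET} is a /{net.prefixlen}; it must be /{MAX_PREFIX_LEN} or larger")
    return problems

def check_public_ip(ip_json: str) -> List[str]:
    """The frontend public IP must be Standard SKU and statically allocated."""
    ip = json.loads(ip_json)["publicIp"]
    problems = []
    if ip.get("sku", {}).get("name") != "Standard":
        problems.append(f"public IP {ip['name']} must use the Standard SKU")
    if ip.get("publicIPAllocationMethod") != "Static":
        problems.append(f"public IP {ip['name']} must be statically allocated")
    return problems

def check_plan(vnet_json: str, ip_json: str) -> List[str]:
    """All prerequisites for step 05, including that both resources share a region."""
    problems = check_vnet(vnet_json) + check_public_ip(ip_json)
    vnet_loc = json.loads(vnet_json)["newVNet"]["location"]
    ip_loc = json.loads(ip_json)["publicIp"]["location"]
    if vnet_loc != ip_loc:
        problems.append(f"VNet is in {vnet_loc} but public IP is in {ip_loc}")
    return problems

if __name__ == "__main__":
    print(check_plan(VNET_OUTPUT, IP_OUTPUT) or "ready for az network bastion create")
```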

Publication date Apr 2, 2020