Azure services

Step-by-Step Guide: How to use Azure Bastion with Global VNet Peering?

If we need to access an Azure VM using RDP or SSH, most of the time we access it using the public IP address. In this way, the virtual machine will have a public IP address (static or dynamic) assigned to it, and RDP or SSH service ports will open to the internet via NSG. This method provides easy access but not a very secure method.

If we have VPN or Express Route connectivity to Azure, we can connect to virtual machines using private IP addresses. It is secure than the public IP address method. However, it required additional configuration at the network level.
Azure Bastion is a solution that we can use to access Azure VM securely without the use of public IP addresses or VPN connectivity. This is similar to using a jump-server to connect to resources in the remote network but instead of the traditional RDP method, it is using browser-based secure HTTP connectivity.

Azure Bastion deployment is per virtual network. Once Azure Bastion service is enabled in a virtual network, remote access (RDP/SSH) will be available for all the virtual machines in that particular virtual network. According to Microsoft’s recent announcement, Azure Bastion is now supporting VNet Peering. Let’s assume we enable Azure Bastion for a Virtual network which is already peered with another VNet. Now we do not need another Azure Bastion deployment to access virtual machines hosted in the peered network. We can use centralized Azure Bastion deployment to reach virtual machines in all peered networks. Azure Bastion supports two types of peering.

Virtual network peering – Virtual network peering in the same Azure region
Global virtual network peering – Virtual network peering between different Azure regions

In peered virtual networks, Azure Bastion can be deployed either using hub-and-spoke or full-mesh topologies. In this post, I am going to demonstrate how to deploy and use Azure Bastion with Global VNet peering.
Azure VNet peering allows connecting virtual networks seamlessly via Azure backbone infrastructure. This is similar to inter-VLAN routing in on-premises networks. VNet peering can use to connect virtual networks in the same Azure region or different Azure regions. If it is between regions, we call it “Azure Global VNet Peering“.
Global VNET Peering has the following benefits,

• Low latency and high bandwidth as it uses Azure network backbone
• No requirement for encryptions, VPN gateways, or public internet to connect VNnets

Demo Environment

The following diagram explains what we going to set up in this demo.

Azure Virtual Network Topology
Here we are going to create three resource groups in three different Azure regions. Each resource group will have its own Azure virtual network. For the connectivity, we will be using the hub-and-spoke network model. EUSVnet1 & UKSVnet1 will be Spoke virtual networks and BASVnet1 will be the Hub virtual network. Both Spoke virtual networks will have Global VNet peering with Hub virtual network. We will enable Azure Bastion service on hub virtual network (BASVnet1) and try to connect to virtual machines hosted in Spoke virtual networks. I have summarized virtual network configuration as follows,

Resource Group Azure Virtual Network Address Space Azure Region
EUSRG1 EUSVnet1 10.15.0.0/16 East US
UKSRG1 UKSVnet1 10.75.0.0/16 UK South
BASRG1 BASVnet1 10.2.0.0/16 West US

For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Create Resource Groups

As the first part of the configuration, I am going to create three new resource groups. To do that,

1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Then create two new resource group using,

New-AzResourceGroup -Name EUSRG1 -Location “East US”

New-AzResourceGroup -Name UKSRG1 -Location “UK South”

New-AzResourceGroup -Name BASRG1 -Location “West US”

Create Azure Resource Groups

In the above, EUSRG1, UKSRG1 & BASRG1 are the names of new resource groups. From those, EUSRG1 is created in Azure East US region. UKSRG1 is created in Azure UK South region and BASRG1 is created in Azure West US region.

Create Spoke Virtual Networks

According to the plan, we need two virtual networks under EUSRG1 & UKSRG1 resource groups. Let’s start the configuration process by creating a virtual network under EUSRG1.

$vmsubnet = New-AzVirtualNetworkSubnetConfig -Name vmsubnet -AddressPrefix “10.15.0.0/24”
New-AzVirtualNetwork -Name EUSVnet1 -ResourceGroupName EUSRG1 -Location “East US” -AddressPrefix “10.15.0.0/16” -Subnet $vmsubnet

Create Virtual Network in East US Azure Region

In the above, EUSVnet1 is the new virtual network name. It has 10.15.0.0/16 address space. It also has a new subnet 10.15.0.0/24 (vmsubnet) for virtual machines.

Then let’s go ahead and create another virtual network under UKSRG1 resource group. This will be in UK South Azure region.

$vmsubnet2 = New-AzVirtualNetworkSubnetConfig -Name vmsubnet2 -AddressPrefix “10.75.0.0/24”
New-AzVirtualNetwork -Name UKSVnet1 -ResourceGroupName UKSRG1 -Location “UK South” -AddressPrefix “10.75.0.0/16” -Subnet $vmsubnet2

Create Virtual Network in UK South Azure region

In the above, UKSVnet1 is the new virtual network name. It has 10.75.0.0/16 address space. It also has a new subnet 10.75.0.0/24 (vmsubnet2) for virtual machines.

Create Virtual Machines for Testing

Later on, we are going to test remote access to virtual machines running on Spoke virtual networks by using Azure Bastion. For that, first, we need to create test virtual machines in EUSRG1 and UKSRG1 resource groups. Let’s start the process by creating a test VM in EUSRG1 resource group.

$mylogin = Get-Credential
New-AzVm -ResourceGroupName EUSRG1 -Name “EUSRGVM01” -Location “East US” -VirtualNetworkName “EUSVnet1” -SubnetName “vmsubnet” -addressprefix 10.15.0.0/24 -OpenPorts 3389 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

Create Azure VM in East US Azure Region

In the above, I am creating a virtual machine called EUSRGVM01 in East US Azure region. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 VM size. For networking, it uses EUSVnet1 virtual network and subnet 10.15.0.0/24.

Same way, I am going to create a new virtual machine under UKSRG1 resource group.

$mylogin = Get-Credential
New-AzVm -ResourceGroupName UKSRG1 -Name “UKSRGVM01” -Location “UK South” -VirtualNetworkName “UKSVnet1” -SubnetName “vmsubnet2” -addressprefix 10.75.0.0/24 -OpenPorts 3389 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

Create Azure VM in UK South Azure region

In the above, I am creating a virtual machine called UKSRGVM01 in UK South Azure region. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 VM size. For networking, it uses UKSVnet1 virtual network and subnet 10.75.0.0/24.

Create an Azure Bastion resources

The next step of the configuration is to create Azure bastion resources in the Hub network. Before we do that, we need to create a Hub virtual network.

$azsubnetname = “AzureBastionSubnet”
$azsubnet = New-AzVirtualNetworkSubnetConfig -Name $azsubnetname -AddressPrefix 10.2.0.0/24
$vnet = New-AzVirtualNetwork -Name “BASVnet1” -ResourceGroupName “BASRG1” -Location “West US” -AddressPrefix 10.2.0.0/16 -Subnet $azsubnet

In the above, BASVnet1 is the new virtual network name. It has 10.2.0.0/16 address space. It also has a new subnet 10.2.0.0/24 for Azure Bastion. This subnet name must be set to AzureBastionSubnet. It should at least have /27 suffix.

Then we need to create Public IP address for Azure Bastion.

$pip = New-AzPublicIpAddress -ResourceGroupName “BASRG1” -name “BASPublicIP” -location “West US” -AllocationMethod Static -Sku Standard

Now we have everything in place to create Azure Bastion resource. We can go ahead and set up it using,

New-AzBastion -ResourceGroupName “BASRG1” -Name “REBELBastion” -PublicIpAddress $pip -VirtualNetwork $vnet

Create Azure Bastion resources

This will take 5-10 minutes to complete.

Create Global VNet Peering

As the next step of the configuration, we need to create Global VNet Peering between Hub and Spoke virtual networks.

First, I am going to create peering from BASVnet1 to EUSVnet1

$vnet1 = Get-AzVirtualNetwork -Name BASVnet1 -ResourceGroupName BASRG1
$vnet2 = Get-AzVirtualNetwork -Name EUSVnet1 -ResourceGroupName EUSRG1
Add-AzVirtualNetworkPeering -Name BASVnet1toEUSVnet1 -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet2.Id

Azure Global VNet Peering from BASVnet1 to EUSVnet1

Same way we also need to initiate peering from EUSVnet1 to BASVnet1

Add-AzVirtualNetworkPeering -Name EUSVnet1toBASVnet1 -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet1.Id

Global VNet peering from EUSVnet1 to BASVnet1

We also need to create peering from BASVnet1 to UKSVnet1

$vnet3 = Get-AzVirtualNetwork -Name BASVnet1 -ResourceGroupName BASRG1
$vnet4 = Get-AzVirtualNetwork -Name UKSVnet1 -ResourceGroupName UKSRG1
Add-AzVirtualNetworkPeering -Name BASVnet1toUKSVnet1 -VirtualNetwork $vnet3 -RemoteVirtualNetworkId $vnet4.Id

Global VNet peering from BASVnet1 to UKSVnet1

Then we need to create peering from UKSVnet1 to BASVnet1

Add-AzVirtualNetworkPeering -Name UKSVnet1toBASVnet1 -VirtualNetwork $vnet4 -RemoteVirtualNetworkId $vnet3.Id

Global VNet peering from UKSVnet1 to BASVnet1

This completes the configuration part. Next step is to do testing.

Testing

We have only enabled Azure Bastion on the Hub network. What we need to test is if we can use Azure Bastion with virtual machines running in Spoke networks.
To do that,

1. Log in to Azure portal (https://portal.azure.com) as Global Administrator

2. Go to Virtual Machines

3. From the VM list, click on the EUSRGVM01 virtual machine which we created in the earlier step.

4. On properties, page click on Connect

5. From the list select Bastion

Azure Bastion Access from VM

6. On the Bastion service page click on Use Bastion

Use Bastion Feature

7. On the next page, we can see it is using Azure Bastion resources we created in the Hub network. To test the connectivity, type the VM login details and click on Connect

Initiate Azure Bastion Connection

8. As expected, I can connect to VM without issue.

Azure VM connection

9. In the same way I was able to connect UKSRGVM01 virtual machine in UK South Azure region.

Connection to UK South VM

RDP Access to VM

This confirms the Azure Bastion is working with Global VNet peering is working as expected.

This marks the end of this blog post. If you have any further questions about this feel free to contact me at rebeladm@live.com also follow me on Twitter @rebeladm to get updates about new blog posts.

All the PowerShell commands used in this demo is available on https://github.com/rebeladm/rebeladm/blob/master/AzureBastion.ps1

Related posts
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: Configure Entra ID lifecycle workflow to trigger mover task on user profile changes

The Entra ID lifecycle workflow is a feature of Microsoft Entra ID identity governance and Microsoft…
Read more
Azure servicesCyber SecurityMicrosoft Entra IDMicrosoft Technologies

Microsoft Entra Permissions Management – Part 01 – How to onboard Azure Subscription ?

Today’s rapidly changing digital landscape creates new identity and access challenges. Microsoft…
Read more
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide : How to Automate JML process with Microsoft Entra lifecycle workflows ?

JML (Joiners/Movers/Leavers) process of an organization has a major impact on its security and…
Read more
Newsletter
Become a Trendsetter

Sign up and get the best of RebelAdmin, tailored for you.

Leave a Reply

Your email address will not be published. Required fields are marked *