Securely Connect to On-Premises VMs Using Azure Bastion and Private IPs

-

 

What Is This About?

With Azure Bastion, you can securely connect to your on-premises (local) machines, Azure VMs, or even non-Azure systems using a private IP address. No public IP needed! This guide shows you how to set up Bastion and connect to your on-premises VM over a VPN or ExpressRoute connection.



Why Use Azure Bastion for On-Premises Access?

  • Enhanced Security: Keep your machines safe by avoiding public IP addresses.
  • Centralized Access: Manage connections to all your systems (on-premises or in Azure) from one place.
  • Simple Setup: Follow a few steps to connect securely using private IPs.







What You’ll Need to Get Started

Before you begin, make sure you have:

  • A Virtual Network (VNet) with Azure Bastion:
    Bastion must be set up in your VNet. If not, follow the Quickstart: Deploy Bastion with Default Settings and Standard SKU guide.
  • A Reachable Virtual Machine:
    Ensure your on-premises VM (e.g., in Hyper-V) or Azure VM is in a VNet that Bastion can access.
  • VPN or ExpressRoute for On-Premises:
    To connect to a local VM, set up a VPN or ExpressRoute connection between your on-premises network and Azure.




         ---------------------------------------------------------------------------------------------------------


Steps to Set Up Azure Bastion for On-Premises Access

1. Configure Azure Bastion

  • Sign in to the Azure portal and go to your Bastion deployment.
  • Check the Tier: IP-based connection requires the Standard SKU or higher. On the Configuration page, ensure the Tier is set to Standard SKU (upgrade if needed).
  • Enable IP-Based Connection: Select the "IP-based connection" option and click Apply. This may take a few minutes.




2. Connect to Your On-Premises VM

  • Go to the Bastion page in the Azure portal and click Connect.
  • On the Connect page:
    • Enter the private IP address of your on-premises VM.
    • Select the Protocol (e.g., RDP for Windows or SSH for Linux) and Port (e.g., 3389 for RDP, 22 for SSH).
    • Provide your credentials (e.g., Username and Password in the format domainname\username or username@domainname).
  • Click Connect to securely access your VM.


                    ----------------------------------------------------------------------------------------------------




Important Limitations to Understand

Azure Bastion’s IP-based connection has some restrictions:

  • Internet Access Required: Bastion won’t work if you use force tunneling over VPN or advertise a default route via ExpressRoute, as this can block traffic.
  • Authentication Support: Microsoft Entra authentication works for SSH but not for RDP connections.
  • No Custom Ports/Protocols: You can’t use custom ports or protocols with a native client.
  • Routing Limitation: User-Defined Routes (UDR) are not supported on the Bastion subnet.
Source
https://learn.microsoft.com/sv-se/azure/bastion/connect-ip-address

Kommentarer

Skicka en kommentar

Populära inlägg i den här bloggen

🚀 IntuneWin – Deploying Win32 Apps via Intune 🎯

-
Bild
🔹 Benefits of IntuneWin: ✅ Seamless app packaging 📦 ✅ Automated deployment ⚙️ ✅ Centralized cloud management ☁️ ✅ Support for installation & uninstallation 🔄 The IntuneWin format is a method for preprocessing Windows Classic (Win32) applications. The tool transforms application installation files into the .intunewin format. Once you apply this tool to the app packaging folder, you can create an app enrollment configuration that enables advanced deployment features, such as OS version dependencies and uninstallation methods for remote application removal. Win32 apps in Intune size limit of 30 GB per app. To start the configuration 1- First you need to download the Microsoft Win32 Content Prep Tool :  Microsoft Win32 Content Prep Tool 2-  Unzip the tool to a folder, E, C , F etc drive (you can choose any folder you like). 3- Save your application  in the same folder as the Content Prep tools.  4- Now we will create the .intunewin package using PowerS...
Read more »

Block Personal devices to acces to Desktop apps like teams, Onedrive etc and how to troubleshooting the issue.

-
Bild
  You can use Conditional Access to block users based on location, IP address, and more, but now we will talk about blocking access for users who are using personal devices 1. Navigate to Entra ID -> Protection -> Conditional Access and create a new policy. 2- Create new policy 3-   Name your policy Assign your policy to a user/group or to all users. If you assign the policy to all users, be sure to exclude the break-glass account. It's essential to always have a break-glass account in place. In case of an error, you could accidentally lock out all users, so make sure these accounts remain unaffected. 4- In the Target resources select All resources (formerly 'All cloud apps') 5- In the conditions: Device platforms: select which devices you want the policy to apply to. In my case i will select windows and MacOS  Client apps: check all boxes except Browser, which will block everything except the browser. Here’s the magic: In the Filter for devices, you can ...
Read more »

🔧 Microsoft 365 Apps Admin Center: Tips & Tricks

-
Bild
  Microsoft 365 Apps Admin Center What is the M365 apps admin center? Deployment Configuration Profile is a configuration profile used to automate and manage how software, such as Microsoft 365 Apps (Office), should be deployed and configured on devices within an organization. This profile allows IT administrators to define exactly how the installation should proceed, which settings should apply, and which components should be included. Where are Deployment Configuration Profiles used? - Microsoft Intune: For cloud-based management of devices and software. - Office Deployment Tool (ODT): For local deployments of Office. - Group Policy: For traditional on-premises networks with Active Directory. I will configure it in the Intune environment To get started with the  Microsoft 365 Apps Admin Center ,  1-Sign in  https://config.office.com/  with you Intune admin account,  you should first go to  Settings  and activate or create a  custom profile ...
Read more »