
Bastion Host in Use


Risk Level: Medium (should be achieved)
Rule ID: Network-026

Ensure that an Azure Bastion host is configured to provide secure remote access to the virtual machine (VM) instances running within your Microsoft Azure cloud account. Azure Bastion enables remote access to virtual machines without exposing them directly to the Internet. Because a Bastion session is opened through the Azure portal, the sign-in controls configured in your organization's Microsoft Entra ID tenant (for example Multi-Factor Authentication and Conditional Access) also govern who can reach the VMs.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security, Operational excellence

Azure Bastion offers organizations a secure method of accessing their virtual machines (VMs) over the Internet without assigning public IP addresses to those VMs. With Azure Bastion, organizations can reach VM instances using Remote Desktop Protocol (RDP) and Secure Shell (SSH) over TLS on port 443 from a web browser (or, on the Standard and Premium tiers, from a native RDP/SSH client tunnelled through the Bastion host). This removes the need to expose TCP ports 3389 and 22 to the Internet. Because Bastion sessions start from the Azure portal, Multi-Factor Authentication (MFA), Conditional Access policies, and other sign-in hardening configured in Microsoft Entra ID apply to whoever opens a session, and Azure RBAC read permissions on the target VM and on the Bastion resource are required before a session can be opened at all. Note that this rule only verifies that at least one bastion host exists in the subscription: VMs that still carry a public IP address, or that sit behind a Network Security Group allowing inbound 22/3389 from the Internet, remain directly reachable regardless, so deploying a bastion host must be paired with removing those exposures. By using Azure Bastion as the single point of administrative access, organizations strengthen the security posture of their Azure environment while simplifying remote access to virtual machines.


Audit

To determine if there are any bastion hosts provisioned within your Microsoft Azure cloud account, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Bastion blade available at https://portal.azure.com/#browse/Microsoft.Network%2FbastionHosts.

03 On the Bastions page, select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 Check for any bastion hosts created for the selected Azure subscription. If no bastion hosts are listed and the page shows the message No Bastions to display, there are no bastion hosts configured for secure web-based access to the Azure virtual machines (VMs) provisioned in the selected subscription.

05 Repeat steps no. 3 and 4 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network bastion list command (Windows/macOS/Linux) to list all the Azure Bastion host machines provisioned in the selected Azure subscription:

az network bastion list

05 The command output should return the bastion hosts available in the selected subscription:

[]

If the network bastion list command output returns an empty array (i.e., []), as shown in the example above, there are no bastion hosts configured for secure web-based access to your Azure virtual machines (VMs), provisioned in the selected Azure subscription.

06 Repeat steps no. 4 and 5 for each subscription created in your Microsoft Azure cloud account.
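The CLI procedure above is repeated by hand per subscription and only answers whether a bastion host exists. The following script, added here as an example and not part of the Conformity page, wraps the same az commands (az account list, az network bastion list) and goes one step further: it also lists VMs that still carry a public IP (az vm list -d) and NSGs that allow inbound 22/3389 from the Internet (az network nsg list), because a bastion host only helps once those direct paths are closed. It assumes az is on PATH and already logged in; the decision logic works on the commands' JSON output, so it can be exercised offline with constructed data.

```python
"""Audit every subscription for an Azure Bastion host and for VMs that bypass it.

Added example (not part of the Conformity page). Wraps the same `az` commands the
procedure above uses; the evaluation itself is pure so it can be tested offline.
"""
import json
import subprocess

RDP_SSH_PORTS = ("22", "3389")
INTERNET_SOURCES = ("*", "Internet", "0.0.0.0/0")


def az(*args):
    """Run one az CLI command (requires a prior `az login`) and parse its JSON output."""
    out = subprocess.run(["az", *args, "--output", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else []


def vnet_of_subnet(subnet_id):
    """'.../virtualNetworks/<vnet>/subnets/<subnet>' -> '<vnet>' (ARM IDs are case-insensitive)."""
    parts = subnet_id.lower().split("/")
    return parts[parts.index("virtualnetworks") + 1]


def port_hit(port_spec):
    """True when a destinationPortRange such as '22', '*' or '3000-4000' covers 22 or 3389."""
    if not port_spec:
        return False
    if port_spec == "*":
        return True
    if "-" in port_spec:
        lo, hi = (int(x) for x in port_spec.split("-", 1))
        return any(lo <= int(p) <= hi for p in RDP_SSH_PORTS)
    return port_spec in RDP_SSH_PORTS


def rule_opens_rdp_ssh(rule):
    """An inbound Allow rule sourced from the whole Internet whose ports include 22 or 3389."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")]
    if not any(s in INTERNET_SOURCES for s in sources):
        return False
    ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
    return any(port_hit(p) for p in ports)


def evaluate_subscription(bastions, vms, nsgs):
    """Decide Network-026 for one subscription and list what still bypasses Bastion.

    bastions: output of `az network bastion list`; vms: `az vm list -d`
    (-d adds the publicIps field); nsgs: `az network nsg list`.
    """
    covered_vnets = {vnet_of_subnet(ipc["subnet"]["id"])
                     for b in bastions for ipc in b.get("ipConfigurations", [])}
    return {
        "compliant": len(bastions) > 0,
        "bastion_hosts": sorted(b["name"] for b in bastions),
        "covered_vnets": sorted(covered_vnets),
        "vms_with_public_ip": sorted(vm["name"] for vm in vms if vm.get("publicIps")),
        "nsgs_allowing_rdp_ssh_from_internet": sorted(
            n["name"] for n in nsgs
            if any(rule_opens_rdp_ssh(r) for r in n.get("securityRules", []))),
    }


def audit_all():
    """Steps 3-5 of the CLI procedure, repeated for every subscription the login can see."""
    report = {}
    for sub_id in az("account", "list", "--query", "[*].id"):
        report[sub_id] = evaluate_subscription(
            az("network", "bastion", "list", "--subscription", sub_id),
            az("vm", "list", "-d", "--subscription", sub_id),
            az("network", "nsg", "list", "--subscription", sub_id))
    return report


if __name__ == "__main__":
    print(json.dumps(audit_all(), indent=2))
```

A subscription is reported compliant as soon as one bastion host exists, matching the rule; the extra lists show where a bastion host is not yet the only way in, and covered_vnets shows which VNets actually host an AzureBastionSubnet (VMs in other, unpeered VNets are not reachable through it).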

Remediation / Resolution

To create Azure Bastion host machines in order to enforce secure web-based access to your Azure virtual machine (VM) instances, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Bastion blade available at https://portal.azure.com/#browse/Microsoft.Network%2FbastionHosts.

03 On the Bastions page, select the Azure subscription that you want to access from the Subscription equals all filter box and choose Apply.

04 Choose Create, and perform the following actions to provision a new Azure Bastion host machine:

  1. For Basics, provide the following information:
    1. For Subscription, choose your Azure subscription.
    2. For Resource group, select the correct resource group.
    3. Provide a unique name for the new Bastion host in the Name box.
    4. For Region, select the Azure cloud region where the Bastion host instance will be deployed.
    5. (Optional) For Availability zone, choose the Availability Zone(s) that you want to use for zone redundancy.
    6. For Tier, choose Basic, Standard, or Premium, depending on your application requirements. For more details about Azure Bastion tiers, see the SKUs table.
    7. Use the Instance count slider to set the necessary instance count (available for Standard and Premium tiers only).
    8. For Virtual network, choose the name of the Azure Virtual Network (VNet) that you want to use for your Bastion host. To associate your Bastion host with a VNet, the VNet must contain a subnet named AzureBastionSubnet with a /26 or larger address range (for example /26, /25 or /24); smaller subnets are rejected. If you want to create a new Virtual Network, choose Create new and follow the setup wizard to deploy the VNet.
    9. For Subnet, select the VNet subnet with the name AzureBastionSubnet.
    10. For Public IP address, choose whether to use an existing public IP address or to create a new one for frontend IP configuration.
    11. Choose Next : Advanced > to continue the setup.
  2. For Bastion Features, choose whether to enable advanced features such as Native client Support, Kerberos Authentication, Copy and Paste, and Shareable Link. Choose Next : Tags > to continue the setup.
  3. For Tags, use the Name, Value, and Resource fields to create tags that will help organize the identity of the selected resource. Choose Next : Review + create > to validate the Bastion host setup.
  4. For Review + create, review the resource configuration details, then choose Create to deploy your new Azure Bastion host machine.

05 Repeat steps no. 3 and 4 for each subscription available within your Microsoft Azure cloud account.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account:

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs):

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output):

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run network vnet create command (Windows/macOS/Linux) to create the Azure Virtual Network (and the AzureBastionSubnet subnet) required for your Bastion host:

az network vnet create
	--resource-group cloud-shell-storage-westeurope
	--location westeurope
	--name cc-project5-bastion-vnet
	--address-prefixes 10.0.0.0/16
	--subnet-name AzureBastionSubnet
	--subnet-prefixes 10.0.1.0/26

05 The command output should return the configuration information available for the new Azure VNet:

{
	"newVNet": {
		"addressSpace": {
			"addressPrefixes": [
			"10.0.0.0/16"
			]
		},
		"enableDdosProtection": false,
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-bastion-vnet",
		"location": "westeurope",
		"name": "cc-project5-bastion-vnet",
		"provisioningState": "Succeeded",
		"resourceGroup": "cloud-shell-storage-westeurope",
		"subnets": [
			{
				"addressPrefix": "10.0.1.0/26",
				"delegations": [],
				"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-bastion-vnet/subnets/AzureBastionSubnet",
				"name": "AzureBastionSubnet",
				"privateEndpointNetworkPolicies": "Disabled",
				"privateLinkServiceNetworkPolicies": "Enabled",
				"provisioningState": "Succeeded",
				"resourceGroup": "cloud-shell-storage-westeurope",
				"type": "Microsoft.Network/virtualNetworks/subnets"
			}
		],
		"type": "Microsoft.Network/virtualNetworks",
		"virtualNetworkPeerings": []
	}
}

06 Run network public-ip create command (Windows/macOS/Linux) to create the public IP address to be used within the frontend IP configuration of the Bastion host:

az network public-ip create
	--resource-group cloud-shell-storage-westeurope
	--name cc-project5-bastion-ip
	--sku Standard
	--zone 1 2 3

07 The command output should return the configuration information available for the new public IP address:

{
	"publicIp": {
		"ddosSettings": {
			"protectionMode": "VirtualNetworkInherited"
		},
		"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/publicIPAddresses/cc-project5-bastion-ip",
		"idleTimeoutInMinutes": 4,
		"ipAddress": "xxx.xxx.xxx.xxx",
		"ipTags": [],
		"location": "westeurope",
		"name": "cc-project5-bastion-ip",
		"provisioningState": "Succeeded",
		"publicIPAddressVersion": "IPv4",
		"publicIPAllocationMethod": "Static",
		"resourceGroup": "cloud-shell-storage-westeurope",
		"sku": {
			"name": "Standard",
			"tier": "Regional"
		},
		"type": "Microsoft.Network/publicIPAddresses",
		"zones": [
			"1",
			"2",
			"3"
		]
	}
}

08 Run network bastion create command (Windows/macOS/Linux) to create your new Azure Bastion host machine using the Virtual Network (VNet) and public IP address provisioned in the previous steps:

az network bastion create
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd
	--resource-group cloud-shell-storage-westeurope
	--name cc-project5-bastion-host
	--public-ip-address cc-project5-bastion-ip
	--vnet-name cc-project5-bastion-vnet
	--location westeurope
	--scale-units 2
	--sku Standard

09 The command output should return the configuration information available for your new Bastion host:

{
	"disableCopyPaste": false,
	"dnsName": "abc-abcdabcd-1234-abcd-1234-abcdabcdabcd.bastion.azure.com",
	"enableIpConnect": false,
	"enableTunneling": false,
	"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/bastionHosts/cc-project5-bastion-host",
	"ipConfigurations": [
		{
			"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/bastionHosts/cc-project5-bastion-host/bastionHostIpConfigurations/bastion_ip_config",
			"name": "bastion_ip_config",
			"privateIPAllocationMethod": "Dynamic",
			"provisioningState": "Succeeded",
			"publicIPAddress": {
				"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/publicIPAddresses/cc-project5-bastion-ip",
				"resourceGroup": "cloud-shell-storage-westeurope"
			},
			"resourceGroup": "cloud-shell-storage-westeurope",
			"subnet": {
				"id": "/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Network/virtualNetworks/cc-project5-bastion-vnet/subnets/AzureBastionSubnet",
				"resourceGroup": "cloud-shell-storage-westeurope"
			},
			"type": "Microsoft.Network/bastionHosts/bastionHostIpConfigurations"
		}
	],
	"location": "westeurope",
	"name": "cc-project5-bastion-host",
	"provisioningState": "Succeeded",
	"resourceGroup": "cloud-shell-storage-westeurope",
	"scaleUnits": 2,
	"sku": {
		"name": "Standard"
	},
	"type": "Microsoft.Network/bastionHosts"
}

10 Repeat steps no. 4 – 9 for each subscription available in your Microsoft Azure cloud account.
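Steps 4 to 9 above create every resource unconditionally, which fails or overwrites when run a second time against a subscription that already has part of the setup, and they do not check that an existing AzureBastionSubnet is /26 or larger. The following script, added here as an example and not part of the Conformity page, wraps the same az commands but first inspects what exists (az network vnet show, az network bastion list, az network public-ip list), validates the subnet, and only emits the commands still needed. Resource names and address prefixes reuse the page's examples; az is assumed to be on PATH and logged in. The planning step works on az JSON, so it runs offline.

```python
"""Idempotent Network-026 remediation: validate the VNet, then run only the
`az network ...` commands from the procedure above that are still required.

Added example (not part of the Conformity page). Azure requires the
AzureBastionSubnet to be /26 or larger.
"""
import json
import subprocess

BASTION_SUBNET = "AzureBastionSubnet"
HOST_NAME = "cc-project5-bastion-host"      # names reused from the page's example
PIP_NAME = "cc-project5-bastion-ip"
MAX_PREFIX_LEN = 26                         # /26, /25, /24 ... are accepted; /27 and smaller are not


def az(*args, allow_missing=False):
    """Run one az command; return its parsed JSON, or None for a missing resource."""
    proc = subprocess.run(["az", *args, "--output", "json"], capture_output=True, text=True)
    if proc.returncode != 0:
        if allow_missing and "NotFound" in proc.stderr:
            return None
        raise RuntimeError(proc.stderr.strip())
    return json.loads(proc.stdout) if proc.stdout.strip() else None


def prefix_len(cidr):
    """'10.0.1.0/26' -> 26; raises ValueError for anything that is not CIDR notation."""
    return int(cidr.rsplit("/", 1)[1])


def check_bastion_subnet(vnet):
    """Classify the AzureBastionSubnet of an `az network vnet show` document.

    Returns ('ok', prefix), ('missing', detail) or ('invalid', detail).
    """
    for subnet in vnet.get("subnets", []):
        if subnet["name"] != BASTION_SUBNET:
            continue
        prefix = subnet.get("addressPrefix") or (subnet.get("addressPrefixes") or [""])[0]
        if "/" not in prefix:
            return "invalid", f"{BASTION_SUBNET} has no address prefix"
        if prefix_len(prefix) > MAX_PREFIX_LEN:
            return "invalid", f"{BASTION_SUBNET} is {prefix}; Azure requires /{MAX_PREFIX_LEN} or larger"
        if subnet.get("delegations"):
            return "invalid", f"{BASTION_SUBNET} must not be delegated to another service"
        return "ok", prefix
    return "missing", f"no subnet named {BASTION_SUBNET} in {vnet['name']}"


def plan_remediation(rg, location, vnet_name, vnet, existing_bastions, existing_pips,
                     name=HOST_NAME, pip=PIP_NAME, subnet_prefix="10.0.1.0/26",
                     sku="Standard", scale_units=2):
    """Return the az argv lists still needed, in order; [] when the host already exists.

    vnet: `az network vnet show` document or None; existing_bastions:
    `az network bastion list`; existing_pips: public IP names already in rg.
    """
    if any(b["name"] == name for b in existing_bastions):
        return []
    if prefix_len(subnet_prefix) > MAX_PREFIX_LEN:
        raise ValueError(f"{subnet_prefix} is too small for {BASTION_SUBNET}")
    plan = []
    if vnet is None:
        plan.append(["network", "vnet", "create", "-g", rg, "-l", location, "-n", vnet_name,
                     "--address-prefixes", "10.0.0.0/16",
                     "--subnet-name", BASTION_SUBNET, "--subnet-prefixes", subnet_prefix])
    else:
        state, detail = check_bastion_subnet(vnet)
        if state == "missing":
            plan.append(["network", "vnet", "subnet", "create", "-g", rg, "--vnet-name", vnet_name,
                         "-n", BASTION_SUBNET, "--address-prefixes", subnet_prefix])
        elif state == "invalid":
            raise ValueError(detail)  # resizing or un-delegating a subnet needs a human decision
    if pip not in existing_pips:
        plan.append(["network", "public-ip", "create", "-g", rg, "-n", pip,
                     "--sku", "Standard", "--zone", "1", "2", "3"])
    plan.append(["network", "bastion", "create", "-g", rg, "-n", name, "-l", location,
                 "--vnet-name", vnet_name, "--public-ip-address", pip,
                 "--sku", sku, "--scale-units", str(scale_units)])
    return plan


def remediate(sub_id, rg, location, vnet_name):
    """Steps 3-9 of the CLI procedure for one subscription, skipping what already exists."""
    az("account", "set", "--subscription", sub_id)
    vnet = az("network", "vnet", "show", "-g", rg, "-n", vnet_name, allow_missing=True)
    bastions = az("network", "bastion", "list") or []
    pips = [p["name"] for p in az("network", "public-ip", "list", "-g", rg) or []]
    for argv in plan_remediation(rg, location, vnet_name, vnet, bastions, pips):
        print("az " + " ".join(argv))
        az(*argv)
    host = az("network", "bastion", "show", "-g", rg, "-n", HOST_NAME)
    return host["provisioningState"]


if __name__ == "__main__":
    import sys
    print(remediate(*sys.argv[1:5]))   # <subscription-id> <resource-group> <location> <vnet-name>
```

An undersized or delegated AzureBastionSubnet deliberately stops the script rather than being "fixed" automatically, since changing a subnet's prefix can disturb other workloads in the VNet; the subnet_prefix passed for a new subnet must lie inside the VNet's address space, which the script does not verify.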


Publication date Apr 2, 2020