Azure Bastion Session Recording | Preview

This blog post shows how to enable the session recording feature of Azure Bastion. When session recording is enabled, the graphical sessions for connections to virtual machines (SSH and RDP) made through the bastion host are recorded. The recordings are stored in a blob container in the storage account you select, which is linked to Bastion via a SAS URL. Once a session finishes, you can retrieve its recording from the Session Recording page within the Azure portal. This feature requires the Bastion Premium plan.

Before configuring Bastion session recording, review the following considerations and make sure the required conditions are met.

Key Considerations & Limitations:

  • To activate session recording you need the Premium SKU.
  • At present this feature does not work with native client-based sessions.
  • Only one storage account and container can be configured for session recording at any time.
  • When you turn on session recording on a bastion host, all sessions that go through that host are recorded.

Prerequisites:

  • Bastion needs to be deployed within your virtual network.
  • If Bastion is not currently on the Premium tier it must be upgraded to it.
  • Virtual machines must be located either in the same network as the bastion host or in a network connected to it.

Enabling Session Recording

Session recording can be turned on either during the setup of a new bastion host or by modifying an existing deployment.

New Bastion Deployments

For new deployments of the bastion host service, you can select the Premium SKU and activate session recording during setup.

  • Select Create resource within the Azure portal.
  • Search for Azure Bastion and then select Create.
  • Fill in the required details during setup and make sure the Premium SKU is selected.
  • On the Advanced tab, select the checkbox to enable session recording.
  • Review the settings and confirm the creation. Deploying the bastion host typically takes around 10 minutes.

Existing Bastion Deployments

If your bastion host is already deployed, follow these steps to enable session recording:

  • Visit your Bastion resource within the Azure portal.
  • Choose Configuration from the menu on the left.
  • Make sure the Premium tier is selected (select it if it is not already).
  • Activate the Session Recording (Preview) setting.
  • Press Apply to implement the settings. The update takes roughly 10 minutes.

Configuring the Storage Account Container

You have to create a blob container in a storage account to hold the session recordings. Follow these steps:

  1. Set up a storage account in an existing resource group. See the documentation on creating a storage account and on configuring shared access signatures.
  2. Create a container inside the storage account to keep the recordings. Creating a separate container for session recordings is suggested. See the detailed guide on creating a container.
  3. Under Settings in the left pane, select Resource sharing (CORS).
  4. Configure a new policy under the Blob service section:
    • Allowed origins: Enter https:// followed by the DNS name of your bastion.
    • Allowed Methods: Select GET.
    • Max Age: Set to 86400 (24 hours).
  5. Save the changes.

Adding or Updating the SAS URL

A SAS URL is required to connect session recording to your blob container.

  1. Visit the Containers area within your storage account.
  2. Find the container where you will store Bastion session recordings. Choose Generate SAS from the three dots beside the container name.
  3. On the Generate SAS page:
    • Under Permissions, select WRITE and READ.
    • Choose a start date 15 minutes ahead of now and opt for an extended expiry time.
    • Select HTTPS only as the allowed protocol.
  4. Click Generate SAS token and URL and copy the generated Blob SAS URL.
  5. Go back to the configuration of your bastion host and select Session recordings in the left pane. Paste the SAS URL and click Upload.
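
A SAS URL can be checked against the settings from the steps above before it is uploaded to Bastion. The following is an added example, not part of the original post or of Microsoft's tooling; the storage account, container name, signature and timestamps are constructed placeholders, and timestamps are assumed to be in the YYYY-MM-DDTHH:MM:SSZ form.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

REQUIRED_PERMS = set("rw")  # READ and WRITE, as selected on the Generate SAS page

def _ts(value):
    # Assumption: SAS times use the form 2025-01-01T00:00:00Z (UTC).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_sas_url(url, now=None):
    """Return a list of findings; an empty list means the URL matches the steps."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https":
        findings.append("URL scheme is not https")
    if q.get("spr") != "https":
        findings.append("spr is not 'https': token also works over HTTP")
    if q.get("sr") != "c":
        findings.append("sr is not 'c': token is not scoped to a container")
    missing = REQUIRED_PERMS - set(q.get("sp", ""))
    if missing:
        findings.append("sp lacks permission(s): " + "".join(sorted(missing)))
    if "sig" not in q:
        findings.append("sig is missing: this is not a signed SAS URL")
    if "st" in q and _ts(q["st"]) > now:
        findings.append("st is in the future: token is not valid yet")
    if "se" not in q:
        findings.append("se is missing: expiry is not set in the URL")
    elif _ts(q["se"]) <= now:
        findings.append("se has passed: token is expired")
    return findings

# Constructed sample URLs (account, container and signature are placeholders).
BASE = ("https://examplestorage.blob.core.windows.net/bastion-recordings"
        "?sv=2022-11-02&sig=PLACEHOLDER")
GOOD = BASE + "&sr=c&sp=rw&spr=https&st=2025-01-01T00:00:00Z&se=2025-07-01T00:00:00Z"
WEAK = BASE + "&sr=c&sp=r&spr=https,http&st=2025-01-01T00:00:00Z&se=2025-01-02T00:00:00Z"
CHECK_TIME = datetime(2025, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, url in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check_sas_url(url, CHECK_TIME) or "ok")
```

Because the SAS URL grants read and write access to the recordings container to anyone who holds it, treat it as a secret and note the `se` value so the URL can be replaced in Bastion before it expires.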

Viewing Session Recordings

With session recording turned on, Azure Bastion automatically captures and saves session data. These recordings are accessible through the Azure portal with an embedded web player.

  • Visit your Bastion host in the Azure portal.
  • Click Session recordings under Settings on the left-hand pane.
  • If you have set the SAS URL previously, it will remain in use. If you haven’t added or updated the SAS URL yet, follow the earlier steps.
  • Pick the virtual machine and the session recording you want to view, and press View recording.
