Microsoft Azure dedication to delivering robust and reliable networking solutions is unwavering. In today’s rapidly evolving digital landscape, seamless connectivity, uncompromising security, and optimal performance are essential. As cyber threats become more frequent and severe, the demand for heightened cloud security has surged. In response, we are thrilled to announce the new SKU for Microsoft Azure Bastion—Azure Bastion Premium. Now in public preview, this service offers advanced recording, monitoring, and auditing capabilities for customers managing highly sensitive workloads.
Introducing Azure Bastion Premium
Azure Bastion Premium is designed for customers handling highly sensitive virtual machine workloads, providing enhanced security features to ensure secure connectivity and monitor virtual machines for anomalies. Our initial features focus on ensuring private connectivity and graphical recordings of virtual machine sessions connected through Azure Bastion.
Key Security Enhancements
1. Enhanced Security
With existing Azure Bastion SKUs, customers protect their virtual machines using Azure Bastion’s public IP address as the entry point. Azure Bastion Premium takes this a step further by eliminating the public IP. Instead, customers connect through a private endpoint on Azure Bastion, removing the need to secure a public IP address and reducing a significant point of attack.
2. Virtual Machine Monitoring
Azure Bastion Premium allows customers to graphically record their virtual machine sessions. These recordings can be stored in alignment with internal policies and compliance requirements, enabling the identification of anomalies or unexpected behavior. Whether it’s unusual activity, security breaches, or data exfiltration, having a visual record facilitates investigations and mitigations.
Features of Azure Bastion Premium
Graphical Session Recording
Azure Bastion Premium graphically records all virtual machine sessions connected through Azure Bastion. These recordings are stored in a customer-designated storage account and can be viewed directly in the Azure Bastion resource blade. This feature adds an extra layer of monitoring, allowing customers to review session recordings to pinpoint anomalies and maintain compliance with data retention policies.
Setting up session recording is straightforward. Simply designate a container within a storage account, have a virtual machine, and connect through Azure Bastion. For detailed setup instructions, refer to Microsoft documentation.
Private Only Azure Bastion
In the current Azure Bastion SKUs, inbound connections to the virtual network where Azure Bastion is provisioned are only available through a public IP address. With Private Only Azure Bastion, customers can connect through a private IP address. This feature is crucial for customers with strict policies on public endpoint usage, ensuring Azure Bastion compliance with organizational policies. For customers with on-premises machines connecting to Azure, Private Only Azure Bastion with ExpressRoute private peering enables private connectivity directly to Azure virtual machines.
Setting up Private Only Azure Bastion is simple. When creating an Azure Bastion, select Private IP address under Configure IP address, then click Review + create. Note that Private Only Azure Bastions can only be created with new Azure Bastions, not pre-existing ones.
Feature comparison of Azure Bastion offerings
| FEATURES | DEVELOPER | BASIC | STANDARD | PREMIUM |
|---|---|---|---|---|
| Private connectivity to virtual machines | No | Yes | Yes | Yes |
| Dedicated host agent | No | Yes | Yes | Yes |
| Support for multiple connections per user | No | Yes | Yes | Yes |
| Linux Virtual Machine private key in AKV | No | Yes | Yes | Yes |
| Support for network security groups | No | Yes | Yes | Yes |
| Audit logging | No | Yes | Yes | Yes |
| Kerberos support | No | Yes | Yes | Yes |
| VNET peering support | No | No | Yes | Yes |
| Host scaling (2 to 50 instances) | No | No | Yes | Yes |
| Custom port and protocol | No | No | Yes | Yes |
| Native RDP/SSH client through Azure CLI | No | No | Yes | Yes |
| AAD login for RDP/SSH through native client | No | No | Yes | Yes |
| IP-based connection | No | Yes | Yes | Yes |
| Shareable links | No | Yes | Yes | Yes |
| Graphical session recording | No | No | No | Yes |
| Private Only Azure Bastion | No | No | No | Yes |
How to get started
- Navigate to the Azure portal.
- Deploy Azure Bastion configured manually to include Premium SKU.
- Under Configure IP Address, there is the option to enable Azure Bastion on a public or private IP address (Private Only Azure Bastion).
- In the Advanced tab, there is a checkbox for Session recording (Preview).
Conclusion
Azure Bastion Premium is a game-changer for customers with highly regulated security policies. Its advanced security features and monitoring capabilities provide an essential layer of protection for sensitive workloads. As we continue to enhance our networking solutions, Azure Bastion Premium represents our commitment to meeting the evolving security needs of our customers. Try Azure Bastion Premium today and experience the future of secure cloud networking. For more information, visit Azure Bastion documentation.
