Microsoft Azure's dedication to delivering robust and reliable networking solutions is unwavering. In today's rapidly evolving digital landscape, seamless connectivity, uncompromising security, and optimal performance are essential. As cyber threats become more frequent and severe, the demand for heightened cloud security has surged. In response, we are thrilled to announce the new SKU for Microsoft Azure Bastion—Azure Bastion Premium. Now in public preview, this service offers advanced recording, monitoring, and auditing capabilities for customers managing highly sensitive workloads.

Introducing Azure Bastion Premium
Azure Bastion Premium is designed for customers handling highly sensitive virtual machine workloads, providing enhanced security features to ensure secure connectivity and monitor virtual machines for anomalies. Our initial features focus on ensuring private connectivity and graphical recordings of virtual machine sessions connected through Azure Bastion.

Key Security Enhancements

1. Enhanced Security
With existing Azure Bastion SKUs, customers protect their virtual machines by using Azure Bastion's public IP address as the entry point. Azure Bastion Premium takes this a step further by eliminating the public IP. Instead, customers connect through a private endpoint on Azure Bastion, removing the need to secure a public IP address and eliminating a significant piece of internet-exposed attack surface.

2. Virtual Machine Monitoring
Azure Bastion Premium allows customers to graphically record their virtual machine sessions. These recordings can be stored in alignment with internal policies and compliance requirements, enabling the identification of anomalies or unexpected behavior. Whether it’s unusual activity, security breaches, or data exfiltration, having a visual record facilitates investigations and mitigations.

Features of Azure Bastion Premium
Graphical Session Recording
Azure Bastion Premium graphically records all virtual machine sessions connected through Azure Bastion. These recordings are stored in a customer-designated storage account and can be viewed directly in the Azure Bastion resource blade. This feature adds an extra layer of monitoring, allowing customers to review session recordings to pinpoint anomalies and maintain compliance with data retention policies.

Setting up session recording is straightforward. Designate a container within a storage account to hold the recordings, then connect to a virtual machine through Azure Bastion. For detailed setup instructions, refer to the Microsoft documentation.

Private Only Azure Bastion
In the current Azure Bastion SKUs, inbound connections to the virtual network where Azure Bastion is provisioned are only available through a public IP address. With Private Only Azure Bastion, customers can connect through a private IP address. This feature is crucial for customers with strict policies on public endpoint usage, ensuring Azure Bastion compliance with organizational policies. For customers with on-premises machines connecting to Azure, Private Only Azure Bastion with ExpressRoute private peering enables private connectivity directly to Azure virtual machines.

Setting up Private Only Azure Bastion is simple. When creating an Azure Bastion, select Private IP address under Configure IP address, then click Review + create. Note that Private Only mode can only be enabled when creating a new Azure Bastion; it cannot be turned on for a pre-existing one.

Feature comparison of Azure Bastion offerings

Feature                                         Developer  Basic  Standard  Premium
Private connectivity to virtual machines        No         Yes    Yes       Yes
Dedicated host agent                            No         Yes    Yes       Yes
Support for multiple connections per user       No         Yes    Yes       Yes
Linux Virtual Machine private key in AKV        No         Yes    Yes       Yes
Support for network security groups             No         Yes    Yes       Yes
Audit logging                                   No         Yes    Yes       Yes
Kerberos support                                No         Yes    Yes       Yes
VNET peering support                            No         No     Yes       Yes
Host scaling (2 to 50 instances)                No         No     Yes       Yes
Custom port and protocol                        No         No     Yes       Yes
Native RDP/SSH client through Azure CLI         No         No     Yes       Yes
AAD login for RDP/SSH through native client     No         No     Yes       Yes
IP-based connection                             No         Yes    Yes       Yes
Shareable links                                 No         Yes    Yes       Yes
Graphical session recording                     No         No     No        Yes
Private Only Azure Bastion                      No         No     No        Yes

How to get started

  1. Navigate to the Azure portal.
  2. Deploy Azure Bastion using the manual configuration option and select the Premium SKU.
  3. Under Configure IP Address, choose whether to enable Azure Bastion on a public IP address or a private IP address (Private Only Azure Bastion).
  4. In the Advanced tab, tick the checkbox for Session recording (Preview).
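As an added example (not part of the original post), the following Python check lets a platform team confirm that every Bastion host in a subscription matches the Premium configuration the steps above produce: Premium SKU, no public IP, Private Only mode, and session recording enabled. The input is constructed in the shape of `az network bastion list -o json`; the property names `enablePrivateOnlyBastion` and `enableSessionRecording` are assumed from the bastionHosts resource schema and should be verified against the API version in use.

```python
import json

# Constructed sample in the shape of `az network bastion list -o json`.
# enablePrivateOnlyBastion / enableSessionRecording are assumed property
# names; the subscription ids in the resource paths are placeholders.
SAMPLE_BASTIONS = json.loads("""
[
  {"name": "bas-legacy", "sku": {"name": "Standard"},
   "enablePrivateOnlyBastion": false, "enableSessionRecording": false,
   "ipConfigurations": [{"publicIPAddress":
     {"id": "/subscriptions/PLACEHOLDER/resourceGroups/rg/providers/Microsoft.Network/publicIPAddresses/pip-legacy"}}]},
  {"name": "bas-premium-public", "sku": {"name": "Premium"},
   "enablePrivateOnlyBastion": false, "enableSessionRecording": true,
   "ipConfigurations": [{"publicIPAddress":
     {"id": "/subscriptions/PLACEHOLDER/resourceGroups/rg/providers/Microsoft.Network/publicIPAddresses/pip-premium"}}]},
  {"name": "bas-premium-private", "sku": {"name": "Premium"},
   "enablePrivateOnlyBastion": true, "enableSessionRecording": true,
   "ipConfigurations": [{"subnet":
     {"id": "/subscriptions/PLACEHOLDER/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet/subnets/AzureBastionSubnet"}}]}
]
""")


def find_gaps(bastion):
    """Return the Premium-tier controls this Bastion host does not meet (empty = compliant)."""
    gaps = []
    if bastion.get("sku", {}).get("name") != "Premium":
        gaps.append("sku is not Premium")
    if not bastion.get("enablePrivateOnlyBastion", False):
        gaps.append("private-only mode is off")
    # Any ipConfiguration carrying a public IP contradicts the private-only goal,
    # regardless of what the feature flag claims.
    if any("publicIPAddress" in cfg for cfg in bastion.get("ipConfigurations", [])):
        gaps.append("public IP address attached")
    if not bastion.get("enableSessionRecording", False):
        gaps.append("session recording is disabled")
    return gaps


def audit(bastions):
    """Map each host name to its list of gaps so the result can be fed to a policy gate."""
    return {b["name"]: find_gaps(b) for b in bastions}


if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_BASTIONS).items():
        print(f"{name}: {'OK' if not gaps else '; '.join(gaps)}")
```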

Azure Bastion Premium is a game-changer for customers with highly regulated security policies. Its advanced security features and monitoring capabilities provide an essential layer of protection for sensitive workloads. As we continue to enhance our networking solutions, Azure Bastion Premium represents our commitment to meeting the evolving security needs of our customers. Try Azure Bastion Premium today and experience the future of secure cloud networking. For more information, visit Azure Bastion documentation.