One of the most common attack vectors for cloud servers is Remote Desktop Protocol (RDP) or Secure Shell (SSH). When administrators build servers in the cloud, Microsoft and AWS have typically assigned a public IP to ease management of the servers. There is no VMware Console equivalent in the cloud, so RDP or SSH is the only way to manage a server.
The problem starts when that public IP is assigned. Hackers are constantly running scans on the IP ranges owned by the cloud providers, and as soon as a server comes online it is inundated with brute force and password spray attacks. To thwart this, the preferred method has been to establish a VPN (client or site-to-site) between your environment and the cloud, and use private IPs for RDP and SSH. While this works, VPN access is not always preferred; for instance, in an environment set up as an island in the cloud. More often than not, working with the networking and security groups to establish this connectivity can be a challenge.
Enter “Azure Bastion”, which is now in preview. Azure Bastion is a Platform as a Service (PaaS) that provides secure and seamless access to RDP and SSH on the servers in Azure through the Azure Portal. The Azure Portal reverse proxies the RDP and SSH connections over SSL and connects to the servers in Azure using their private IP addresses. Below is a diagram provided by Microsoft:
Enabling Azure Bastion is pretty straightforward. It is provisioned into the VNet (or into each VNet) and provides access to the servers within that VNet. Because it is a PaaS, Microsoft handles the appropriate scaling and hardening. It uses HTML5, which is built into all modern browsers, so there is no need to install anything on the client side or server side to support it. This also means you can access it from anywhere with browser access, making it easier to administer from home, the office, or your parents’ house using your child’s tablet (hey, you never know).
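The provisioning described above, as an added example written with the Az PowerShell module (not code from the original post or from Microsoft). It assumes an existing resource group, VNet and VM with the placeholder names used below, that Connect-AzAccount has already been run, and that 10.0.255.0/26 is a free range in the VNet; after creating the Bastion host it checks that the VM no longer carries a public IP, since that is the exposure the post is trying to remove.

```powershell
# Added example (not from the original post): provision Azure Bastion into an
# existing VNet with the Az PowerShell module, then confirm the managed VM has
# no public IP left that would expose RDP/SSH to internet scanners.
# Assumptions: resource group "rg-prod", VNet "vnet-prod" and VM "vm-app01"
# already exist (placeholder names); Connect-AzAccount has already been run.

$rg   = 'rg-prod'
$loc  = 'eastus'
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-prod'

# Bastion needs a dedicated subnet with exactly this name. The preview required
# at least a /27; a /26 also satisfies the larger minimum used later.
if (-not ($vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' `
        -AddressPrefix '10.0.255.0/26' -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}

# The only public IP in this design belongs to Bastion itself
# (Standard SKU, static allocation are required by the service).
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-bastion' `
    -Location $loc -Sku Standard -AllocationMethod Static

# Create the Bastion host; the Azure Portal then brokers RDP/SSH sessions
# to the VNet's private addresses through it.
New-AzBastion -ResourceGroupName $rg -Name 'bastion-prod' `
    -PublicIpAddress $pip -VirtualNetwork $vnet

# Defender's check: the VM should now be reachable only through Bastion, so
# none of its NIC IP configurations should still reference a public IP.
$vm = Get-AzVM -ResourceGroupName $rg -Name 'vm-app01'
foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
    $nic = Get-AzNetworkInterface -ResourceId $nicRef.Id
    foreach ($ipcfg in $nic.IpConfigurations) {
        if ($ipcfg.PublicIpAddress) {
            Write-Warning ("{0}/{1} still has public IP {2}; detach it so " +
                "RDP/SSH is reachable only via Bastion." -f
                $nic.Name, $ipcfg.Name, $ipcfg.PublicIpAddress.Id)
        }
    }
}
```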
Azure Bastion is not free, but it isn’t expensive either. It costs $0.095/hour, which equates to approximately $70/month. There are additional costs for data transfer, but I doubt most customers will be generating enough RDP/SSH traffic to make this consequential.
Contact Gotham to assist with enabling Azure Bastion in your environment, and assessing the security of your existing cloud deployment.