Microsoft Cloud Server: Use Azure Bastion (Bastion Machine) to securely log in to virtual machines without public network IP and RDP/SSH ports
In the daily operation and maintenance of the enterprise public cloud, there is a security disaster area that can be called "the emperor's new clothes:
Virtual machine remote login.
Many friends who have just moved their business to Microsoft Cloud (Azure), in order to save trouble, often directly hang a public network IP to the virtual machine, and then give the green light in the network security group (NSG) to put the Windows
RDP(3389 port)
Or Linux.
SSH(22 ports)
Direct exposure to the world.
In the eyes of hackers and automated scanning scripts, this approach is tantamount to running naked on the public Internet. All you need to do is log into the background of the Linux virtual machine and look at the log, and you will be shocked to find that every minute and every second there are unknown IP from all over the world, using thousands of dictionary combinations to violently crack your root password. As long as you set a weak password for an employee in your team, it is only a matter of time before the entire server or even the entire enterprise cloud intranet falls.
The traditional security method is to build a VPN, or use a virtual machine to gnaw the configuration and build an open source springboard machine (fortress machine). However, the fortress machine you build also needs public network IP. You not only have to patch it with the operating system every day, but also worry about whether it will become a "single point of breakthrough" in the eyes of hackers ".
In Microsoft's cloud-native security ecosystem, there is a dimension-reduction strike weapon designed to completely end "public network exposure anxiety", called
Azure Bastion (Bastion)
.
Its core logic is both ruthless and pure:
Let your virtual machine completely bid farewell to public network IP, and even block all ports 22 and 3389 on the cloud defense (NSG). Employees only need to open the browser to log in to the intranet without secret, high security and silky in the web page.
Today, we refuse to preach any official concept, and directly start from the actual combat of hard core. We will take you hand in hand to use the standard of large factory level to configure AVD level safe fortress machine channel within 10 minutes.
Phase 1: Deep Teardown, Azure Bastion's "Invisibility Cloak World Model"
Before you go to the console and click the mouse, you must build the underlying physical operating model of Azure Bastion in your mind. Why can it do "no public IP, no port exposure"?
The entire secure communication link is made up of three intertwined positions:
[user browser] --( HTTPS / 443 port) --> [ Azure Bastion (PaaS) ] -- (intranet RDP/SSH )--> [pure intranet virtual machine (no public network IP)]
Absolutely compliant front-end defense (HTTPS / 443):Bastion is a fully managed PaaS service. Employees do not need to install any RDP (Remote Desktop Connection) client or Putty/Xshe on the local computer when logging in
ll and other tools. All you need to do is log in to the Azure portal and click on the connection. All the remote images and operation instructions will be packaged in standard HTTPS(443 port) traffic and rendered directly in your browser tab. The strict firewall of any enterprise intranet will not block 443 web traffic.
Exclusive positions for absolute isolation (AzureBastionSubnet):Bastion will not be crowded into the same subnet as your business virtual machines. It requires that in your virtual network (VNet), a separate, exclusive, name-dead, no one is allowed to stay in a separate subnet. Bastion sit in this position and play the strongest gatekeeper.
Secure Intubation of Pure Intranet (Private IP Link): When uncle verifies that your Azure account is legal, it will knock on the door of your virtual machine with intranet private IP through the backbone network inside Microsoft cloud. Therefore, your virtual machine can completely cut off all physical connections with the external network, 0 public network IP, 0 external port open, as stable as Mount Tai.
The second stage: actual combat exercise -10 minutes to build high-rise buildings on the ground and weld the safe passage
Please make sure that you already have a virtual network (VNet) on Azure, and there is a Linux or Windows virtual machine running in it without a public IP. Next, we start the battle.
Enter
Azure portal
, search and enter
“Bastions”
Page.
Step 1: Open up a Bastion-exclusive "no-fly zone" (subnetting)
Before creating a Bastion, we must first cut out his independent office for the janitor in the virtual network, otherwise the subsequent creation will directly report an error failure.
Go to your virtual network (VNet) page and click "Subnets" (Subnet) in the left menu.
Click "Subnet" at the top ".
One step to inject soul: the name (Name) of the subnet must be filled in word for word: AzureBastionSubnet. This is the only code for Microsoft's underlying automated script to identify, not even a single letter.
Address range (Address range): divide a small network segment of/26 or/27 (for example, 10.0.1.0/26), and click Save.
Step 2: Create a Bastion Hosting Service
Go back to the Bastions page and click at the top
"Create”
:
Basic configuration: select your resource group, name the bastion machine bst-core-prod, and select the region that is exactly the same as your virtual machine (such as East Asia Hong Kong).
Tier (level): select "Devel" for development test
Oper "(the most economical, fully managed); Commercial production is recommended to choose" Basic "or" Standard "(support dynamic scaling and file transfer).
Virtual Network: Select the VNet that you just subnetted. The system will automatically detect and bind the AzureBastionSubnet we just built.
Public IP: The Bastion service itself needs a public portal to receive HTTPS requests from global employees. Create a standard public IP address named pip-bst-prod.
Click Create. Microsoft's serverless orchestration engine will automatically polish this high-security gateway for you in the background, which usually takes about 5 minutes to land.
The third stage: miracle moment-experience the pure web side of the "Matrix-style secure login"
When the Bastion status lights up green
Succeeded
Then came the most shocking experience. Hands away from your local remote desktop software, ready for physical clearance.
Enter the details page of your virtual machine (such as vm-linux-prod) that has no public network IP and is completely isolated from the intranet.
Click the "Connect" (link) big button at the top, in the drop-down menu, do not hesitate to select "Connect via Bastion".
[Virtual Machine Details Page] -> [Click Connect ] -> [Select Bastion Channel]
The page instantly switches to an extremely clean login panel. Enter your Linux system account (such as root) and password (or upload your SSH private key file).
The most shocking picture happens: the moment you click "Connect", your browser will automatically pop up a brand new tab. Inside this web page, the dark, extremely fast Linux terminal command line (or Windows gorgeous desktop) is directly rendered 100% perfectly!
You type in the web page
ifconfig
, looking at all
10.0.x.x
Pure intranet IP, the local computer does not open any VPN, does not configure any complicated port mapping, everything is incredibly smooth.
The fourth stage: the history of avoiding the pit and tears under the high defense structure of the large factory level
After this solution is configured, the virtual machine assets within your enterprise are already tucked into a safe. But to survive in the harsh commercial battlefield of high concurrency and auditing, as the Chief Security Officer (CISO), you must weld the following two invisible pits that are easily overlooked before closing the computer:
1. The deadly "NSG firewall reverse lock" tragedy
Many network management who have just started Bastion are excited after seeing the successful login of the web page. In the pursuit of absolute security, they will come to the virtual machine.
Network Security Group (NSG)
Inside,
A new denial strategy has been drastically created:
"Ban all inbound traffic (Deny All Inbound)"
.
Disaster: once this strategy is saved, you will find that the Bastion on the web page is disconnected instantly and can no longer be entered.
Many people mistakenly believe that since Bastion is an official Microsoft service, they can ignore the network security group (NSG). Actually, it's not! Bastion are also essentially connected to virtual machines through intranet IP (in the AzureBastionSubnet range). If you simply and roughly block the 22/3389 port of the virtual machine, you will shut the door.
Large factory standard pit avoidance configuration: in the NSG inbound rules of virtual machines, it is strictly prohibited to open 22 and 3389 to public networks (Internet). However, you must create a new high-priority rule: select "Service Tag" for the source (Source) and select the AzureBastionSubnet tag name accurately. Ports 22 and 3389 are allowed to pass. In this way, in addition to the big ye can push the door in, the public network of any cow ghost snake god knock on the door will be instantly physically intercepted.
2. Beware of the financial Bai Piao trap of "cross-VNet blind command"
Many companies have built more than one virtual network (VNet) in the cloud, perhaps one VNet for the test environment and one VNet for the production environment. Many novices will buy a brand-new Azure Bastion instance for each VNet in order to save trouble.
Insider exposure: Azure Bastion is money by the hour and instance. If you open several bastion machines, the high bill at the end of the month can directly make the finance department complain to the boss.
Architects reduce costs and increase efficiency and reinforce specifications: only one bastion machine (Hub-Spoke architecture) needs to be built for the whole network. You only need to build a high-profile Bastion bastion machine in the core Hub-VNet. Other sub-VNets (such as test and pre-release environments) only need to be connected to the core Hub-VNet through virtual network peering (VNet Peering). When logging into virtual machines of other VNets, Bastion can be extremely clever to cross Peering pipes and connect directly from a distance to realize "single machine guarding the whole network". The control plate is precise and uses every coin on the blade.
Summary
Using Azure Bastion to quickly build an enterprise-level high-security virtual machine login channel, the core industrial essence is simplified into 16 words:
The secret code is aligned to avoid public network, web page rendering and intranet locking.
You have completely bid farewell to the original bitterness of staring at brute force cracking logs every day, fearing weak password loopholes in virtual machines, and getting up late at night to upgrade the springboard operating system. All the core remote connection control surfaces are fully hosted to Microsoft's $10 billion W.
eb-level network security gateway. Sitting in front of the computer, pulling open the browser to work elegantly, and letting hackers scan and detect in front of you, the core server of your entire cloud empire will be as stable as Mount Tai.
