WEBVTT

0:00:02.820000 --> 0:00:08.460000
One of the common dilemmas when you are hosting virtual machines in Azure,

0:00:08.460000 --> 0:00:12.900000
is how are you going to access those virtual machines from the standpoint

0:00:12.900000 --> 0:00:17.020000
of administration or put a little more succinctly, how are you going to

0:00:17.020000 --> 0:00:19.860000
administer those virtual machines that are sitting in Azure?

0:00:19.860000 --> 0:00:22.820000
They're no longer sitting on your virtual network.

0:00:22.820000 --> 0:00:24.480000
That's what we're going to talk about.

0:00:24.480000 --> 0:00:28.380000
We're going to talk about a really novel tool that's built into the Azure

0:00:28.380000 --> 0:00:29.460000
environment now.

0:00:29.460000 --> 0:00:32.020000
Well, built in, you have to pay for it, but it's available in the Azure

0:00:32.020000 --> 0:00:34.780000
environment, called the Azure Bastion Service.

0:00:34.780000 --> 0:00:38.280000
We'll look at what it is and more importantly, how to implement it.

0:00:38.280000 --> 0:00:43.600000
Unfortunately, it's not an especially complex capability, but it is a

0:00:43.600000 --> 0:00:46.320000
very powerful and important capability.

0:00:46.320000 --> 0:00:50.020000
What we're going to do is we're going to talk about Azure VM connectivity.

0:00:50.020000 --> 0:00:54.240000
What are the ways that you can access a virtual machine in Azure, specifically

0:00:54.240000 --> 0:00:57.640000
for the purpose of administering that virtual machine?

0:00:57.640000 --> 0:01:01.360000
Then we'll talk about the Azure Bastion Service as one of those options,

0:01:01.360000 --> 0:01:05.500000
and then I'm going to demonstrate the Azure Bastion Service.

0:01:05.500000 --> 0:01:11.260000
Let's go ahead and let's pop over and take a look at this.

0:01:11.260000 --> 0:01:14.400000
First of all, Azure connectivity.
0:01:14.400000 --> 0:01:18.660000
If I think about connecting to a virtual machine in Azure, so I've got

0:01:18.660000 --> 0:01:24.440000
Azure and within Azure, I've got a virtual network.

0:01:24.440000 --> 0:01:35.260000
I also have a virtual machine, and that virtual machine has a network

0:01:35.260000 --> 0:01:38.440000
interface, which I'll just call a NIC.

0:01:38.440000 --> 0:01:46.860000
That NIC is associated with a subnet in the virtual network.

0:01:46.860000 --> 0:01:53.040000
Now, let's say this virtual machine is a Linux virtual machine, and it's

0:01:53.040000 --> 0:01:58.060000
hosting a web app that's running on nginx.

0:01:58.060000 --> 0:02:03.220000
That's my environment.

0:02:03.220000 --> 0:02:04.960000
Now, that's great.

0:02:04.960000 --> 0:02:09.820000
At some point though, you're probably running your machine, this would

0:02:09.820000 --> 0:02:11.720000
be you or whoever.

0:02:11.720000 --> 0:02:15.960000
That is as good as my drawing gets, I apologize.

0:02:15.960000 --> 0:02:18.240000
We're in a baseball cap.

0:02:18.240000 --> 0:02:24.460000
You need to access this virtual machine to manage it.

0:02:24.460000 --> 0:02:27.160000
There's a few ways that you could do that.

0:02:27.160000 --> 0:02:33.020000
One and probably really the worst way would be to provide a public IP

0:02:33.020000 --> 0:02:43.060000
address and allow access to that public IP address over port 22, which

0:02:43.060000 --> 0:02:52.780000
if you are familiar with Linux is the standard SSH port, secure shell

0:02:52.780000 --> 0:02:56.540000
port. Now, the problem is that's a public IP address.

0:02:56.540000 --> 0:03:01.220000
Now, I can do things like I can manage that, maybe put in a network security

0:03:01.220000 --> 0:03:06.380000
group here, or NSG.

0:03:06.380000 --> 0:03:09.620000
Network security group here, or ideally maybe a network security group

0:03:09.620000 --> 0:03:16.340000
here, and I can do that, but that is definitely suboptimal.
0:03:16.340000 --> 0:03:26.360000
Now, an alternate to that, let me take care of, take that away.

0:03:26.360000 --> 0:03:27.840000
Let's say we take that away.

0:03:27.840000 --> 0:03:30.080000
We don't want that public IP address.

0:03:30.080000 --> 0:03:35.460000
Alternatively, I could have a load balancer, set up an Azure load balancer

0:03:35.460000 --> 0:03:43.640000
up here, and I could have the load balancer set up NAT rules so that you

0:03:43.640000 --> 0:03:48.040000
go through the load balancer and the load balancer goes to the NIC.

0:03:48.040000 --> 0:03:53.720000
You've got a pathway, but that pathway is at least a little bit obfuscated.

0:03:53.720000 --> 0:03:58.600000
I could set up port forwarding and port translation, I mean, so that you're

0:03:58.600000 --> 0:04:04.000000
not coming in on 22, you're coming in on maybe 50013, whatever it is,

0:04:04.000000 --> 0:04:08.480000
but you're still kind of accessing that directly over the internet, even

0:04:08.480000 --> 0:04:10.200000
if it is through a load balancer.

0:04:10.200000 --> 0:04:17.720000
Now, another alternative is you might be in an on-premises network and

0:04:17.720000 --> 0:04:24.380000
you might have connectivity set up between your networks, and then what

0:04:24.380000 --> 0:04:28.960000
you're going to do is you're just now going through that tunnel and going

0:04:28.960000 --> 0:04:33.920000
to the NIC, and that's great if you have that.

0:04:33.920000 --> 0:04:35.140000
But what if you don't?

0:04:35.140000 --> 0:04:39.740000
What if you are, and I'm going to clear all of this and start it again,

0:04:39.740000 --> 0:04:44.100000
right? Let's go back and let's say that you've got your virtual network,

0:04:44.100000 --> 0:04:49.520000
you've got your VM, you've got your NIC, you've got your subnet, and what

0:04:49.520000 --> 0:04:54.620000
you want is you want a secure and managed way of connecting, right?
0:04:54.620000 --> 0:05:02.900000
So you're over here still happy, love that you're always happy, and you

0:05:02.900000 --> 0:05:06.120000
are running on apparently a very large laptop, okay?

0:05:06.120000 --> 0:05:10.980000
But you need to get over to this Linux VM, but you don't want any kind

0:05:10.980000 --> 0:05:13.520000
of direct public access to the VM.

0:05:13.520000 --> 0:05:17.720000
That's where the new service Bastion comes into play, okay?

0:05:17.720000 --> 0:05:22.640000
The Bastion host is a managed service, and I've got this managed service

0:05:22.640000 --> 0:05:32.040000
over here, Bastion, didn't give myself enough room to write it straight,

0:05:32.040000 --> 0:05:35.100000
so I'll pretend like I did that on purpose, it looks cool, all right?

0:05:35.100000 --> 0:05:47.860000
And what Bastion does is it provides an HTTPS, a web-based interface.

0:05:47.860000 --> 0:05:54.260000
So I've got this secure tunnel that's going up through HTTPS, and on the

0:05:54.260000 --> 0:06:00.020000
back end, it's going to allow me access to the VM, but it's going to allow

0:06:00.020000 --> 0:06:06.280000
very specific access, either SSH access, which on the back end is going

0:06:06.280000 --> 0:06:10.760000
to be on port 22, or RDP for Windows access, which is going to be on the

0:06:10.760000 --> 0:06:13.400000
back end, 3389, right?

0:06:13.400000 --> 0:06:17.460000
But neither of those are being directly accessed.

0:06:17.460000 --> 0:06:20.820000
Instead, you're going through this web interface, you're going over port

0:06:20.820000 --> 0:06:28.420000
443, okay? And that web interface is being controlled through Azure, which

0:06:28.420000 --> 0:06:36.040000
means it's being controlled through things such as role-based access control,

0:06:36.040000 --> 0:06:38.020000
okay? So I've got a secure connection.
0:06:38.020000 --> 0:06:44.100000
I can manage access through role-based access control, and there's no direct

0:06:44.100000 --> 0:06:49.760000
public access at all that doesn't need to be to that virtual machine that's

0:06:49.760000 --> 0:06:54.800000
running. Now, I may have, you know, I may have port 80 going out, or port

0:06:54.800000 --> 0:06:57.900000
443 going out through a load balancer, all right?

0:06:57.900000 --> 0:07:03.800000
So I may have an Azure load balancer that's giving me access to port 443

0:07:03.800000 --> 0:07:10.200000
because this is a web app, but that crucial management access is not being

0:07:10.200000 --> 0:07:12.880000
granted directly or publicly, okay?

0:07:12.880000 --> 0:07:18.420000
And that's really where the Azure Bastion service comes into play, is

0:07:18.420000 --> 0:07:24.560000
that it's giving you this, again, controlled, secure, encrypted, management

0:07:24.560000 --> 0:07:29.000000
interface to your VMs, and that's really what Bastion does.

0:07:29.000000 --> 0:07:30.900000
So let's talk a little bit about it.

0:07:30.900000 --> 0:07:36.540000
First of all, the Azure Bastion service requires its own dedicated subnet,

0:07:36.540000 --> 0:07:40.020000
okay? And that dedicated subnet has to be in the same virtual network

0:07:40.020000 --> 0:07:43.460000
as any host that you want to grant access to, okay?

0:07:43.460000 --> 0:07:48.720000
And it has to be named AzureBastionSubnet.

0:07:48.720000 --> 0:07:50.860000
So you've got to have that subnet.

0:07:50.860000 --> 0:07:54.360000
That subnet has to be a /27 or larger.

0:07:54.360000 --> 0:08:02.140000
You do not need any public IP address for your resources.

0:08:02.140000 --> 0:08:04.500000
The Bastion service is going to have its own.

0:08:04.500000 --> 0:08:09.220000
There's no NSG rules that need to be created.
0:08:09.220000 --> 0:08:15.200000
And again, you can create NSG rules, but they don't apply to the Bastion

0:08:15.200000 --> 0:08:17.840000
traffic because as far as your virtual machine is concerned, that traffic

0:08:17.840000 --> 0:08:20.940000
is coming from your virtual network.

0:08:20.940000 --> 0:08:25.500000
So you're not opening up any NSG rules, and it is completely browser based,

0:08:25.500000 --> 0:08:28.920000
which means it is completely cross platform.

0:08:28.920000 --> 0:08:32.500000
So it is a very, very cool service.

0:08:32.500000 --> 0:08:36.260000
And what I want to do is show it to you because it's also really pretty

0:08:36.260000 --> 0:08:37.180000
straightforward.

0:08:37.180000 --> 0:08:45.320000
So what I'm going to do is open up my browser.

0:08:45.320000 --> 0:08:46.780000
Here's my browser.

0:08:46.780000 --> 0:08:51.520000
Now I've got a virtual network.

0:08:51.520000 --> 0:08:56.620000
It's got my virtual networks.

0:08:56.620000 --> 0:08:59.300000
A poorly named virtual network.

0:08:59.300000 --> 0:09:01.300000
We're going to take a look at this.

0:09:01.300000 --> 0:09:10.040000
And what I want to do is take a look at what's connected to it right now.

0:09:10.040000 --> 0:09:19.520000
And in particular, notice that I've got three virtual machines, which

0:09:19.520000 --> 0:09:26.260000
actually, oh, okay, and two of them, they shouldn't have them, but they're

0:09:26.260000 --> 0:09:28.240000
still attached to public IP addresses.

0:09:28.240000 --> 0:09:30.020000
But one of them is not.

0:09:30.020000 --> 0:09:31.660000
So it doesn't really matter if it is or not.

0:09:31.660000 --> 0:09:37.260000
But I've got a virtual machine here, this FTP VM.

0:09:37.260000 --> 0:09:42.660000
It's got a private IP of 10.0 dot, or 10.2.0.5.

0:09:42.660000 --> 0:09:48.360000
And what I want to do is I want to add an Azure Bastion service.
0:09:48.360000 --> 0:09:53.040000
Now I've already added the Azure Bastion subnet to this virtual network.

0:09:53.040000 --> 0:09:55.320000
And it's pretty simple.

0:09:55.320000 --> 0:10:00.120000
It is actually set up as a /28.

0:10:00.120000 --> 0:10:04.400000
But it does take it as a /28, even though you're supposed to do a /27.

0:10:04.400000 --> 0:10:07.040000
I've got this set up as a /28.

0:10:07.040000 --> 0:10:08.820000
And that will work.

0:10:08.820000 --> 0:10:13.080000
And so what I'm going to do is actually add that Bastion service.

0:10:13.080000 --> 0:10:16.320000
I'm going to go ahead and create a resource.

0:10:16.320000 --> 0:10:17.760000
This part's pretty simple.

0:10:17.760000 --> 0:10:30.100000
I can actually do this directly from the same resource group.

0:10:30.100000 --> 0:10:32.940000
I'm going to give this a name.

0:10:32.940000 --> 0:10:40.540000
This is in the same region, it's got to be in the same region as everything

0:10:40.540000 --> 0:10:51.460000
else. Okay. And I'm going to associate this with this incredibly poorly

0:10:51.460000 --> 0:10:56.860000
named resource. Now, see, it does say it needs at least a /27.

0:10:56.860000 --> 0:10:59.360000
So let me change that.

0:10:59.360000 --> 0:11:09.480000
Bastion subnet. So when I deploy this, contained, yes, it is contained

0:11:09.480000 --> 0:11:12.160000
by that, I swear.

0:11:12.160000 --> 0:11:19.820000
Oh, all right, 200.

0:11:19.820000 --> 0:11:25.080000
So slash, we're going a full /24 there.

0:11:25.080000 --> 0:11:26.560000
That should be fine.

0:11:26.560000 --> 0:11:31.760000
There we go. Okay, interestingly enough, when I deploy this directly,

0:11:31.760000 --> 0:11:36.500000
which is how this is kind of set up, I deploy this directly from a template,

0:11:36.500000 --> 0:11:38.360000
it actually works with the /28.

0:11:38.360000 --> 0:11:40.800000
I hadn't even noticed that I had it on the /28.

0:11:40.800000 --> 0:11:44.080000
Okay, well, at least now we have that, that's good.
0:11:44.080000 --> 0:11:50.360000
Okay, and it should change this and change it back.

0:11:50.360000 --> 0:11:54.600000
There we go. Now it's happy.

0:11:54.600000 --> 0:11:56.360000
Took me a minute, but it is happy now.

0:11:56.360000 --> 0:12:00.460000
Now the Bastion itself does have a public IP address, which it is going to

0:12:00.460000 --> 0:12:03.180000
create. And I'm fine with that.

0:12:03.180000 --> 0:12:13.500000
And now it's going to take a couple of moments to create; once it's done,

0:12:13.500000 --> 0:12:36.100000
we'll come back and see what that gives me.

0:12:36.100000 --> 0:12:41.740000
Okay, so that Bastion host has been deployed and I could go to the Bastion,

0:12:41.740000 --> 0:12:44.620000
but I really don't need to go to it.

0:12:44.620000 --> 0:12:46.660000
You can, you can see what's going on with it.

0:12:46.660000 --> 0:12:52.000000
But what I really want to do is I'm going to go to my virtual machines.

0:12:52.000000 --> 0:12:54.680000
I'm going to go back to the resource group where that is.

0:12:54.680000 --> 0:13:04.600000
And I am going to go to my FTP based virtual machine.

0:13:04.600000 --> 0:13:07.640000
That's the one and it doesn't matter that I've got it labeled FTP.

0:13:07.640000 --> 0:13:09.160000
Yeah, I just want to connect to it.

0:13:09.160000 --> 0:13:11.120000
Now this is running Linux.

0:13:11.120000 --> 0:13:13.660000
Okay, so I want to connect to it.

0:13:13.660000 --> 0:13:17.560000
It's got a private IP address of 10.2.0.5.

0:13:17.560000 --> 0:13:21.420000
Now before I connect to this, I just remembered that the way I deployed

0:13:21.420000 --> 0:13:25.100000
this, I don't know the actual password.

0:13:25.100000 --> 0:13:27.980000
So I'm going to reset the password for this.

0:13:27.980000 --> 0:13:30.740000
That has nothing to do with Bastion.

0:13:30.740000 --> 0:13:35.060000
That's just me needing to actually have a password here that I can type

0:13:35.060000 --> 0:13:49.680000
in. Okay, let's just say that that password update probably took a little

0:13:49.680000 --> 0:13:51.520000
longer than it will appear.

0:13:51.520000 --> 0:13:54.880000
But now I can connect because I know what the password is.

0:13:54.880000 --> 0:13:57.020000
Again, that had nothing to do with Bastion.

0:13:57.020000 --> 0:14:00.920000
This part is going to be a little bit anticlimactic, but very cool.

0:14:00.920000 --> 0:14:06.840000
All right, so I am in my virtual machine blade in the portal.

0:14:06.840000 --> 0:14:08.500000
I've set up Bastion.

0:14:08.500000 --> 0:14:11.280000
Now I just want to use it, to use Bastion.

0:14:11.280000 --> 0:14:12.060000
I'm going to go to connect.

0:14:12.060000 --> 0:14:15.740000
All right, I could connect over SSH if I had a public IP address, which

0:14:15.740000 --> 0:14:20.220000
I don't. RDP, if this was a Windows machine and I had a public IP address,

0:14:20.220000 --> 0:14:22.060000
neither of which are the case.

0:14:22.060000 --> 0:14:24.440000
And then I've got Bastion.

0:14:24.440000 --> 0:14:26.040000
And so I select Bastion.

0:14:26.040000 --> 0:14:28.560000
All right, and it's going to say, okay, you're going to connect up.

0:14:28.560000 --> 0:14:29.920000
Here's the username.

0:14:29.920000 --> 0:14:34.880000
Put in student. Now because this is Linux that I'm connecting to, I can

0:14:34.880000 --> 0:14:39.900000
use a password and SSH private key or an SSH private key from a local

0:14:39.900000 --> 0:14:46.520000
file. But as it is, we're just going to put in a password and connect.

0:14:46.520000 --> 0:14:50.680000
And that's going to open up a new browser window.

0:14:50.680000 --> 0:14:55.400000
And I'm going to allow it to interact with my clipboard.

0:14:55.400000 --> 0:14:59.200000
And now, it might be a little bit hard to see.

0:14:59.200000 --> 0:15:05.780000
Unfortunately, I think even if I up that it doesn't actually impact this.
0:15:05.780000 --> 0:15:14.500000
So if you have been having a hard time seeing this, this is my, just an SSH shell

0:15:14.500000 --> 0:15:20.560000
into this. And I can do things like ps -aux.

0:15:20.560000 --> 0:15:27.080000
And grep that and pull out waagent.

0:15:27.080000 --> 0:15:30.680000
All right. And all that's doing is it's making sure that the Azure daemon

0:15:30.680000 --> 0:15:32.960000
is running and it is.

0:15:32.960000 --> 0:15:37.740000
And I could do things like sudo.

0:15:37.740000 --> 0:15:42.080000
Let's see what we want it.

0:15:42.080000 --> 0:15:57.120000
apt-get update. And put in that shiny new password I gave it.

0:15:57.120000 --> 0:15:57.980000
And there we go.

0:15:57.980000 --> 0:15:59.800000
So it's updating that VM.

0:15:59.800000 --> 0:16:03.940000
The point is I'm interacting with this Linux VM the same way I would if

0:16:03.940000 --> 0:16:06.960000
it was local or I was connecting to the public IP address, there just

0:16:06.960000 --> 0:16:08.960000
is no public IP address.

0:16:08.960000 --> 0:16:15.520000
I'm going through a web based interface, which is exactly what I want.

0:16:15.520000 --> 0:16:20.640000
Right now, if I've got, I will tell you, I love Bastion.

0:16:20.640000 --> 0:16:25.980000
All right, it's great because I don't have a permanent pipeline set up.

0:16:25.980000 --> 0:16:28.320000
I don't have a VPN gateway.

0:16:28.320000 --> 0:16:31.420000
I don't have ExpressRoute set up because I just create these things and

0:16:31.420000 --> 0:16:33.680000
drop them. It would make sense to have them.

0:16:33.680000 --> 0:16:37.740000
So for me, someone who doesn't have that direct network connection where

0:16:37.740000 --> 0:16:42.360000
I'm going over a tunnel to get to the virtual networks, this is fantastic.
0:16:42.360000 --> 0:16:46.220000
And it's what I'm going to use really for connectivity to any virtual

0:16:46.220000 --> 0:16:50.980000
machine that's up in Azure again, because I don't have that direct private

0:16:50.980000 --> 0:16:54.000000
connectivity. And quite frankly, I don't want to set up a VPN gateway

0:16:54.000000 --> 0:16:57.000000
and go through the process of registering it as a point-to-site.

0:16:57.000000 --> 0:17:01.380000
Now, one thing you do need to be aware of is that there is a cost to this.

0:17:01.380000 --> 0:17:05.980000
And so last thing I want to show you, Azure Bastion pricing.

0:17:05.980000 --> 0:17:12.260000
Just to be aware, pricing Azure Bastion.

0:17:12.260000 --> 0:17:21.460000
And so the general pricing for this, 19 cents per hour, and not huge.

0:17:21.460000 --> 0:17:26.760000
And your outbound data transfer, first five gigabytes per month is free.

0:17:26.760000 --> 0:17:31.020000
Now, remember, by and large, right, I'm just going and I am managing my

0:17:31.020000 --> 0:17:37.320000
VM either through SSH on the Linux side, RDP, you open up an RDP session,

0:17:37.320000 --> 0:17:38.840000
if you've ever used RDP.

0:17:38.840000 --> 0:17:42.060000
So the same thing that you're used to, it's just opened up in a browser

0:17:42.060000 --> 0:17:45.740000
window. But there is that cost to it.

0:17:45.740000 --> 0:17:48.880000
So just be aware, it's not free, but it's really not a big deal.

0:17:48.880000 --> 0:17:58.620000
There are some data transfer fees that are Europe, East US, South Central

0:17:58.620000 --> 0:18:02.360000
US, West US, Zone 2 is Australia East and Japan East.
0:18:02.360000 --> 0:18:09.880000
Notice also, right now, that this isn't available everywhere, definitely

0:18:09.880000 --> 0:18:20.040000
available in East US, and it's on most continents, it's not in South America,

0:18:20.040000 --> 0:18:25.380000
but we've got US, three different US, Europe, Asia with Japan East and

0:18:25.380000 --> 0:18:29.860000
Australia. And it's also not on Antarctica, but if you're on Antarctica,

0:18:29.860000 --> 0:18:31.500000
you're pretty much out of luck anyways.

0:18:31.500000 --> 0:18:33.620000
All right, so that is Azure Bastion.

0:18:33.620000 --> 0:18:37.840000
Again, you set it up, the only thing is you need to have, it needs to

0:18:37.840000 --> 0:18:42.420000
have its own subnet, which, if you're going through the portal has to

0:18:42.420000 --> 0:18:47.520000
be a /27. Now, /28, I'm going to have to change my template to make sure

0:18:47.520000 --> 0:18:51.120000
I get that. So it's right all over the place, hadn't even noticed that.

0:18:51.120000 --> 0:18:57.460000
But in any case, you have a specific subnet, it has to be the AzureBastionSubnet,

0:18:57.460000 --> 0:19:02.320000
that has to be the name, it's got to be a dedicated /27

0:19:02.320000 --> 0:19:05.840000
subnet in CIDR notation.

0:19:05.840000 --> 0:19:09.620000
And then, as long as you're willing to pay 19 cents an hour, you've got

0:19:09.620000 --> 0:19:13.360000
this great way of connecting to your VMs that are in Azure.