WEBVTT

00:00:03.000 --> 00:00:07.020
If you're running infrastructure as a service, if you're running virtual

00:00:07.020 --> 00:00:10.780
machines in Azure, frankly, anywhere in the Cloud, one of the concerns

00:00:10.780 --> 00:00:15.080
that you're going to have is, how are you going to configure remote access

00:00:15.080 --> 00:00:18.380
management to those virtual machines?

00:00:18.380 --> 00:00:22.080
That's what we're going to talk about in this video.

00:00:22.080 --> 00:00:26.540
We're going to talk about different ways that you can manage your virtual

00:00:26.540 --> 00:00:28.560
machines that are in Azure.

00:00:28.560 --> 00:00:33.080
We're going to talk first about actual gateway access, which would be

00:00:33.080 --> 00:00:37.740
my preference. We'll also talk about controlling access to network security

00:00:37.740 --> 00:00:42.020
groups, and I'm going to demonstrate Just-in-Time access.

00:00:42.020 --> 00:00:46.740
And we'll go into that, but I'm just going to do that fully by demonstration.

00:00:46.740 --> 00:00:50.100
We'll talk about firewalls and how you could use those to control access,

00:00:50.100 --> 00:00:53.100
as well as the Azure load balancer.

00:00:53.100 --> 00:00:58.140
And then what is really my preferred means, I would say my secondary means

00:00:58.140 --> 00:01:02.040
of access, which is the Bastion host.

00:01:02.040 --> 00:01:05.540
And we're going to go ahead and demonstrate that as well.

00:01:05.540 --> 00:01:10.180
So let's go ahead and let's jump right into this.

00:01:10.180 --> 00:01:14.020
Right now, the first thing that we're going to talk about is the idea

00:01:14.020 --> 00:01:24.340
of actually accessing your virtual machines via a gateway.

00:01:24.340 --> 00:01:32.940
So I've got on-prem, I've got over here in Azure, I've got a gateway,

00:01:32.940 --> 00:01:40.100
a VPN gateway, could be also ExpressRoute.
00:01:40.100 --> 00:01:48.760
Right? And then over here, I've got a corresponding client.

00:01:48.760 --> 00:01:53.500
I've got my VPN connection, it's encrypted, it's forming a tunnel, and

00:01:53.500 --> 00:01:58.360
then I'm going over and managing through that approach, right?

00:01:58.360 --> 00:02:04.320
And for me, this is the best approach to remote access, because there's

00:02:04.320 --> 00:02:10.600
no public access to the administrative capabilities within that virtual

00:02:10.600 --> 00:02:14.320
machine. Right? As far as that virtual machine is concerned, I'm locally

00:02:14.320 --> 00:02:19.680
on a network that is connected directly to the virtual machine, and I'm

00:02:19.680 --> 00:02:28.280
managing it the way I would really with pretty much any other really set

00:02:28.280 --> 00:02:33.440
of tools. All right, so, or any, excuse me, any other local virtual machine.

00:02:33.440 --> 00:02:36.680
It's local effectively from an administrative standpoint.

00:02:36.680 --> 00:02:38.500
That to me is the best way to do it.

00:02:38.500 --> 00:02:47.240
Now, there are other options, and it is possible to have a public endpoint

00:02:47.240 --> 00:02:50.440
and to control access to that public endpoint.

00:02:50.440 --> 00:02:55.000
Okay? If you're going to do this, you absolutely want to go ahead and

00:02:55.000 --> 00:02:58.680
you want to set up network security groups, right?

00:02:58.680 --> 00:03:03.200
And you want to set them up such that I have a network security group

00:03:03.200 --> 00:03:11.280
set up on that, either the NIC or the actual subnet that that virtual

00:03:11.280 --> 00:03:16.100
machine is in, and that network security group should be very restrictive.
00:03:16.100 --> 00:03:21.820
You know, it should say, okay, I'm going to allow this particular virtual

00:03:21.820 --> 00:03:27.380
machine access or this particular IP, public IP address access, not the

00:03:27.380 --> 00:03:30.360
entire public internet, right?

00:03:30.360 --> 00:03:33.640
So you can do that, and my recommendation, if you're going to do that,

00:03:33.640 --> 00:03:37.480
if you're going to use NSGs, is to actually do that with Just-in-Time

00:03:37.480 --> 00:03:42.520
access. And in fact, Just-in-Time access is what I'm going to show you

00:03:42.520 --> 00:03:50.000
now. Now, Just-in-Time access is a feature within Azure, and what it does

00:03:50.000 --> 00:03:57.460
is it allows you to really manipulate, automatically manipulate the NSG

00:03:57.460 --> 00:04:00.340
rules to allow access to a virtual machine.

00:04:00.340 --> 00:04:02.120
Now, why does that matter?

00:04:02.120 --> 00:04:03.540
Okay? Why do we want to automate this?

00:04:03.540 --> 00:04:10.920
Let's say that I am sitting at a, you know, at a cafe, and I realize, oh,

00:04:10.920 --> 00:04:15.080
I've got to, you know, run this process on a virtual machine that's in

00:04:15.080 --> 00:04:17.920
Azure, right? So I want to be able to connect to it.

00:04:17.920 --> 00:04:21.100
Well, what I don't want to do is I don't want to have an NSG that would

00:04:21.100 --> 00:04:24.920
be completely open and let anyone connect up, right?

00:04:24.920 --> 00:04:27.140
Instead, what I want to do is say, you know what?

00:04:27.140 --> 00:04:29.140
I need access to this.

00:04:29.140 --> 00:04:32.400
I essentially need a hole in the firewall, and the NSG firewall, if you

00:04:32.400 --> 00:04:35.260
will, but I want it to be temporary.

00:04:35.260 --> 00:04:37.340
So I want to request access.

00:04:37.340 --> 00:04:38.920
I want to be given access.
00:04:38.920 --> 00:04:44.740
And then I want to go ahead and, you know, just, just use it.

00:04:44.740 --> 00:04:49.520
And then also, so I don't have to remember to close it back down,

00:04:49.520 --> 00:04:51.400
I want it to close down after a certain amount of time.

00:04:51.400 --> 00:04:54.620
And that's really what Just-in-Time access is.

00:04:54.620 --> 00:05:03.040
And my explanation is not doing it justice, so let's take a look at this.

00:05:03.040 --> 00:05:07.820
Okay. I have my dashboard, all right?

00:05:07.820 --> 00:05:11.700
So this is in Azure, Azure portal, of course.

00:05:11.700 --> 00:05:16.840
And what I'm going to do is I'm going to go down to Security Center.

00:05:16.840 --> 00:05:24.520
And in Security Center, my poor security score notwithstanding.

00:05:24.520 --> 00:05:26.260
It's not as bad as it looks.

00:05:26.260 --> 00:05:31.260
I'm going to come down to Just-in-Time VM Access.

00:05:31.260 --> 00:05:36.240
Okay. And right now I've got one virtual machine.

00:05:36.240 --> 00:05:38.360
That's going to be my demonstration machine.

00:05:38.360 --> 00:05:42.660
And it is set up for Just-in-Time Access.

00:05:42.660 --> 00:05:46.600
Okay. I can go over here to Not Configured.

00:05:46.600 --> 00:05:50.060
And these are the virtual machines that are, well, not configured for

00:05:50.060 --> 00:05:52.000
Just-in-Time Access.

00:05:52.000 --> 00:05:55.240
And I can see, all right, I've got three of these.

00:05:55.240 --> 00:05:58.100
Two of these have a high severity.

00:05:58.100 --> 00:06:02.240
This third one is healthy because it doesn't have a public IP address.

00:06:02.240 --> 00:06:05.000
So there'd be no way to get to that unless you're going through the

00:06:05.000 --> 00:06:08.700
network anyways, in which case this would be kind of a non-issue.

00:06:08.700 --> 00:06:10.940
All right. But let's say I want to take one of these.

00:06:10.940 --> 00:06:15.560
Let's say I want to take the vendor fwall VM.

00:06:15.560 --> 00:06:19.700
And I want to enable it there.

00:06:19.700 --> 00:06:24.120
On Container, I want to enable JIT on that.

00:06:24.120 --> 00:06:30.600
It says, okay, here are the ports for which Just-in-Time VM Access will

00:06:30.600 --> 00:06:33.700
be applicable. And you can see these are the ports and you can change

00:06:33.700 --> 00:06:35.520
these. I can add more.

00:06:35.520 --> 00:06:38.600
Notice that the time range for these is three hours.

00:06:38.600 --> 00:06:40.580
I can delete them.

00:06:40.580 --> 00:06:43.720
I can also save this.

00:06:43.720 --> 00:06:45.900
Okay. And that's it.

00:06:45.900 --> 00:06:50.320
That ends up, if you will, subjecting that virtual machine to Just-in-Time

00:06:50.320 --> 00:06:52.620
Access. Very simple to set up.

00:06:52.620 --> 00:06:58.060
Now, and it actually went over here right away, which usually it doesn't.

00:06:58.060 --> 00:07:01.200
Okay. So now I've got my Just-in-Time Access.

00:07:01.200 --> 00:07:03.300
Fantastic. What does that do?

00:07:03.300 --> 00:07:11.020
Well, I'm going to go over to my virtual machine.

00:07:11.020 --> 00:07:15.820
And I'm going to go, let's go to the one that I just set up.

00:07:15.820 --> 00:07:20.380
And go to Networking.

00:07:20.380 --> 00:07:26.460
And what you'll notice is that I've got, in Networking,

00:07:26.460 --> 00:07:29.220
now, I'll go and blow that up just a little bit.

00:07:29.220 --> 00:07:31.200
Zoom in just a bit.

00:07:31.200 --> 00:07:34.520
If you look over here, under Networking, I've got inbound port rules.

00:07:34.520 --> 00:07:36.580
And I have this 1000 port rule.

00:07:36.580 --> 00:07:41.240
Now, I had a couple of other port rules that were here.
00:07:41.240 --> 00:07:47.860
And they got escalated, or actually de-escalated, they had a higher priority

00:07:47.860 --> 00:07:49.600
before I did this.

00:07:49.600 --> 00:07:51.740
Okay. And so their priority got changed.

00:07:51.740 --> 00:07:57.460
And then it added a priority 1000 rule that is going to disallow, go over

00:07:57.460 --> 00:08:01.760
here, it is going to deny access.

00:08:01.760 --> 00:08:10.300
You can see to those ports, on any protocol, from any source, to the destination

00:08:10.300 --> 00:08:17.540
10.0.1.4. Now, a requirement for this, a requirement for Just-in-Time

00:08:17.540 --> 00:08:23.800
Access, is to actually have an NSG.

00:08:23.800 --> 00:08:26.880
You have to have an NSG associated with the virtual machine directly

00:08:26.880 --> 00:08:29.960
or through a subnet in order for this to work.

00:08:29.960 --> 00:08:31.820
Which makes sense.

00:08:31.820 --> 00:08:34.280
And typically, I prefer to have them through the subnet.

00:08:34.280 --> 00:08:38.180
Also, there are other requirements, not really many, but I'll show you

00:08:38.180 --> 00:08:41.480
the other primary requirement in just a moment.

00:08:41.480 --> 00:08:42.580
Okay, but that was it.

00:08:42.580 --> 00:08:44.300
I now have Just-in-Time Access.

00:08:44.300 --> 00:08:46.660
Well, what does that do for me?

00:08:46.660 --> 00:08:49.720
Okay, well, what that does for me, if I, for example, go over here and

00:08:49.720 --> 00:08:54.100
say, you know what, I'm going to connect to this virtual machine.

00:08:54.100 --> 00:08:56.220
I need to connect to the virtual machine.

00:08:56.220 --> 00:09:00.060
Okay, and this happens to be a Linux virtual machine.

00:09:00.060 --> 00:09:03.120
So, I'm going to connect via SSH.
00:09:03.120 --> 00:09:07.520
However, as you can see, when I try to connect via SSH, it's going to

00:09:07.520 --> 00:09:13.360
tell me that I have to request access now.

00:09:13.360 --> 00:09:16.100
Okay, so it's given me all of the information.

00:09:16.100 --> 00:09:19.500
Now, I can go and say, you know what, I just want to request this for

00:09:19.500 --> 00:09:25.400
my IP address. And I'm going to go ahead and request access for my IP

00:09:25.400 --> 00:09:33.340
address. And again, I'm doing this through the interface for this particular

00:09:33.340 --> 00:09:34.440
virtual machine.

00:09:34.440 --> 00:09:39.400
Now, when I do that, so I have requested access and it tells me access

00:09:39.400 --> 00:09:43.380
was approved on port 22 from the selected IPs.

00:09:43.380 --> 00:09:49.100
Now, if I go up to Networking, I see there is a new security rule that

00:09:49.100 --> 00:09:51.200
has been added that has given me access.

00:09:51.200 --> 00:09:56.020
So, I'm going to go to access on port 22 to that destination from my IP

00:09:56.020 --> 00:10:01.160
address. Now, at this point, I will be able to connect via 22.

00:10:01.160 --> 00:10:04.260
However, it takes a little while sometimes for NSGs to actually fully

00:10:04.260 --> 00:10:08.820
propagate. So, I'm going to go to one I've already set up.

00:10:08.820 --> 00:10:15.360
Okay, and you can see this is actually a Windows virtual machine.

00:10:15.360 --> 00:10:19.140
And I have kind of the exact same situation.

00:10:19.140 --> 00:10:24.820
I've got Security Center, I've got the Just-in-Time rule that closes all

00:10:24.820 --> 00:10:27.840
those ports and denies access.

00:10:27.840 --> 00:10:32.020
And then I've got one that's allowing access on port 3389 specifically

00:10:32.020 --> 00:10:36.000
to my IP address.
00:10:36.000 --> 00:10:41.100
Now, I mentioned that there are a couple of requirements for Just-in-Time

00:10:41.100 --> 00:10:44.060
Access. One is that you need an NSG.

00:10:44.060 --> 00:10:50.920
The other is that you need a very specific set of rights in order to access

00:10:50.920 --> 00:10:54.600
and request the JIT.

00:10:54.600 --> 00:11:00.420
And what I did was I actually set up a custom role, a custom role-based

00:11:00.420 --> 00:11:03.440
access control role definition.

00:11:03.440 --> 00:11:09.100
And I assigned it to a user to allow them to actually access this virtual

00:11:09.100 --> 00:11:13.720
machine. And what I want to do is show you that role, and because it just

00:11:13.720 --> 00:11:18.440
has the, there are four specific actions that you need to have access

00:11:18.440 --> 00:11:23.060
to in order to request JIT approval.

00:11:23.060 --> 00:11:25.880
And so, let's go ahead and take a look at that.

00:11:25.880 --> 00:11:29.500
And then I'm also going to show you kind of how that process, how it works

00:11:29.500 --> 00:11:31.020
when somebody's requested it.

00:11:31.020 --> 00:11:33.940
And I'm also going to go back into Security Center and show you some of

00:11:33.940 --> 00:11:39.100
the JIT features in Security Center.

00:11:39.100 --> 00:11:47.020
All right, now what I did was I defined a custom role, as I said.

00:11:47.020 --> 00:11:48.680
And this is really it.

00:11:48.680 --> 00:11:51.400
I've got the name, the description.

00:11:51.400 --> 00:11:55.180
I've got the actions, and there are four actions.

00:11:55.180 --> 00:11:58.020
These are the four actions that you need to have.

00:11:58.020 --> 00:12:03.180
Now the first two actions need to be applied either at the subscription

00:12:03.180 --> 00:12:06.260
level or at the resource group level.
00:12:06.260 --> 00:12:10.880
The last two, the compute and network interface, those can be applied

00:12:10.880 --> 00:12:14.400
at those levels or at the individual virtual machine level.

00:12:14.400 --> 00:12:20.460
I just went ahead and put it all in a single custom role.

00:12:20.460 --> 00:12:21.440
All right, and so there we go.

00:12:21.440 --> 00:12:22.560
That's my custom role.

00:12:22.560 --> 00:12:28.260
Easy enough. And I went ahead and set that and I assigned that, and I'll

00:12:28.260 --> 00:12:29.840
show you where I assigned it.

00:12:29.840 --> 00:12:36.820
If I go to Access Control and I go to Role Assignments and if I go down

00:12:36.820 --> 00:12:41.540
here, I've got a virtual machine Just-in-Time user.

00:12:41.540 --> 00:12:42.700
And that's this task user.

00:12:42.700 --> 00:12:46.100
Now I also made the user a Reader because I actually have to be able to

00:12:46.100 --> 00:12:47.600
get there through the portal.

00:12:47.600 --> 00:12:51.820
And what I want to do is show you the process that user would go through

00:12:51.820 --> 00:12:56.960
in order to request Just-in-Time access.

00:12:56.960 --> 00:12:59.940
So I'm going to actually go into the portal because that is where you're

00:12:59.940 --> 00:13:05.480
going to go. Now Just-in-Time access can also be requested from the command

00:13:05.480 --> 00:13:08.080
line using Azure's command line tools.

00:13:08.080 --> 00:13:12.200
It can also be requested programmatically.

00:13:12.200 --> 00:13:14.260
So you're not limited to just going through the portal.

00:13:14.260 --> 00:13:17.560
You could have a custom solution that would allow it as well.

00:13:17.560 --> 00:13:30.380
But in this case, I'm going to go through the portal.

00:13:30.380 --> 00:13:41.960
And stay signed in.

00:13:41.960 --> 00:13:46.460
All right. And now I've got access as this user.
00:13:46.460 --> 00:13:47.680
I don't really have access to much.

00:13:47.680 --> 00:13:53.340
I've got access to the virtual machine and to the resource group.

00:13:53.340 --> 00:13:57.680
But if I go to the virtual machine, now again, I'm in as a user with very

00:13:57.680 --> 00:14:02.700
low permissions.

00:14:02.700 --> 00:14:06.260
All right. And you can see I get the exact same interface here.

00:14:06.260 --> 00:14:08.420
I can request access.

00:14:08.420 --> 00:14:10.480
Okay. And I go through there.

00:14:10.480 --> 00:14:15.100
Now, if I go here and request access,

00:14:15.100 --> 00:14:18.920
once I request access,

00:14:18.920 --> 00:14:27.840
there we go. Now I can download the RDP file.

00:14:27.840 --> 00:14:31.240
And once I download the RDP file,

00:14:31.240 --> 00:14:35.200
I am connecting via RDP like I would

00:14:35.200 --> 00:14:38.780
to any other system.

00:14:38.780 --> 00:14:42.340
Right. It's just that I've got

00:14:42.340 --> 00:14:47.660
a very specific rule that's allowing me to do that.

00:14:47.660 --> 00:14:51.160
A very specific network security group rule that's allowing me access.

00:14:51.160 --> 00:14:52.900
Right. And so I go in there.

00:14:52.900 --> 00:14:56.120
Now, as soon as I got that login, it means I was connected except for

00:14:56.120 --> 00:14:57.920
the fact that apparently,

00:14:57.920 --> 00:15:01.480
ah, apparently I misspelled student.

00:15:01.480 --> 00:15:06.120
I was pretty sure that was the right password.

00:15:06.120 --> 00:15:10.100
I got the complicated password right.

00:15:10.100 --> 00:15:12.800
I messed up the actual username.

00:15:12.800 --> 00:15:18.880
Okay. So now it is connecting and it is connected off screen.

00:15:18.880 --> 00:15:19.660
But there we go.

00:15:19.660 --> 00:15:20.840
There's my remote desktop.

00:15:20.840 --> 00:15:23.240
So I am in. Okay.
00:15:23.240 --> 00:15:27.940
Outstanding. Now I'm going to close it because I'm not going to do anything

00:15:27.940 --> 00:15:29.420
with that. All right.

00:15:29.420 --> 00:15:31.740
Now I'm going to go back as me and I want to take a look at some of the

00:15:31.740 --> 00:15:37.360
things I can do as an administrator with that Just-in-Time access.

00:15:37.360 --> 00:15:40.660
So I'm going to go to Security Center.

00:15:40.660 --> 00:15:46.180
And I'm going to go down here to Just-in-Time VM access.

00:15:46.180 --> 00:15:51.840
Okay. And so I can see both of these and it's interesting because it's

00:15:51.840 --> 00:15:56.720
going to tell me that there have been six approved requests on the demo

00:15:56.720 --> 00:15:59.000
JITVM. All right.

00:15:59.000 --> 00:16:00.520
It's active now.

00:16:00.520 --> 00:16:03.640
Right now it's got port 3389 open.

00:16:03.640 --> 00:16:06.920
The container VM has port 22 open.

00:16:06.920 --> 00:16:14.180
And if I go and I can go to properties, activity log, I can edit it or

00:16:14.180 --> 00:16:21.420
remove it. But if I go to activity log, that is showing me really an audit

00:16:21.420 --> 00:16:25.280
trail of all of the activity.

00:16:25.280 --> 00:16:29.020
Right. And I can go in and get a little bit of information,

00:16:29.020 --> 00:16:35.020
get a bit more information as to what actually happened there.

00:16:35.020 --> 00:16:37.920
So that is Just-in-Time.

00:16:37.920 --> 00:16:43.160
It is controlled by role, right, by actions.

00:16:43.160 --> 00:16:45.200
You configure those as permissions, of course.

00:16:45.200 --> 00:16:49.560
And it's set up in your Security Center.

00:16:49.560 --> 00:16:53.260
By the way, you can also request access through Security Center.

00:16:53.260 --> 00:16:56.960
You don't have to do that through the virtual machine interface.
00:16:56.960 --> 00:17:00.500
In fact, you can also, on the flip side of that, you can actually set up

00:17:00.500 --> 00:17:06.280
Just-in-Time access through the blade for the virtual machine in the portal.

00:17:06.280 --> 00:17:09.420
So it's kind of, kind of the way it should be really, you can go either

00:17:09.420 --> 00:17:12.120
direction, kind of like if you think about backing up your virtual machine,

00:17:12.120 --> 00:17:13.620
you can do the same thing there.

00:17:13.620 --> 00:17:18.020
All right. So anyways, that is Just-in-Time access.

00:17:18.020 --> 00:17:23.440
Let's take a look at other ways that we can set up access.

00:17:23.440 --> 00:17:28.960
One other way that we can set up access is you can use a firewall, right.

00:17:28.960 --> 00:17:31.440
And I could set up a virtual network.

00:17:31.440 --> 00:17:36.360
I could have an internal subnet with my machines that I need to access.

00:17:36.360 --> 00:17:41.520
I could set up a firewall, whether it be an Azure Firewall or a network

00:17:41.520 --> 00:17:44.000
virtual appliance firewall, right.

00:17:44.000 --> 00:17:47.880
And have that control access and get all of the security benefits of that.

00:17:47.880 --> 00:17:51.000
And that's absolutely a valid way of doing this.

00:17:51.000 --> 00:17:54.780
Now, there is another approach kind of similar to that.

00:17:54.780 --> 00:18:01.720
And that would be to set up a load balancer, right.

00:18:01.720 --> 00:18:08.140
I could use a load balancer and use that to perhaps obfuscate the actual

00:18:08.140 --> 00:18:09.780
administrative port, right.

00:18:09.780 --> 00:18:14.640
So I can set up NAT rules on an Azure load balancer, right.

00:18:14.640 --> 00:18:17.160
But my recommendation, don't do this.

00:18:17.160 --> 00:18:22.560
Okay. I only put this on here because it's a bad idea and I wanted to

00:18:22.560 --> 00:18:27.740
bring that up and say, I wanted the opportunity to say that's a bad idea.

00:18:27.740 --> 00:18:29.340
So please don't do that.

00:18:29.340 --> 00:18:38.060
Now, the next option, which is my second favorite approach, it's kind

00:18:38.060 --> 00:18:41.600
of weird that I've got a hierarchy of favorite approaches to remote access

00:18:41.600 --> 00:18:43.320
control of my virtual machines.

00:18:43.320 --> 00:18:44.920
But I do. All right.

00:18:44.920 --> 00:18:52.420
If you cannot set up access via a gateway tunnel, whether it's VPN or

00:18:52.420 --> 00:18:57.560
ExpressRoute, then I highly suggest that you take a look at setting up

00:18:57.560 --> 00:19:03.800
Azure Bastion. And what Azure Bastion does is it allows you via an HTTPS

00:19:03.800 --> 00:19:11.240
connection through the Azure portal to manage your virtual machines.

00:19:11.240 --> 00:19:15.140
And what it does, it will open up either an RDP session if it's a Windows

00:19:15.140 --> 00:19:21.740
machine, or it will open up an SSH session if it's a Linux machine.

00:19:21.740 --> 00:19:23.440
Okay. But you're going through the portal.

00:19:23.440 --> 00:19:29.780
There's never a, there's never a port directly open to the virtual machine.

00:19:29.780 --> 00:19:33.780
Right. So you're not in any way, and I find this better than Just-in-Time

00:19:33.780 --> 00:19:38.000
because with Just-in-Time, at some point, there is a direct administrative

00:19:38.000 --> 00:19:45.060
hole in the firewall, right, for 3389 or 22 or your ports.

00:19:45.060 --> 00:19:50.240
If you're using, you know, WinRM remote management, PowerShell.

00:19:50.240 --> 00:19:53.300
Okay. But this doesn't have any of that.
00:19:53.300 --> 00:19:56.820
What this does is, okay, I'm going to connect you up, but I'm going to

00:19:56.820 --> 00:20:00.280
connect you up through the portal, is really what it's doing.

00:20:00.280 --> 00:20:04.940
And I will tell you that Bastion hosts are not free.

00:20:04.940 --> 00:20:06.900
All right. You are paying for them.

00:20:06.900 --> 00:20:13.440
They're not particularly inexpensive either, but you only need one host

00:20:13.440 --> 00:20:15.580
per virtual network.

00:20:15.580 --> 00:20:20.620
Right. So if I've got, you know, let's say five different virtual machine

00:20:20.620 --> 00:20:24.640
servers running on a particular virtual network, rather than having to

00:20:24.640 --> 00:20:27.740
have five different Bastion hosts, I just install one.

00:20:27.740 --> 00:20:30.320
And I use that to connect up to the virtual machines.

00:20:30.320 --> 00:20:33.100
And what I'd like to do now is I would like to demonstrate that.

00:20:33.100 --> 00:20:38.460
And I'd like to show you how you can set up and then how you can use a

00:20:38.460 --> 00:20:51.380
Bastion host. Now I'm going to go back to my Azure portal.

00:20:51.380 --> 00:20:55.320
And if I wanted to set up a Bastion host, let's take a look at my virtual

00:20:55.320 --> 00:20:58.920
networks first. I'm not even sure which virtual networks I could put one

00:20:58.920 --> 00:21:03.020
on. All right. I can put one on demo containers VNet.

00:21:03.020 --> 00:21:09.840
Now, one thing about a Bastion host, or really just Azure Bastion is how

00:21:09.840 --> 00:21:11.820
you will see it referred to.

00:21:11.820 --> 00:21:14.200
I always refer to it as a host.

00:21:14.200 --> 00:21:18.120
All right. One thing about it is that it has some specific requirements,

00:21:18.120 --> 00:21:22.580
not much, but it needs its own dedicated subnet.
00:21:22.580 --> 00:21:25.240
So right now I'm on a virtual network.

00:21:25.240 --> 00:21:27.760
This virtual network has one subnet.

00:21:27.760 --> 00:21:28.940
It's got a default subnet.

00:21:28.940 --> 00:21:31.200
I want to make sure it's set up the address space, right?

00:21:31.200 --> 00:21:35.160
It did not. Now I did this quick and dirty.

00:21:35.160 --> 00:21:37.720
Therefore, just kind of set up like this.

00:21:37.720 --> 00:21:41.440
What I'm going to do is I'm going to add an address space.

00:21:41.440 --> 00:21:49.140
Dot zero, cursor out of the way, slash 24.

00:21:49.140 --> 00:21:55.420
So I'm adding an address space to the virtual network.

00:21:55.420 --> 00:22:05.720
All right. Now I did that because I need to add a subnet.

00:22:05.720 --> 00:22:08.140
So I'm going to add a subnet.

00:22:08.140 --> 00:22:10.620
And the subnet has to have a very specific name.

00:22:10.620 --> 00:22:17.260
It's going to be AzureBastionSubnet.

00:22:17.260 --> 00:22:22.980
And it has to have its own address range, obviously.

00:22:22.980 --> 00:22:26.660
It can be as low as a /27.

00:22:26.660 --> 00:22:31.920
I'll make it a /24 just to be lazy.

00:22:31.920 --> 00:22:38.420
All right. And so now I have a virtual network with an appropriate subnet.

00:22:38.420 --> 00:22:39.940
Now what I want to do.

00:22:39.940 --> 00:22:42.720
First of all, see where this is.

00:22:42.720 --> 00:22:44.240
East. All right.

00:22:44.240 --> 00:22:47.560
Now I am going to create a resource and I'm going to create a resource

00:22:47.560 --> 00:22:49.420
that is Bastion.

00:22:49.420 --> 00:23:02.920
All right. And I'll put it there. Name:

00:23:02.920 --> 00:23:12.120
Demo Bastion. I have to put this in the same location.
00:23:12.120 --> 00:23:17.540
So the Bastion does have to be in the same region as the virtual network

00:23:17.540 --> 00:23:19.040
you're going to connect it to.

00:23:19.040 --> 00:23:21.760
Now it says, okay, what virtual network do you want?

00:23:21.760 --> 00:23:24.620
And I want demo containers.

00:23:24.620 --> 00:23:27.420
These are all the virtual networks that are in the East.

00:23:27.420 --> 00:23:31.440
And as soon as I pick that, it does pick up the AzureBastionSubnet.

00:23:31.440 --> 00:23:34.480
Now, if it did not have an AzureBastionSubnet, it would tell me I have

00:23:34.480 --> 00:23:38.920
an error. It would let me create that from here, but we're good.

00:23:38.920 --> 00:23:44.340
And then I'm going to create a new public IP address for my Bastion.

00:23:44.340 --> 00:23:50.200
And that's it. Of course, we'll also tag it because I'm responsible in

00:23:50.200 --> 00:23:51.120
this case. I won't.

00:23:51.120 --> 00:23:54.560
And I simply hit Create and that's going to give me a Bastion.

00:23:54.560 --> 00:23:57.100
Now I already have one.

00:23:57.100 --> 00:24:07.360
All right. Let's go ahead and dive down into the demo JITVM.

00:24:07.360 --> 00:24:12.060
And I am going to connect to this virtual machine.

00:24:12.060 --> 00:24:16.180
This time, however, I'm going to select Bastion.

00:24:16.180 --> 00:24:22.880
And I'm going to go ahead and put in the username and attempt to spell

00:24:22.880 --> 00:24:25.100
the password. Actually, the password is not my problem.

00:24:25.100 --> 00:24:28.100
Problem is spelling a username right. Looks like I have those in right

00:24:28.100 --> 00:24:32.260
and I connect. And there we go.

00:24:32.260 --> 00:24:37.480
So I have an RDP session with that virtual machine.
00:24:37.480 --> 00:24:43.780
Now I can have this set up so that there's no RDP access directly, 3389,

00:24:43.780 --> 00:24:46.540
into that virtual machine over the public IP address.

00:24:46.540 --> 00:24:48.720
And I would certainly want to do that, right?

00:24:48.720 --> 00:24:52.820
But this just gives me that ability to manage the virtual machine, to pop

00:24:52.820 --> 00:24:54.600
in and access it.

00:24:54.600 --> 00:24:57.200
And it's really a powerful capability.

00:24:57.200 --> 00:25:04.800
One thing to note, you can't have JIT and Bastion active on the same virtual

00:25:04.800 --> 00:25:06.760
machine. It doesn't work.

00:25:06.760 --> 00:25:09.740
You wouldn't have noticed that, but I forgot to take that out in the middle

00:25:09.740 --> 00:25:11.080
of the demonstration.

00:25:11.080 --> 00:25:14.140
So through the magic of editing, you never saw that.

00:25:14.140 --> 00:25:19.820
But I did have to go in and I did have to disable the Just-in-Time configuration

00:25:19.820 --> 00:25:20.980
for the virtual machine.

00:25:20.980 --> 00:25:26.500
But those are a number of different ways that you can connect to a virtual

00:25:26.500 --> 00:25:28.700
machine for administrative access.

00:25:28.700 --> 00:25:35.480
You know, from setting up JIT access, again, my preferred method would

00:25:35.480 --> 00:25:40.720
be having a tunnel, a VPN or ExpressRoute tunnel, having Just-in-Time

00:25:40.720 --> 00:25:46.640
access, setting up Bastion, using a firewall, whether it's Azure Firewall,

00:25:46.640 --> 00:25:50.620
or if it's a network virtual appliance firewall.

00:25:50.620 --> 00:25:52.200
Many different ways of connecting.

00:25:52.200 --> 00:25:56.180
You want to pick the approach that works for your environment and is the

00:25:56.180 --> 00:25:57.120
most secure available.