
Azure Bastion: Upgrade Basic SKU to Standard SKU with Azure PowerShell


This blog post will show you how you can upgrade Azure Bastion from the Basic SKU to the Standard SKU (Tier) using an Azure PowerShell script.

Azure Bastion is an Azure PaaS service that you provision inside a virtual network (VNet), preferably the hub VNet. It allows you to connect securely to your Azure virtual machines (VMs) via RDP or SSH, directly from the Azure portal over SSL. When you use Azure Bastion, your VMs do not need a public IP address (PIP), an agent, or special client software for you to be able to connect to them.

Currently Azure Bastion is available in two SKUs: Basic and Standard.

  • The Basic SKU provides basic functionality, which enables Azure Bastion to manage RDP/SSH connectivity to virtual machines (VMs) without exposing public IP addresses (PIP) on any of those VMs.
  • The Standard SKU enables premium features, like host scaling, specifying custom inbound ports when using Azure Bastion, etc.

If you want to read some more about Azure Bastion SKUs, you can do so via the following Microsoft Docs link: Azure Bastion SKUs documentation


You can upgrade Azure Bastion from the Basic SKU to the Standard SKU through the Azure Portal, but to automate and speed up this process, I wrote the Azure PowerShell script below, which does all of the following:

  • Check if the PowerShell window is running as Administrator (when not running from Cloud Shell), otherwise the Azure PowerShell script will be exited.
  • Suppress breaking change warning messages.
  • Create Bastion resource variable for later use.
  • Store the specified set of Azure Bastion host tags in a hash table.
  • Upgrade Bastion to Standard SKU if Basic SKU is currently set.


To use the script, copy and save it as Upgrade-AzureBastion-Basic-SKU-to-Standard-SKU.ps1 or download it from GitHub. Then run the script with Administrator privileges from Windows Terminal, Visual Studio Code, or Windows PowerShell. Or you can simply run it from Cloud Shell.

If you want, you can also look at my previous blog posts, which can help you to securely deploy and configure Azure Bastion and all associated resources: "Azure Bastion: Azure PowerShell deployment script", "Azure Bastion: Set the minimum required roles to access a virtual machine", and "Azure Bastion: Set Azure Bastion NSG Inbound security rules on the Target VM Subnet with Azure PowerShell".


Prerequisites

  • An Azure subscription.
  • An Azure Administrator account with the necessary RBAC roles.
  • An existing Azure Bastion host.
  • At least Azure Az PowerShell module version 8.1.0 and Az.Network module version 4.18.1
  • Change all the variables in the script where needed to fit your needs.



Azure PowerShell script

If you are not running the script from Cloud Shell, don’t forget to sign in with the Connect-AzAccount cmdlet to connect your Azure account. And if you are using multiple Azure subscriptions, select the proper subscription with the Set-AzContext cmdlet before running the script.


If you want to check the Bastion SKU of your Bastion host before running the script, without opening the Azure Portal, you can run the following Azure PowerShell cmdlets:

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Get Bastion SKU

$bastion = Get-AzBastion | Where-Object Name -Match "<your Bastion host name or abbreviation>"
Write-Host $bastion.SkuText

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------




<#
.SYNOPSIS

A script used to upgrade Azure Bastion Basic SKU to Standard SKU with an instance count of two.

.DESCRIPTION

A script used to upgrade Azure Bastion Basic SKU to Standard SKU with an instance count of two.
The script will do all of the following:

Check if the PowerShell window is running as Administrator (when not running from Cloud Shell), otherwise the Azure PowerShell script will be exited.
Suppress breaking change warning messages.
Create Bastion resource variable for later use.
Store the specified set of Azure Bastion host tags in a hash table.
Upgrade Bastion to Standard SKU if Basic SKU is currently set.

** Keep in mind upgrading Bastion to the Standard SKU can take up to 6 minutes. **

.NOTES

Filename:       Upgrade-AzureBastion-Basic-SKU-to-Standard-SKU.ps1
Created:        03/10/2022
Last modified:  05/10/2022
Author:         Wim Matthyssen
Version:        1.2
PowerShell:     Azure Cloud Shell or Azure PowerShell
Requires:       PowerShell Az (v8.1.0) and Az.Network (v4.18.0)
Action:         Change variables where needed to fit your needs.
Disclaimer:     This script is provided "As Is" with no warranties.

.EXAMPLE

Connect-AzAccount
Get-AzTenant (if not using the default tenant)
Set-AzContext -tenantID "<xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx>" (if not using the default tenant)
Set-AzContext -Subscription "<SubscriptionName>" (if not using the default subscription)
.\Upgrade-AzureBastion-Basic-SKU-to-Standard-SKU <"your Bastion host name here"> 

-> .\Upgrade-AzureBastion-Basic-SKU-to-Standard-SKU bas-hub-myh-01

.LINK

https://wmatthyssen.com/2022/10/04/azure-bastion-upgrade-basic-sku-to-standard-sku-with-azure-powershell/
#>

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Parameters

param(
    # $bastionName -> Name of the Azure Bastion host
    [parameter(Mandatory =$true)][ValidateNotNullOrEmpty()] [string] $bastionName
)

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Variables

$bastionSkuStandard = "Standard"
$bastionScaleUnit = "2"

$global:currenttime= Set-PSBreakpoint -Variable currenttime -Mode Read -Action {$global:currenttime= Get-Date -UFormat "%A %m/%d/%Y %R"}
$foregroundColor1 = "Red"
$foregroundColor2 = "Yellow"
$writeEmptyLine = "`n"
$writeSeperatorSpaces = " - "

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Check if PowerShell runs as Administrator (when not running from Cloud Shell), otherwise exit the script

if ($PSVersionTable.Platform -eq "Unix") {
    Write-Host ($writeEmptyLine + "# Running in Cloud Shell" + $writeSeperatorSpaces + $currentTime)`
    -foregroundcolor $foregroundColor1 $writeEmptyLine
    
    ## Start script execution    
    Write-Host ($writeEmptyLine + "# Script started. Without any errors, it can take up to 6 minutes to complete" + $writeSeperatorSpaces + $currentTime)`
    -foregroundcolor $foregroundColor1 $writeEmptyLine 
} else {
    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    $isAdministrator = $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    ## Check if running as Administrator, otherwise exit the script
    if ($isAdministrator -eq $false) {
        Write-Host ($writeEmptyLine + "# Please run PowerShell as Administrator" + $writeSeperatorSpaces + $currentTime)`
        -foregroundcolor $foregroundColor1 $writeEmptyLine
        Start-Sleep -s 3
        exit
    }
    else {
        ## If running as Administrator, start script execution
        Write-Host ($writeEmptyLine + "# Script started. Without any errors, it can take up to 6 minutes to complete" + $writeSeperatorSpaces + $currentTime)`
        -foregroundcolor $foregroundColor1 $writeEmptyLine
    }
}

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Suppress breaking change warning messages

Set-Item Env:\SuppressAzurePowerShellBreakingChangeWarnings "true"

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Create Bastion resource variable

$bastion = Get-AzBastion | Where-Object Name -Match $bastionName

Write-Host ($writeEmptyLine + "# Bastion variable created" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor2 $writeEmptyLine

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Store the specified set of Azure Bastion host tags in a hash table

$bastionTags = (Get-AzResource -ResourceGroupName $bastion.ResourceGroupName -ResourceName $bastion.Name).Tags

Write-Host ($writeEmptyLine + "# Specified set of tags available to add" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor2 $writeEmptyLine 

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

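## Upgrade Bastion to Standard SKU if Basic SKU is currently set

$bastionName = $bastion.Name

# Only change the host when it is still running the Basic SKU
if ($bastion.Sku.Name -eq "Basic") {
    # Upgrade Bastion host to Standard SKU and 2 Scale Units
    Set-AzBastion -InputObject $bastion -Sku $bastionSkuStandard -ScaleUnit $bastionScaleUnit -Force | Out-Null

    # Set tags on Bastion host
    Set-AzBastion -InputObject $bastion -Tag $bastionTags -Force | Out-Null

    Write-Host ($writeEmptyLine + "# Bastion host $bastionName running with Standard SKU and $bastionScaleUnit Scale Units" + $writeSeperatorSpaces + $currentTime)`
    -foregroundcolor $foregroundColor2 $writeEmptyLine
} else {
    # Leave a host that is not on the Basic SKU untouched
    Write-Host ($writeEmptyLine + "# Bastion host $bastionName is not running the Basic SKU, nothing to upgrade" + $writeSeperatorSpaces + $currentTime)`
    -foregroundcolor $foregroundColor2 $writeEmptyLine
}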

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

## Write script completed

Write-Host ($writeEmptyLine + "# Script completed" + $writeSeperatorSpaces + $currentTime)`
-foregroundcolor $foregroundColor1 $writeEmptyLine 

## ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
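
A pre-flight and post-upgrade check to run around the script above, as an added example that is not part of the original script. It resolves the Bastion host by exact name (the script's -Match comparison treats the name as a regular expression), shows which subscription and resource will be changed, and confirms the SKU, scale units and tags afterwards. The function names are hypothetical, and the Sku.Name and ScaleUnit properties on the Bastion object are assumptions about the Az.Network object model.

```powershell
# Added example (not from the original script). Function names are hypothetical.
# Assumed: the Bastion object returned by Get-AzBastion exposes Sku.Name and ScaleUnit.

function Resolve-BastionHost {
    param([Parameter(Mandatory = $true)][string] $Name)
    # -eq compares the whole name; -Match would treat $Name as a regular expression
    $found = @(Get-AzBastion | Where-Object Name -eq $Name)
    if ($found.Count -ne 1) {
        throw "Expected exactly one Bastion host named '$Name', found $($found.Count)."
    }
    $found[0]
}

function Test-BastionUpgrade {
    param(
        [Parameter(Mandatory = $true)] $Bastion,
        [hashtable] $ExpectedTags = @{},
        [int] $ExpectedScaleUnit = 2
    )
    $problems = @()
    if ($Bastion.Sku.Name -ne "Standard") {
        $problems += "SKU is '$($Bastion.Sku.Name)', expected 'Standard'"
    }
    if ($Bastion.ScaleUnit -ne $ExpectedScaleUnit) {
        $problems += "Scale units: $($Bastion.ScaleUnit), expected $ExpectedScaleUnit"
    }
    # Every tag present before the upgrade must still be there with the same value
    $actualTags = (Get-AzResource -ResourceId $Bastion.Id).Tags
    foreach ($key in $ExpectedTags.Keys) {
        if ($null -eq $actualTags -or $actualTags[$key] -ne $ExpectedTags[$key]) {
            $problems += "Tag '$key' is missing or changed"
        }
    }
    $problems
}

$bastionHostName = "bas-hub-myh-01"   # sample host name from this post
$before = Resolve-BastionHost -Name $bastionHostName
$tagsBefore = (Get-AzResource -ResourceId $before.Id).Tags
if ($null -eq $tagsBefore) { $tagsBefore = @{} }
Write-Host "Subscription: $((Get-AzContext).Subscription.Name)  Host: $($before.Id)  SKU: $($before.Sku.Name)"

if ($before.Sku.Name -eq "Basic") {
    & .\Upgrade-AzureBastion-Basic-SKU-to-Standard-SKU.ps1 $before.Name
    $after = Get-AzBastion -ResourceGroupName $before.ResourceGroupName -Name $before.Name
    $problems = @(Test-BastionUpgrade -Bastion $after -ExpectedTags $tagsBefore)
    if ($problems.Count -gt 0) { throw ("Upgrade verification failed: " + ($problems -join "; ")) }
    Write-Host "Verified: Standard SKU, 2 scale units, tags preserved."
} else {
    Write-Host "SKU is '$($before.Sku.Name)'; nothing to upgrade."
}
```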




I hope this Azure PowerShell script is useful for you whenever you need to upgrade an existing Bastion host to the Standard SKU.

If you have any questions or recommendations about it, feel free to contact me through my Twitter handle (@wmatthyssen) or to just leave a comment.

