
Azure Bastion: Connect to an Azure VM without accessing the Azure portal by using a shareable link


This blog post will demonstrate how to use the Bastion Shareable Link feature* to connect to one of your Azure virtual machines (VMs) without using the Azure Portal. 

* The Bastion Shareable Link feature is currently in public preview, so you should not use it to connect to any of your production VMs. Furthermore, during the preview, connecting to VMs in peer virtual networks (VNets) that are not deployed in the same subscription or region is not supported.


As most of you probably already know, Azure Bastion is an Azure PaaS service that you provision inside a VNet, preferably the hub VNet. Once configured, it allows you to securely connect to your Azure VMs via RDP or SSH, directly from the Azure portal over SSL.

With the Bastion Shareable Link feature, you can now let users connect to a VM or VM scale set using Azure Bastion without accessing the Azure portal.

A shareable link is a link that can be shared, which allows the user (internal or external) who receives it to connect directly to that VM via an Azure Bastion session. After clicking on the link, the user will be redirected to the Azure portal, and after proper authentication, they can directly connect to the VM using Azure Bastion.

Because the link itself does not contain any authentication credentials, the user needs to authenticate using a username and password or a private key, depending on what you have configured for the target VM. By default, users in your organization will have only read access to shared links, which allows them to view and use shareable links, but they will not be able to create or delete a link.

So, this feature will come in handy during all kinds of IT projects or support cases where temporary or one-time access is required to perform any kind of administrative or troubleshooting tasks on one or more Azure VMs.

To enable, create and use a Bastion Shareable Link, you can follow the steps below.


Prerequisites

  • An Azure subscription.
  • An Azure Administrator account with the necessary RBAC roles.
  • An existing Azure Bastion host with the Standard SKU.
  • An existing VNet, and a subnet with an associated network security group (NSG), located in the same subscription and region as the Bastion host.
  • An existing VM, connected to the above subnet.




If you need to deploy a new Azure Bastion host or if you need to upgrade the SKU, you can always check out one of my previous blog posts: "Azure Bastion: Azure PowerShell deployment script" and "Azure Bastion: Upgrade Basic SKU to Standard SKU with Azure PowerShell".



Enable the Bastion Shareable Link feature

Before you can create a shareable link to a VM, you must first enable the feature if it is not already enabled. To do so, first log on to the Azure Portal and type "bastion" in the Global search bar. Then click on Bastions.


On the Bastions page, click on your bastion resource.


On the Bastion page, click Configuration. Then select Shareable Link and click Apply. Keep in mind that updating the settings for your bastion host can take up to 7 to 10 minutes.




Create and use a shareable link

In the Azure Portal, go back to your bastion resource, and on the Bastion page under Settings, click Shareable links. Then, to create your shareable link, click +Add.


In the next step, you then need to specify the resource group and the VM(s) you would like to create your shareable link for. You can select a single, multiple, or all VMs in the selected resource group.

For each VM you select, a separate shareable link will be created. When you have selected your VM(s), click Apply to create the link(s).


Once the links are successfully created, you can view them on the Shareable links page. To share the link, click on the copy button and share it with the user who requires it.


The user then just needs to paste the link into a browser, fill in a username and password in the correct fields (if it is the first time connecting, you should also click Allow in the pop-up), and click Login.
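Because shareable links are meant for temporary access and the feature should stay off production hosts during the preview, it helps to review periodically where it is enabled and which links still exist. The following is an added example, not code from this blog or from Microsoft: it audits constructed inventory data, and the JSON field names (`properties.enableShareableLink`, `vm.id`, `createdAt`), the `environment` tag and the 14-day threshold are assumptions to adapt to your own exports and policy.

```python
import json
from datetime import datetime, timezone

# Constructed sample inventory (not real resources). Field names are assumed to
# follow the ARM bastionHosts resource and the shareable-link list response.
HOSTS = json.loads("""[
  {"name": "bas-hub-prd", "sku": {"name": "Standard"},
   "tags": {"environment": "production"},
   "properties": {"enableShareableLink": true}},
  {"name": "bas-hub-tst", "sku": {"name": "Standard"},
   "tags": {"environment": "test"},
   "properties": {"enableShareableLink": true}},
  {"name": "bas-spoke", "sku": {"name": "Basic"}, "tags": {}, "properties": {}}
]""")

# Constructed links per Bastion host; timestamps carry no fractional seconds.
LINKS = {"bas-hub-tst": json.loads("""[
  {"vm": {"id": "/subscriptions/0000/resourceGroups/rg-tst/providers/Microsoft.Compute/virtualMachines/vm-old"},
   "createdAt": "2023-01-02T08:00:00Z"},
  {"vm": {"id": "/subscriptions/0000/resourceGroups/rg-tst/providers/Microsoft.Compute/virtualMachines/vm-new"},
   "createdAt": "2023-02-27T08:00:00Z"}
]""")}


def audit(hosts, links_by_host, now, max_age_days=14, prod_tag="environment"):
    """Return (host, issue, detail) tuples for shareable-link usage to review."""
    findings = []
    for host in hosts:
        name = host["name"]
        if not host.get("properties", {}).get("enableShareableLink", False):
            continue  # feature is off on this host: nothing to review
        env = (host.get("tags") or {}).get(prod_tag, "").lower()
        if env in ("prod", "production"):
            # Preview feature enabled on a host tagged as production.
            findings.append((name, "preview-feature-on-production", ""))
        for link in links_by_host.get(name, []):
            created = datetime.fromisoformat(link["createdAt"].replace("Z", "+00:00"))
            age = (now - created).days
            if age > max_age_days:
                # Link outlived the temporary-access window: candidate for deletion.
                vm = link["vm"]["id"].rsplit("/", 1)[-1]
                findings.append((name, "stale-link", f"{vm} ({age} days)"))
    return findings


if __name__ == "__main__":
    for finding in audit(HOSTS, LINKS, datetime(2023, 3, 1, tzinfo=timezone.utc)):
        print(finding)
```

Links flagged as stale can be deleted on the Shareable links page of the Bastion host.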



Conclusion

Azure Bastion Shareable Link is a feature that enables Azure Administrators to provide any kind of user who has the proper sign-in credentials with secure remote access to any of their Azure VMs without opening the Azure portal or utilizing any type of Azure VPN.

If you have any questions related to the use of Bastion Shareable Link in your environment, feel free to contact me through my Twitter handle (@wmatthyssen) or to just leave a comment. I am always happy to help.

