Simplifying Azure Bastion - 7 NSG and Firewall configurations

@20aman    Apr 20, 2021

This blog is a part of the Azure Bastion series. You can find the Index of this series here: Azure Bastion Series.

In the earlier posts, we saw how to set up the Azure Bastion service and how to connect to VMs using it. In this post, we will see which ports are involved and on which side the communication must be allowed: that is, which ports are used for outbound communication from the Bastion host to the target VMs, and which ports are used for inbound communication to the Bastion host. You will need this information when dealing with any NSGs or firewalls.

Key Points

Azure Bastion is a fully managed PaaS service from Azure that is hardened internally to provide you with secure RDP/SSH connectivity. You don't need to apply any NSGs on the Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This removes the hassle of managing NSGs each time you need to securely connect to your virtual machines.

Note: UDR is not supported on an Azure Bastion subnet. You don't need to force traffic from an Azure Bastion subnet to Azure Firewall, because the communication between Azure Bastion and your VMs is private. Therefore, unless you have a complex deployment, you will need to define the rules only at the NSG level.

Inbound rules for the Azure Bastion Subnet

Note: These are the rules for the Inbound or Ingress communication for the Azure Bastion host. These are applied to the NSG for the Bastion subnet.

Navigate to the "Inbound security rules" in the NSG and click on the "+ Add" button to add individual rules. As a best practice, leave a range of 10 or higher when providing priority to the rules. Ensure that the order is correct and in the required sequence.

Add the rules for the following:

  1. Inbound on 443 from the Internet - Allow HTTPS inbound on port 443 for the TCP protocol. Use the service tag "Internet" for the Source and "Any" for the Destination. This rule is required for you to be able to make HTTPS connections to the Azure Bastion host from the Azure portal.
  2. Azure Bastion control plane - Allow 443 for the TCP protocol. Use the service tag "GatewayManager" for the Source and "Any" for the Destination. This rule is required for the Azure Bastion control plane, i.e. Gateway Manager, to be able to talk to Azure Bastion.
  3. Azure Bastion data plane communication - Allow 443 for the TCP protocol. Use the service tag "AzureLoadBalancer" for the Source and "Any" for the Destination. This rule allows communication between the underlying components of Azure Bastion.
  4. Azure Load Balancer health probes - Allow 5701 and 8080 for "Any" protocol. Use the service tag "VirtualNetwork" for the Source and also "VirtualNetwork" for the Destination. This rule enables Azure Load Balancer to detect connectivity.
Inbound for the Azure Bastion Subnet

Outbound rules for the Azure Bastion Subnet

Note: These are the rules for the Outbound or Egress communication for the Azure Bastion host. These are applied to the NSG for the Bastion subnet.

Navigate to the "Outbound security rules" in the NSG and click on the "+ Add" button to add individual rules. As a best practice, leave a range of 10 or higher when providing priority to the rules. Ensure that the order is correct and in the required sequence.

Add the rules for the following:

  1. Traffic to target VMs - Allow SSH and RDP outbound on ports 22 and 3389 for "Any" protocol. Use "Any" for the Source and the service tag "VirtualNetwork" for the Destination. This rule allows Bastion to connect to target VMs for SSH and RDP connectivity.
  2. Azure Bastion data plane communication - Allow outbound on port 443 for the TCP protocol. Use "Any" for the Source and the service tag "AzureCloud" for the Destination. This rule allows outbound communication for the components of Azure Bastion to talk to each other.
  3. Azure Cloud communication - Allow outbound on ports 5701 and 8080 for "Any" protocol. Use "VirtualNetwork" for the Source and also the service tag "VirtualNetwork" for the Destination. This rule is required for Azure Bastion to send diagnostics logs, metering logs, and other information to various public endpoints within the Azure cloud.
  4. Internet communication - Allow outbound on port 80 for "Any" protocol. Use "Any" for the Source and the service tag "Internet" for the Destination. This rule is required for session and certificate validation.
Outbound for the Azure Bastion Subnet

Inbound rules for the Target VM's NSG

Note: These are the rules for the Inbound or Ingress communication for the Target VM that you will RDP or SSH to via the Bastion host. These are applied to the NSG for the subnet of the Target VM or directly to the network interface card of the VM.

You will need to allow ports 3389 (RDP) and 22 (SSH) inbound on the target VM. This needs to be allowed for the Bastion host to be able to make the RDP and SSH connections respectively to the target VM.

Note

  1. You don't need both ports, i.e. 3389 (RDP) and 22 (SSH). You should limit it to one of them based on the operating system within the VM. For Windows VMs you will select port 3389, and for Linux VMs you will select port 22. This is shown as number 4 in the below screenshot.
  2. You should update the Source IP address range to the address range of the Bastion subnet, i.e. the "AzureBastionSubnet" subnet only. This is shown as number 5 in the below screenshot.
Inbound for the Target VM
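As an added example that is not part of the original post, the following Python script builds the three rule sets described above (Bastion subnet inbound, Bastion subnet outbound, and the target VM inbound rule) as ARM-template `securityRules` entries, numbers the priorities with the gap of 10 recommended above, and checks that the target VM rule is scoped to the Bastion subnet rather than "Any". The rule names, the `10.0.1.0/26` Bastion subnet prefix and the helper function names are assumptions; the service tags, ports and protocols are the ones listed in this post.

```python
"""Build the Azure Bastion NSG rule set from this post as ARM securityRules.

Added example, not from the original post. Assumptions: rule names and the
Bastion subnet prefix are constructed; property names follow the ARM
Microsoft.Network/networkSecurityGroups securityRules schema.
"""
import json

# Constructed placeholder: replace with your AzureBastionSubnet address range.
BASTION_SUBNET_PREFIX = "10.0.1.0/26"
PRIORITY_START, PRIORITY_STEP = 100, 10  # leave a gap of 10 between rules


def rule(name, direction, protocol, ports, src, dst):
    """One NSG rule in ARM securityRules shape (priority assigned later).

    protocol: "Tcp" or "*" (Any). src/dst: a service tag, a CIDR, or "*" (Any).
    """
    props = {
        "direction": direction,
        "access": "Allow",
        "protocol": protocol,
        "sourceAddressPrefix": src,
        "sourcePortRange": "*",
        "destinationAddressPrefix": dst,
    }
    ports = [str(p) for p in ports]
    if len(ports) == 1:
        props["destinationPortRange"] = ports[0]
    else:
        props["destinationPortRanges"] = ports
    return {"name": name, "properties": props}


def assign_priorities(rules, start=PRIORITY_START, step=PRIORITY_STEP):
    """Number rules per direction in list order, leaving `step` between them."""
    next_priority = {}
    for r in rules:
        d = r["properties"]["direction"]
        r["properties"]["priority"] = next_priority.get(d, start)
        next_priority[d] = r["properties"]["priority"] + step
    return rules


def bastion_subnet_rules():
    """The four inbound and four outbound rules for the AzureBastionSubnet NSG."""
    rules = [
        rule("AllowHttpsInbound", "Inbound", "Tcp", [443], "Internet", "*"),
        rule("AllowGatewayManagerInbound", "Inbound", "Tcp", [443], "GatewayManager", "*"),
        rule("AllowLoadBalancerInbound", "Inbound", "Tcp", [443], "AzureLoadBalancer", "*"),
        rule("AllowBastionHostCommInbound", "Inbound", "*", [5701, 8080], "VirtualNetwork", "VirtualNetwork"),
        rule("AllowSshRdpOutbound", "Outbound", "*", [22, 3389], "*", "VirtualNetwork"),
        rule("AllowAzureCloudOutbound", "Outbound", "Tcp", [443], "*", "AzureCloud"),
        rule("AllowBastionHostCommOutbound", "Outbound", "*", [5701, 8080], "VirtualNetwork", "VirtualNetwork"),
        rule("AllowSessionInfoOutbound", "Outbound", "*", [80], "*", "Internet"),
    ]
    return assign_priorities(rules)


def target_vm_rules(os_type, bastion_prefix=BASTION_SUBNET_PREFIX):
    """One inbound rule on the target VM: a single port per OS, source = Bastion subnet only."""
    port = 3389 if os_type.lower() == "windows" else 22
    return assign_priorities([rule("AllowBastionInbound", "Inbound", "Tcp", [port], bastion_prefix, "*")])


def check_priorities(rules, step=PRIORITY_STEP):
    """Return problems: priority outside the Azure custom-rule range 100-4096,
    duplicate priorities, or two rules in one direction closer than `step`."""
    problems, by_direction = [], {}
    for r in rules:
        p = r["properties"]
        if not 100 <= p["priority"] <= 4096:
            problems.append(f"{r['name']}: priority {p['priority']} outside 100-4096")
        by_direction.setdefault(p["direction"], []).append(p["priority"])
    for direction, prios in by_direction.items():
        prios.sort()
        for a, b in zip(prios, prios[1:]):
            if b - a < step:
                problems.append(f"{direction}: priorities {a} and {b} are less than {step} apart")
    return problems


def check_target_vm_rule(r):
    """Flag a target VM RDP/SSH rule whose source is wider than the Bastion subnet."""
    src = r["properties"]["sourceAddressPrefix"]
    if src in ("*", "Internet", "VirtualNetwork"):
        return [f"{r['name']}: source '{src}' should be the AzureBastionSubnet range"]
    return []


def to_arm_json(rules):
    """Serialize the rules as the value of an ARM NSG 'securityRules' property."""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    bastion = bastion_subnet_rules()
    vm = target_vm_rules("windows")
    if check_priorities(bastion) or check_target_vm_rule(vm[0]):
        raise SystemExit("rule set has problems")
    print(to_arm_json(bastion + vm))
```

The two check functions are the part worth keeping in a pipeline: the priority check catches rules that silently shadow each other, and the source check catches the common mistake of leaving the target VM's RDP/SSH rule open to "Any" after the Bastion host is in place.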

You can read more about these in the official documentation here: Working with NSG access and Azure Bastion
