Azure Bastion: Secure RDP/SSH Without Public IPs for Small Business in Berlin
Every Azure virtual machine with a public IP address and an open RDP or SSH port is a target. Credential stuffing attacks against exposed RDP (port 3389) are continuous — automated scanners identify open RDP endpoints globally within minutes of provisioning. Azure Bastion eliminates this attack surface entirely by removing the need for public IPs on Azure VMs. Instead of connecting directly to a VM over the public internet, administrators connect through the Azure portal or a native client over HTTPS (port 443), and Bastion proxies the RDP or SSH session to the VM’s private IP address inside the virtual network. The VM has no public IP, no open RDP or SSH port, and is not reachable from the internet — only from inside the virtual network, through Bastion.
Architecture: How Azure Bastion Works
Azure Bastion is a fully managed PaaS service deployed into a dedicated subnet (AzureBastionSubnet) inside your virtual network. The subnet must be at minimum /26 (64 addresses). With the Standard SKU, a Bastion host deployed in one virtual network can also serve VMs in peered virtual networks; the Basic SKU is limited to VMs in the same VNet. The TLS connection from the administrator’s browser terminates at the Bastion host; Bastion then establishes an RDP or SSH connection to the target VM over the private IP. No agent is required on the VM. No additional software is required on the administrator’s workstation — any modern browser works.
Azure Bastion SKU Comparison
| Feature | Basic SKU | Standard SKU |
|---|---|---|
| RDP/SSH via browser | ✓ | ✓ |
| Native client (RDP app / SSH CLI) | ✕ | ✓ |
| VNet peering connectivity | Same VNet only | Peered VNets (shareable Bastion) |
| Concurrent sessions | 2 | 2–50 (scalable) |
| File transfer (RDP) | ✕ | ✓ |
| Copy/paste | ✓ | ✓ |
| Azure Private Link integration | ✕ | ✓ |
| IP-based connection (without VM) | ✕ | ✓ |
| Approximate monthly cost (eu-west) | ~€125/month | ~€250/month base |
Deploying Azure Bastion
- Create the AzureBastionSubnet: In the Azure portal, navigate to your Virtual Network → Subnets → Add subnet. Name it exactly AzureBastionSubnet (the name is mandatory). Set the address range to a minimum /26. Do not deploy any other resources into this subnet.
- Create a Public IP for Bastion: Bastion itself requires a Standard SKU public IP (for the admin-to-Bastion TLS connection). This is the only public IP in the architecture — it does not expose RDP or SSH ports, only HTTPS/443. Create a Standard SKU static public IP in the same region as your VNet.
- Deploy the Bastion host: In the Azure portal, search for Bastion → Create. Select your subscription, resource group, region, VNet, and the AzureBastionSubnet. Attach the public IP. Select the SKU (Basic or Standard depending on requirements). Deployment takes 5–10 minutes.
- Remove public IPs from VMs: After Bastion is deployed, disassociate public IP addresses from all VMs that only need administrative access. Update Network Security Group (NSG) rules to remove inbound RDP (3389) and SSH (22) rules from the internet. Verify that VMs remain reachable via Bastion before deleting the public IPs.
- Connect to a VM via Bastion: In the Azure portal, navigate to the VM → Connect → Bastion. Enter credentials (or use Azure AD login with the AAD extension). The RDP or SSH session opens in a browser tab. No VPN, no jump host, no public IP required.
- Configure Just-In-Time (JIT) VM Access (optional but recommended): For additional access control, enable Microsoft Defender for Cloud Just-In-Time VM Access. JIT blocks all management ports by default and opens them only when an authorised request is made, for a time-limited window, to a specific source IP. Combining JIT with Bastion means even the internal RDP path is time-gated — a defence-in-depth layer against lateral movement inside the VNet.
- Configure RBAC for Bastion: Assign the Virtual Machine Administrator Login or Virtual Machine User Login role (for Azure AD-based VM login) to administrators who need Bastion access. Restrict who can initiate Bastion sessions via Azure RBAC on the Bastion resource itself.
NSG Rules for the AzureBastionSubnet
Bastion requires specific NSG rules on the AzureBastionSubnet to function. Inbound: allow HTTPS (443) from the internet (admin browser connections) and allow GatewayManager (443) from the Azure control plane. Outbound: allow RDP (3389) and SSH (22) to the VirtualNetwork, allow AzureCloud (443) outbound for Bastion diagnostics. Block all other inbound and outbound traffic. These rules are well-documented in Azure Bastion NSG documentation and can be deployed as a Bicep or Terraform module for consistent environment replication.
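The deployment steps above and the NSG rules in this section can be captured in a single Bicep template so that every environment gets the same Bastion build. The template below is an added example written for this article; it is not code from the original page, from IT Experts Berlin, or from Microsoft. It assumes an existing virtual network named vnet-prod, the CIDR 10.0.255.0/26 for the Bastion subnet, and the resource names nsg-bastion, pip-bastion and bas-prod; all of these are placeholders. Besides the rules listed in the text, it includes the remaining rules Microsoft documents as required for Bastion (the AzureLoadBalancer probe, the 8080/5701 host-to-host ports and outbound 80 for certificate validation), because the explicit deny-all rules at priority 4000 would otherwise break the service. Removing public IPs from the target VMs and tightening their own NSGs is done separately, after verifying Bastion connectivity.

```bicep
// Added example (not from the original article): deploys AzureBastionSubnet,
// its NSG, a Standard static public IP and the Bastion host into an existing
// VNet. Names and address ranges are assumptions for illustration.
targetScope = 'resourceGroup'

@description('Existing virtual network that will host Bastion (assumed name)')
param vnetName string = 'vnet-prod'

@description('Address range for AzureBastionSubnet; /26 is the documented minimum')
param bastionSubnetPrefix string = '10.0.255.0/26'

@allowed(['Basic', 'Standard'])
param bastionSku string = 'Standard'

param location string = resourceGroup().location

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// Rule set for AzureBastionSubnet. The four rules described in the article
// plus the additional ones Microsoft documents as required for Bastion.
// Everything not listed is blocked by the deny-all rules at priority 4000.
var rules = [
  { name: 'AllowHttpsInbound', dir: 'Inbound', prio: 120, src: 'Internet', dst: '*', proto: 'Tcp', ports: ['443'], access: 'Allow' }
  { name: 'AllowGatewayManagerInbound', dir: 'Inbound', prio: 130, src: 'GatewayManager', dst: '*', proto: 'Tcp', ports: ['443'], access: 'Allow' }
  { name: 'AllowLoadBalancerInbound', dir: 'Inbound', prio: 140, src: 'AzureLoadBalancer', dst: '*', proto: 'Tcp', ports: ['443'], access: 'Allow' }
  { name: 'AllowBastionHostCommInbound', dir: 'Inbound', prio: 150, src: 'VirtualNetwork', dst: 'VirtualNetwork', proto: '*', ports: ['8080', '5701'], access: 'Allow' }
  { name: 'DenyAllInbound', dir: 'Inbound', prio: 4000, src: '*', dst: '*', proto: '*', ports: ['*'], access: 'Deny' }
  { name: 'AllowSshRdpOutbound', dir: 'Outbound', prio: 100, src: '*', dst: 'VirtualNetwork', proto: 'Tcp', ports: ['22', '3389'], access: 'Allow' }
  { name: 'AllowAzureCloudOutbound', dir: 'Outbound', prio: 110, src: '*', dst: 'AzureCloud', proto: 'Tcp', ports: ['443'], access: 'Allow' }
  { name: 'AllowBastionHostCommOutbound', dir: 'Outbound', prio: 120, src: 'VirtualNetwork', dst: 'VirtualNetwork', proto: '*', ports: ['8080', '5701'], access: 'Allow' }
  { name: 'AllowHttpOutbound', dir: 'Outbound', prio: 130, src: '*', dst: 'Internet', proto: 'Tcp', ports: ['80'], access: 'Allow' }
  { name: 'DenyAllOutbound', dir: 'Outbound', prio: 4000, src: '*', dst: '*', proto: '*', ports: ['*'], access: 'Deny' }
]

resource bastionNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-bastion'
  location: location
  properties: {
    securityRules: [for r in rules: {
      name: r.name
      properties: {
        priority: r.prio
        direction: r.dir
        access: r.access
        protocol: r.proto
        sourceAddressPrefix: r.src
        sourcePortRange: '*'
        destinationAddressPrefix: r.dst
        // Single port uses destinationPortRange; a list uses destinationPortRanges.
        // Properties set to null are omitted from the compiled template.
        destinationPortRange: length(r.ports) == 1 ? r.ports[0] : null
        destinationPortRanges: length(r.ports) > 1 ? r.ports : null
      }
    }]
  }
}

// The subnet name is mandatory; nothing else may be deployed into it.
resource bastionSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'AzureBastionSubnet'
  properties: {
    addressPrefix: bastionSubnetPrefix
    networkSecurityGroup: { id: bastionNsg.id }
  }
}

// The only public IP in the design: Standard SKU, static, HTTPS/443 only.
resource bastionPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-bastion'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource bastion 'Microsoft.Network/bastionHosts@2023-05-01' = {
  name: 'bas-prod'
  location: location
  sku: { name: bastionSku }
  properties: {
    // Native-client tunneling and file copy exist only on Standard.
    enableTunneling: bastionSku == 'Standard'
    enableFileCopy: bastionSku == 'Standard'
    ipConfigurations: [
      {
        name: 'bastionIpConfig'
        properties: {
          subnet: { id: bastionSubnet.id }
          publicIPAddress: { id: bastionPip.id }
        }
      }
    ]
  }
}

output bastionDnsName string = bastion.properties.dnsName
```

Deploy it with `az deployment group create --resource-group <rg> --template-file bastion.bicep`, and only then disassociate the VM public IPs and delete the inbound 3389/22 rules on the VM NSGs, as the procedure above describes. If the virtual network is itself managed by another template that declares its full subnet list, move the subnet definition into that template instead, or the two deployments will fight over the subnet.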
Bastion vs VPN for Remote VM Access
A common question from Berlin businesses running Azure VMs: should we use Bastion or a VPN gateway for admin access? The answer depends on the use case. Bastion is purpose-built for interactive RDP and SSH sessions to Azure VMs from any location, with no client software and no VPN infrastructure to manage. A VPN gateway provides broader network-level connectivity — useful if administrators also need to reach other resources on the VNet (databases, file shares, internal APIs) beyond just VM sessions. For VM-only admin access, Bastion is simpler, cheaper, and has a smaller attack surface. For broader hybrid connectivity, an ExpressRoute or VPN gateway is appropriate, and Bastion can complement it for the VM session use case specifically.
Cost and Operational Considerations
Azure Bastion Basic SKU runs approximately €125/month in European regions. For a small business with a handful of Azure VMs, this is typically offset by the elimination of one static public IP per VM (approximately €3–4/month each) and the operational cost of managing public-facing attack surface. The more significant cost avoidance is in incident response — a single ransomware event originating from an exposed RDP endpoint easily costs more than a year of Bastion subscriptions. Bastion should be evaluated as infrastructure insurance, not as an optional add-on.
For Berlin businesses running workloads in Azure, IT Experts Berlin deploys and configures Azure Bastion as a standard component of Azure infrastructure builds — alongside Key Vault, Azure Monitor, and Defender for Cloud — to ensure that no VM management surface is exposed to the public internet. Request a free IT assessment to review your current Azure network security posture.
