
Using Azure Bastion Tunneling on Mac to Connect to Windows Servers

Recently, I wanted to prove out a scenario for using Azure Bastion to connect to an Azure Windows Server from my Mac. This turned out to be a simple task, but a few important principles were reinforced along the way. Before we get to the solution, let me describe the problem that led me here.


I had a customer that desperately needed to implement an Azure Landing Zone. An Azure Landing Zone is an Azure environment that adheres to eight design principles. You can find more information here: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/


While the Azure Landing Zone guidance helps the customer make informed decisions, it stops short of prescribing particular resources to achieve those goals, leaving the customer to choose what is best for their scenario. Many customers have a hybrid scenario; however, I find that some organizations prefer to start with cloud-only infrastructure and then either remain cloud-only and modernize their authentication patterns, or implement a hybrid infrastructure later. That is completely valid. Some of these customers, however, fall victim to lax practices, either because of a lack of cloud adoption maturity or a lack of understanding of the shared responsibility model the customer has with Azure. Microsoft provides the tools to help customers remain secure in Azure, but you do have to implement them according to best practices. One of the most common mistakes that I see is customers deploying their IaaS VMs with public IP addresses. Even with a Network Security Group in place, no organization with a mature security posture exposes management ports on servers in this fashion: a public IP with RDP or SSH allowed is an internet-facing attack surface for credential brute forcing and any future vulnerability in the service. Ideally, no one should do this.


Cue Azure Bastion, a managed service that you can use to access VMs in the same or a peered virtual network securely through the Azure portal or a native client, without putting a public IP address on the VM. In order to prove the scenario out for the customer, I created the following resources:


Here is a list of the resources pictured above:

  1. 2 virtual networks peered together.

  2. One Azure Bastion resource in a virtual network, Standard SKU (native client support requires Standard SKU or higher). Ensure that you select native client support on the configuration page of Azure Bastion. The public IP address is created for the Bastion host itself; the VM never gets one.

  3. One Windows virtual machine in the other network. Along with this comes the disk and NIC.

  4. (Optional) For the Azure Bastion subnet, an NSG configured with appropriate rules: https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg

  5. Another NSG for the virtual machine subnet, configured to allow inbound RDP (TCP 3389) only from the VirtualNetwork service tag, which covers peered virtual networks and therefore includes the Bastion subnet. Do not open 3389 to the Internet service tag; Bastion is the only intended path in.

The first virtual network, where Azure Bastion is provisioned, requires a subnet with a specific name (AzureBastionSubnet) and a minimum size (/26 or larger). You can find the technical details here: https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#subnet


Once we have the proper configuration described above, we turn to our local machines. You can access your virtual machine through the portal by clicking on the VM, then Connect in the left-hand menu, and selecting Azure Bastion from the available options. This is a great method; however, customers have clients that they prefer to use from their own machines. I, myself, use a Mac for work. So, how can I connect to my Windows Server from my local machine through Azure Bastion? There are not a lot of tutorials out there showing this specific option.


If you are connecting from a Mac or Linux client to a Windows server, or vice versa, then you will need to ensure that you are using the Azure Bastion Standard SKU with native client support enabled. The next step is to open a terminal window and create a tunnel from your machine to the Windows Server through Azure Bastion, using the az network bastion tunnel command. You must already be signed in with az login, and your account needs read access to the VM, its NIC, and the Bastion resource. From my Mac terminal, I ran:

az network bastion tunnel \
  --name "<Azure Bastion name>" \
  --resource-group "<Azure Bastion resource group>" \
  --target-resource-id "/subscriptions/<subscription ID>/resourceGroups/<target VM resource group>/providers/Microsoft.Compute/virtualMachines/<target VM name>" \
  --resource-port <target port on the VM: 3389 for RDP, 22 for SSH> \
  --port <local port on your machine>

The --port option can be any port that you choose; just ensure that it is not a well-known (privileged) port and is not currently in use on your machine. I used port 50022. The listener is created on your local machine only, and the tunnel stays open for as long as the command is running, so leave that terminal window open and press Ctrl-C when you are done to close it. Once I ran that command, I was met with a successful tunnel connection, displaying this message:

Now to choose a client to connect. On my Mac I use Microsoft Remote Desktop to connect to Windows Machines. Here are the connection settings for a new connection in the Remote Desktop app:

Yes, that's correct: you are connecting to the localhost address, using the local port that you specified with --port in the az network bastion tunnel command, 50022. The RDP session itself still authenticates with the VM's Windows credentials; the tunnel only replaces the network path. Once I enter the settings, I click on Save and then double-click on the newly created connection, and voilà! I have successfully and securely connected to my server in Azure without a risky public IP address on my VM:
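To tie the resource list and the tunnel step together, here is an added example script (not from the original post) that provisions the VM-subnet NSG rules and the Bastion host with native client support using the az CLI, and then opens the tunnel after checking that the chosen local port is unprivileged and not already listening. The resource group, VNet, VM and public IP names and the subscription ID are placeholders; set BASTION_DRY_RUN=1 to print the az commands instead of running them, and BASTION_RUN=1 to execute the end-to-end flow.

```shell
#!/usr/bin/env bash
# Added example, not the original post's code. All resource names below are
# placeholders (assumptions); adjust them to your environment.
set -eu

# Wrapper so the flow can be rehearsed without touching Azure:
# BASTION_DRY_RUN=1 prints each az command instead of executing it.
az_run() {
  if [ "${BASTION_DRY_RUN:-0}" = 1 ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

# Build the ARM resource ID that --target-resource-id expects.
vm_resource_id() {   # <subscription id> <vm resource group> <vm name>
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s' \
    "$1" "$2" "$3"
}

# Local listener port for the tunnel: reject non-numeric input, privileged or
# out-of-range ports, and ports that already have a listener (lsof, if present).
check_local_port() {
  local port="$1"
  case "$port" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1;; esac
  if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
    echo "use an unprivileged port (1024-65535), not $port" >&2; return 1
  fi
  if command -v lsof >/dev/null 2>&1 && lsof -nP -iTCP:"$port" -sTCP:LISTEN >/dev/null 2>&1; then
    echo "port $port is already in use" >&2; return 1
  fi
  return 0
}

# VM-subnet NSG (resource list item 5): allow RDP only from inside the
# (peered) virtual networks, and explicitly deny RDP from the Internet.
# Bastion lives in a peered VNet, which the VirtualNetwork service tag covers.
vm_subnet_nsg_rules() {   # <resource group> <nsg name>
  az_run network nsg rule create --resource-group "$1" --nsg-name "$2" \
    --name AllowRdpFromVnet --priority 100 --direction Inbound --access Allow \
    --protocol Tcp --source-address-prefixes VirtualNetwork \
    --destination-address-prefixes '*' --destination-port-ranges 3389
  az_run network nsg rule create --resource-group "$1" --nsg-name "$2" \
    --name DenyRdpFromInternet --priority 110 --direction Inbound --access Deny \
    --protocol Tcp --source-address-prefixes Internet \
    --destination-address-prefixes '*' --destination-port-ranges 3389
}

# Bastion host (resource list item 2): Standard SKU with tunneling (native
# client support) enabled. The public IP belongs to Bastion, never to the VM.
# The VNet must already contain an AzureBastionSubnet of /26 or larger.
create_bastion() {   # <resource group> <bastion name> <vnet name> <public ip name>
  az_run network public-ip create --resource-group "$1" --name "$4" \
    --sku Standard --allocation-method Static
  az_run network bastion create --resource-group "$1" --name "$2" \
    --vnet-name "$3" --public-ip-address "$4" --sku Standard --enable-tunneling true
}

# Open the tunnel: local <port> -> Bastion -> VM:<remote port> (3389 by default).
# The command blocks while the tunnel is up; point your RDP client at
# localhost:<port> from another window, and Ctrl-C here to close it.
open_tunnel() {   # <bastion rg> <bastion name> <vm resource id> <local port> [remote port]
  check_local_port "$4"
  az_run network bastion tunnel --resource-group "$1" --name "$2" \
    --target-resource-id "$3" --resource-port "${5:-3389}" --port "$4"
}

# End-to-end flow, only when explicitly requested (BASTION_RUN=1).
if [ "${BASTION_RUN:-0}" = 1 ]; then
  SUB_ID="00000000-0000-0000-0000-000000000000"   # placeholder subscription ID
  vm_subnet_nsg_rules rg-workload nsg-workload
  create_bastion rg-hub bastion-hub vnet-hub pip-bastion-hub
  open_tunnel rg-hub bastion-hub "$(vm_resource_id "$SUB_ID" rg-workload vm-win01)" 50022
fi
```

The deny rule is there on purpose even though the default NSG rules already block inbound Internet traffic: an explicit deny survives someone later adding a broad allow at a lower priority number by mistake, and it shows up clearly in audits.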



