Securely manage remote connectivity at scale

Security is paramount when users and administrators connect to cloud services. As companies continue to move mission-critical applications to the cloud, the need for secure, scalable, and reliable public remote connectivity and jumpbox services grows. With this shift, organizations are moving away from exposing public IP addresses on the virtual machines (VMs) and cloud infrastructure on which their applications run, and instead relying on managed Jumpbox services to provide user connectivity. At a minimum, remote connectivity and managed jumpbox services must provide four core functions:

  1. Secure public access that minimizes the exposure of public IP addresses and entry points to the target applications.
  2. A single deployment that manages connectivity across local or peered virtual (private) networks.
  3. Infrastructure scaling functions that manage the number of simultaneous remote connections.
  4. Metrics, monitoring and alerts for the infrastructure that provides remote connectivity.

Secure public access

Traditional (local) Jumpbox solutions are often deployed in a semi-trusted management network. This network is separate from the local network that contains the application services and private endpoints. The public IP address of the Jumpbox solution is defined in the management network, and connectivity to applications and private endpoints in the local target network is enabled via a Virtual Private Network (VPN) solution. Users connect to the private IP address of the Jumpbox solution in the management network and establish remote connectivity to the target application over the VPN connection. Alternatively, some companies host applications on the management network, assign public IP addresses to the VMs that host the target applications, and let users make Remote Desktop Protocol (RDP) and Secure Shell (SSH) connections directly to the application. However, this approach expands the potential attack surface by exposing a public IP address on every VM that requires remote user connectivity. Ultimately, trustworthy and secure access to corporate workloads is critical.

Azure Bastion is a fully managed Jumpbox-as-a-Service that provides secure RDP and SSH connectivity for VMs deployed on any local or peered Azure virtual network. Remote connectivity is established directly from the Azure portal via a TLS (Transport Layer Security) connection to the public IP address of Azure Bastion. From there, Azure Bastion sets up RDP and SSH sessions with the private IP address of the target VMs in the local or peered virtual network. As customers deploy additional VMs in their virtual networks, Azure Bastion facilitates remote connectivity to both the existing and newly configured VMs using a single public IP address. In addition, customers can configure network security groups (NSGs) to restrict inbound public access to the Azure Bastion public IP address, creating a more secure access perimeter.
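The access perimeter described above can be checked mechanically. The following added example (not code from the post or from Azure) models NSG inbound rules, including Azure's default VNet-allow and deny-all rules, and reports any VM whose RDP/SSH ports are reachable from the Internet or not reachable from the Bastion subnet; the Bastion subnet address and the sample rule sets are constructed assumptions.

```python
# Added example, not Azure's or the post's code: audit NSG rules for Bastion-only RDP/SSH.
from dataclasses import dataclass
from ipaddress import ip_network

BASTION_SUBNET = "10.0.1.0/26"  # assumed hub subnet hosting Azure Bastion (constructed)
@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number wins, as in Azure NSGs
    access: str        # "Allow" or "Deny"
    source: str        # CIDR, "*", or a service tag such as "Internet"
    ports: frozenset   # destination ports; None means any port
# Azure's built-in default inbound rules sit behind every custom rule.
DEFAULT_RULES = (Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", None),
                 Rule("DenyAllInBound", 65500, "Deny", "*", None))
def source_matches(rule_source, probe):
    """Does the rule's source cover the probe (a CIDR or the 'Internet' tag)?"""
    if rule_source in ("*", "0.0.0.0/0", probe):
        return True
    try:
        net = ip_network(probe)
    except ValueError:          # probe is the 'Internet' tag, not an address
        return False
    if rule_source == "VirtualNetwork":
        return net.is_private   # approximation: VNet/peered space is RFC 1918
    try:
        return net.subnet_of(ip_network(rule_source))
    except ValueError:          # rule source is some other service tag
        return False
def inbound_allowed(rules, port, probe):
    """The first matching rule by priority decides, as the NSG engine does."""
    for r in sorted(tuple(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if (r.ports is None or port in r.ports) and source_matches(r.source, probe):
            return r.access == "Allow"
    return False
def audit(nsg_name, rules):
    """Findings: management ports open to the Internet, or closed to Bastion."""
    findings = []
    for port, proto in ((3389, "RDP"), (22, "SSH")):
        if inbound_allowed(rules, port, "Internet"):
            findings.append(f"{nsg_name}: {proto}/{port} reachable from Internet")
        if not inbound_allowed(rules, port, BASTION_SUBNET):
            findings.append(f"{nsg_name}: {proto}/{port} blocked from Bastion subnet")
    return findings

# Constructed samples: a VM exposed directly versus one reachable only via Bastion.
LEGACY_NSG = (Rule("allow-rdp-anywhere", 100, "Allow", "Internet", frozenset({3389})),)
HARDENED_NSG = (Rule("allow-mgmt-from-bastion", 100, "Allow", BASTION_SUBNET, frozenset({22, 3389})),
                Rule("deny-mgmt-elsewhere", 200, "Deny", "*", frozenset({22, 3389})))
```

Feeding real NSG rules exported from the portal or CLI into `audit()` turns the post's "single public IP address" promise into a verifiable property of each application subnet.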

Single deployment that manages connectivity across local or peered virtual networks

Modern organizations often use a hub-and-spoke topology when building application services. This type of architecture centralizes the management of Network Virtual Appliances (NVAs) and Jumpbox services in a hub network, and applications are deployed in connected spoke networks. The application traffic then traverses the hub network before reaching the destination spoke application.

With Azure Bastion and Virtual Network Peering, customers can continue to provide remote connectivity through a hub-and-spoke architecture in Azure. In particular, customers can deploy Azure Bastion in a hub virtual network and place application VMs in the spoke networks. Once the customer has configured virtual network peering between the hub and spoke networks, Azure Bastion can provide RDP and SSH connectivity both to VMs in the local hub virtual network and, via the peering, to VMs in the application spoke networks.

Hub-and-spoke network architecture.

Infrastructure scaling functions

One of the main reasons organizations are moving mission-critical workloads to the cloud is to leverage Platform-as-a-Service (PaaS) infrastructure scaling capabilities. In particular, with the click of a button, customers can scale the infrastructure up or down to meet any increase in demand or traffic to their applications. Also, as customers deploy additional applications on spoke networks, the traffic that traverses the hub network increases. Therefore, the infrastructure that hosts NVAs and Jumpbox services deployed on the hub network must be scalable to serve the additional workload(s).

Azure Bastion now supports manual host scaling. When customers deploy a Standard Azure Bastion, they can configure between 2 and 50 scale units. In addition, customers can manage the number of instances on the Azure Bastion configuration page after the resource has been created. RDP and SSH are usage-based protocols. Depending on the number of concurrent sessions and the workload of each session, customers may need to scale out to additional instances to provide application connectivity. In particular, if customers either deploy additional applications to the spoke network(s) or connect additional spoke networks to the hub network, they may need to scale up host instances to maintain Azure Bastion connectivity. Ultimately, its support for both virtual network peering and host scaling enables Azure Bastion to manage remote connectivity at scale.

Metrics, monitoring and alerts

Another important benefit of cloud services is real-time metrics, monitoring and alerts on the performance, availability and traffic of Infrastructure-as-a-Service (IaaS) and PaaS resources. Organizations often monitor and enable custom notifications on metrics within these three categories to proactively identify performance issues – and more importantly, to scale infrastructure services as application needs grow before potential outages occur.

With Azure Bastion and Azure Monitor, customers can enable alerts on availability, performance, and traffic metrics. With these features, customers can monitor central processing unit (CPU) utilization, memory usage, and session count, broken down by host instance, to assess when to scale up host instances.
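The per-host-instance metrics above only become actionable once they are turned into a scale-unit decision. The following added example (not code from the post or from Azure) sizes the fleet from total CPU, memory and session demand, clamps the result to the 2 to 50 scale-unit range the post states, and applies a small hysteresis so that a one-unit dip does not trigger a scale-down; the per-instance targets, headroom and metric snapshots are constructed assumptions.

```python
# Added example, not Azure's or the post's code: turn per-host-instance Bastion
# metrics into a scale-unit recommendation. Targets and samples are constructed.
import math

MIN_UNITS, MAX_UNITS = 2, 50           # Standard SKU range stated in the post
TARGET = {"cpu_pct": 60.0, "mem_pct": 70.0, "sessions": 20}  # assumed per instance
HEADROOM = 0.8      # size the fleet so each instance sits at 80% of its target
HYSTERESIS = 1      # ignore scale-down proposals that save only this many units

def units_needed(per_instance):
    """Return {metric: instances required} from total demand across instances."""
    return {m: math.ceil(sum(inst[m] for inst in per_instance.values()) / (lim * HEADROOM))
            for m, lim in TARGET.items()}

def recommend_units(per_instance):
    """per_instance maps instance name -> {cpu_pct, mem_pct, sessions} sample.
    Returns (recommended_scale_units, reason)."""
    current = len(per_instance)
    if current == 0:
        raise ValueError("no host instance metrics reported")
    needed = units_needed(per_instance)
    driver = max(needed, key=needed.get)        # the metric demanding most capacity
    target_units = max(MIN_UNITS, min(MAX_UNITS, needed[driver]))
    if target_units > current:
        return target_units, f"scale up: {driver} needs {needed[driver]} instances"
    if target_units < current - HYSTERESIS:
        return target_units, f"scale down: {driver} needs only {needed[driver]}"
    return current, "hold"

# Constructed metric snapshots (one sample per host instance).
BUSY = {f"host-{i}": s for i, s in enumerate([
    {"cpu_pct": 55, "mem_pct": 40, "sessions": 18},
    {"cpu_pct": 70, "mem_pct": 45, "sessions": 22},
    {"cpu_pct": 80, "mem_pct": 50, "sessions": 25},
    {"cpu_pct": 50, "mem_pct": 42, "sessions": 19}])}
IDLE = {f"host-{i}": {"cpu_pct": 10, "mem_pct": 20, "sessions": 2} for i in range(10)}
```

In practice the input dict would be filled from the Azure Monitor metrics the post lists, and the returned unit count would drive the manual host-scaling change on the Bastion configuration page.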

For a full list of supported metrics, see Configure monitoring and metrics for Azure Bastion using Azure Monitor.

Monitoring and metrics for Azure Bastion in Azure Monitor.

Deploy, manage and monitor the infrastructure with just one click

With these changes to Azure Bastion, customers can now reliably manage secure remote connectivity to large-scale applications. As companies continue to move production workloads to the cloud, it is imperative that cloud providers invest in PaaS offerings that expose the underlying platform benefits to customers. Ultimately, organizations should be able to provision, manage, and monitor infrastructure with one click – and redirect the effort previously spent on infrastructure management to application development.

For more information on the new Azure Bastion Standard SKU and host scaling capabilities, see the Azure Bastion documentation.
