Azure Bastion with Secured Virtual Hub

Chia-Chun Shih 1 Reputation point
2021-11-20T10:27:52.557+00:00

We would like to build a shared Bastion service, where VNET peering is based on a secured virtual hub.

So, we built two virtual networks, one for Bastion and the other for VMs. The two virtual networks are peered through a secured virtual hub. We also referred to the NSG rules to configure the firewall to allow communication between the two virtual networks on ports 22, 3389, 5701, and 8080. But it still doesn't work.

How could Bastion work with secured virtual hub?
Thanks.

Tags: Azure Virtual WAN, Azure Bastion

2 answers

  1. Steve Down 96 Reputation points
    2022-04-06T15:09:39.31+00:00

    @ChaitanyaNaykodi-MSFT - your answer suggests placing the Bastion in the Hub VNet. That would require adding an AzureBastionSubnet to it. You can't add a subnet without a VNet, and the VNet of a hub is not exposed - it's internally managed - so how would one place a Bastion service in the Hub?

    1 person found this answer helpful.

  2. ChaitanyaNaykodi-MSFT 21,651 Reputation points Microsoft Employee
    2021-11-23T18:58:16.32+00:00

    Hello @Chia-Chun Shih, thank you for reaching out, and apologies for the delayed response here. If I have understood the question correctly, you have a hub-and-spoke architecture where one spoke VNET has the Bastion host and the other spoke VNET has the VMs. The Hub VNET is secured using Azure Firewall.

    If my understanding of the question is correct: as per the FAQ documentation here, UDR is not supported on an Azure Bastion subnet, so you can only use Bastion for VNETs that are directly peered. The solution in this scenario will be to either move the Bastion host to the Hub VNET or peer the spoke VNETs together. Additionally, you don't need to force traffic from an Azure Bastion subnet to Azure Firewall, because the communication between Azure Bastion and your VMs is private.

    Hope this helps. Please let me know if you have any additional questions here I will be glad to continue with our discussion. Thank you!

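The "peer the spoke VNETs together" fix from this answer, written out with Az PowerShell as an added example (it is not code from the thread or from Microsoft). The resource group, region, VNet names and the peering names are assumptions; the NSG rule set attached to AzureBastionSubnet is the one Azure Bastion's documentation requires for its control plane (443 from Internet, GatewayManager and AzureLoadBalancer) and data plane (8080 and 5701 inside the VNet, 22 and 3389 out to the VNet), which matches the ports listed in the question.

```powershell
# Added example, not from the thread. Names, region and addressing are assumptions.
$rg       = 'rg-bastion-demo'     # assumed resource group
$location = 'westeurope'          # assumed region

# --- 1. NSG for AzureBastionSubnet (rules Bastion needs; the subnet name is fixed by the service) ---
$rules = @(
  # Inbound: users reach the Bastion public IP over 443; the service control plane arrives via GatewayManager/AzureLoadBalancer
  New-AzNetworkSecurityRuleConfig -Name 'AllowHttpsInbound'             -Priority 120 -Direction Inbound  -Access Allow -Protocol Tcp -SourceAddressPrefix Internet          -SourcePortRange '*' -DestinationAddressPrefix '*'            -DestinationPortRange 443
  New-AzNetworkSecurityRuleConfig -Name 'AllowGatewayManagerInbound'    -Priority 130 -Direction Inbound  -Access Allow -Protocol Tcp -SourceAddressPrefix GatewayManager    -SourcePortRange '*' -DestinationAddressPrefix '*'            -DestinationPortRange 443
  New-AzNetworkSecurityRuleConfig -Name 'AllowAzureLoadBalancerInbound' -Priority 140 -Direction Inbound  -Access Allow -Protocol Tcp -SourceAddressPrefix AzureLoadBalancer -SourcePortRange '*' -DestinationAddressPrefix '*'            -DestinationPortRange 443
  # Inbound: Bastion instances talk to each other on 8080/5701
  New-AzNetworkSecurityRuleConfig -Name 'AllowBastionHostCommunication' -Priority 150 -Direction Inbound  -Access Allow -Protocol '*' -SourceAddressPrefix VirtualNetwork    -SourcePortRange '*' -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 8080,5701
  # Outbound: SSH/RDP to the target VMs (VirtualNetwork tag covers directly peered VNets, which is why the direct peering below matters)
  New-AzNetworkSecurityRuleConfig -Name 'AllowSshRdpOutbound'           -Priority 100 -Direction Outbound -Access Allow -Protocol '*' -SourceAddressPrefix '*'               -SourcePortRange '*' -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 22,3389
  New-AzNetworkSecurityRuleConfig -Name 'AllowAzureCloudOutbound'       -Priority 110 -Direction Outbound -Access Allow -Protocol Tcp -SourceAddressPrefix '*'               -SourcePortRange '*' -DestinationAddressPrefix AzureCloud     -DestinationPortRange 443
  New-AzNetworkSecurityRuleConfig -Name 'AllowBastionCommunication'     -Priority 120 -Direction Outbound -Access Allow -Protocol '*' -SourceAddressPrefix VirtualNetwork    -SourcePortRange '*' -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 8080,5701
  New-AzNetworkSecurityRuleConfig -Name 'AllowGetSessionInformation'    -Priority 130 -Direction Outbound -Access Allow -Protocol '*' -SourceAddressPrefix '*'               -SourcePortRange '*' -DestinationAddressPrefix Internet       -DestinationPortRange 80
)
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-bastion' -ResourceGroupName $rg -Location $location -SecurityRules $rules

# Attach the NSG to AzureBastionSubnet, keeping the subnet's existing address prefix. No route table is set on this subnet:
# UDRs are not supported there, so the hub's Azure Firewall cannot sit in the Bastion-to-VM path.
$bastionVnet = Get-AzVirtualNetwork -Name 'vnet-bastion' -ResourceGroupName $rg     # assumed VNet name
$subnet      = Get-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -VirtualNetwork $bastionVnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $bastionVnet -Name 'AzureBastionSubnet' -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$bastionVnet = $bastionVnet | Set-AzVirtualNetwork

# --- 2. Direct peering between the Bastion spoke and the VM spoke, in both directions ---
$vmVnet = Get-AzVirtualNetwork -Name 'vnet-vms' -ResourceGroupName $rg              # assumed VNet name
Add-AzVirtualNetworkPeering -Name 'bastion-to-vms' -VirtualNetwork $bastionVnet -RemoteVirtualNetworkId $vmVnet.Id      | Out-Null
Add-AzVirtualNetworkPeering -Name 'vms-to-bastion' -VirtualNetwork $vmVnet      -RemoteVirtualNetworkId $bastionVnet.Id | Out-Null

# --- 3. Check: both peerings must report PeeringState = Connected before Bastion can reach the VMs ---
Get-AzVirtualNetworkPeering -VirtualNetworkName 'vnet-bastion' -ResourceGroupName $rg | Select-Object Name, PeeringState
Get-AzVirtualNetworkPeering -VirtualNetworkName 'vnet-vms'     -ResourceGroupName $rg | Select-Object Name, PeeringState
```

The existing hub connections stay in place for everything else; the direct spoke-to-spoke peering only carries the Bastion-to-VM sessions, and the VM subnet's own NSG still has to allow inbound 22 and 3389 from the AzureBastionSubnet address range (the default AllowVnetInBound rule does so unless a higher-priority rule denies it). If the peering is reported as Initiated rather than Connected on either side, the reverse peering has not been created yet.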