SudeshSharma-8729 asked CarlosdeSouzaJr-8499 answered

Azure Bastion vs Azure VPN Point-to-Site

Hey guys,
For securing access to an Azure VM, which one is better: Azure Bastion or Azure VPN Point-to-Site?

Tags: azure-virtual-network, azure-bastion

GitaraniSharmaMSFT-4262 answered VoonSengHong-0729 commented

Hello @SudeshSharma-8729,

It depends on your requirement.

The Azure Bastion service is a new fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address. Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH. With Azure Bastion, you connect to the virtual machine directly from the Azure portal. You don't need an additional client, agent, or piece of software.
Reference: https://docs.microsoft.com/en-us/azure/bastion/bastion-overview

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer. This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference.
With Point-to-Site, you can have other features/options such as connecting to a peered VNet without an additional gateway, App Service VNet Integration, using Azure Private Link to access services running in Azure from on-premises over the VPN tunnel, etc.
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-about
https://docs.microsoft.com/en-us/azure/app-service/web-sites-integrate-with-vnet
https://docs.microsoft.com/en-us/azure/private-link/private-link-overview

However, if your end goal is just to access your resources deployed in Azure, you could use the Azure Bastion solution instead of a VPN connection to get secure shell access (RDP or SSH) without requiring public IPs on the VMs being accessed.

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.

Please don't forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.



Hello @SudeshSharma-8729 ,

Any update on this post?

If the suggested response helped you resolve your issue, please don't forget to "Accept the answer" for the benefit of other community members.


Thanks,
Gita


Hello @SudeshSharma-8729 ,

Any update on this post?


Thanks,
Gita


From a security perspective, which one is more secure, Bastion or VPN?
If using Bastion, do we need to open the RDP port 3389? Or just 443?

Thank you.

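The answer above says Bastion removes the need for public IPs and open RDP/SSH ports on the VMs, and the comment asks whether 3389 still has to be opened; the following is an added example (mine, not code from either answer or from Microsoft) that models Azure NSG inbound evaluation and reports which admin ports each rule set leaves reachable from the Internet. The VNet range, the AzureBastionSubnet range and the probe address are constructed, and the Internet/VirtualNetwork service tags are simplified to address checks.

```python
import ipaddress
# Assumed addressing for the sample: VNet 10.0.0.0/16, AzureBastionSubnet 10.0.1.0/26.
VNET = ipaddress.ip_network("10.0.0.0/16")
BASTION_SUBNET = "10.0.1.0/26"
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = (22, 3389)

def source_matches(source, src_ip):
    """Match an NSG source field: '*' (any), the Internet/VirtualNetwork service tags, or a CIDR."""
    ip = ipaddress.ip_address(src_ip)
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return ip in VNET
    if source == "Internet":                      # simplified: any non-RFC1918 address
        return not any(ip in n for n in PRIVATE_NETS)
    return ip in ipaddress.ip_network(source)

def inbound_decision(rules, src_ip, port):
    """Azure semantics: rules are evaluated by ascending priority number; the first match wins."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if source_matches(r["source"], src_ip) and (r["ports"] is None or port in r["ports"]):
            return r["name"], r["access"]
    return None, "Deny"

def internet_exposed_admin_ports(rules, probe_ip="203.0.113.7"):
    """Admin ports a (constructed) Internet address could reach under this rule set."""
    return {p for p in ADMIN_PORTS if inbound_decision(rules, probe_ip, p)[1] == "Allow"}

def rule(name, priority, access, source, ports=None):
    return {"name": name, "priority": priority, "access": access, "source": source, "ports": ports}
# Azure's default inbound rules, reduced to the two that matter here.
DEFAULTS = [rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork"),
            rule("DenyAllInBound", 65500, "Deny", "*")]

# VM subnet NSG in the Bastion design: RDP/SSH only from AzureBastionSubnet. The explicit
# Internet deny at 110 keeps a later, higher-numbered Allow from re-exposing the ports.
VM_SUBNET_NSG = [rule("AllowAdminFromBastion", 100, "Allow", BASTION_SUBNET, set(ADMIN_PORTS)),
                 rule("DenyAdminFromInternet", 110, "Deny", "Internet", set(ADMIN_PORTS))] + DEFAULTS

# AzureBastionSubnet NSG, user-facing part only: TLS (443) from the Internet, never 22/3389.
# Bastion also needs its documented control-plane/data-plane rules, omitted here.
BASTION_SUBNET_NSG = [rule("AllowHttpsFromInternet", 120, "Allow", "Internet", {443})] + DEFAULTS

# Anti-pattern for comparison: a VM with a public IP and RDP opened to any source.
OPEN_RDP_NSG = [rule("AllowRdpFromAnywhere", 300, "Allow", "*", {3389})] + DEFAULTS

if __name__ == "__main__":
    for label, nsg in (("VM subnet", VM_SUBNET_NSG), ("Bastion subnet", BASTION_SUBNET_NSG), ("open RDP", OPEN_RDP_NSG)):
        print(label, "-> admin ports reachable from Internet:", sorted(internet_exposed_admin_ports(nsg)) or "none")
```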
CarlosdeSouzaJr-8499 answered

Hi, if you want to connect to a Linux VM you can try a Cloud Shell deployment in a VNet; this solution is based on Azure Relay tech, which can be very useful.

https://docs.microsoft.com/en-us/azure/cloud-shell/private-vnet


About Azure Bastion: depending on your security requirements, you may need to add "jump point VMs" in a DMZ to access the VM; otherwise you will expose the internal VM directly from a public address.


"...This is often due to protocol vulnerabilities. To contain this threat surface, you can deploy bastion hosts (also known as jump-servers) at the public side of your perimeter network..."

https://docs.microsoft.com/en-us/azure/bastion/bastion-overview
