What is Azure Bastion?

Azure Bastion is a service you deploy that lets you connect to a virtual machine from your browser through the Azure portal. It is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect through Azure Bastion, your virtual machines need no public IP address, no agent, and no special client software.

Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world while still providing access over RDP/SSH.

Architecture

Azure Bastion deployment is per virtual network, not per subscription/account or per virtual machine. Once you provision an Azure Bastion service in your virtual network, the RDP/SSH experience is available to all of your VMs in the same virtual network.

RDP and SSH are the fundamental means of connecting to workloads running in Azure. Exposing RDP/SSH ports to the Internet is undesirable and is regarded as a significant threat surface, largely because of vulnerabilities in those protocols and their implementations, and because an exposed port is a direct target for credential attacks. To contain this threat surface, you can deploy bastion hosts (also known as jump servers) at the public side of your perimeter network. Bastion host servers are designed and configured to withstand attacks. Bastion servers also provide RDP and SSH connectivity to the workloads sitting behind the bastion, and further inside the network.

Figure: Azure Bastion architecture

This figure shows the architecture of an Azure Bastion deployment. In this diagram:

  • The Bastion host is deployed in the virtual network, in a subnet named AzureBastionSubnet with a minimum /27 prefix.
  • The user connects to the Azure portal using any HTML5 browser.
  • The user selects the virtual machine to connect to.
  • With a single click, the RDP/SSH session opens in the browser.
  • No public IP is required on the Azure VM.

Key features

The following features are available:

  • RDP and SSH directly in the Azure portal: You get to the RDP or SSH session directly in the Azure portal with a single-click, seamless experience.
  • Remote session over TLS and firewall traversal for RDP/SSH: Azure Bastion uses an HTML5-based web client that is streamed to your local device automatically, so your RDP/SSH session runs over TLS on port 443 and traverses corporate firewalls without extra ports being opened.
  • No public IP required on the Azure VM: Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using the VM's private IP. You don't need a public IP on your virtual machine.
  • No hassle of managing NSGs: Azure Bastion is a fully managed PaaS service from Azure that is hardened internally to provide secure RDP/SSH connectivity. You don't need to apply any NSGs to the Azure Bastion subnet. Because Azure Bastion reaches your virtual machines over their private IPs, you can configure the NSGs on your workload subnets to allow RDP/SSH from the Azure Bastion subnet only, and you no longer need to adjust NSG rules each time someone needs to connect securely to a virtual machine.
  • Protection against port scanning: Because you don't need to expose your virtual machines to the public Internet, your VMs are protected against port scanning by rogue and malicious users located outside your virtual network.
  • Protection against zero-day exploits, with hardening in one place only: Azure Bastion is a fully platform-managed PaaS service. Because it sits at the perimeter of your virtual network, you don't need to expose and individually harden RDP/SSH on each virtual machine in the virtual network. The Azure platform keeps Azure Bastion hardened and always up to date for you, which is what protects against zero-day exploits in the exposed endpoint.
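The following script is an added example and is not part of the Azure documentation or of Azure Bastion itself. It turns the architecture and NSG points above into an Azure CLI procedure: an offline check that the subnet meets the two stated requirements (exact name AzureBastionSubnet, prefix /27 or larger), the creation of the Bastion subnet, public IP and host, and NSG rules on the workload subnet that admit TCP 22 and 3389 only from the Bastion subnet's address range. The resource group, VNet, NSG, region and address prefix are assumptions; the `az` commands run only when you opt in with `BASTION_APPLY=1`.

```shell
#!/usr/bin/env bash
# Added example, not from the Azure documentation. Resource names and address
# prefixes below are assumptions; replace them with your own.
#
# Two parts:
#   1. bastion_subnet_ok  - offline check of the two AzureBastionSubnet rules
#                           stated on this page (exact name, at least /27).
#   2. Azure CLI commands - deploy Bastion, then restrict RDP/SSH on the
#                           workload subnet to the Bastion subnet only.
set -eu

# Returns 0 if the subnet satisfies the requirements: the name must be exactly
# "AzureBastionSubnet" and the prefix length must be 27 or smaller (a larger
# block). Anything malformed is rejected rather than guessed at.
bastion_subnet_ok() {
    local name="$1" cidr="$2"
    if [ "$name" != "AzureBastionSubnet" ]; then return 1; fi
    case "$cidr" in
        */*) ;;               # must be written as address/prefix
        *)   return 1 ;;
    esac
    local bits="${cidr##*/}"
    case "$bits" in
        ''|*[!0-9]*) return 1 ;;   # prefix length must be a plain integer
    esac
    if [ "$bits" -gt 27 ]; then return 1; fi   # /28 and smaller are too small
    return 0
}

# Create the Bastion subnet, a Standard public IP for the Bastion host, and
# the Bastion resource itself. Only the Bastion host gets a public IP; the VMs
# keep private addresses.
deploy_bastion() {
    local rg="$1" vnet="$2" location="$3" bastion_prefix="$4"
    az network vnet subnet create --resource-group "$rg" --vnet-name "$vnet" \
        --name AzureBastionSubnet --address-prefixes "$bastion_prefix"
    az network public-ip create --resource-group "$rg" --name bastion-pip \
        --sku Standard --location "$location"
    az network bastion create --resource-group "$rg" --name "${vnet}-bastion" \
        --vnet-name "$vnet" --public-ip-address bastion-pip --location "$location"
}

# Lock down the NSG on the workload subnet. The allow rule admits TCP 22/3389
# only from the Bastion subnet prefix; the deny rule right after it blocks
# those ports from every other source, including peered VNets that the default
# AllowVnetInBound rule (priority 65000) would otherwise let through.
restrict_rdp_ssh_to_bastion() {
    local rg="$1" nsg="$2" bastion_prefix="$3"
    az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" \
        --name AllowBastionRdpSsh --priority 100 --direction Inbound \
        --access Allow --protocol Tcp \
        --source-address-prefixes "$bastion_prefix" \
        --destination-port-ranges 22 3389
    az network nsg rule create --resource-group "$rg" --nsg-name "$nsg" \
        --name DenyOtherRdpSsh --priority 110 --direction Inbound \
        --access Deny --protocol Tcp \
        --source-address-prefixes '*' \
        --destination-port-ranges 22 3389
}

# The Azure calls run only when explicitly requested, so the script can be
# sourced or executed for the offline check without touching a subscription.
if [ "${BASTION_APPLY:-0}" = "1" ]; then
    RG=rg-bastion-demo            # assumed resource group
    VNET=vnet-app                 # assumed virtual network
    LOCATION=westeurope           # assumed region
    BASTION_PREFIX=10.0.255.0/27  # assumed /27 carved out for Bastion
    WORKLOAD_NSG=nsg-app-subnet   # assumed NSG attached to the VM subnet

    bastion_subnet_ok AzureBastionSubnet "$BASTION_PREFIX" \
        || { echo "AzureBastionSubnet must be /27 or larger" >&2; exit 1; }
    deploy_bastion "$RG" "$VNET" "$LOCATION" "$BASTION_PREFIX"
    restrict_rdp_ssh_to_bastion "$RG" "$WORKLOAD_NSG" "$BASTION_PREFIX"
fi
```

The explicit deny at priority 110 is the part most often left out: the built-in AllowVnetInBound rule matches the VirtualNetwork service tag, which also covers peered virtual networks, so without it a host in a peered VNet could still reach RDP/SSH on the workload subnet even though nothing is exposed to the Internet.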

What's new?

Subscribe to the RSS feed and view the latest Azure Bastion feature updates on the Azure Updates page.

FAQ

Do I need a public IP on my virtual machine to connect via Azure Bastion?

No. When you connect to a VM using Azure Bastion, you don't need a public IP on the Azure virtual machine that you are connecting to. The Bastion service opens the RDP/SSH session to your virtual machine over the VM's private IP, within your virtual network.

Is IPv6 supported?

At this time, IPv6 is not supported. Azure Bastion supports IPv4 only.

Can I use Azure Bastion with Azure Private DNS Zones?

The use of Azure Bastion with Azure Private DNS Zones is not supported at this time. Before you deploy your Azure Bastion resource, make sure that the host virtual network is not linked to a private DNS zone.

Do I need an RDP or SSH client?

No. You don't need an RDP or SSH client to get RDP/SSH access to your Azure virtual machine from the Azure portal. The Azure portal gives you RDP/SSH access to the virtual machine directly in the browser.

Do I need an agent running in the Azure virtual machine?

No. You don't need to install an agent or any software in your browser or on your Azure virtual machine. The Bastion service is agentless and doesn't require any additional software for RDP/SSH.

How many concurrent RDP and SSH sessions does each Azure Bastion support?

Both RDP and SSH are usage-based protocols: heavy use within sessions reduces the total number of sessions the bastion host can support. The numbers below assume normal day-to-day workflows.

Workload type*   Limit**
Light            100
Medium           50
Heavy            5

* These workload types are defined here: Remote Desktop workloads
** These limits are based on RDP performance tests for Azure Bastion. The numbers may vary because of other ongoing RDP or SSH sessions.

What features are supported in an RDP session?

At this time, only text copy/paste is supported. Features such as file copy are not supported. Feel free to share feedback about new features on the Azure Bastion Feedback page.

Does Bastion hardening work with AADJ VM extension-joined VMs?

This feature doesn't work with AADJ VM extension-joined machines using Azure AD users. For more information, see Windows Azure VMs and Azure AD.

Which browsers are supported?

Use the Microsoft Edge browser or Google Chrome on Windows. On Apple Mac, use the Google Chrome browser. Microsoft Edge Chromium is also supported on both Windows and Mac.

Where does Azure Bastion store customer data?

Azure Bastion doesn't move or store customer data outside the region in which it is deployed.

Are any roles required to access a virtual machine?

In order to make a connection, the following roles are required:

  • Reader role on the virtual machine
  • Reader role on the NIC with the private IP of the virtual machine
  • Reader role on the Azure Bastion resource
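The following script is an added example, not part of the Azure documentation. It grants exactly the three Reader assignments listed above, each scoped to a single resource rather than to the resource group or subscription, so that an operator can open Bastion sessions to one VM without gaining read access to everything else. The subscription ID, resource group, VM name and Bastion host name are assumptions, and the NIC is looked up from the VM rather than named by hand; the `az` commands run only when you opt in with `BASTION_APPLY=1`.

```shell
#!/usr/bin/env bash
# Added example, not from the Azure documentation. Names below are assumptions.
# Grants a user the three Reader assignments the FAQ lists, each scoped to a
# single resource: the VM, its NIC, and the Bastion host.
set -eu

# Build the ARM resource IDs for the VM and Bastion scopes. Keeping the scopes
# this narrow is the point: Reader on the resource group would also expose
# every other VM, NIC and Bastion host in it.
vm_scope() {      # subscription, resource group, VM name
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s' "$1" "$2" "$3"
}
bastion_scope() { # subscription, resource group, Bastion host name
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/bastionHosts/%s' "$1" "$2" "$3"
}

# The NIC scope is read from the VM itself; the first NIC carries the private
# IP that Bastion connects to. (Add the others if the VM has several NICs.)
nic_scope_from_vm() { # resource group, VM name
    az vm show --resource-group "$1" --name "$2" \
        --query 'networkProfile.networkInterfaces[0].id' --output tsv
}

# Assign Reader at each of the three scopes. --assignee accepts a user
# principal name, an object ID, or a group object ID.
grant_bastion_reader() {
    local assignee="$1" sub="$2" rg="$3" vm="$4" bastion="$5"
    local scope
    for scope in "$(vm_scope "$sub" "$rg" "$vm")" \
                 "$(nic_scope_from_vm "$rg" "$vm")" \
                 "$(bastion_scope "$sub" "$rg" "$bastion")"; do
        az role assignment create --assignee "$assignee" --role Reader --scope "$scope"
    done
}

# Confirm that a Reader assignment exists at each scope; exits non-zero if
# any is missing, which is the check to run before telling the user to try.
verify_bastion_reader() {
    local assignee="$1" sub="$2" rg="$3" vm="$4" bastion="$5"
    local scope count
    for scope in "$(vm_scope "$sub" "$rg" "$vm")" \
                 "$(nic_scope_from_vm "$rg" "$vm")" \
                 "$(bastion_scope "$sub" "$rg" "$bastion")"; do
        count=$(az role assignment list --assignee "$assignee" --role Reader \
                    --scope "$scope" --query 'length(@)' --output tsv)
        if [ "$count" -lt 1 ]; then
            echo "missing Reader for $assignee on $scope" >&2
            return 1
        fi
    done
    return 0
}

# Azure calls run only when explicitly requested.
if [ "${BASTION_APPLY:-0}" = "1" ]; then
    SUB=00000000-0000-0000-0000-000000000000   # assumed subscription ID
    RG=rg-bastion-demo                          # assumed resource group
    VM=vm-web01                                 # assumed VM name
    BASTION=vnet-app-bastion                    # assumed Bastion host name
    USER=operator@example.com                   # assumed user principal name

    grant_bastion_reader "$USER" "$SUB" "$RG" "$VM" "$BASTION"
    verify_bastion_reader "$USER" "$SUB" "$RG" "$VM" "$BASTION"
fi
```

Reader on these three resources is enough to open a session; it does not let the user start, stop, or reconfigure the VM, so it pairs well with a separate, time-bound elevation for operators who also need to change the machine.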

What is the pricing?

For more information, see the pricing page.

Does Azure Bastion require an RDS CAL for administrative purposes on Azure-hosted VMs?

No. Access to Windows Server VMs through Azure Bastion does not require an RDS CAL when used solely for administrative purposes.

Which keyboard layouts are supported during the Bastion remote session?

Azure Bastion currently supports the en-us-qwerty keyboard layout inside the VM. Support for other keyboard-layout locales is in progress.

Is user-defined routing (UDR) supported on an Azure Bastion subnet?

No. UDR is not supported on an Azure Bastion subnet.

For scenarios that include both Azure Bastion and Azure Firewall or a network virtual appliance (NVA) in the same virtual network, you don't need to force traffic from the Azure Bastion subnet to Azure Firewall, because the communication between Azure Bastion and your VMs is private. For more information, see Accessing VMs behind Azure Firewall with Bastion.

Why do I get a "Your session has expired" error message before the Bastion session starts?

A session should be initiated only from the Azure portal. Sign in to the Azure portal and begin your session again. If you go to the URL directly from another browser session or tab, this error is expected. It helps ensure that your session is more secure and that the session can be accessed only through the Azure portal.

How do I handle deployment failures?

Review any error messages and raise a support request in the Azure portal as needed. Deployment failures may result from Azure subscription limits, quotas, and constraints. In particular, customers may hit the limit on the number of public IP addresses allowed per subscription, which causes the Azure Bastion deployment to fail.

How do I incorporate Azure Bastion in my Disaster Recovery plan?

Azure Bastion is deployed within VNets or peered VNets, and is associated with an Azure region. You are responsible for deploying Azure Bastion to a Disaster Recovery (DR) site VNet. In the event of an Azure region failure, perform a failover operation for your VMs to the DR region. Then use the Azure Bastion host deployed in the DR region to connect to the VMs that are now deployed there.

Next steps