{"id":11259,"date":"2026-05-18T12:57:36","date_gmt":"2026-05-18T17:57:36","guid":{"rendered":"https:\/\/stevepedwards.today\/DebianAdmin\/?p=11259"},"modified":"2026-05-18T12:57:36","modified_gmt":"2026-05-18T17:57:36","slug":"azure_bastion_security_summary","status":"publish","type":"post","link":"https:\/\/stevepedwards.today\/DebianAdmin\/azure_bastion_security_summary\/","title":{"rendered":"Azure_Bastion_Security_Summary"},"content":{"rendered":"<p>Azure Bastion Exercise Summary<\/p>\n<h1>1. 
Purpose of the Exercise<\/h1>\n<p>The primary goal of this exercise was to demonstrate secure administrative access to virtual machines (Linux and Windows) without exposing them to the public internet. This mirrors a professional enterprise deployment where security takes priority over direct connectivity.<\/p>\n<h1>2. Why Bastion is Used<\/h1>\n<p>Azure Bastion acts as a secure, managed gateway. In a traditional technician's setup, you might give a VM a Public IP to connect via SSH or RDP. However, in the 'Cloud-First' security model, Public IPs are considered vulnerabilities. Bastion is used to solve the following:<\/p>\n<ul>\n<li>Elimination of Public IPs: The VMs stay on a private 10.x.x.x subnet, making them invisible to external port scans.<\/li>\n<li>Reduced Attack Surface: There is no need to open Port 22 (SSH) or Port 3389 (RDP) to the internet on your corporate firewall or on the VM's Network Security Group (NSG).<\/li>\n<li>Secure Handshaking: Bastion only accepts traffic via TLS (Port 443) through the Azure Portal, ensuring only authenticated users can ever reach the management prompt.<\/li>\n<\/ul>\n<h1>3. Connecting via the Azure Portal ONLY<\/h1>\n<p>By using the 'Connect via Bastion' option in the Azure Portal, the browser becomes the terminal. This is the preferred method for the following security reasons:<\/p>\n<table>\n<thead>\n<tr>\n<th>Security Control<\/th>\n<th>Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>TLS Encryption<\/td>\n<td>All traffic between your PC and the Bastion host is wrapped in HTTPS (Port 443).<\/td>\n<\/tr>\n<tr>\n<td>Zero-Trust Access<\/td>\n<td>The VM never sees your home IP; it only sees traffic coming from the internal AzureBastionSubnet.<\/td>\n<\/tr>\n<tr>\n<td>No Local Tools<\/td>\n<td>Connecting via the Portal means you do not need to manage SSH keys or passwords on your local machine, reducing the risk of credential theft.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h1>4. 
Conclusion for AZ-700 Learning<\/h1>\n<p>While it adds complexity, Bastion is the 'gold standard' for administrative isolation. For testing purposes (like installing NGINX or IIS), we manage the server through this private bridge. Once configured, the web traffic would typically be routed through a separate, hardened Load Balancer, keeping the management path and the user path completely separate.<\/p>\n<p>Use the Connect drop-down menu to access the Linux or Windows VMs:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1366\" height=\"720\" class=\"wp-image-11260\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/word-image-11259-1.png\" srcset=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/word-image-11259-1.png 1366w, https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/word-image-11259-1-300x158.png 300w, https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/word-image-11259-1-1024x540.png 1024w, https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/word-image-11259-1-768x405.png 768w\" sizes=\"auto, (max-width: 1366px) 100vw, 1366px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1366\" height=\"720\" class=\"wp-image-11261\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/word-image-11259-2.png\" srcset=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/word-image-11259-2.png 1366w, https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/word-image-11259-2-300x158.png 300w, https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/word-image-11259-2-1024x540.png 1024w, https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/word-image-11259-2-768x405.png 768w\" sizes=\"auto, (max-width: 1366px) 100vw, 1366px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1366\" height=\"720\" 
class=\"wp-image-11262\" src=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/word-image-11259-3.png\" srcset=\"https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/word-image-11259-3.png 1366w, https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/word-image-11259-3-300x158.png 300w, https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/word-image-11259-3-1024x540.png 1024w, https:\/\/stevepedwards.today\/DebianAdmin\/wp-content\/uploads\/2026\/05\/word-image-11259-3-768x405.png 768w\" sizes=\"auto, (max-width: 1366px) 100vw, 1366px\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Azure Bastion Exercise Summary 1. Purpose of the Exercise The primary goal of this exercise was to demonstrate secure administrative access to virtual machines (Linux and Windows) without exposing them to the public internet. This mirrors a professional enterprise deployment where security takes priority over direct connectivity. 2. Why Bastion is Used Azure Bastion acts <a href=\"https:\/\/stevepedwards.today\/DebianAdmin\/azure_bastion_security_summary\/\" class=\"more-link\">...<span class=\"screen-reader-text\">\u00a0 Azure_Bastion_Security_Summary<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-11259","post","type-post","status-publish","format-standard","hentry","category-post"],"a3_pvc":{"activated":true,"total_views":2,"today_views":0},"_links":{"self":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/11259","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/comments?post=11259"}],"version-history":[{"count":1,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/11259\/revisions"}],"predecessor-version":[{"id":11263,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/posts\/11259\/revisions\/11263"}],"wp:attachment":[{"href":"https:\/\/stevepedwards.today\/DebianAdmin\/
wp-json\/wp\/v2\/media?parent=11259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/categories?post=11259"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/stevepedwards.today\/DebianAdmin\/wp-json\/wp\/v2\/tags?post=11259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}