Can the Bastion service support more than one resource group?
The Bastion service is the one that gets assigned the public IP instead of the individual VMs?
What would be considered best practice when using the Bastion service?
Is there a way to set a rule to 'delete' sessions after 'x' amount of time, or anything like that?
How does it look when non-IT admins try to connect, or how would they connect to the VM?
Azure Bastion Service
Hello @PS4,
Sorry I missed this post.
Azure Bastion is deployed on a per virtual network basis. So you can use the Bastion service to connect to all of the VMs in the same virtual network.
To connect to VMs in other virtual networks, you have two choices. You can deploy Azure Bastion to the other virtual networks, or you can set up VNet peering between the vnets.
Deploying multiple instances of Azure Bastion can get expensive, but there might be business requirements that won't allow you to peer vnets.
In my demo environment, I use the peering option. I have Azure Bastion deployed to my hub vnet (this is also where my S2S VPN connects). Then, when I deploy new VNets for demos, etc., I simply peer the new VNet to the hub and can access the VMs. Then I can tear down the new VNet when I'm done, and I don't have to deploy Azure Bastion over and over.
Currently the only session management available is a manual process. From the Azure Portal you can navigate to your Azure Bastion resource and select sessions. There you can monitor existing sessions, and force-disconnect a session.
The only way to connect to a VM using the Azure Bastion service is through the portal. A user would first connect to the portal, then browse to the VM they want to connect to and select Connect -> Bastion -> Use Bastion.
In order to make a connection, the following roles are required:
Reader role on the virtual machine
Reader role on the NIC with private IP of the virtual machine
Reader role on the Azure Bastion resource
Azure Bastion is not for everyday work by employees. It is for admins to manage VMs and the apps running on those VMs.
To provide end users with a VM, consider using Windows Virtual Desktop.
Hope this helps.
Mike Rodrick
Edutainer, ITProTV
If the post above has answered the question, please mark the topic as solved.
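The hub-and-spoke peering and the three Reader assignments described in the answer, as an added Azure CLI example (not code from the original post or from ITProTV). It assumes a hub resource group rg-hub with vnet-hub and a Bastion host bas-hub, a spoke rg-spoke with vnet-spoke and a VM vm-app with NIC vm-app-nic, and a placeholder subscription and user object ID; by default it only prints the az commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: rg-hub / vnet-hub host
# Bastion (bas-hub); the VM lives in a spoke vnet that is peered to the hub.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"   # placeholder
HUB_RG="${HUB_RG:-rg-hub}"
HUB_VNET="${HUB_VNET:-vnet-hub}"
BASTION="${BASTION:-bas-hub}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands instead of running them

# ARM resource ID for <rg> <provider/type> <name> in the current subscription.
resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/%s/%s\n' "$SUBSCRIPTION_ID" "$1" "$2" "$3"
}

# The three scopes an operator needs Reader on to open a Bastion session to a VM:
# the VM, its NIC (private IP), and the Bastion host itself.
bastion_reader_scopes() {   # <spoke_rg> <vm_name> <nic_name>
  resource_id "$1" Microsoft.Compute/virtualMachines "$2"
  resource_id "$1" Microsoft.Network/networkInterfaces "$3"
  resource_id "$HUB_RG" Microsoft.Network/bastionHosts "$BASTION"
}

# Run az, or echo the command line when DRY_RUN=1 (no subscription needed).
az_cmd() {
  if [ "$DRY_RUN" = 1 ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# Grant Reader on each resource individually rather than on the resource group,
# so the operator can reach this one VM through Bastion and nothing else.
grant_bastion_reader() {   # <user_object_id> <spoke_rg> <vm_name> <nic_name>
  oid=$1; shift
  bastion_reader_scopes "$@" | while IFS= read -r scope; do
    az_cmd role assignment create --role Reader --assignee-object-id "$oid" \
      --assignee-principal-type User --scope "$scope"
  done
}

# Peer a new spoke vnet with the hub in both directions so Bastion can reach its VMs.
peer_spoke_to_hub() {   # <spoke_rg> <spoke_vnet>
  hub_id=$(resource_id "$HUB_RG" Microsoft.Network/virtualNetworks "$HUB_VNET")
  spoke_id=$(resource_id "$1" Microsoft.Network/virtualNetworks "$2")
  az_cmd network vnet peering create --name "$2-to-$HUB_VNET" --resource-group "$1" \
    --vnet-name "$2" --remote-vnet "$hub_id" --allow-vnet-access
  az_cmd network vnet peering create --name "$HUB_VNET-to-$2" --resource-group "$HUB_RG" \
    --vnet-name "$HUB_VNET" --remote-vnet "$spoke_id" --allow-vnet-access
}

# Constructed sample run (dry-run by default); the operator object ID is a placeholder.
peer_spoke_to_hub rg-spoke vnet-spoke
grant_bastion_reader 11111111-1111-1111-1111-111111111111 rg-spoke vm-app vm-app-nic
```

Run with DRY_RUN=0 and a real SUBSCRIPTION_ID after `az login` to apply the assignments; the Bastion sessions blade in the portal remains the only place to monitor or force-disconnect sessions.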