DEV Community

Onuoha Chiemerie
Tech Crush Assignment 5

1. Research: How to Access (Connect to) an Azure VM Without Opening an Inbound Port

Introduction

Traditionally, connecting to an Azure VM requires opening inbound ports in a Network Security Group (NSG), for example:

SSH → Port 22 (Linux VM)
RDP → Port 3389 (Windows VM)

However, exposing these ports publicly increases the attack surface: the ports show up in internet-wide scans and attract brute-force login attempts.

A DevOps/security best practice is to use Azure Bastion or another private access method so the VM needs no inbound public access at all.

Method 1: Azure Bastion
What is Azure Bastion?

Azure Bastion is a managed Azure service that provides secure RDP/SSH access to virtual machines through the Azure Portal.

The VM:

Does NOT need a public IP address
Does NOT require inbound NSG rules for SSH/RDP
Is accessed securely over HTTPS (443)

Architecture:

                Internet
                    |
                    |
              Azure Portal
                    |
                 HTTPS 443
                    |
            Azure Bastion Host
                    |
              Private IP Network
                    |
                 Azure VM
        (No Public IP / No Port 22)

Implementation Process
Step 1: Create a Virtual Network

Example:

VNet:
10.0.0.0/16

Subnet:
10.0.1.0/24

Step 2: Create Azure Bastion Subnet

Azure Bastion requires a dedicated subnet:

Subnet Name:
AzureBastionSubnet

Address:
10.0.2.0/27

The subnet name must be exactly:

AzureBastionSubnet

Step 3: Deploy Azure Bastion

Azure creates:

Bastion public IP
Secure gateway
HTTPS connection endpoint

Step 4: Create VM without a public IP

VM configuration:

Example:

VM Name:
devops-vm01

Private IP:
10.0.1.4

Public IP:
None

Network Security Group:

No inbound rules such as:

Allow SSH 22 from Internet
Allow RDP 3389 from Internet

Step 5: Connect Through Bastion

Azure Portal:

Virtual Machine
       |
       |
Connect
       |
       |
Bastion
       |
       |
Enter Username/Password
       |
       |
Connect

The connection happens internally through Azure's backbone network.
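Steps 1 to 5 above can be scripted end to end with Azure CLI. The script below is an added example written for this post, not the author's own code or an Azure sample. It reuses the resource names from the CLI section (devops-rg, devops-vnet, devops-subnet, devops-vm01) and assumes invented names for the Bastion host (devops-bastion) and its public IP (devops-bastion-pip). It sizes AzureBastionSubnet as a /26 rather than the /27 shown in Step 2, because /26 is the minimum Azure documents for new Bastion deployments. The bastion_subnet_ok function is a local precheck that needs no Azure credentials; deploy and connect need a signed-in az session, and az network bastion ssh additionally needs the bastion extension, the Standard SKU and tunneling enabled (the portal-based connection in Step 5 works without any of those).

```shell
#!/bin/sh
# Added example (not from the post): Bastion deployment for Steps 1-5.
# All names and CIDRs are assumptions that follow the post's CLI section.
RG=devops-rg
LOCATION=eastus
VNET=devops-vnet
VNET_CIDR=10.0.0.0/16
VM_SUBNET=devops-subnet
VM_SUBNET_CIDR=10.0.1.0/24
BASTION_SUBNET=AzureBastionSubnet   # name is fixed by Azure, no variation allowed
BASTION_SUBNET_CIDR=10.0.2.0/26     # /26 is the documented minimum for new deployments
BASTION=devops-bastion              # assumed name
BASTION_PIP=devops-bastion-pip      # assumed name
VM=devops-vm01

# Local precheck: the subnet must be named exactly AzureBastionSubnet and be
# /26 or larger (a smaller prefix length means a larger subnet).
bastion_subnet_ok() {
  name=$1; cidr=$2
  prefix=${cidr##*/}
  [ "$name" = "AzureBastionSubnet" ] || return 1
  case $prefix in
    ''|*[!0-9]*) return 1 ;;   # no "/nn" part, or not a number
  esac
  [ "$prefix" -le 26 ]
}

deploy() {
  set -e
  bastion_subnet_ok "$BASTION_SUBNET" "$BASTION_SUBNET_CIDR"
  # Step 1: VNet with the VM subnet
  az group create --name "$RG" --location "$LOCATION"
  az network vnet create --resource-group "$RG" --name "$VNET" \
    --address-prefix "$VNET_CIDR" \
    --subnet-name "$VM_SUBNET" --subnet-prefix "$VM_SUBNET_CIDR"
  # Step 2: dedicated Bastion subnet
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name "$BASTION_SUBNET" --address-prefixes "$BASTION_SUBNET_CIDR"
  # Step 3: Bastion host; only the Bastion gets a public IP
  az network public-ip create --resource-group "$RG" --name "$BASTION_PIP" \
    --sku Standard --allocation-method Static
  az network bastion create --resource-group "$RG" --name "$BASTION" \
    --vnet-name "$VNET" --public-ip-address "$BASTION_PIP" \
    --location "$LOCATION" --sku Standard --enable-tunneling true
  # Step 4: VM with no public IP. Empty --public-ip-address and --nsg stop
  # az vm create from adding a public IP and a NIC NSG with an allow-SSH rule.
  az vm create --resource-group "$RG" --name "$VM" \
    --image Ubuntu2204 --size Standard_B1s \
    --vnet-name "$VNET" --subnet "$VM_SUBNET" \
    --public-ip-address "" --nsg "" \
    --admin-username azureuser --generate-ssh-keys
}

# Step 5 from the CLI: SSH over the Bastion tunnel to the VM's private IP.
connect() {
  vm_id=$(az vm show --resource-group "$RG" --name "$VM" --query id -o tsv)
  az network bastion ssh --resource-group "$RG" --name "$BASTION" \
    --target-resource-id "$vm_id" --auth-type ssh-key \
    --username azureuser --ssh-key ~/.ssh/id_rsa
}

case ${1:-} in
  deploy)  deploy ;;
  connect) connect ;;
esac
```

Run it as `sh bastion.sh deploy` and then `sh bastion.sh connect`; with no argument it only defines the functions, so the precheck can be exercised without touching Azure.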

Benefits of Azure Bastion

| Traditional SSH           | Azure Bastion       |
|---------------------------|---------------------|
| Requires port 22 open     | No port 22          |
| Requires public IP        | Private VM          |
| Exposed to internet scans | Protected           |
| Manual firewall rules     | Managed service     |
| Higher attack surface     | Zero-trust approach |

  1. Create Azure Virtual Network and Virtual Machine Using Script

Using Azure CLI

Prerequisites

Install Azure CLI, then sign in:

az login

Check subscription:

az account show
Script: Create Resource Group

az group create \
--name devops-rg \
--location eastus

Create Virtual Network

az network vnet create \
--resource-group devops-rg \
--name devops-vnet \
--address-prefix 10.0.0.0/16 \
--subnet-name devops-subnet \
--subnet-prefix 10.0.1.0/24

Created:

VNet:
devops-vnet

CIDR:
10.0.0.0/16

Subnet:
devops-subnet

CIDR:
10.0.1.0/24

Create Network Security Group

az network nsg create \
--resource-group devops-rg \
--name devops-nsg

Attach NSG to Subnet

az network vnet subnet update \
--resource-group devops-rg \
--vnet-name devops-vnet \
--name devops-subnet \
--network-security-group devops-nsg

Create Linux VM Attached to VNet

By default az vm create also allocates a public IP and a NIC-level NSG with an allow-SSH rule. Passing --public-ip-address "" and --nsg "" suppresses both, so the VM stays private and is governed only by the subnet NSG:

az vm create \
--resource-group devops-rg \
--name devops-vm01 \
--image Ubuntu2204 \
--size Standard_B1s \
--vnet-name devops-vnet \
--subnet devops-subnet \
--public-ip-address "" \
--nsg "" \
--admin-username azureuser \
--generate-ssh-keys

Verify VM Network Attachment

Get VM details:

az vm show \
--resource-group devops-rg \
--name devops-vm01 \
--query networkProfile

Expected:

devops-vnet
       |
       |
devops-subnet
       |
       |
devops-vm01

Verify Private IP

az vm list-ip-addresses \
--resource-group devops-rg

Output example:

Private IP:
10.0.1.4

No public IP required if using Bastion.
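Step 4 of the Bastion design and the NSG created above both depend on one property: devops-nsg must contain no inbound Allow rule that exposes port 22 or 3389 to the Internet. The audit below is an added example, not code from the post. It reads rules in the TSV layout produced by the az network nsg rule list query inside the block, and a constructed sample in the same layout is embedded so it runs offline. Source prefixes treated as public are *, Internet and 0.0.0.0/0; port fields may be a single port, a range such as 3000-4000, a comma-separated list, or *. Rules that use the plural destinationPortRanges field would need that column added to the query.

```shell
#!/bin/sh
# Added example (not from the post): flag NSG rules that expose SSH/RDP to
# the Internet. Column order: name direction access protocol source ports priority

# Constructed sample rows, tab-separated, matching the live query's columns.
sample_rules() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    default-allow-ssh  Inbound Allow Tcp '*'            22        1000 \
    allow-https        Inbound Allow Tcp '*'            443       1010 \
    allow-rdp-internet Inbound Allow Tcp Internet       3389      1020 \
    allow-ssh-office   Inbound Allow Tcp 203.0.113.0/24 22        1030 \
    allow-mgmt-range   Inbound Allow Tcp 0.0.0.0/0      3000-4000 1040 \
    allow-any-in       Inbound Allow '*' '*'            '*'       1050 \
    deny-all-in        Inbound Deny  '*' '*'            '*'       4000
}

# Reads rule rows on stdin; prints "name<TAB>source<TAB>ports" for every
# inbound Allow rule whose source is public and whose ports cover 22 or 3389.
find_exposed_rules() {
  awk -F '\t' '
    function port_hit(field, want,   n, parts, i, r, range, lo, hi) {
      n = split(field, parts, ",")
      for (i = 1; i <= n; i++) {
        r = parts[i]
        if (r == "*") return 1
        if (index(r, "-") > 0) {
          split(r, range, "-"); lo = range[1] + 0; hi = range[2] + 0
          if (want >= lo && want <= hi) return 1
        } else if (r + 0 == want) return 1
      }
      return 0
    }
    function src_public(s) {
      return (s == "*" || s == "Internet" || s == "0.0.0.0/0" || s == "0.0.0.0")
    }
    $2 == "Inbound" && $3 == "Allow" && src_public($5) &&
      (port_hit($6, 22) || port_hit($6, 3389)) {
      print $1 "\t" $5 "\t" $6
    }'
}

# Number of exposing rules found on stdin (0 is the state the post expects).
exposed_count() {
  find_exposed_rules | wc -l | tr -d ' '
}

# Live audit: same columns pulled from Azure for one NSG.
audit_live_nsg() {
  az network nsg rule list --resource-group "$1" --nsg-name "$2" \
    --query "[].[name,direction,access,protocol,sourceAddressPrefix,destinationPortRange,priority]" \
    -o tsv | find_exposed_rules
}

case $# in
  0) sample_rules | find_exposed_rules ;;
  2) audit_live_nsg "$1" "$2" ;;
esac
```

Run with no arguments to audit the embedded sample (four of the seven rows are flagged), or as `sh nsg-audit.sh devops-rg devops-nsg` to audit the live NSG; an empty result is the expected state when the VM is reached only through Bastion.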

DevOps Automation Flow

Final deployment flow:

Developer
    |
Azure CLI Script
    |
Resource Group
    |
Virtual Network
    |
Subnet
    |
NSG
    |
Virtual Machine
    |
Private Networking
    |
Azure Bastion Access