DEV Community

Joy Imarah

Building a Secure Azure Virtual Machine Environment with Azure Bastion (No Public IP Required) (Part 5)

Cloud security starts with reducing unnecessary exposure.

One common mistake when deploying virtual machines is assigning public IP addresses and opening SSH or RDP ports to the internet.

While this may work for quick testing, it significantly increases the attack surface of your infrastructure.

In this hands-on Azure lab, I explored a more secure approach by deploying Linux and Windows virtual machines that are administered entirely through Azure Bastion.

Project Goal

The objective was to deploy two virtual machines inside a secure Azure Virtual Network while ensuring that administrative access remained private.

The environment includes:

  • Azure Resource Group
  • Virtual Network
  • AzureBastionSubnet
  • Application subnet
  • Network Security Group
  • Ubuntu Server VM
  • Windows Server 2022 VM
  • Azure Bastion

The virtual machines were intentionally deployed without public IP addresses.

Architecture

Resource Group
│
├── Virtual Network
│
├── AzureBastionSubnet
│ └── Azure Bastion
│
└── subnet-webapp
 ├── Ubuntu VM
 ├── Windows Server VM
 └── Network Security Group

This architecture follows Azure security best practices by keeping administrative services off the public internet.

Deploying the Virtual Machines

Both virtual machines were created inside the same Virtual Network.

For Linux:

  • Ubuntu Server 22.04 LTS
  • SSH Key Authentication

For Windows:

  • Windows Server 2022
  • Username & Password Authentication

Neither VM was assigned a public IP address. Instead, Azure Bastion provides browser-based SSH and RDP access directly from the Azure Portal.

Security Configuration

The Network Security Group (NSG) was associated with the application subnet to manage inbound and outbound traffic for both virtual machines.

This approach simplifies administration because a single NSG protects every resource within the subnet.

Key security features include:

  • No public IPs on either VM
  • Azure Bastion for secure remote access
  • Centralized traffic filtering through an NSG
  • Private Virtual Network deployment
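
An added example (not from the original post or its repository) of checking that a subnet-level NSG keeps SSH and RDP closed to the internet while still letting the Bastion subnet reach them. It models Azure's priority-ordered inbound rule evaluation; the rule names, CIDRs and addresses are assumptions, and the two service tags are simplified.

```python
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")  # assumed VNet address space
BASTION_HOST = "10.0.1.4"                   # assumed host inside AzureBastionSubnet
# Constructed sample, using the field names of `az network nsg rule list -o json`.
CUSTOM_RULES = [
    {"name": "allow-bastion-admin", "priority": 100, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": "10.0.1.0/26",
     "destinationPortRanges": ["22", "3389"]},
    {"name": "deny-admin-other", "priority": 200, "direction": "Inbound",
     "access": "Deny", "sourceAddressPrefix": "*",
     "destinationPortRanges": ["22", "3389"]},
    {"name": "allow-https", "priority": 300, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "443"},
]
# Azure's built-in inbound defaults (AllowAzureLoadBalancerInBound omitted for brevity).
DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

def source_matches(prefix, ip):
    # Simplification: VirtualNetwork = the VNet range, Internet = everything outside it.
    if prefix in ("VirtualNetwork", "Internet"):
        return (ip in VNET) == (prefix == "VirtualNetwork")
    return prefix == "*" or ip in ipaddress.ip_network(prefix)

def port_matches(rule, port):
    ranges = rule.get("destinationPortRanges") or [rule["destinationPortRange"]]
    bounds = (r.partition("-") for r in ranges if r != "*")
    return "*" in ranges or any(int(lo) <= port <= int(hi or lo) for lo, _, hi in bounds)

def decide(custom_rules, source, port):
    """Return (access, rule name) of the first matching inbound rule, lowest priority number first."""
    ip = ipaddress.ip_address(source)
    for rule in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r["priority"]):
        prefixes = rule.get("sourceAddressPrefixes") or [rule["sourceAddressPrefix"]]
        if (rule["direction"] == "Inbound" and port_matches(rule, port)
                and any(source_matches(p, ip) for p in prefixes)):
            return rule["access"], rule["name"]

def audit(custom_rules, internet_source="203.0.113.10"):
    """Per admin port, report the NSG decision for an internet host and for Bastion."""
    return {port: {"internet": decide(custom_rules, internet_source, port),
                   "bastion": decide(custom_rules, BASTION_HOST, port)}
            for port in (22, 3389)}
```

A healthy result shows `Deny` for the internet source and `Allow` for the Bastion host on both 22 and 3389; service tags other than the two handled here are not modelled.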

Validation

Linux

After connecting through Azure Bastion, I verified the deployment with:

whoami
pwd
uname -a
ls -la

These commands confirmed that the virtual machine was functioning correctly.

Windows

Using Azure Bastion's browser-based Remote Desktop connection, I successfully accessed:

  • Windows Desktop
  • Server Manager
  • Administrative tools

Both operating systems were fully accessible without exposing RDP or SSH to the internet.

Challenges Encountered

The Linux virtual machine connected successfully through Azure Bastion on the first attempt.

The Windows VM, however, initially failed to establish an RDP session.

To resolve the issue, I reviewed:

  • Azure Bastion deployment
  • AzureBastionSubnet configuration
  • Virtual network settings
  • Network Security Group association
  • Windows administrator credentials

Once the networking configuration was corrected, Azure Bastion successfully connected to the Windows virtual machine.

This troubleshooting exercise reinforced the importance of validating every component of a cloud deployment instead of assuming the issue lies with a single service.

Lessons Learned

Working through this project reinforced several important Azure concepts:

  • Azure Bastion provides secure browser-based administration without exposing virtual machines to the public internet.
  • Network Security Groups can be applied at the subnet level to simplify security management.
  • Proper subnet planning is critical when deploying Azure networking resources.
  • Troubleshooting cloud infrastructure is an essential part of becoming a cloud engineer.

Final Thoughts

This lab strengthened my understanding of Azure networking, secure remote administration, and infrastructure security. More importantly, it demonstrated how Azure's native services can be combined to create environments that are both functional and secure.

The complete documentation, deployment notes, and project files are available on GitHub:

🔗 Repository: https://github.com/JoySmarty/3mtt-vm-remote-connection-lab

If you're learning Azure, I highly recommend building projects like this yourself. The lessons you gain from troubleshooting are often the ones you'll remember the longest.

I'm documenting my cloud engineering journey through hands-on Azure projects. Follow along as I continue exploring networking, security, identity, and infrastructure on Microsoft Azure.
