The new way to avoid exposing port 3389 in Azure – Bastion!

Microsoft has released the public preview of Azure Bastion, a managed jump host that lives in its own subnet of your VNet and brokers RDP/SSH sessions from the Azure portal over HTTPS. That puts your portal sign-in (Azure AD, with whatever MFA you enforce there) and a separate subnet between your VMs and the hordes of scanners who sweep the Internet every day looking for open port 3389 with easy passwords or a vulnerable patch level. Things are simpler for you as well: no more unnecessary public IPs (PIPs) on the VMs or hand-maintained jump servers, just for desktop access. Of course, many of you are already using PowerShell or Azure Automation and don't need that desktop, right? Bastion uses your HTTPS connection to the Azure portal and then proxies the RDP session through to the specified VM over its private IP:


The steps are simple, but for more details, check out the links at the conclusion. First pick a region where the preview is supported (I used "East US"; elsewhere provisioning may fail), then set up your VNet with both a working subnet and a /27 (or larger) subnet. That second subnet must carry the exact name "AzureBastionSubnet", otherwise the Bastion deployment will not find it:

Next, opt your subscription into this preview feature by entering these in Cloud Shell:

# Opt the subscription into the Bastion preview feature
Register-AzureRmProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
# Re-register the Network resource provider so the feature flag takes effect
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network
# Poll until RegistrationState shows "Registered" for the feature
Get-AzureRmProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network

Once the status shows "Registered" (this may take a while), create your virtual machine and choose "Bastion" under the Operations section of the VM blade. It will pre-select everything you need and let you create the Bastion. Note that the Bastion itself does use a separate public IP address (PIP); the VM behind it does not need one:
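The same provisioning done from the command line, as an added example that is not part of the original post. It uses the newer Az PowerShell module rather than the AzureRm cmdlets shown above, because New-AzBastion was never added to AzureRm. The resource group, region, names and address ranges are assumptions for illustration.

```powershell
# Added example (not from the original post): provision a VNet with the
# mandatory AzureBastionSubnet and a Bastion host using the Az module.
# Names, region and address ranges below are assumptions.
$rg       = "rg-bastion-demo"
$location = "eastus"   # a region where the preview was available

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Workload subnet for the VMs plus the Bastion subnet. The Bastion subnet must
# be named exactly "AzureBastionSubnet"; a /27 was the minimum size in preview.
$workload      = New-AzVirtualNetworkSubnetConfig -Name "snet-workload" -AddressPrefix "10.10.1.0/24"
$bastionSubnet = New-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -AddressPrefix "10.10.255.0/27"

$vnet = New-AzVirtualNetwork -Name "vnet-demo" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.10.0.0/16" -Subnet $workload, $bastionSubnet

# Bastion needs its own static, Standard SKU public IP. The VMs behind it get none.
$pip = New-AzPublicIpAddress -Name "pip-bastion" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

# Deploying the host takes several minutes.
New-AzBastion -Name "bas-demo" -ResourceGroupName $rg -PublicIpAddress $pip -VirtualNetwork $vnet

# Sanity check: the only public IP in the group should belong to the Bastion,
# i.e. no VM NIC shows up in the AttachedTo column.
Get-AzPublicIpAddress -ResourceGroupName $rg |
    Select-Object Name, IpAddress, @{ n = 'AttachedTo'; e = { $_.IpConfiguration.Id } }
```

After this runs, create VMs in snet-workload without a public IP and connect to them from the portal's Bastion blade; the final query is the check worth keeping in a pipeline, since a stray PIP on a VM NIC is exactly what Bastion is meant to make unnecessary.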

It will take a few minutes to deploy the resource, so go get a cup of coffee, knowing that you've just helped make the world a safer place. When you come back, Azure Bastion will present a web logon form in the portal; submit your VM credentials and an RDP tab opens in the browser with access to your VM:


In summary, Azure Bastion is a great new way to minimize the attack surface of cloud-hosted IaaS while still providing remote access for manual administrative tasks. To read up more about this preview feature, check out the Azure Bastion documentation.

And if you need more step-by-step help, here’s a comprehensive guide:

For more advanced users, you can tune the NSGs to provide additional security: restrict RDP/SSH on the workload subnet so they are reachable only from AzureBastionSubnet, and if you attach an NSG to the Bastion subnet itself, keep the inbound 443 and outbound 3389/22 rules the service needs in order to work:
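One way to do that tuning with the Az module, as an added example that is not part of the original post. It assumes the VNet and subnet names from a typical Bastion deployment (vnet-demo, snet-workload, AzureBastionSubnet); the NSG names, rule names and priorities are assumptions. The Bastion subnet rules are the documented minimum at preview time, and the list has grown since, so check the current documentation before applying it in production.

```powershell
# Added example (not from the original post): NSGs that complete the Bastion
# picture. VNet/subnet names, NSG names, rule names and priorities are assumptions.
$rg       = "rg-bastion-demo"
$location = "eastus"
$vnet     = Get-AzVirtualNetwork -Name "vnet-demo" -ResourceGroupName $rg
$workloadPrefix = ($vnet.Subnets | Where-Object Name -eq "snet-workload").AddressPrefix
$bastionPrefix  = ($vnet.Subnets | Where-Object Name -eq "AzureBastionSubnet").AddressPrefix

# 1) Workload subnet: RDP/SSH may only come from the Bastion subnet. The default
#    DenyAllInBound already blocks the Internet, but an explicit deny survives a
#    later "Allow-Any" rule someone adds at a lower priority number by mistake.
$allowFromBastion = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-SSH-From-Bastion" `
    -Access Allow -Direction Inbound -Priority 100 -Protocol Tcp `
    -SourceAddressPrefix $bastionPrefix -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3389, 22
$denyFromInternet = New-AzNetworkSecurityRuleConfig -Name "Deny-RDP-SSH-From-Internet" `
    -Access Deny -Direction Inbound -Priority 110 -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389, 22

$workloadNsg = New-AzNetworkSecurityGroup -Name "nsg-workload" -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowFromBastion, $denyFromInternet

# 2) AzureBastionSubnet: an NSG here must still let the service function.
#    Inbound 443 from the Internet (your browser) and from the GatewayManager
#    service tag (control plane); outbound 3389/22 to the VNet (the actual
#    sessions) and 443 to AzureCloud (service dependencies).
$bastionRules = @(
    New-AzNetworkSecurityRuleConfig -Name "Allow-HTTPS-In-From-Internet" -Access Allow -Direction Inbound `
        -Priority 100 -Protocol Tcp -SourceAddressPrefix Internet -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name "Allow-GatewayManager-In" -Access Allow -Direction Inbound `
        -Priority 110 -Protocol Tcp -SourceAddressPrefix GatewayManager -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 443
    New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-SSH-Out-To-VNet" -Access Allow -Direction Outbound `
        -Priority 100 -Protocol Tcp -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3389, 22
    New-AzNetworkSecurityRuleConfig -Name "Allow-HTTPS-Out-To-AzureCloud" -Access Allow -Direction Outbound `
        -Priority 110 -Protocol Tcp -SourceAddressPrefix * -SourcePortRange * `
        -DestinationAddressPrefix AzureCloud -DestinationPortRange 443
)
$bastionNsg = New-AzNetworkSecurityGroup -Name "nsg-bastion" -ResourceGroupName $rg `
    -Location $location -SecurityRules $bastionRules

# Attach both NSGs to their subnets and commit the VNet change.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "snet-workload" `
    -AddressPrefix $workloadPrefix -NetworkSecurityGroup $workloadNsg | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "AzureBastionSubnet" `
    -AddressPrefix $bastionPrefix -NetworkSecurityGroup $bastionNsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify the effective rule set on a VM NIC before trusting it, e.g.:
#   Get-AzEffectiveNetworkSecurityGroup -NetworkInterfaceName "<nic>" -ResourceGroupName $rg
```

The workload-subnet rule is the one that matters most: with it in place, even a VM that later picks up a public IP by accident still has 3389 and 22 closed to the Internet, and only the Bastion subnet can reach them.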

P.S. Just announced: another preview feature, Windows Virtual Desktop, has just reached general availability (GA)!

