When you create an Azure Bastion instance Microsoft creates in the backend an optimized Azure VM that runs all the processes they are needed for Azure Bastion. This Azure VM is called a Instance and had some limitations. In general when you deploy the Azure Bastion Basic SKU Microsoft deploys two instances which supports 20-24 concurrent sessions which means each instance support 10-12 sessions.
The Standard SKU allows you to specify the number of instances called as host scalling.
Please note that when using an Azure Bastion Standard SKU, the AzureBastionSubnet size should be increased to a subnet size of approximately /26 or larger.
up to 50
Max. supported concurrent sessions
up to 500
Azure Portal, Powershell, CLI
Only Azure Portal
Deploy an Azure Bastion Standard SKU
Only the Azure Portal allows to deploy an Azure Bastion Standard SKU with the host scalling feature, because the feature is in public preview.
The corona situation brings new opportunities and one of them is that Microsoft Ignite going to a virtual conference twice a year. It used to be an in-person event only once a year. Last week the Microsoft Ignite 2021 spring conference started and in this article I will cover most of the highlights from my perspective. I would really appreciate your feedback on how valuable the article is.
With Windows Server 2022 there coming the next Major release for as Windows Server OS. This release coming as the next LTSC release with lots of new features, such as new hybrid and security capabilities. Take a look at the MS Ignite Session about latest Azure innovation for SQL and Windows Servers
To prevent phishing attacks Microsoft is part of the FIDO2 alliance. Azure AD supports long time ago the login with FIDO2 keys, but the service are in public preview. With this Ignite Microsoft move the service from Public Preview state into GA state and add some new capabilities, like the Temporary access pass. To unterstand how FIDO2 and TAP works, take a look at the short video. Passwordless authentication with FIDO2 keys, brings Identity Security to a new level. This prevents custom user passwords, enable higher security and preventing phishing attacks.
Due do the covid pandamy, many organizations in Germany are in a challenging phase as many employees need to be given the opportunity to work from home. Many companies have not yet made this option available to their employees, or only to a few. Microsoft has created a new option with Windows Virtual Desktop to give employees the ability to work from anywhere and the clients are always hosted in Azure and accessible via an app or browser.
I am very happy to have received an invitation to the WVD Tech Fest. The first conference only focusing on WVD with three parallel tracks around everything you need to know about Windows Virtual Desktop. The agenda is pretty complete and the organizers Simon Binder and Patrick Köhler are doing a great job. The conference will take place on 25/02/21 and is free. So take a look at the Website, plan your Agenda and grab your Ticket.
Azure Files is one of my favorite topics and due to many WVD projects in the past, I will address the question is Azure Files the optimal WVD profile store solution. And I can say: it depends – but you will learn more in my session on Thursday between 10:50 – 11:20 AM 🙂
Take this oppurtunity to learn more about Windows Virtual Desktop and hopefully this can be a solution for your organization to enable more people to work from anywhere and get everyone safely through these challenging time. I hope to see many of you there 🙂
Over the past few months, I have conducted many customer workshops, designed and implemented Landing Zones, and migrated or placed VMs into Azure. One of the most common customer questions has been about best practices for Azure VMs to maximize performance and efficiency, minimize costs, increase security, and reduce management overhead. This article is based on my real-world experience and recommendations based on several Azure projects.
In the last few days I have created some Azure Landingzones. To secure access to Azure resources within the landing zone with different users, customers use a P2S connection through the Azure VPN Gateway using Azure AD for authentication.
Sometimes I see some mistakes in the Azure VPN Point-to-site configuration blade that results in the Error: “Server did not respond properly to vpn control packets” when trying to connect to the VPN Gateway over the Azure VPN Client.
These error messages are often due to incorrect settings in the basic settings. To resolve this issue it is really important to configure the three points: Tenant & Audience & Issuer correctly.
Please pay close attention to the following settings:
The Tenant field must be specified in the following notation “https://login.microsoftonline.com/your-Azuread-Tenant-ID-here/” at the end do not miss the backforwardslash /
Audience field must be only contains the Enterprise Application ID of the Azure VPN client (this is the same for all Tenants) “41b23e61-6c1e-4545-b367-cd054e0ed4b4” without any other characters or spaces
The Issuer field must be specified in the following notation “https://sts.windows.net/your-Azuread-Tenant-ID-here/” at the end do not miss the backslash /
Please be aware of the difference between the Tenant- (begins with https://login….) and Issuer field (begins with https://sts.win…).
Please contact me if you have any questions or if you find further errors and solutions 🙂
Azure allows to use IaaS and PaaS solution together over the same network. But all Azure PaaS services using a public interface for connection. When configure the PaaS firewall to allow traffic only from internal VNETs the public interface still exists. With Azure Private Link there is a new service to disable the public interface and add a private endpoint to secure connect to PaaS from your own VNET.
When configuring the internal service Firewall to block all traffic from outside the VNET, the Firewall make a mapping from internal VNET traffic to the Public IP and block all other IP- Adress ranges – and here comes the new Azure Service Private Link into play. This blog post will cover how Private Link works and how to configure this service for your environment including own DNS solution to get a complete private based Azure VNET.
I updated the article based on the latest information around Azure Bastion. One big announcement is the support for peered VNETs for Azure Bastion – this is also integrated in this article. Please feel free to share and comment 🙂
Azure Bastion is a new service to reaches Azure VMs in a secure way without needing a Jump host in the same VNET or to publish an Public IP for a VM. Many customers using Public IPs to reach VMs (Windows and Linux) in Test and Dev environment. Please avoid managing Azure VMs over a Public IP, this is unsecure – use Azure Bastion.
Gestern fand der erste Azure Saturday in Köln statt. Organisiert wurde dieser von Jennifer, Raphael und Martin und es war ein gelungener Auftakt. Eine tolle Orga und eine absolut hervoragende Location bei der Gothar sorgten für einen gelungene Veranstaltung. Dazu noch viele verschiedene Speaker und eine große Themenbandbreite, die für viel Austausch und Networking sorgten.
Am Nachmittag durfte ich mit zwei Sessions selbst einen kleinen Teil zum Azure Saturday Cologne beitragen.
Azure Bastion ist ein ganz neuer Service im Azure Universum, der den Remote Zugriff auf eure Azure VMs via RDP/SSH deutlich vereinfacht und absichert.
Bisher gab es zwei Möglichkeiten, um sich zu Azure VMs via RDP oder SSH zu verbinden.
Es besteht Zugriff auf das VNET, in dem die Azure VM liegt. Dazu war eine VPN Verbindung zum VNET notwendig oder ein Jump Host der in Azure ausgerollt wurde.
Oder die Azure VM erhielt eine öffentliche IP-Adresse, um RDP oder SSH nach außen zu veröffentlichen. Damit einhergehend öffneten sich eine Menge Sicherheitslücken.
Mit Azure Bastion gibt es nun eine 3. Möglichkeit.
Azure Bastion wird als Platform-as-a-Service bereitgestellt und ermöglicht eine nahtlose Verbindung über das Azure Portal zur entsprechenden Azure VM. Durch diese Funktion sind beide oben genannten Möglichkeiten obsolet und ein direkter Zugriff auf Azure VMs, ohne Public IP, ist immer möglich. Azure Bastion stellt auf seine Art einen entsprechenden Jump Host im jeweiligen VNET bereit und benötigt seinerseits eine Public IP für die entsprechende Funktionalität.