When you create an Azure Bastion instance Microsoft creates in the backend an optimized Azure VM that runs all the processes they are needed for Azure Bastion. This Azure VM is called a Instance and had some limitations. In general when you deploy the Azure Bastion Basic SKU Microsoft deploys two instances which supports 20-24 concurrent sessions which means each instance support 10-12 sessions.
The Standard SKU allows you to specify the number of instances called as host scalling.
Please note that when using an Azure Bastion Standard SKU, the AzureBastionSubnet size should be increased to a subnet size of approximately /26 or larger.
up to 50
Max. supported concurrent sessions
up to 500
Azure Portal, Powershell, CLI
Only Azure Portal
Deploy an Azure Bastion Standard SKU
Only the Azure Portal allows to deploy an Azure Bastion Standard SKU with the host scalling feature, because the feature is in public preview.
Over the past few months, I have conducted many customer workshops, designed and implemented Landing Zones, and migrated or placed VMs into Azure. One of the most common customer questions has been about best practices for Azure VMs to maximize performance and efficiency, minimize costs, increase security, and reduce management overhead. This article is based on my real-world experience and recommendations based on several Azure projects.
In the past Thomas Naunheim and I do a lot of architecture and designing prinicple for integrating Azure in company environments. We have the idea to create a Azure Governance Best Practices session in the last couple of months to give the community our insights and best practices for Starting/Integrating Azure environments. The goal is to give you insights, where you can find the best documentations to start with a Cloud journey and which technical Azure features help to bring and hold your environment in an compliant and secure state.
The session contains the following topics:
Cloud Adoption Framework
Insights about Azure Policies and Azure Security Center
Azure Enterprise Scale architecture
Identity and Access Management
We are exited to hold the session at the GermanyClouds Meetup on november 26. Did you interested in this topics or you are in the beginning or implementig phase, join us. We will happy to see you there and get your questions.
In the last few days I have created some Azure Landingzones. To secure access to Azure resources within the landing zone with different users, customers use a P2S connection through the Azure VPN Gateway using Azure AD for authentication.
Sometimes I see some mistakes in the Azure VPN Point-to-site configuration blade that results in the Error: “Server did not respond properly to vpn control packets” when trying to connect to the VPN Gateway over the Azure VPN Client.
These error messages are often due to incorrect settings in the basic settings. To resolve this issue it is really important to configure the three points: Tenant & Audience & Issuer correctly.
Please pay close attention to the following settings:
The Tenant field must be specified in the following notation “https://login.microsoftonline.com/your-Azuread-Tenant-ID-here/” at the end do not miss the backforwardslash /
Audience field must be only contains the Enterprise Application ID of the Azure VPN client (this is the same for all Tenants) “41b23e61-6c1e-4545-b367-cd054e0ed4b4” without any other characters or spaces
The Issuer field must be specified in the following notation “https://sts.windows.net/your-Azuread-Tenant-ID-here/” at the end do not miss the backslash /
Please be aware of the difference between the Tenant- (begins with https://login….) and Issuer field (begins with https://sts.win…).
Please contact me if you have any questions or if you find further errors and solutions 🙂
Short note, I am pleased to announce that I support some Microsoft Ignite sessions as an ATE (Ask the Experts). Which this means? I support the Product Team in the Live sessions with answer additional questions. There are many possibilities to get in touch with the Microsoft Product owner of each service, so view the Session scheduler and join relevant sessions to ask the Product owner about services, features, possibilities and more.
I reveived a cool mail some days ago with an information, that I had passed successful the new Azure Administrator Exam Az-104 and get the renewal of the Microsoft Certified: Azure Administrator Associate.
Two years ago Microsoft released the first new Rolebased exams with the Az-100/Az-101. I´ve passed both exams, but the exams are only valid for two years after passing. With the new Az-104 I got a renewal of the title for the next two years.
The Az-104 certification is a further development of the Az-103, as it will be discontinued at the end of July. To see the necessary skills and the differences to the Az-103, please have a look at the document “Az-104 Skills measured“.
Preparation and study guides
In preparation, all I can say is practice, practice, practice. Create different Azure Services, manage and administer them and interact with them. This helps a lot to understand the individual service and the different functions.
Azure allows to use IaaS and PaaS solution together over the same network. But all Azure PaaS services using a public interface for connection. When configure the PaaS firewall to allow traffic only from internal VNETs the public interface still exists. With Azure Private Link there is a new service to disable the public interface and add a private endpoint to secure connect to PaaS from your own VNET.
When configuring the internal service Firewall to block all traffic from outside the VNET, the Firewall make a mapping from internal VNET traffic to the Public IP and block all other IP- Adress ranges – and here comes the new Azure Service Private Link into play. This blog post will cover how Private Link works and how to configure this service for your environment including own DNS solution to get a complete private based Azure VNET.
In the past I have taken several Azure exams, and yesterday I took the Azure Security exam Az-500. I am really glad that I passed the exam. In this article I will give you a brief overview of the topics I saw in the exam and what materials I used to prepare for the exam. I can say directly that the best way to succeed in the exam is practice.
I updated the article based on the latest information around Azure Bastion. One big announcement is the support for peered VNETs for Azure Bastion – this is also integrated in this article. Please feel free to share and comment 🙂
Azure Bastion is a new service to reaches Azure VMs in a secure way without needing a Jump host in the same VNET or to publish an Public IP for a VM. Many customers using Public IPs to reach VMs (Windows and Linux) in Test and Dev environment. Please avoid managing Azure VMs over a Public IP, this is unsecure – use Azure Bastion.