Securing remote access to virtual machines is one of the most important responsibilities in any cloud engineering architecture. Directly exposing VMs to the public internet increases risk and expands the attack surface. That’s where secure access patterns like jumpboxes, bastion hosts, and Azure Bastion come into play.
Each of these solutions provides a different level of control, visibility, and security. In this article, we’ll walk through what each method offers, with a deeper focus on how Azure Bastion simplifies secure access without requiring public IP addresses on your virtual machines.
What Is a Jumpbox or Bastion Host?
A jumpbox (sometimes called a jump server) is a virtual machine placed in a public subnet that acts as a gateway into your private environment. It is commonly used in development and test environments where teams want fast and lightweight access without setting up complex network rules.
A bastion host is a hardened version of a jumpbox used in production environments. It often has additional security measures in place, including patch management, limited user accounts, and network segmentation.
Key characteristics:
- Deployed in a public subnet with a public IP
- Used to initiate RDP (for Windows) or SSH (for Linux) into private resources
- Acts as a single point of entry, limiting exposure for internal systems
While effective, both models require ongoing VM maintenance, patching, monitoring, and careful configuration of firewall rules and access policies. Organizations that need to meet strict security and compliance requirements often find these traditional approaches difficult to scale.
Azure Bastion: A Cloud-Native Approach
Azure Bastion is a fully managed service that provides secure, seamless RDP and SSH connectivity to Azure virtual machines without requiring those machines to have a public IP. Instead, users initiate sessions directly from the Azure portal over port 443 using Transport Layer Security (TLS), eliminating the need to open common RDP or SSH ports like 3389 or 22.
This approach reduces operational overhead, enhances security, and aligns with zero trust principles.
Benefits of Azure Bastion
Improved Security
- Private IP access only: Your VMs remain private, with no public exposure
- No inbound rules: NSGs do not need to allow inbound RDP or SSH traffic
- TLS tunneling: Sessions use encrypted connections over port 443
- Supports microsegmentation: Centralized access improves network defensibility
Browser-Based Access
- No client required: SSH and RDP sessions launch directly from the Azure portal
- Works across platforms: Compatible with Windows, macOS, and Linux, supporting modern workplace solutions
- Identity-driven: Enforces Azure role-based access and optional Conditional Access policies
Minimal Operational Overhead
- No VM management: Azure Bastion requires no OS patching or host monitoring
- High availability included: Built-in redundancy and zone resilience in the Standard tier
- No manual scaling or updates required
Role-Based Access and Policy Control
- Granular permissions: Assign who can access which machines using RBAC
- Policy enforcement: Use Conditional Access for MFA, device compliance, and geo-based restrictions
- Audit logging: Monitor all access through the Azure control plane
Monitoring and Observability
- Native logging: Send diagnostics to Log Analytics, Event Hubs, or Storage
- Audit sessions: Track login attempts, durations, and IPs
- Security integration: Use Azure Sentinel to detect anomalies or threats using KQL queries
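The session-audit bullets above describe what to watch for but not how a detection would look. The following is an added example, not code from the article or from Microsoft: a small Python prototype that runs three checks over constructed Bastion session records (source IP outside the ranges operators are expected to use, sessions opened outside business hours, and one identity fanning out across many target VMs). The field names (userName, clientIpAddress, targetVMIPAddress, sessionStartTime) are an assumption approximating the per-session diagnostic export, not a verified schema; in production the same logic would be written as a KQL query against the Bastion audit table in Log Analytics or Sentinel.

```python
"""Anomaly checks over Azure Bastion session audit records (added example).

Not the article's or Microsoft's code. The records are constructed sample
data shaped like the per-session entries Bastion emits to its diagnostic
audit log; the field names are an assumption approximating that export,
not a verified schema. The same logic would normally run as a KQL query in
Log Analytics or Sentinel; this portable version shows what the query
should look for.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed: egress ranges the organization expects its operators to come from
EXPECTED_CLIENT_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS_UTC = range(7, 20)   # 07:00-19:59 UTC counts as in-hours
FANOUT_THRESHOLD = 3                # distinct target VMs per user before flagging

# Constructed sample records (times in UTC); two routine sessions by alice,
# three night-time sessions by bob from an unexpected address, each to a new VM
SAMPLE_RECORDS = [
    {"userName": "alice@contoso.example", "clientIpAddress": "203.0.113.10",
     "targetVMIPAddress": "10.0.1.4", "protocol": "ssh",
     "sessionStartTime": "2024-05-06T09:15:00Z", "sessionEndTime": "2024-05-06T09:40:00Z"},
    {"userName": "alice@contoso.example", "clientIpAddress": "203.0.113.10",
     "targetVMIPAddress": "10.0.1.5", "protocol": "rdp",
     "sessionStartTime": "2024-05-06T14:05:00Z", "sessionEndTime": "2024-05-06T14:30:00Z"},
    {"userName": "bob@contoso.example", "clientIpAddress": "198.51.100.7",
     "targetVMIPAddress": "10.0.1.4", "protocol": "rdp",
     "sessionStartTime": "2024-05-07T02:30:00Z", "sessionEndTime": "2024-05-07T02:39:00Z"},
    {"userName": "bob@contoso.example", "clientIpAddress": "198.51.100.7",
     "targetVMIPAddress": "10.0.1.6", "protocol": "rdp",
     "sessionStartTime": "2024-05-07T02:41:00Z", "sessionEndTime": "2024-05-07T02:50:00Z"},
    {"userName": "bob@contoso.example", "clientIpAddress": "198.51.100.7",
     "targetVMIPAddress": "10.0.1.7", "protocol": "ssh",
     "sessionStartTime": "2024-05-07T02:52:00Z", "sessionEndTime": "2024-05-07T03:10:00Z"},
]


def _parse(ts):
    """Parse the ISO-8601 UTC timestamp format used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_anomalies(records, expected_ranges=EXPECTED_CLIENT_RANGES,
                   business_hours=BUSINESS_HOURS_UTC, fanout_threshold=FANOUT_THRESHOLD):
    """Return (kind, user, detail) tuples for sessions worth an analyst's attention."""
    findings = []
    targets_per_user = defaultdict(set)
    for r in records:
        user = r["userName"]
        src = ipaddress.ip_address(r["clientIpAddress"])
        start = _parse(r["sessionStartTime"])
        # 1. Source IP outside the ranges operators are expected to use
        if not any(src in net for net in expected_ranges):
            findings.append(("unexpected_source", user, str(src)))
        # 2. Session opened outside business hours
        if start.hour not in business_hours:
            findings.append(("off_hours", user, r["sessionStartTime"]))
        targets_per_user[user].add(r["targetVMIPAddress"])
    # 3. One identity fanning out across many VMs in the window
    for user, targets in sorted(targets_per_user.items()):
        if len(targets) >= fanout_threshold:
            findings.append(("lateral_fanout", user, f"{len(targets)} distinct target VMs"))
    return findings


def sample_anomalies():
    """Run the checks over the constructed sample records."""
    return find_anomalies(SAMPLE_RECORDS)


if __name__ == "__main__":
    for kind, user, detail in sample_anomalies():
        print(f"{kind:18} {user:24} {detail}")
```

The thresholds and expected ranges are deliberately parameters: the same three checks translate directly into a KQL query with `where`, `bin()` on the start time, and a `dcount()` of target addresses per user, which is the form you would schedule as a Sentinel analytics rule.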
Advanced Features with Azure Bastion Standard Tier
- VNet peering support: Connect to VMs in peered networks, ideal for hub-and-spoke models
- IP-based access: Option to connect to VMs directly via IP address
- Session recording (preview): Record sessions for compliance or training, supporting frameworks such as the NIST Cybersecurity Framework
Bastion Setup and Networking Best Practices
To deploy Azure Bastion:
- Create a dedicated subnet named AzureBastionSubnet with at least a /26 address space
- Apply NSG outbound rules that allow internet access for the Bastion service itself (inbound rules are not required)
- Ensure no outbound User Defined Routes (UDRs) from the Bastion subnet interfere with internet-bound traffic over port 443
- Avoid routing Bastion through firewalls or appliances that perform NAT or SSL inspection
When using VNet peering, make sure route tables in spoke networks allow Bastion-to-VM communication. For broader guidance, refer to Microsoft's Azure security best practices and patterns.
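The deployment steps above are easy to get subtly wrong (a /27 instead of a /26, an RDP rule left open to the internet on the workload subnet, a default route to a firewall applied to the Bastion subnet). As an added example, not code from the article or from Microsoft, the following Python script checks a planned layout against those prerequisites before anything is deployed. The dictionary layout (keys such as "prefix", "direction", "next_hop") is an assumption chosen for this example rather than an Azure API schema, and both plans are constructed input.

```python
"""Pre-deployment checks for Azure Bastion networking (added example).

This is not the article's or Microsoft's code. It takes a plain-Python
description of the planned network and checks the prerequisites listed
above. The dictionary layout is an assumption chosen for this example,
not an Azure API schema, and the sample plans are constructed input.
"""
import ipaddress

BASTION_SUBNET_NAME = "AzureBastionSubnet"
MAX_PREFIX_LEN = 26           # "/26 or larger": prefix length must be 26 or lower
MGMT_PORTS = {"22", "3389"}   # SSH and RDP


def check_bastion_plan(vnet_cidr, subnets, workload_nsg_rules, bastion_udr_routes):
    """Return a list of human-readable findings; an empty list means the plan passes."""
    findings = []
    vnet = ipaddress.ip_network(vnet_cidr)

    bastion = next((s for s in subnets if s["name"] == BASTION_SUBNET_NAME), None)
    if bastion is None:
        return [f"no subnet named exactly {BASTION_SUBNET_NAME}"]
    b_net = ipaddress.ip_network(bastion["prefix"])

    # Subnet sizing and placement
    if b_net.prefixlen > MAX_PREFIX_LEN:
        findings.append(f"{BASTION_SUBNET_NAME} is /{b_net.prefixlen}; it must be /{MAX_PREFIX_LEN} or larger")
    if not b_net.subnet_of(vnet):
        findings.append(f"{bastion['prefix']} lies outside the VNet range {vnet_cidr}")
    for s in subnets:
        if s["name"] != BASTION_SUBNET_NAME and b_net.overlaps(ipaddress.ip_network(s["prefix"])):
            findings.append(f"{BASTION_SUBNET_NAME} overlaps subnet {s['name']}")

    # Workload subnet NSG: RDP/SSH may be allowed inbound only from the Bastion subnet.
    # In this simplified model "port" is a single port or "*".
    for r in workload_nsg_rules:
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        if (r["port"] in MGMT_PORTS or r["port"] == "*") and r["source"] != bastion["prefix"]:
            findings.append(f"rule {r['name']} allows port {r['port']} from {r['source']}; "
                            f"restrict the source to {bastion['prefix']}")

    # Bastion subnet UDRs: a default route to an appliance breaks the service's own 443 egress.
    for route in bastion_udr_routes:
        if ipaddress.ip_network(route["prefix"]).prefixlen == 0 and route["next_hop"] == "VirtualAppliance":
            findings.append(f"UDR {route['name']} sends 0.0.0.0/0 via a virtual appliance from {BASTION_SUBNET_NAME}")
    return findings


# Constructed sample: a plan with three common mistakes.
FLAWED_PLAN = {
    "vnet_cidr": "10.0.0.0/16",
    "subnets": [
        {"name": "snet-workload", "prefix": "10.0.1.0/24"},
        {"name": "AzureBastionSubnet", "prefix": "10.0.255.0/27"},      # too small
    ],
    "workload_nsg_rules": [
        {"name": "AllowBastionInbound", "direction": "Inbound", "access": "Allow",
         "port": "*", "source": "10.0.255.0/27"},
        {"name": "AllowRdpFromInternet", "direction": "Inbound", "access": "Allow",
         "port": "3389", "source": "Internet"},                          # public exposure
    ],
    "bastion_udr_routes": [
        {"name": "default-via-firewall", "prefix": "0.0.0.0/0", "next_hop": "VirtualAppliance"},
    ],
}

# The same plan with the mistakes corrected.
CORRECTED_PLAN = {
    "vnet_cidr": "10.0.0.0/16",
    "subnets": [
        {"name": "snet-workload", "prefix": "10.0.1.0/24"},
        {"name": "AzureBastionSubnet", "prefix": "10.0.255.0/26"},
    ],
    "workload_nsg_rules": [
        {"name": "AllowBastionInbound", "direction": "Inbound", "access": "Allow",
         "port": "*", "source": "10.0.255.0/26"},
        {"name": "DenyMgmtFromInternet", "direction": "Inbound", "access": "Deny",
         "port": "*", "source": "Internet"},
    ],
    "bastion_udr_routes": [],
}


def flawed_findings():
    return check_bastion_plan(**FLAWED_PLAN)


def corrected_findings():
    return check_bastion_plan(**CORRECTED_PLAN)


if __name__ == "__main__":
    for f in flawed_findings():
        print("FINDING:", f)
    print("corrected plan findings:", corrected_findings())
```

Running the script prints three findings for the flawed plan (subnet too small, RDP open from the internet on the workload subnet, default route through an appliance on the Bastion subnet) and none for the corrected one. The check on the workload NSG is the practical form of the "no inbound rules" benefit: the only inbound allow for management ports comes from the AzureBastionSubnet range itself.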
Which Remote Access Model Is Right for You?
Choosing the right solution depends on your environment:
Frequently Asked Questions
What is Azure Bastion? Azure Bastion is a fully managed platform-as-a-service (PaaS) from Microsoft that provides secure RDP and SSH access to your Azure virtual machines. It connects directly through the Azure portal over TLS on port 443, so your VMs never need a public IP address or an exposed management port.
What is the difference between a jumpbox and a bastion host? A jumpbox is a general-purpose virtual machine placed in a public subnet to serve as an access point into a private network. A bastion host is a hardened version of a jumpbox, typically configured with stricter security controls such as limited user accounts, patch management, and network segmentation. Both require ongoing maintenance, whereas Azure Bastion eliminates the need to manage a host VM entirely.
Does Azure Bastion replace the need for a VPN? Azure Bastion is designed specifically for secure RDP and SSH access to Azure VMs, not as a full network-level VPN replacement. However, for teams that only need to manage virtual machines remotely, Azure Bastion can eliminate the need for a site-to-site or point-to-site VPN by providing browser-based access without exposing public IPs.
What SKU tiers does Azure Bastion offer? Azure Bastion is available in four tiers: Developer (free, shared infrastructure for dev/test), Basic (dedicated deployment with fixed capacity), Standard (adds native client support, shareable links, IP-based connections, and host scaling), and Premium (adds session recording and private-only deployment for enhanced compliance).
Final Thoughts
Azure Bastion is the modern evolution of the jumpbox. It removes the burden of managing host machines, reduces risk by keeping VMs private, and integrates tightly with Azure identity, networking, and security services.
At Exodata, our managed IT services team helps organizations design secure remote access patterns using Azure-native services. Whether you’re setting up your first landing zone or enhancing an existing one, we can help align your architecture with Microsoft’s Well-Architected Framework and Cloud Adoption Framework.
From infrastructure as code with Bicep to secure-by-default networking, our solutions prioritize long-term scalability, compliance, and ease of use.
Ready to secure remote access to your Azure environment? Exodata can help you design and deploy Azure Bastion, configure zero trust networking, and build a secure cloud architecture aligned with Microsoft best practices. Contact us today to get started.