Let me first start by saying I LOVE Azure Bastion for connecting to my virtual machines. It negates the need for poking any holes in my tightly secured virtual networks. Bastion allows me to connect to the virtual machines through SSH using the Azure Portal while still keeping my network security groups as secure as possible.
For everyone claiming Bastion is (too) expensive, the resource certainly comes at a cost, but on the one hand, it is hard to put a price on good security measures, and on the other hand, you can usually share the Bastion resource across virtual networks and spread out the costs a bit.
As I need to set up and configure the network infrastructure I usually end up having the Contributor role, so Bastion usually just works for me, but recently we needed to set up an account just needing it to connect to the virtual machine.
Microsoft provides us with some excellent documentation explaining all the steps in setting up Bastion and provides us with the bare minimum rights in the prerequisites. The user account needs a Reader role on the virtual machine, the network interface card (NIC), and the Bastion resource itself. In addition, we need to configure our network security groups to allow RDP port 3389.
Unfortunately, if you follow all these steps in de the documentation, you can still end up with an error message when using Bastion to connect to the virtual machine: Unable to query Bastion data
This issue had been reported to Microsoft some time ago, but fortunately, there is an easy workaround which usually is an acceptable solution. If we grant the user account the Reader role on the virtual network containing the ‘AzureBastionSubnet’ and the virtual network containing the virtual machine (NIC) the user is able to connect to the virtual machine using Bastion through the Azure portal fine.
Leave a Reply