
🔒 Keep Calm and Use Azure Bastion Developer SKU for Free 💻

In today’s cloud-driven landscape, security is a shared responsibility for developers and engineers alike. Azure Bastion’s Developer SKU offers a lightweight way to securely connect to virtual machines—and did I mention it’s free? 🎉 In this post, we’ll walk through setting up Azure Bastion Developer SKU using Bicep Infrastructure as Code, fostering a “security is everyone’s responsibility” mindset as we go.

What is Azure Bastion?

Let’s start with a quick recap for those who are unfamiliar with Azure Bastion.

Azure Bastion is a fully managed service provided by Microsoft that enables secure RDP (Remote Desktop Protocol) and SSH (Secure Shell) access to virtual machines (VMs) without exposing them to the public internet. It acts like a jumpbox, providing access through a web browser. This eliminates the need for public IPs, VPNs, or separate client software.

Azure Bastion enhances security by protecting VMs within a Virtual Network (VNet) and allowing remote access only through the Azure portal. This significantly reduces the attack surface for VM access, making it a more secure and streamlined solution.

Azure Bastion is available in four SKUs:

  • Developer SKU
  • Basic SKU
  • Standard SKU
  • Premium SKU (currently in preview at the time of writing)

What makes Azure Bastion Developer SKU so special?

For starters, as mentioned, it’s free to use! Unlike the other SKUs, the Developer SKU is lightweight and specifically designed for developers, engineers, and testers who need secure VM connections but don’t require advanced Bastion features. A key difference is that the Developer SKU doesn’t deploy a dedicated host, eliminating the need for an AzureBastionSubnet and a public IP address. Instead, it operates from a shared pool. In the following sections, we’ll explore the unique deployment requirements for this SKU, as well as its pros and cons.

Figure: Microsoft Azure Bastion Developer SKU architecture. Source: https://learn.microsoft.com/en-us/azure/bastion/media/quickstart-developer-sku/bastion-shared-pool.png?wt.mc_id=DT-MVP-5005327

Pros and Cons

Pros:

  • Free to use
  • Tailor-made for Dev/Test
  • Quick and simple to set up
  • No specific network requirements
  • No public IP address needed
  • Upgradable to a higher SKU, allowing for future growth

Cons:

  • No SLA is included
  • Limited to one connection at a time
  • Lacks advanced features like VNet peering, session recording, native client access
  • Lacks scaling capabilities
  • Limited region availability

The Developer SKU is considered best for cost-effective development needs, while the other SKUs suit production with advanced requirements. For a full feature comparison list, have a look at Azure Bastion SKUs.

Deploying Azure Bastion Developer SKU using Bicep

Let’s dive into the Bicep code! While the Developer SKU has its differences, its infrastructure-as-code implementation is consistent with other SKUs, using the Microsoft.Network/bastionHosts resource type. First, start with basic Bicep module scaffolding:

Next, specify the correct SKU name:

Unlike other SKUs, the Developer SKU doesn’t require an AzureBastionSubnet or ipConfigurations, but a reference to an existing virtual network is still needed. Use the existing keyword to correctly reference the virtual network resource:

Normally, this is all that’s needed. However, deploying without a workaround may cause an InternalServerError with the message “An error occurred.” Thanks to Reddit user Content-Revolution97, we know adding an empty tags property resolves this issue:

Finally, assemble everything with parameters and documentation. Your completed module should resemble the following:
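
A module that follows the steps above, written here as an added example and not the post's original listing. The parameter names, the output, the resource symbol names and the API version `2023-11-01` are assumptions; the Developer SKU name, the `existing` virtual network reference and the empty `tags` workaround come from the text.

```bicep
// Added example: parameter names, symbol names and API versions are assumptions.

@description('Name of the Azure Bastion host.')
param bastionName string

@description('Azure region. The Developer SKU has limited region availability.')
param location string = resourceGroup().location

@description('Name of the existing virtual network that contains the target VMs.')
param virtualNetworkName string

// Reference the existing virtual network; this declaration creates nothing.
resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-11-01' existing = {
  name: virtualNetworkName
}

resource bastionHost 'Microsoft.Network/bastionHosts@2023-11-01' = {
  name: bastionName
  location: location
  // Empty tags property: the workaround for the InternalServerError described above.
  tags: {}
  sku: {
    name: 'Developer'
  }
  properties: {
    // No ipConfigurations, AzureBastionSubnet or public IP for this SKU;
    // the host only needs a reference to the virtual network.
    virtualNetwork: {
      id: virtualNetwork.id
    }
  }
}

@description('Resource ID of the deployed Bastion host.')
output bastionId string = bastionHost.id
```

Because the module declares no public IP or subnet resources, a what-if run before deployment should show the Bastion host as the only resource to be created.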

Wrapping up

And that’s all folks! I hope you found this post educational. If you are interested in the reference material used to make this post, please visit the following links.

As always, a big thanks for reading this post. If you liked it, don’t be shy and have a look at my other posts.