Azure IoT devices send telemetry to the cloud in a secure and reliable way. Although these devices are designed to be robust and can probably be configured in a zero-touch manner, sometimes you still need to log in to them, e.g. over an RDP or SSH session.
For this, we do not want to open an inbound port in the firewall that exposes a public login session; that would make the devices vulnerable to attacks from the outside world.
This blog is part two of a series about setting up a jump box in Azure to access local devices from the cloud. Part one ended with a private VM in the cloud that was accessible over a secure Azure Bastion connection.
In this blog post, we will discover how to connect to local devices (running either Windows or Ubuntu) from the cloud in a secure way, making use of the already existing VNet and the Bastion connection.
We will dive into creating a point-to-site VPN connection, generating certificates to secure the communication, and attaching various VPN clients, including one running on OpenVPN.
When you work with Azure and Azure IoT, at some point you have to think about a jump box (aka jump server).
This is a device in your network that supports access to other devices in a secure way.
Yes, you can probably already access devices in some sort of secure way using device-specific credentials, such as an RDP session or an SSH connection. Still, credentials, once remembered by a user, are hard to forget.
The trick with a jump box is to work with multiple layers of security.
First, you have to log in to one device. From there, you ‘jump’ to the next one.
The jump box should be accessible with credentials that differ from those used for the next connection.
Even better, if these credentials live in AAD, so that the login is tied to the individual user, access can be revoked as soon as someone is no longer part of the trusted group of users (e.g. when someone resigns or is fired).
Last year, I wrote this blog post about Azure Bastion already, because it is a service that we can use for exactly this.
Using Azure Bastion, only people with access to the Azure portal can use that service to reach other specific Azure resources (living in the same virtual network, on one or more subnets).
The reverse also holds: Azure Bastion can only be used through the Azure portal.
Let’s set up a jump box in Azure over a number of blog posts. We start with Azure Bastion; in later posts, we look at securing the connections to the next device.