Secure SSH Connection to a VM using Azure Bastion

Running a VM in Azure is simple. Create it and it just works.

But if you need an RDP or SSH connection to it, you have to know about the security implications.

Enabling RDP or SSH on a VM opens an inbound port for that traffic, and an exposed port is an invitation for attackers to try to get in through it.

A temporary workaround is to use a really strong password or key, or to change the port number on which the SSH/RDP service is listening. But this is still ‘like playing with fire’: determined attackers can work around both.

What we need is some kind of terminal session to the VM without opening inbound ports.

Luckily, Microsoft offers a few solutions for this.

First of all, you can make use of the serial console page of the VM instance (as seen in a previous blog).

This is a simple solution, but the console form factor is not that great, and sometimes random logging messages are written over your shell session, which makes it hard to do actual, serious work in this pane.

Microsoft recently introduced a new and better solution called Azure Bastion.

Bastion enables seamless, secure RDP/SSH connectivity to Azure Virtual Machines in your Azure Virtual Networks directly in your web browser, without the need for a public IP on your Virtual Machines.

The relationship with VMs looks like this:

VMs are placed in a virtual network that contains a subnet called ‘AzureBastionSubnet’. The Azure Bastion resource runs alongside the VMs in that subnet, and it is this resource that makes the secure SSH connection possible.

Note: you need to create an Azure portal connection ‘as a second channel’.
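To make the architecture above concrete, here is an added posture check (example code, not part of the original post or of any Azure tool): it inspects a constructed, simplified snapshot shaped like Azure resource JSON and reports what still stands in the way of a Bastion-only setup: a missing ‘AzureBastionSubnet’ (the /26 minimum size is taken from the current Azure documentation), a public IP still attached to the VM NIC, and NSG rules that allow inbound SSH/RDP from the Internet. The `BEFORE`/`AFTER` snapshots and all field names are assumptions for the example.

```python
import ipaddress

MGMT_PORTS = {22, 3389}                 # SSH and RDP
OPEN_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Constructed snapshots shaped like (simplified) Azure resource JSON; not real CLI output.
BEFORE = {  # classic setup: public IP on the VM, SSH open to the world, no Bastion subnet
    "vnet": {"subnets": [{"name": "default", "addressPrefix": "10.0.0.0/24"}]},
    "nic": {"ipConfigurations": [{"publicIpAddress": {"id": "/placeholder/pip-vm1"}}]},
    "nsgRules": [
        {"name": "AllowSSH", "direction": "Inbound", "access": "Allow",
         "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    ],
}
AFTER = {   # Bastion setup: dedicated subnet, no public IP, no inbound management rules
    "vnet": {"subnets": [
        {"name": "default", "addressPrefix": "10.0.0.0/24"},
        {"name": "AzureBastionSubnet", "addressPrefix": "10.0.1.0/26"},
    ]},
    "nic": {"ipConfigurations": [{"publicIpAddress": None}]},
    "nsgRules": [],
}

def port_range_hits(port_range, ports):
    """True if an NSG destinationPortRange string ('22', '20-25', '*') covers any of `ports`."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return any(lo <= p <= hi for p in ports)

def findings(snapshot):
    """Return a list of posture problems; an empty list means the VM is Bastion-ready."""
    out = []
    subnets = {s["name"]: s["addressPrefix"] for s in snapshot["vnet"]["subnets"]}
    prefix = subnets.get("AzureBastionSubnet")
    if prefix is None:
        out.append("VNet has no subnet named AzureBastionSubnet")
    elif ipaddress.ip_network(prefix).prefixlen > 26:
        out.append(f"AzureBastionSubnet {prefix} is smaller than the documented /26 minimum")
    for cfg in snapshot["nic"]["ipConfigurations"]:
        if cfg.get("publicIpAddress"):
            out.append("VM NIC still has a public IP attached")
    for r in snapshot["nsgRules"]:
        if (r["direction"] == "Inbound" and r["access"] == "Allow"
                and r["sourceAddressPrefix"] in OPEN_SOURCES
                and port_range_hits(r["destinationPortRange"], MGMT_PORTS)):
            out.append(f"NSG rule {r['name']!r} allows inbound {r['destinationPortRange']} "
                       f"from {r['sourceAddressPrefix']}")
    return out

if __name__ == "__main__":
    for label, snap in (("before", BEFORE), ("after", AFTER)):
        print(label, findings(snap) or ["OK"])
```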

Let’s see how this works.

Azure Security Center for IoT on the Edge

At this year’s Microsoft Build event, Microsoft announced support for IoT devices in their Azure Security Center.

This is a potentially interesting solution for checking all your IoT devices for security issues and a centralized way to react to these issues. There are both recommendations and imminent alerts to respond to:

It is advertised like this:

“Azure Security Center for IoT provides visibility into the security posture and state of your Azure IoT solution – from devices to applications”

This is a promising solution for the S of security in IoT (yes, there is no security in IoT 🙂 ).

Azure Security Center for IoT is currently in public preview but we can already try out its functionality.

ASC for IoT is presented in the Azure portal as part of the IoT Hub. There’s a thirty-day trial; I have not calculated the costs yet, but you can try it out for yourself here.

There is a free tier, but the standard tier is much more interesting. We will see that, e.g., the security event collection is very powerful:

In this blog, we check out how we can combine Azure Security Center for IoT with IoT Edge. This turns out to be surprisingly easy.