Understanding Jumpboxes, Bastion Hosts, and Azure Bastion
When managing virtual machines (VMs), especially in cloud environments, secure remote access is crucial. Exposing VMs directly to the internet increases the attack surface, which is why secure access patterns—like using jumpboxes or bastion hosts—are essential.
Microsoft Azure offers a native service called Azure Bastion that simplifies and strengthens this remote access model.
In this guide, we will explore the differences between traditional solutions and Azure Bastion, and help you determine the best fit for your environment.
What Is a Jumpbox or Bastion Host?
A jumpbox (or jump server) is a VM placed in a public subnet that acts as an entry point into a private network. A bastion host is a hardened and more secure version of a jumpbox, typically used in production environments.
Key characteristics:
Deployed in a public subnet with a public IP.
Used to access private VMs via RDP (Windows) or SSH (Linux).
Acts as a gatekeeper, minimizing exposure of internal systems.
Azure Bastion: A Cloud-Native Approach
Azure Bastion is a fully managed PaaS (Platform-as-a-Service) offering from Microsoft that provides secure and seamless RDP and SSH connectivity to Azure virtual machines without requiring a public IP address on the target VM. Connections are initiated via the Azure Portal over TLS (port 443), eliminating the need to open inbound ports like 3389 or 22.
This model significantly reduces the attack surface, aligns with zero trust principles, and simplifies access for IT admins, DevOps teams, and support personnel.
Improved Security Posture
No Public IPs Required: VMs remain fully private. Even administrative access does not expose them to the internet.
No Inbound NSG Rules: With Bastion, you do not need to allow inbound RDP/SSH ports in the NSGs of your workload subnets. Only the Bastion subnet (AzureBastionSubnet) requires specific egress access.
TLS-based Access: Sessions are brokered through Bastion using secure TLS tunnels on port 443, ensuring encrypted communications.
Defensible Architecture: Enables microsegmentation by centralizing access while keeping workloads isolated in private subnets.
Browser-Based Access
Azure Portal Integration: Users initiate SSH/RDP directly from the Azure Portal—no need for client software or VPN.
Platform-Agnostic Access: Works on Windows, macOS, or Linux without additional client dependencies.
Identity-Based Access: Combined with RBAC and optionally Conditional Access, you can enforce contextual policies (e.g., location, MFA) on who can initiate sessions.
No VM Management Required
No OS Patching: Unlike self-managed jumpboxes, you don’t need to monitor or patch the host machine.
Built-in HA: Azure Bastion is deployed in a zone-resilient, fully managed configuration (if using Standard tier in a supported region), eliminating the need for HA setups.
Reduced Operational Overhead: Frees up engineering resources that would otherwise be spent managing IaaS jumpboxes or hardened servers.
RBAC and Conditional Access Integration
Fine-Grained Access Control: Use built-in or custom Azure RBAC roles to control who can use Bastion and which VMs they can connect to.
Auditable Access: Since access is gated through the Azure control plane, actions can be monitored and logged.
Conditional Access Enforcement: Integrate with Entra ID (formerly Azure AD) to enforce policies like device compliance, MFA, and user risk levels.
Monitoring and Auditing
Azure Monitor Integration: Bastion supports diagnostic settings to send logs to Log Analytics, Event Hubs, or Storage Accounts.
Session Logs: You can capture user connection attempts, IP addresses, session start/end times, and more for audit trails.
Insights for SecOps: Enable threat hunting or suspicious behavior detection using KQL queries in Azure Sentinel (Microsoft Defender XDR).
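The monitoring setup described above can be expressed as infrastructure-as-code. The following Bicep is an added example, not code from the article or from Lunavi: it turns on the BastionAuditLogs diagnostic category for an existing Bastion host, ships it to an existing Log Analytics workspace, and creates a scheduled query alert over the MicrosoftAzureBastionAuditLogs table (the table and column names are the ones Microsoft documents for Bastion audit logs). The resource names, the optional action group, and the fan-out thresholds in the KQL are assumptions chosen for illustration.

```bicep
// Added example (not from the original article): ship Bastion audit logs to Log
// Analytics and alert on unusual session fan-out. Names and thresholds are assumptions.
param location string = resourceGroup().location
param bastionName string            // existing Azure Bastion host in this resource group
param workspaceName string          // existing Log Analytics workspace in this resource group
param actionGroupId string = ''     // optional action group resource ID to notify (assumed)

resource bastion 'Microsoft.Network/bastionHosts@2023-09-01' existing = {
  name: bastionName
}

resource workspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}

// Diagnostic setting: BastionAuditLogs records who connected, from which client IP,
// over which protocol, to which target VM, and when the session started and ended.
resource bastionDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'bastion-to-law'
  scope: bastion
  properties: {
    workspaceId: workspace.id
    logs: [
      {
        category: 'BastionAuditLogs'
        enabled: true
      }
    ]
  }
}

// KQL evaluated by the alert rule: one identity/client-IP pair producing many audit
// events or reaching many distinct targets inside the window. Thresholds are constructed.
var fanOutQuery = '''
MicrosoftAzureBastionAuditLogs
| summarize Events = count(),
            Targets = dcount(TargetVMIPAddress),
            Protocols = make_set(Protocol)
  by UserName, ClientIpAddress
| where Events > 20 or Targets > 5
'''

resource fanOutAlert 'Microsoft.Insights/scheduledQueryRules@2021-08-01' = {
  name: 'bastion-session-fanout'
  location: location
  kind: 'LogAlert'
  properties: {
    displayName: 'Azure Bastion: unusual session fan-out'
    description: 'One identity/client IP generated many Bastion sessions or reached many targets in the last hour.'
    severity: 2
    enabled: true
    scopes: [ workspace.id ]
    evaluationFrequency: 'PT15M'
    windowSize: 'PT1H'
    criteria: {
      allOf: [
        {
          query: fanOutQuery
          timeAggregation: 'Count'
          operator: 'GreaterThan'
          threshold: 0
          failingPeriods: {
            numberOfEvaluationPeriods: 1
            minFailingPeriodsToAlert: 1
          }
        }
      ]
    }
    autoMitigate: false
    actions: empty(actionGroupId) ? {} : {
      actionGroups: [ actionGroupId ]
    }
  }
}
```

The alert fires on the count of rows the query returns, so any pair that crosses either threshold raises one alert per evaluation; tune the thresholds against a baseline of normal administrative activity before routing it to an on-call action group.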
Additional Features (Standard Tier Only)
VNet Peering Support: Azure Bastion Standard can connect to VMs in peered VNets—ideal for hub-and-spoke or landing zone architectures.
Native IP-Based Connection: Option to connect to VMs using IP address (vs only Azure resource reference).
Session Recording (Preview): Microsoft is introducing session recording for auditing and compliance purposes.
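As an added example (not code from the article or from Lunavi), the Bicep below deploys a Standard-tier Bastion host with the Standard-only options from this section switched on, the clipboard and file-copy conveniences switched off, and the Reader role assignment from the RBAC section granted to an operators' group on the Bastion resource. It assumes an existing hub VNet that already contains the AzureBastionSubnet; the VNet name, host name and the group's object ID are parameters you supply. Session recording is not configured here because the article describes it as preview.

```bicep
// Added example (not from the original article): Standard-tier Azure Bastion host with
// hardening toggles and a least-privilege role assignment. Names and IDs are assumptions.
param location string = resourceGroup().location
param vnetName string                      // existing hub VNet that already contains AzureBastionSubnet
param bastionName string = 'bas-hub'
param operatorsGroupObjectId string        // Entra ID group that is allowed to open Bastion sessions

// Built-in Reader role definition ID (fixed GUID in every Azure tenant)
var readerRoleId = 'acdd72a7-3385-48ef-bd42-f606fba81ae7'

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: vnetName
}

resource bastionSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' existing = {
  parent: vnet
  name: 'AzureBastionSubnet'   // fixed name required by the platform
}

// The only public IP in this design belongs to Bastion, never to a workload VM.
resource bastionPip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-${bastionName}'
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

resource bastion 'Microsoft.Network/bastionHosts@2023-09-01' = {
  name: bastionName
  location: location
  sku: { name: 'Standard' }
  properties: {
    scaleUnits: 2              // Standard tier: scale out for more concurrent sessions
    enableIpConnect: true      // native IP-based connection (Standard only)
    enableTunneling: true      // native-client tunnelling through Bastion (Standard only)
    enableShareableLink: false // no links that let someone connect without passing Azure RBAC
    disableCopyPaste: true     // closes the clipboard as a data-transfer path out of the session
    enableFileCopy: false      // no file transfer through the session
    ipConfigurations: [
      {
        name: 'ipconfig'
        properties: {
          subnet: { id: bastionSubnet.id }
          publicIPAddress: { id: bastionPip.id }
        }
      }
    ]
  }
}

// Reader on the Bastion resource is what lets a user start a session from the portal.
// The same principal also needs Reader on each target VM and its NIC; assign those at
// VM scope so operators can reach only the machines they are meant to.
resource operatorsCanUseBastion 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(bastion.id, operatorsGroupObjectId, readerRoleId)
  scope: bastion
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', readerRoleId)
    principalId: operatorsGroupObjectId
    principalType: 'Group'
  }
}

output bastionId string = bastion.id
```

Keeping the role assignment at the Bastion resource scope (rather than at resource group or subscription) is what makes the "which VMs they can connect to" control real: a user who holds Reader on Bastion but not on a given VM cannot open a session to it from the portal.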
Comparison: Azure Bastion Basic vs. Standard
NSG and Route Table Setup Recommendations for Azure Bastion
Azure Bastion Subnet Requirements
You must create a dedicated subnet named AzureBastionSubnet with at least a /26 address space.
NSG (Network Security Group) Rules
Apply an NSG to the AzureBastionSubnet with only the following outbound rules:
Note: No inbound rules are required because connections are initiated by the platform.
User Defined Route (UDR) Considerations
Avoid routing traffic to the internet from the Bastion subnet through on-premise or a firewall appliance (like Azure Firewall or NVA).
Bastion must be able to reach the internet over port 443 without interception or NAT modification.
Route tables for spoke VNets (when using VNet peering) should not block Bastion-to-VM communication.
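The subnet, NSG and route-table guidance above, as an added Bicep example that is not code from the article or from Lunavi. The rule set follows Microsoft's published NSG requirements for AzureBastionSubnet; note that those requirements also include inbound rules (443 from the Internet and GatewayManager service tags, 443 from AzureLoadBalancer, and 8080/5701 within the VNet), all of which terminate on the Bastion instances themselves and are never forwarded to workload VMs. The subnet is created with the NSG attached and deliberately no route table, so nothing forces its 443 egress through a firewall or NVA. The VNet name and the /26 prefix are assumptions.

```bicep
// Added example (not from the original article): NSG for AzureBastionSubnet built from
// Microsoft's published rule requirements, attached to a subnet that has no route table.
// VNet name and address prefix are assumptions.
param location string = resourceGroup().location
param vnetName string                              // existing hub VNet
param bastionSubnetPrefix string = '10.0.255.0/26' // /26 is the minimum; constructed value

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: vnetName
}

// Compact rule table; expanded into full securityRules below.
var bastionRules = [
  // Inbound: all of these terminate on the Bastion instances, not on the workload VMs
  { name: 'AllowHttpsInbound',           dir: 'Inbound',  prio: 120, src: 'Internet',          dst: '*',              ports: ['443'] }
  { name: 'AllowGatewayManagerInbound',  dir: 'Inbound',  prio: 130, src: 'GatewayManager',    dst: '*',              ports: ['443'] }
  { name: 'AllowLoadBalancerInbound',    dir: 'Inbound',  prio: 140, src: 'AzureLoadBalancer', dst: '*',              ports: ['443'] }
  { name: 'AllowBastionHostCommInbound', dir: 'Inbound',  prio: 150, src: 'VirtualNetwork',    dst: 'VirtualNetwork', ports: ['8080', '5701'] }
  // Outbound: RDP/SSH to workloads, Bastion data plane, Azure control plane, certificate/session validation
  { name: 'AllowSshRdpOutbound',         dir: 'Outbound', prio: 100, src: '*',                 dst: 'VirtualNetwork', ports: ['22', '3389'] }
  { name: 'AllowAzureCloudOutbound',     dir: 'Outbound', prio: 110, src: '*',                 dst: 'AzureCloud',     ports: ['443'] }
  { name: 'AllowBastionCommOutbound',    dir: 'Outbound', prio: 120, src: '*',                 dst: 'VirtualNetwork', ports: ['8080', '5701'] }
  { name: 'AllowGetSessionInfoOutbound', dir: 'Outbound', prio: 130, src: '*',                 dst: 'Internet',       ports: ['80'] }
]

resource bastionNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-AzureBastionSubnet'
  location: location
  properties: {
    // Everything not listed falls through to the platform's default DenyAllInbound /
    // DenyAllOutbound rules, so the subnet carries only what Bastion needs.
    securityRules: [for r in bastionRules: {
      name: r.name
      properties: {
        priority: r.prio
        direction: r.dir
        access: 'Allow'
        protocol: 'Tcp'
        sourceAddressPrefix: r.src
        sourcePortRange: '*'
        destinationAddressPrefix: r.dst
        destinationPortRanges: r.ports
      }
    }]
  }
}

// AzureBastionSubnet with the NSG attached and intentionally no routeTable property:
// a UDR sending 0.0.0.0/0 through a firewall or NVA is not supported on this subnet,
// and Bastion must reach Azure over 443 directly without NAT or interception.
resource bastionSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet
  name: 'AzureBastionSubnet'
  properties: {
    addressPrefix: bastionSubnetPrefix
    networkSecurityGroup: { id: bastionNsg.id }
  }
}

output bastionSubnetId string = bastionSubnet.id
output bastionNsgId string = bastionNsg.id
```

For the spoke side, leave the peering system route for the hub address range (which contains AzureBastionSubnet) in place; a spoke route table that overrides the hub prefix toward a firewall will break the Bastion-to-VM path even though the Bastion subnet itself is correctly configured.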
Secure Remote Access to Azure VMs using Azure Bastion – A Lunavi-Architected Design Following Azure Well-Architected Framework and Cloud Adoption Framework Principles.
Which Option Should You Choose?
Final Recommendations
Choosing the right remote access model depends on your environment, risk tolerance, and operational requirements:
Quick access or testing environments? Use a jumpbox for fast, low-overhead connectivity.
Need strong security and fine-grained control? Deploy a bastion host with hardened configurations.
Looking for a modern, Azure-native experience with minimal maintenance? Adopt Azure Bastion for seamless, browser-based access without exposing your VMs to the internet.
At Lunavi, we help organizations architect secure, scalable, and enterprise-ready Azure environments. We go beyond basic deployments by leveraging:
The Azure Well-Architected Framework (WAF) to ensure reliability, security, performance efficiency, cost optimization, and operational excellence.
Microsoft’s Cloud Adoption Framework (CAF) to ensure alignment with governance, compliance, and landing zone architecture standards.
Bicep infrastructure-as-code to automate deployments with consistency, security, and traceability across environments.
Whether you are modernizing legacy infrastructure or building new workloads in the cloud, our team ensures your remote access solutions are secure by design, policy-driven, and aligned with Azure best practices.