Just in case someone came across a problem defining proper nsg rules for Azure Bastion…
Well, here they are:
Works like a charm 😀
And below the ARM for it:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"projectPrefix": {
"type": "string",
"metadata": {
"description": "Prefix for the name of resources."
}
},
"resourceLocation": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
}
},
"variables": {
"nsgName": "[concat(parameters('projectPrefix'), 'NSG-Bastion')]"
},
"resources": [
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2019-09-01",
"name": "[variables('nsgName')]",
"location": "[parameters('resourceLocation')]",
"properties": {
"securityRules": [
{
"name": "InboundFromAny",
"properties": {
"description": "Allow connection from any host on https.",
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "443",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 100,
"direction": "Inbound",
"sourcePortRanges": [
],
"destinationPortRanges": [
],
"sourceAddressPrefixes": [
],
"destinationAddressPrefixes": [
]
}
},
{
"name": "InboundFromGM",
"properties": {
"description": "This enables the control plane, that is, Gateway Manager to be able to talk to Azure Bastion.",
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "443",
"sourceAddressPrefix": "GatewayManager",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 120,
"direction": "Inbound",
"sourcePortRanges": [
],
"destinationPortRanges": [
],
"sourceAddressPrefixes": [
],
"destinationAddressPrefixes": [
]
}
},
{
"name": "OutboundToVNET_SSH",
"properties": {
"description": "Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP and SSH port",
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "22",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "VirtualNetwork",
"access": "Allow",
"priority": 120,
"direction": "Outbound",
"sourcePortRanges": [
],
"destinationPortRanges": [
],
"sourceAddressPrefixes": [
],
"destinationAddressPrefixes": [
]
}
},
{
"name": "OutboundToVNET_RDP",
"properties": {
"description": "Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP and RDP port",
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "VirtualNetwork",
"access": "Allow",
"priority": 110,
"direction": "Outbound",
"sourcePortRanges": [
],
"destinationPortRanges": [
],
"sourceAddressPrefixes": [
],
"destinationAddressPrefixes": [
]
}
},
{
"name": "OutboundHTTPStoAzureCloud",
"properties": {
"description": "Egress Traffic to other public endpoints in Azure",
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "443",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "AzureCloud",
"access": "Allow",
"priority": 100,
"direction": "Outbound",
"sourcePortRanges": [
],
"destinationPortRanges": [
],
"sourceAddressPrefixes": [
],
"destinationAddressPrefixes": [
]
}
}
]
}
},
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2019-09-01",
"name": "[concat(variables('nsgName'), '/InboundFromAny')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
],
"properties": {
"description": "Allow connection from any host on https.",
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "443",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 100,
"direction": "Inbound",
"sourcePortRanges": [
],
"destinationPortRanges": [
],
"sourceAddressPrefixes": [
],
"destinationAddressPrefixes": [
]
}
},
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2019-09-01",
"name": "[concat(variables('nsgName'), '/InboundFromGM')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
],
"properties": {
"description": "This enables the control plane, that is, Gateway Manager to be able to talk to Azure Bastion.",
"protocol": "TCP",
"sourcePortRange": "*",
"sourceAddressPrefix": "GatewayManager",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 120,
"direction": "Inbound",
"sourcePortRanges": [
],
"destinationPortRanges": [
"443",
"4443"
],
"sourceAddressPrefixes": [
],
"destinationAddressPrefixes": [
]
}
},
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2019-09-01",
"name": "[concat(variables('nsgName'), '/OutboundHTTPStoAzureCloud')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
],
"properties": {
"description": "Egress Traffic to other public endpoints in Azure",
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "443",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "AzureCloud",
"access": "Allow",
"priority": 100,
"direction": "Outbound",
"sourcePortRanges": [
],
"destinationPortRanges": [
],
"sourceAddressPrefixes": [
],
"destinationAddressPrefixes": [
]
}
},
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2019-09-01",
"name": "[concat(variables('nsgName'), '/OutboundToVNET_RDP')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
],
"properties": {
"description": "Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP and RDP port",
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "3389",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "VirtualNetwork",
"access": "Allow",
"priority": 110,
"direction": "Outbound",
"sourcePortRanges": [
],
"destinationPortRanges": [
],
"sourceAddressPrefixes": [
],
"destinationAddressPrefixes": [
]
}
},
{
"type": "Microsoft.Network/networkSecurityGroups/securityRules",
"apiVersion": "2019-09-01",
"name": "[concat(variables('nsgName'), '/OutboundToVNET_SSH')]",
"dependsOn": [
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]"
],
"properties": {
"description": "Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP and SSH port",
"protocol": "TCP",
"sourcePortRange": "*",
"destinationPortRange": "22",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "VirtualNetwork",
"access": "Allow",
"priority": 120,
"direction": "Outbound",
"sourcePortRanges": [
],
"destinationPortRanges": [
],
"sourceAddressPrefixes": [
],
"destinationAddressPrefixes": [
]
}
}
]
}
