Merge pull request #310780 from asudbring/tsk544780-sfi-bastion

Stacyrch140 · web-flow · commit a67f34b2e5f9 · 2026-01-22T15:09:47.000-05:00
Replace RDP/DNAT with Azure Bastion in tutorial-firewall-deploy-portal.md
diff --git a/articles/firewall/tutorial-firewall-deploy-portal.md b/articles/firewall/tutorial-firewall-deploy-portal.md
@@ -25,7 +25,7 @@ Network traffic is subjected to the configured firewall rules when you route you
 
 For this article, you create a simplified single virtual network with two subnets for easy deployment.
 
-For production deployments, a [hub and spoke model](/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) is recommended, where the firewall is in its own virtual network. The workload servers are in peered virtual networks in the same region with one or more subnets.
+For production deployments, a [hub and spoke model](/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) is recommended, where the firewall is in its own virtual network. The workload servers are in peered virtual networks in West US with one or more subnets.
 
 * **AzureFirewallSubnet** - the firewall is in this subnet.
 * **Workload-SN** - the workload server is in this subnet. This subnet's network traffic goes through the firewall.
@@ -40,7 +40,7 @@ In this article, you learn how to:
 > * Create a default route
 > * Configure an application rule to allow access to www.google.com
 > * Configure a network rule to allow access to external DNS servers
-> * Configure a NAT rule to allow a remote desktop to the test server
+ > * Deploy Azure Bastion for secure VM access
 > * Test the firewall
 
 > [!NOTE]
@@ -64,7 +64,7 @@ The resource group contains all the resources used in this procedure.
 2. On the Azure portal menu, select **Resource groups** or search for and select *Resource groups* from any page. Then select **Create**.
 4. For **Subscription**, select your subscription.
 1. For **Resource group** name, type **Test-FW-RG**.
-1. For **Region**, select a region. All other resources that you create must be in the same region.
+1. For **Region**, select **West US**. All other resources that you create must be in West US.
 1. Select **Review + create**.
 1. Select **Create**.
 
@@ -81,7 +81,7 @@ This virtual network has two subnets.
 1. For **Subscription**, select your subscription.
 1. For **Resource group**, select **Test-FW-RG**.
 1. For **Virtual network name**, type **Test-FW-VN**.
-1. For **Region**, select the same region that you used previously.
+1. For **Region**, select **West US**.
 1. Select **Next**.
 1. On the **Security** tab, select **Enable Azure Firewall**.
 1. For **Azure Firewall name**, type **Test-FW01**.
@@ -103,17 +103,20 @@ This virtual network has two subnets.
 Now create the workload virtual machine, and place it in the **Workload-SN** subnet.
 
 1. On the Azure portal menu or from the **Home** page, select **Create a resource**.
-2. Select **Windows Server 2019 Datacenter**.
+2. Select **Ubuntu Server 22.04 LTS**.
 4. Enter these values for the virtual machine:
 
    |Setting  |Value  |
    |---------|---------|
    |Resource group     |**Test-FW-RG**|
    |Virtual machine name     |**Srv-Work**|
-   |Region     |Same as previous|
-   |Image|Windows Server 2019 Datacenter|
-   |Administrator user name     |Type a user name|
-   |Password     |Type a password|
+   |Region     |West US|
+   |Image|Ubuntu Server 22.04 LTS - x64 Gen2|
+   |Size|Standard_B2s|
+   |Authentication type|SSH public key|
+   |Username     |**azureuser**|
+   |SSH public key source|Generate new key pair|
+   |Key pair name|**Srv-Work_key**|
 
 4. Under **Inbound port rules**, **Public inbound ports**, select **None**.
 6. Accept the other defaults and select **Next: Disks**.
@@ -124,6 +127,7 @@ Now create the workload virtual machine, and place it in the **Workload-SN** sub
 1. Accept the defaults and select **Next: Monitoring**.
 1. For **Boot diagnostics**, select **Disable** to disable boot diagnostics. Accept the other defaults and select **Review + create**.
 1. Review the settings on the summary page, and then select **Create**.
+1. On the **Generate new key pair** dialog, select **Download private key and create resource**. Save the key file as **Srv-Work_key.pem**.
 1. After the deployment is complete, select **Go to resource** and note the **Srv-Work** private IP address that you'll need to use later.
 
 [!INCLUDE [ephemeral-ip-note.md](~/reusable-content/ce-skilling/azure/includes/ephemeral-ip-note.md)]
@@ -147,7 +151,7 @@ For the **Workload-SN** subnet, configure the outbound default route to go throu
 1. Select **Create**.
 1. For **Subscription**, select your subscription.
 1. For **Resource group**, select **Test-FW-RG**.
-1. For **Region**, select the same location that you used previously.
+1. For **Region**, select **West US**.
 1. For **Name**, type **Firewall-route**.
 1. Select **Review + create**.
 1. Select **Create**.
@@ -209,24 +213,34 @@ This is the network rule that allows outbound access to two IP addresses at port
 1. For **Destination Ports**, type **53**.
 2. Select **Add**.
 
-## Configure a DNAT rule
+## Deploy Azure Bastion
 
-This rule allows you to connect a remote desktop to the Srv-Work virtual machine through the firewall.
+Now deploy Azure Bastion to provide secure access to the virtual machine.
 
-1. Select the **NAT rule collection** tab.
-2. Select **Add NAT rule collection**.
-3. For **Name**, type **rdp**.
-4. For **Priority**, type **200**.
-5. Under **Rules**, for **Name**, type **rdp-nat**.
-6. For **Protocol**, select **TCP**.
-7. For **Source type**, select **IP address**.
-8. For **Source**, type **\***.
-9. For **Destination address**, type the firewall public IP address.
-10. For **Destination Ports**, type **3389**.
-11. For **Translated address**, type the Srv-work private IP address.
-12. For **Translated port**, type **3389**.
-13. Select **Add**.
+1. On the Azure portal menu, select **Create a resource**.
+1. In the search box, type **Bastion** and select it from the results.
+1. Select **Create**.
+1. On the **Create a Bastion** page, configure the following settings:
+
+   | Setting | Value |
+   |---------|-------|
+   | Subscription | Select your subscription |
+   | Resource group | **Test-FW-RG** |
+   | Name | **Test-Bastion** |
+   | Region | West US |
+   | Tier | **Developer** |
+   | Virtual network | **Test-FW-VN** |
+   | Subnet | Select **Manage subnet configuration** |
+
+1. In the **Subnets** page, select **+ Subnet**.
+1. Configure the new subnet:
+   - **Name**: **AzureBastionSubnet** (this name is required)
+   - **Subnet address range**: **10.0.4.0/26**
+1. Select **Save** and close the subnets page.
+1. Select **Review + create**.
+1. After validation passes, select **Create**.
 
+   The Bastion deployment takes about 10 minutes to complete.
 
 ### Change the primary and secondary DNS address for the **Srv-Work** network interface
 
@@ -244,19 +258,35 @@ For testing purposes, configure the server's primary and secondary DNS addresses
 
 Now, test the firewall to confirm that it works as expected.
 
-1. Connect a remote desktop to the firewall public IP address and sign in to the Srv-Work virtual machine.
-1. Open Internet Explorer and browse to `https://www.google.com`.
-4. Select **OK** > **Close** on the Internet Explorer security alerts.
+1. In the Azure portal, navigate to the **Srv-Work** virtual machine.
+1. Select **Connect**, then select **Connect via Bastion**.
+1. Select **Use SSH Private Key from Local File**.
+1. For **Username**, type **azureuser**.
+1. Select the folder icon and browse to the **Srv-Work_key.pem** file you downloaded earlier.
+1. Select **Connect**.
+1. At the bash prompt, run the following commands to test DNS resolution:
+
+   ```bash
+   nslookup www.google.com
+   nslookup www.microsoft.com
+   ```
+
+   Both commands should return answers, showing that your DNS queries are getting through the firewall.
 
-   You should see the Google home page.
+1. Run the following commands to test the application rule:
 
-5. Browse to `https://www.microsoft.com`.
+   ```bash
+   curl https://www.google.com
+   curl https://www.microsoft.com
+   ```
 
-   The firewall should block you.
+   The `www.google.com` request should succeed, and you should see the HTML response.
+   
+   The `www.microsoft.com` request should fail, showing that the firewall is blocking the request.
 
 So now you verified that the firewall rules are working:
 
-* You can connect to the virtual machine using RDP.
+* You can connect to the virtual machine using Bastion and SSH.
 * You can browse to the one allowed FQDN, but not to any others.
 * You can resolve DNS names using the configured external DNS server.
 
