Securing Remote Access: Entra-Powered Bastion Host Deployments on Azure Local SDN

Introduction

Remote administration is essential for modern IT environments, yet providing secure, auditable, and compliant access to internal workloads remains a constant challenge. With the rise of hybrid infrastructure, Azure Local (formerly Azure Stack HCI), with SDN deployed through SDN Express, lets organizations apply cloud-native security controls on-premises. In this guide, we walk through building a robust Bastion/Jumpbox solution for administrators, tightly integrated with Microsoft Entra authentication and SDN network controls for restricted ingress and comprehensive monitoring.

You will learn how to:

  • Architect a secure Bastion host using Azure Local SDN and Entra authentication
  • Configure access policies, conditional access, and multifactor authentication
  • Deploy and manage jumpbox VMs using PowerShell and Bicep
  • Monitor, audit, and alert on remote access events with modern SIEM integration

Table of Contents

  1. Understanding Bastion Hosts and Zero Trust
  2. Solution Architecture Overview
  3. Entra Authentication for Bastion Access
  4. Network Design with Azure Local SDN
  5. Step-by-Step Deployment Tutorial
    • Prerequisites
    • Network configuration (VNet, Subnet, NSG, SLB)
    • Bastion VM deployment
    • Entra integration
  6. Automated Provisioning with PowerShell and Bicep
  7. Monitoring and Auditing Remote Access
  8. Best Practices and Common Pitfalls
  9. Conclusion

Understanding Bastion Hosts and Zero Trust

A Bastion host (or jumpbox) is a hardened system placed on a network boundary that administrators use as a secure entry point to manage servers inside private subnets. Unlike exposing RDP or SSH ports to the world, the Bastion model limits attack surface and makes auditing straightforward.

Zero Trust principles require verifying every access request, enforcing least privilege, and continuously monitoring activity. By integrating Microsoft Entra authentication with Azure Local SDN, organizations can:

  • Eliminate the need for VPNs for admin access
  • Enforce strong identity-based access (with Conditional Access and MFA)
  • Centrally control and monitor ingress points

Solution Architecture Overview

A typical Entra-powered Bastion on Azure Local SDN is built from these key components:

  • Bastion Host: Single ingress point, hardened, no public IP required
  • Microsoft Entra: Controls admin authentication (with Privileged Identity Management for just-in-time role activation)
  • SDN NSG/SLB: Network segmentation and access control
  • Log Analytics/SIEM: Centralized auditing and alerting

Entra Authentication for Bastion Access

Why Entra?

Microsoft Entra (formerly Azure Active Directory) provides identity-driven access control for all cloud and hybrid resources. For Bastion deployments, Entra enables:

  • Single sign-on for admins
  • Conditional Access policies (location, device, risk)
  • Multifactor Authentication (MFA)
  • Fine-grained role assignment (RBAC)

Setting up Entra for Bastion Access

  1. Register the Bastion App:
    In Entra, create an enterprise application for your Bastion or RDP gateway, if not using native Azure Bastion.
  2. Assign Admin Roles:
    Use built-in or custom roles to restrict access. Assign only the required users/groups.
  3. Configure Conditional Access:
    Define rules for allowed locations, devices, MFA requirements, session controls, and more.
  4. Enable MFA:
    Enforce MFA for all privileged users.
  5. Audit Sign-In Logs:
    Set up Log Analytics or forward to SIEM for ongoing monitoring.
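The Conditional Access step above, as an added example (not code from the original post): a report-only policy created with Microsoft Graph PowerShell that requires MFA for members of a Bastion admin group when they sign in to Windows VMs with Entra credentials. The group name "Bastion-Admins" is an assumption; the cloud app is resolved by display name rather than a hard-coded app ID, and falls back to all apps if the service principal is not yet present in the tenant.

```powershell
# Added example: Conditional Access policy for Bastion admins via Microsoft Graph PowerShell.
# Assumptions: a group named "Bastion-Admins" exists; you hold a role allowed to create CA policies.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All", "Application.Read.All"

$group = Get-MgGroup -Filter "displayName eq 'Bastion-Admins'"
if (-not $group) { throw "Group 'Bastion-Admins' not found; create it and add your admins first" }

# First-party app that Entra-authenticated Windows VM RDP sign-ins are evaluated against
$vmSignIn   = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Azure Windows Virtual Machine Sign-In'"
$targetApps = if ($vmSignIn) { @($vmSignIn.AppId) } else { @("All") }   # fallback: scope to all apps

$policy = @{
    displayName = "Bastion admins - require MFA for VM sign-in"
    # Report-only first: review the sign-in log "Report-only" tab, then switch to "enabled".
    # Creating an enforced policy that targets your own admin group is how lockouts happen.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($group.Id) }
        applications   = @{ includeApplications = $targetApps }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"

# Verify: every CA policy that currently targets the Bastion admin group
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Conditions.Users.IncludeGroups -contains $group.Id } |
    Select-Object DisplayName, State
```

Keep at least one break-glass account excluded from this policy (excludeUsers) so an MFA outage does not lock every admin out of the Bastion.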

Network Design with Azure Local SDN

SDN Components in Azure Local

  • Virtual Networks (VNets): Logical network segmentation
  • Subnets: Network zones for Bastion, workloads, and management
  • Network Security Groups (NSGs): Control ingress/egress per subnet or NIC
  • Software Load Balancer (SLB): Distributes admin traffic if deploying a Bastion cluster

Sample Topology

Subnet Name        Purpose                   Example Address Range
BastionSubnet      Bastion host only         10.10.1.0/27
WorkloadSubnet     Application servers       10.10.2.0/24
ManagementSubnet   Management-only traffic   10.10.3.0/24

Tip: NSG rules match on source address, port, and protocol, not on identity. Use them to allow RDP/SSH to the Bastion only from approved admin source ranges and to deny all other inbound traffic; identity checks (MFA, device state, location) belong to Entra Conditional Access at sign-in time.


Step-by-Step Deployment Tutorial

Prerequisites

  • Azure Local (Azure Stack HCI) with SDN Express deployed
  • Admin access to Entra and Azure Stack HCI
  • PowerShell 7+ on your admin machine
  • Network planning completed

1. Define and Deploy Network Segments

PowerShell Example:

# Sign in to Azure. These Az.Network cmdlets address the Azure control plane; the SDN
# running on Azure Local itself is programmed through the Network Controller cmdlets.
Connect-AzAccount
$rg = "SDNResourceGroup"
$location = "westeurope"   # must be an Azure region; "local" is not a valid location value

# Create the VNet and keep the returned object: subnet configs are added to it, then committed
$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Location $location `
-Name "SDNVNet" -AddressPrefix "10.10.0.0/16"

# Add the subnets from the sample topology, then commit with Set-AzVirtualNetwork
Add-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "BastionSubnet" -AddressPrefix "10.10.1.0/27" | Out-Null
Add-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "WorkloadSubnet" -AddressPrefix "10.10.2.0/24" | Out-Null
Add-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "ManagementSubnet" -AddressPrefix "10.10.3.0/24" | Out-Null
$vnet | Set-AzVirtualNetwork

2. Create NSG Rules for Bastion Access

  • Allow inbound HTTPS (if using a web-based Bastion), RDP, or SSH only from trusted admin source ranges. An NSG cannot evaluate Entra Conditional Access; identity enforcement happens at sign-in, not in the network rule.
  • Deny all other public inbound.

Example NSG Rule:

$adminCidr = "203.0.113.10/32"   # your admin egress address; 203.0.113.0/24 is a documentation range
# Rules attach to an NSG object and are committed with Set-AzNetworkSecurityGroup;
# Azure's default DenyAllInbound rule blocks everything else.
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name "Bastion-NSG"
# Allow inbound RDP from the trusted admin range to the Bastion subnet only
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "Allow-RDP-Admins" `
-Protocol "Tcp" -Direction "Inbound" -Priority 100 `
-SourceAddressPrefix $adminCidr -SourcePortRange "*" `
-DestinationAddressPrefix "10.10.1.0/27" -DestinationPortRange 3389 -Access "Allow" | Out-Null
$nsg | Set-AzNetworkSecurityGroup
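Steps 1 and 2 carried out against the Azure Local SDN itself, as an added example that is not code from the original post: the virtual network, the three subnets from the sample topology, and the ACLs are created through the Network Controller REST API using the NetworkController PowerShell module, which is where SDN virtual networks and access control lists on Azure Local actually live. The Network Controller endpoint name, the admin source range (203.0.113.0/24, a documentation range), and all resource IDs are assumptions.

```powershell
# Added example: Bastion topology on Azure Local SDN via Network Controller.
# Assumptions: $uri is your NC REST endpoint; $adminCidr is your admin source range.
Import-Module NetworkController

$uri         = "https://nc.corp.contoso.com"   # Network Controller REST endpoint (assumption)
$adminCidr   = "203.0.113.0/24"                # trusted admin source range (assumption)
$bastionNet  = "10.10.1.0/27"
$workloadNet = "10.10.2.0/24"
$mgmtNet     = "10.10.3.0/24"

# Build one ACL rule. NC rules carry an explicit direction and priority (lower number wins).
function New-AclRule {
    param([string]$Id, [string]$Type, [string]$Proto, [string]$Src, [string]$Dst,
          [string]$DstPorts, [string]$Action, [int]$Priority)
    $p = New-Object Microsoft.Windows.NetworkController.AclRuleProperties
    $p.Type = $Type; $p.Protocol = $Proto; $p.Action = $Action; $p.Priority = "$Priority"
    $p.SourceAddressPrefix = $Src; $p.DestinationAddressPrefix = $Dst
    $p.SourcePortRange = "0-65535"; $p.DestinationPortRange = $DstPorts
    $p.Logging = "Enabled"                     # rule hits become flow logs for the SIEM
    $r = New-Object Microsoft.Windows.NetworkController.AclRule
    $r.ResourceId = $Id; $r.Properties = $p
    return $r
}

# Publish an ACL resource from a list of rules
function New-Acl([string]$Id, [object[]]$Rules) {
    $props = New-Object Microsoft.Windows.NetworkController.AccessControlListProperties
    $props.AclRules = $Rules
    New-NetworkControllerAccessControlList -ConnectionUri $uri -ResourceId $Id -Properties $props -Force
}

# Bastion subnet: RDP/SSH in from admins only; egress only toward the subnets it administers
$bastionAcl = New-Acl "Bastion-ACL" @(
    (New-AclRule "Allow-RDP-Admins"  Inbound  TCP $adminCidr  $bastionNet  "3389"    Allow 100),
    (New-AclRule "Allow-SSH-Admins"  Inbound  TCP $adminCidr  $bastionNet  "22"      Allow 110),
    (New-AclRule "Deny-All-In"       Inbound  All "*"         "*"          "0-65535" Deny  4000),
    (New-AclRule "Allow-To-Workload" Outbound All $bastionNet $workloadNet "0-65535" Allow 100),
    (New-AclRule "Allow-To-Mgmt"     Outbound All $bastionNet $mgmtNet     "0-65535" Allow 110),
    (New-AclRule "Deny-All-Out"      Outbound All "*"         "*"          "0-65535" Deny  4000)
)

# Workload/management subnets: admin ports reachable only from the Bastion subnet
$workloadAcl = New-Acl "Workload-ACL" @(
    (New-AclRule "Allow-RDP-From-Bastion"   Inbound  TCP $bastionNet  "*" "3389"      Allow 100),
    (New-AclRule "Allow-SSH-From-Bastion"   Inbound  TCP $bastionNet  "*" "22"        Allow 110),
    (New-AclRule "Allow-WinRM-From-Bastion" Inbound  TCP $bastionNet  "*" "5985-5986" Allow 120),
    (New-AclRule "Allow-Intra-Workload"     Inbound  All $workloadNet "*" "0-65535"   Allow 200),
    (New-AclRule "Deny-All-In"              Inbound  All "*"          "*" "0-65535"   Deny  4000),
    (New-AclRule "Allow-All-Out"            Outbound All "*"          "*" "0-65535"   Allow 100)
)

# The tenant virtual network rides on the HNV provider logical network
$hnvPa = Get-NetworkControllerLogicalNetwork -ConnectionUri $uri |
         Where-Object { $_.Properties.NetworkVirtualizationEnabled -eq "True" } |
         Select-Object -First 1
if (-not $hnvPa) { throw "No HNV provider logical network found on $uri" }

function New-VSubnet([string]$Id, [string]$Prefix, $Acl) {
    $s = New-Object Microsoft.Windows.NetworkController.VirtualSubnet
    $s.ResourceId = $Id
    $s.Properties = New-Object Microsoft.Windows.NetworkController.VirtualSubnetProperties
    $s.Properties.AddressPrefix = $Prefix
    $s.Properties.AccessControlList = $Acl     # ACL applied to every NIC placed on this subnet
    return $s
}

$vnetProps = New-Object Microsoft.Windows.NetworkController.VirtualNetworkProperties
$vnetProps.AddressSpace = New-Object Microsoft.Windows.NetworkController.AddressSpace
$vnetProps.AddressSpace.AddressPrefixes = @("10.10.0.0/16")
$vnetProps.LogicalNetwork = $hnvPa
$vnetProps.Subnets = @(
    (New-VSubnet "BastionSubnet"    $bastionNet  $bastionAcl),
    (New-VSubnet "WorkloadSubnet"   $workloadNet $workloadAcl),
    (New-VSubnet "ManagementSubnet" $mgmtNet     $workloadAcl)
)
New-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId "SDNVNet" -Properties $vnetProps -Force

# Read back what the controller applied: subnet, prefix, and attached ACL
(Get-NetworkControllerVirtualNetwork -ConnectionUri $uri -ResourceId "SDNVNet").Properties.Subnets |
    Select-Object ResourceId,
        @{ n = 'Prefix'; e = { $_.Properties.AddressPrefix } },
        @{ n = 'ACL';    e = { $_.Properties.AccessControlList.ResourceRef } }
```

Both ACLs end with an explicit deny, so a missing rule fails closed, and the Bastion's outbound rules mean a compromised jump host cannot reach anything outside the subnets it is meant to administer.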

3. Deploy the Bastion Host VM

Provision a hardened Windows or Linux VM on the BastionSubnet.

Bicep Example:

@secure()
param adminPassword string                     // supplied at deploy time; never hard-code credentials in a template
param location string = resourceGroup().location
param nicId string                             // NIC already attached to BastionSubnet

// This targets the Azure Compute resource provider. Arc-managed VMs on Azure Local use the
// Microsoft.AzureStackHCI/virtualMachineInstances resource type instead.
resource bastionVM 'Microsoft.Compute/virtualMachines@2023-03-01' = {
  name: 'BastionHost01'
  location: location
  properties: {
    hardwareProfile: { vmSize: 'Standard_D2s_v3' }
    osProfile: {
      computerName: 'BastionHost01'
      adminUsername: 'adminuser'
      adminPassword: adminPassword
    }
    storageProfile: {
      imageReference: {
        publisher: 'MicrosoftWindowsServer'
        offer: 'WindowsServer'
        sku: '2022-datacenter-azure-edition'
        version: 'latest'
      }
      osDisk: { createOption: 'FromImage' }
    }
    networkProfile: {
      networkInterfaces: [
        { id: nicId }
      ]
    }
  }
}
// Harden after deployment: minimal services, regular patching, no unused listening ports

4. Integrate Bastion Host with Entra

  • Join the Bastion VM to Entra or your hybrid Entra domain.
  • Configure Remote Desktop to use Entra authentication. Entra sign-in is available on Windows 10/11 and Windows Server 2019 and later through the Entra login VM extension; the connecting client must set enablerdsaadauth:i:1 in its .rdp file, and users need the Virtual Machine User Login or Virtual Machine Administrator Login role on the VM.
  • Restrict local admin rights and enforce just-in-time access if possible.
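Step 4 from the admin workstation, as an added example (not code from the original post): assign the Bastion admin group the least-privilege Entra login role on the VM and generate an .rdp file that forces Entra authentication and disables clipboard and drive redirection. Assumptions: the VM is Entra-joined with the Entra login extension installed, $vmResourceId is the Azure resource ID of your Bastion VM (the Compute path matches the Bicep above; an Arc-managed machine has a Microsoft.HybridCompute path instead), and the group and DNS names are illustrative.

```powershell
# Added example: Entra RDP role assignment plus a hardened .rdp file.
# Assumptions: $vmResourceId, the "Bastion-Admins" group and bastion01.corp.contoso.com are placeholders.
Import-Module Az.Accounts
Import-Module Az.Resources

Connect-AzAccount
$vmResourceId = "/subscriptions/<subscription-id>/resourceGroups/SDNResourceGroup/providers/Microsoft.Compute/virtualMachines/BastionHost01"
$group = Get-AzADGroup -DisplayName "Bastion-Admins"
if (-not $group) { throw "Group 'Bastion-Admins' not found" }

# "Virtual Machine User Login" gives an RDP session without local admin rights.
# Reserve "Virtual Machine Administrator Login" for a PIM-activated break-glass group.
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName "Virtual Machine User Login" -Scope $vmResourceId

# enablerdsaadauth makes mstsc obtain an Entra token instead of prompting for local/AD credentials;
# authentication level 2 refuses to connect if server authentication fails; no clipboard or
# drive redirection keeps data from moving between the admin workstation and the Bastion.
$rdp = @"
full address:s:bastion01.corp.contoso.com
enablerdsaadauth:i:1
authentication level:i:2
redirectclipboard:i:0
drivestoredirect:s:
"@
$path = Join-Path $env:USERPROFILE "BastionHost01.rdp"
Set-Content -Path $path -Value $rdp -Encoding ascii

# Verify who can sign in and with which role
Get-AzRoleAssignment -Scope $vmResourceId |
    Where-Object RoleDefinitionName -like "Virtual Machine*Login" |
    Select-Object DisplayName, RoleDefinitionName
```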

5. Enable Monitoring and Alerting

  • Install the Azure Monitor Agent (AMA) on the Bastion host and attach a Data Collection Rule that collects the Security event log; the legacy Log Analytics (MMA) agent is retired.
  • Forward security logs (RDP, SSH, login attempts, privilege escalation) to your SIEM.
  • Set up alerts for suspicious events (failed logins, privilege changes, out-of-hours access).

Sample Kusto Query for Login Monitoring:

SecurityEvent
| where EventID == 4624 and LogonType == 10        // successful RemoteInteractive (RDP) logons only
| where Computer startswith "BastionHost"
| where AccountType == "User" and TargetUserName contains "admin"
| summarize Logons = count(), Sources = make_set(IpAddress) by TargetUserName, Computer, bin(TimeGenerated, 1h)
| order by TimeGenerated desc
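The same two detections the alerting step calls for (out-of-hours RDP sign-ins and bursts of failed logons), as an added example that is not code from the original post, run locally over Security-log events rather than in the SIEM. The events at the bottom are constructed sample data; the ConvertFrom-SecurityEvent function maps live Get-WinEvent records onto the same shape. Thresholds and business hours are assumptions to tune.

```powershell
# Added example: local detection logic over Security-log events (4624/4625).
function Find-SuspiciousRdpActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # TimeCreated, Id, LogonType, TargetUserName, IpAddress
        [int] $BusinessStartHour = 7,
        [int] $BusinessEndHour   = 19,
        [int] $FailureThreshold  = 5,
        [int] $WindowMinutes     = 10
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # Rule 1: successful RemoteInteractive (RDP, LogonType 10) sign-ins outside business hours
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 })) {
        $h = $e.TimeCreated.Hour
        if ($h -lt $BusinessStartHour -or $h -ge $BusinessEndHour) {
            $findings.Add([pscustomobject]@{
                Rule = "OutOfHoursRdpLogon"; Time = $e.TimeCreated; User = $e.TargetUserName; Source = $e.IpAddress })
        }
    }

    # Rule 2: FailureThreshold or more failed logons from one source inside a sliding window
    $failures = $Events | Where-Object { $_.Id -eq 4625 } | Sort-Object TimeCreated
    foreach ($grp in ($failures | Group-Object IpAddress)) {
        $times = @($grp.Group | ForEach-Object TimeCreated)
        for ($i = 0; $i + $FailureThreshold - 1 -lt $times.Count; $i++) {
            $j = $i + $FailureThreshold - 1
            if (($times[$j] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                $users = ($grp.Group.TargetUserName | Sort-Object -Unique) -join ","
                $findings.Add([pscustomobject]@{
                    Rule = "FailedLogonBurst"; Time = $times[$j]; User = $users; Source = $grp.Name })
                break    # one finding per source is enough for an alert
            }
        }
    }
    return $findings
}

# Map a live record from Get-WinEvent onto the shape above by reading the EventData XML by
# field name (positional Properties indices differ between 4624 and 4625, names do not).
function ConvertFrom-SecurityEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $data  = ([xml]$Record.ToXml()).Event.EventData.Data
        $field = { param($n) ($data | Where-Object Name -eq $n).'#text' }
        [pscustomobject]@{
            TimeCreated    = $Record.TimeCreated
            Id             = $Record.Id
            LogonType      = [int](& $field 'LogonType')
            TargetUserName = & $field 'TargetUserName'
            IpAddress      = & $field 'IpAddress'
        }
    }
}

# Constructed sample events (not real log data): one 03:12 RDP logon, one 12:12 logon,
# and six failed logons from a single source within six minutes.
$base   = Get-Date "2024-05-01T03:12:00"
$sample = @(
    [pscustomobject]@{ TimeCreated = $base;             Id = 4624; LogonType = 10; TargetUserName = "jdoe-admin";   IpAddress = "203.0.113.10" }
    [pscustomobject]@{ TimeCreated = $base.AddHours(9); Id = 4624; LogonType = 10; TargetUserName = "asmith-admin"; IpAddress = "203.0.113.11" }
)
foreach ($m in 1..6) {
    $sample += [pscustomobject]@{ TimeCreated = $base.AddMinutes($m); Id = 4625; LogonType = 10; TargetUserName = "administrator"; IpAddress = "198.51.100.7" }
}

Find-SuspiciousRdpActivity -Events $sample | Format-Table -AutoSize
```

On the Bastion host itself, replace the sample with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=(Get-Date).AddDays(-1)} | ConvertFrom-SecurityEvent` and feed the result to Find-SuspiciousRdpActivity; the sample data yields one OutOfHoursRdpLogon finding for jdoe-admin and one FailedLogonBurst finding for 198.51.100.7.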

Automated Provisioning with PowerShell and Bicep

Combining Bicep and PowerShell scripts streamlines the deployment of repeatable Bastion environments.

Sample Workflow:

  1. Admin runs a PowerShell script that triggers Bicep template deployment
  2. Bicep provisions the VNet, subnets, NSGs, and Bastion VM, and installs the Entra login extension
  3. Post-deployment script applies custom hardening and monitoring agents
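Step 3 of the workflow, as an added example that is not code from the original post: a post-deployment hardening script run elevated on the Bastion host. It enforces NLA and TLS for RDP, prunes local Administrators to an approved list (the "restrict local admin rights" item from the Entra step), limits the host firewall's Remote Desktop rules to the admin range, and enables the logon auditing that the monitoring queries depend on. The approved account name and the admin range (203.0.113.0/24, a documentation range) are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: post-deployment hardening for the Bastion host.
# Assumptions: $adminCidr is your admin source range; $approvedAdmins lists the accounts allowed to stay local admins.
$adminCidr      = "203.0.113.0/24"
$approvedAdmins = @("$env:COMPUTERNAME\brkglass")   # local break-glass account (assumption). On an Entra-joined
                                                    # host, also keep any Entra admin-role SIDs you rely on.

# 1. RDP transport: require NLA, TLS security layer, high encryption
$rdpTcp = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2
Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3

# 2. Local Administrators: remove every member not on the approved list
foreach ($m in Get-LocalGroupMember -Group Administrators) {
    if ($m.Name -notin $approvedAdmins) {
        Write-Warning "Removing $($m.Name) ($($m.PrincipalSource)) from Administrators"
        Remove-LocalGroupMember -Group Administrators -Member $m.SID
    }
}

# 3. Host firewall: built-in Remote Desktop rules accept only the admin range; Public profile blocks inbound
Get-NetFirewallRule -DisplayGroup "Remote Desktop" -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $adminCidr -Profile Domain, Private -Enabled True
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block

# 4. Audit policy for the events the SIEM queries use: 4624/4625 (Logon), 4672 (Special Logon),
#    4720/4732 (account and group management)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Special Logon" /success:enable | Out-Null
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable | Out-Null

# 5. Report the end state for the change record
[pscustomobject]@{
    NlaRequired    = (Get-ItemProperty -Path $rdpTcp).UserAuthentication -eq 1
    LocalAdmins    = (Get-LocalGroupMember -Group Administrators).Name -join "; "
    RdpRemoteAddrs = (Get-NetFirewallRule -DisplayGroup "Remote Desktop" -Direction Inbound |
                       Get-NetFirewallAddressFilter).RemoteAddress -join ","
}
```

Run it once interactively from a console session before wiring it into the deployment pipeline: step 2 in particular will remove the account you are logged on with if it is not on the approved list.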

PowerShell Deployment Example:

# Preview the change set first, then deploy. Pass secrets (such as the VM admin password)
# as secure template parameters, never as literals inside the template.
New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile './bastion.bicep' -WhatIf
New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile './bastion.bicep'

Monitoring and Auditing Remote Access

Centralized logging is non-negotiable for secure remote access.

  • Enable Audit Logs: Capture all sign-in, session, and privileged activity via Entra and Windows Security logs
  • Forward to SIEM: Use Azure Monitor, Log Analytics, or a third-party SIEM like Splunk
  • Set Alerts: Notify on failed logins, escalation attempts, and configuration changes
  • Regular Reviews: Schedule periodic audits of access logs and policy compliance

Log Source           What to Monitor
Entra Sign-in Logs   Unusual login attempts
Bastion VM           RDP/SSH/console sessions
NSG Flow Logs        Unexpected traffic patterns
SLB Logs             Load balancing anomalies

Best Practices and Common Pitfalls

Best Practices:

  • Always enforce MFA for Bastion access
  • Use just-in-time access (PIM role activation) so admins hold no standing privilege on the Bastion
  • Harden Bastion OS and regularly update
  • Segregate Bastion subnet from all workloads
  • Limit user permissions to the minimum required

Common Pitfalls:

  • Leaving default RDP/SSH ports open to all
  • Skipping NSG or SLB rule audits
  • Failing to monitor or alert on remote access activity
  • Not enforcing conditional access and MFA

Conclusion

Securing remote admin access in hybrid environments is critical for operational integrity and compliance. With Azure Local SDN and Entra-powered Bastion hosts, organizations gain a flexible, scalable, and cloud-aligned way to control, monitor, and audit all privileged ingress, without exposing unnecessary risk. By combining strong identity management, robust network controls, and comprehensive monitoring, your IT team can embrace hybrid operations confidently and securely.

Disclaimer: The views expressed in this article are those of the author and do not represent the opinions of Microsoft, my employer or any affiliated organization. Always refer to the official Microsoft documentation before production deployment.
