Azure Bastion Meeting - razmipatel/Random GitHub Wiki

Purpose of the Call

  • Review feasibility and options for enabling secure access to production resources for DBAs and other teams.

  • Compare approaches (on-prem jump servers vs Azure-hosted jump servers with Bastion).

  • Identify support model, security, and operational considerations.

Requirements Identified

  • Secure access for DBAs and teams to production workloads (SQL, other resources).

  • Integration with CyberArk PSM, MFA (Ping ID), and Just-in-Time (PIM).

  • Session recording, hardened images, no public IPs, MFA enforcement.

  • File transfer support (OneDrive, file shares).

  • High availability and controlled updates.

  • Segregation, tenant restrictions, and prevention of data exfiltration.

  • Ability for teams to install/manage required tooling.

Options Discussed

Option A – Existing On-Prem Jump Servers

  • Already used by Identity, O365, HCL.

  • Accessible via Tech VDI → CyberArk PSM → RDP.

  • File transfers via mapped drives.

  • Lower cost, follows established patterns, uses existing patching.

  • Cons: Shared jump hosts, session not sandboxed, file transfer cumbersome.

Option B – Azure Jump Servers + Bastion

  • Azure-based Windows jump servers, accessed via Bastion in browser.

  • Managed through Entra ID groups (admin/user access).

  • Pros: Modern auth, JIT access, no inbound RDP exposure.

  • Cons: Bastion does not support Entra ID auth for Windows RDP (only Linux SSH).

  • Higher cost, patching/HA responsibilities, more design work needed.

Alternative Considerations

  • Azure Virtual Desktop (AVD) for flexible, per-team desktops with custom tooling.

  • Windows 365 dismissed (too rigid, fixed images).

  • Dedicated jump servers per function/team in Azure, hybrid-joined, patched via MECM.

  • Support model key:

    • If server OS → teams own patching and tooling.

    • If client OS (Windows 11/AVD) → could be HCL-supported like existing VDIs.

Key Concerns Raised

  • Risk of creating a “mini desktop estate” requiring support (session resets, malware, licensing).

  • Bastion’s lack of Entra ID support for Windows makes it unviable.

  • Support ownership unclear (Windows team vs HCL vs teams themselves).

  • Teams need flexibility to install/manage varied tools.

  • Security concerns over credentials being left on shared systems.

Agreed Direction / Next Steps

  1. Discount Bastion – not feasible due to missing Entra ID integration for Windows.

  2. Preferred Approach:

    • Deploy Azure-hosted jump servers (likely server OS, hybrid joined).

    • Integrated with CyberArk, CrowdStrike, firewalled/segmented.

    • Teams responsible for application-level management.

  3. Option 1A: Server OS jump servers in Azure (continuation of today’s model, but cloud-hosted).

  4. Option 1B: Client OS / AVD solution supported by HCL (if accepted as Desktop-as-a-Service).

  5. Escalate to Mark to confirm whether DaaS/AVD is viable.

    • If yes → pursue AVD with HCL support.

    • If no → fallback to server OS jump servers managed by teams.

Bottom line:

  • Bastion is ruled out.

  • Decision is between Azure server OS jump servers (team-managed) vs AVD (HCL-supported).

  • Needs leadership alignment (Mark) before final design.

Would you like me to draft this into a concise decision paper format (with pros/cons table and recommendation) so you can circulate it back to the group?

You said:
yes please
ChatGPT said:

Got it 👍 — here’s a concise decision paper draft you can circulate to the group:

Decision Paper – Azure Jump Servers (J7MP Servers)

Purpose

To agree on a secure, supportable design pattern for enabling DBA and infrastructure teams to access production workloads and Azure resources.

Requirements

  • Secure access to production environments.

  • Integration with CyberArk PSM, MFA (Ping ID), and PIM (Just-in-Time).

  • Session recording, hardened images, no public IPs, MFA enforcement.

  • File transfer capability (OneDrive/internal shares).

  • Support for multiple teams and tooling flexibility.

  • High availability and controlled patching/updates.

  • Prevent data exfiltration via tenant restrictions.

Options Considered

Option 1A – Azure Jump Servers (Server OS, Team-Managed)

  • Azure-hosted Windows Server VMs.

  • Hybrid-joined, patched via MECM.

  • Integrated with CyberArk, CrowdStrike, Azure Firewall segmentation.

  • Teams install/manage their own tooling.

Pros

  • Follows existing enterprise pattern (low change).

  • Flexible for teams to install tools.

  • Integrated with current security stack.

  • Scalable per team/vertical or shared (DBA/midrange).

Cons

  • Creates a “mini desktop estate” → requires operational oversight.

  • Application/tooling patching burden on teams.

  • Potentially high support overhead for session resets, compliance, etc.

Option 1B – Azure Virtual Desktop (Client OS, HCL-Supported)

  • Azure Virtual Desktop (AVD) multi-session Windows 11.

  • Supported by HCL like existing VDIs.

  • Users sign in with AAD/Entra accounts, local admin rights for tooling.

Pros

  • Dedicated support model (HCL).

  • Session resets, patching, and compliance offloaded to central team.

  • Flexible to install/manage required tooling.

  • Cleaner end-user experience.

Cons

  • Requires leadership approval to treat AVD as enterprise DaaS.

  • Cost may be higher than server OS jump servers.

  • Operational readiness may not yet be in place.

Option 2 – Azure Jump Servers + Bastion

  • Discounted – Bastion does not support Entra ID authentication for Windows RDP.

Recommendation

  • Discount Bastion (Option 2).

  • Preferred path:

    • Option 1B (AVD / Client OS) if leadership (Mark) agrees to expand DaaS support.

    • Fallback Option 1A (Server OS Jump Servers) if DaaS not supported.

Next Steps

  1. Escalate to Mark for decision on AVD vs server OS approach.

  2. If AVD supported → engage HCL to define support model and rollout.

  3. If not → proceed with Azure-hosted server jump servers (hybrid joined, team-managed).

  4. Document final design including:

    • Security integration (CyberArk, PIM, MFA, CrowdStrike).

    • Network/firewall segmentation.

    • Support model and responsibilities (teams vs HCL).

Bottom Line:

  • Bastion is not feasible.

  • The decision is between AVD (HCL-supported) vs Server OS (team-managed).

  • Requires leadership confirmation before build-out.

Jump Server Options – Pros & Cons

Option Description Pros Cons
1A – Azure Jump Servers (Server OS, Team-Managed) Azure-hosted Windows Server VMs, hybrid-joined, patched via MECM. Teams install/manage own tools. - Follows existing enterprise pattern- Flexible (teams install tooling)- Integrated with CyberArk, CrowdStrike, Azure Firewall- Scalable per team or shared - Creates “mini desktop estate”- Teams responsible for app/tooling patching- Higher support overhead (session resets, compliance)- Not centrally supported
1B – Azure Virtual Desktop (Client OS, HCL-Supported) Azure Virtual Desktop (AVD) multi-session Windows 11, supported by HCL. Users get admin rights for tooling. - Dedicated support model (HCL)- Patching, resets, compliance offloaded- Flexible tooling installs- Cleaner user experience - Requires leadership approval (enterprise DaaS)- Potentially higher cost- May need operational readiness uplift
2 – Bastion Azure Bastion with Entra ID auth. - No inbound RDP exposure- Modern auth, JIT access - Not supported for Windows RDP (only Linux SSH)- Higher cost & added complexity- Not viable
⚠️ **GitHub.com Fallback** ⚠️