Ensure an Azure Bastion Host Exists

Overview

The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. It provides this access using TLS over 443/TCP and subscribes to hardened configurations within an organization's Azure Active Directory service.

Rationale

The Azure Bastion service allows organizations to access Azure Virtual Machines over the Internet more securely without assigning public IP addresses to those Virtual Machines. The Azure Bastion service provides Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to Virtual Machines using TLS within a web browser, thus preventing organizations from opening up 3389/TCP and 22/TCP to the Internet on Azure Virtual Machines. Additional benefits of the Bastion service include Multi-Factor Authentication, Conditional Access Policies, and any other hardening measures configured within Azure Active Directory using a central point of access.

Impact

The Azure Bastion service incurs additional costs and requires a specific virtual network configuration. The Standard tier offers additional configuration options compared to the Basic tier and may incur additional costs for those added features.

Default Value

By default, the Azure Bastion service is not configured.

Remediation guidance

Remediate from Azure Portal

Click on Bastions
Select the Subscription
Select the Resource group
Type a Name for the new Bastion host
Select a Region
Choose Standard next to Tier
Use the slider to set the Instance count
Select the Virtual network or Create new
Select the Subnet named AzureBastionSubnet. Create a Subnet named AzureBastionSubnet using a /26 CIDR range if it doesn't already exist.
Select the appropriate Public IP address option.
If Create new is selected for the Public IP address option, provide a Public IP address name.
If Use existing is selected for Public IP address option, select an IP address from Choose public IP address
Click Next: Tags >
Configure the appropriate Tags
Click Next: Advanced >
Select the appropriate Advanced options
Click Next: Review + create >
Click Create

Remediate from Azure CLI

az network bastion create --location <location> --name <name of bastion host> --public-ip-address <public IP address name or ID> --resource-group <resource group name or ID> --vnet-name <virtual network containing subnet called "AzureBastionSubnet"> --scale-units <integer> --sku Standard [--disable-copy-paste true|false] [--enable-ip-connect true|false] [--enable-tunneling true|false]

Remediate from PowerShell

Create the appropriate Virtual network settings and Public IP Address settings.

$subnetName = "AzureBastionSubnet"
$subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 
$virtualNet = New-AzVirtualNetwork -Name <virtual network name> -ResourceGroupName <rg_name> -Location <location> -AddressPrefix  -Subnet $subnet
$publicip = New-AzPublicIpAddress -ResourceGroupName <rg_name> -Name <public IP address name> -Location <location> -AllocationMethod Dynamic -Sku Standard

Create the Azure Bastion service using the information within the created variables from above.

New-AzBastion -ResourceGroupName <rg_name> -Name <bastion name> -PublicIpAddress $publicip -VirtualNetwork $virtualNet -Sku "Standard" -ScaleUnit <integer>

Multiple Remediation Paths

Azure

SERVICE-WIDE (RECOMMENDED when many resources are affected): Assign Azure Policy initiatives at management group/subscription scope and trigger remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

ASSET-LEVEL: Apply the resource-specific remediation steps above to the listed non-compliant resources.

PREVENTIVE: Embed Azure Policy checks into landing zones and IaC workflows to block or auto-remediate drift.

References for Service-Wide Patterns

Azure Policy overview: https://learn.microsoft.com/en-us/azure/governance/policy/overview
Azure Policy remediation: https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources
Azure Policy initiative structure: https://learn.microsoft.com/en-us/azure/governance/policy/concepts/initiative-definition-structure

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

Azure: assign policy initiatives at management group/subscription scope and run remediation tasks.

az policy assignment create --name <assignment-name> --scope /subscriptions/<subscription-id> --policy-set-definition <initiative-id>
az policy remediation create --name <remediation-name> --policy-assignment <assignment-id>

2. Remediate Existing Affected Assets

Execute the control-specific Console/CLI steps documented above for each flagged resource.
Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

Re-scan after each remediation batch.
Track exceptions with owner and expiry date.
Add preventive checks in IaC/CI pipelines.

Query logic

These are the stored checks tied to this control.

Azure connectors without Bastion Hosts

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(where: { cloudProvider: "azure", bastionHosts_SOME: null }) {
    ...AssetFragment
  }
}