Identity subscription AD VM access

Question

Hi All!

I have a quick question on best practices when deploying Domain controllers in a dedicated Azure Identity subscription (as per the below):

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-landing-zones

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access-active-directory-hybrid-identity

Do best practices dictate you must use an Azure Bastion service https://learn.microsoft.com/en-us/azure/bastion/bastion-overview for access to these domain controllers? I cant find much information regarding this vs accessing using a standard RDP connection (via VPN or EXPRESSROUTE in this case).

Bar the obvious cost vs network configuration requirements, are there any other points to consider? and again would Microsoft recommend (since this is a dedicated subscription specifically for IAM) that the most secure practices be followed (for example a private-only Bastion deployment) which I believe would probably be seen as a very secure option.

Answer 1

Microsoft emphasizes secure access to domain controllers to minimize risks of unauthorized access. While there isn't an explicit mandate to use Azure Bastion for identity-focused subscriptions, it aligns well with secure access principles.

Some of the most important benefits of this approach include:

1. No Public IP Exposure: Azure Bastion eliminates the need for public IPs or opening RDP/SSH ports to the internet.
2. Secure Remote Access: Provides encrypted connectivity via the Azure portal without requiring a direct VPN connection.
3. Reduced Attack Surface: Bastion's integration into the virtual network isolates domain controllers from direct RDP/SSH access, aligning with zero-trust principles.
4. Compliance Alignment: Using Bastion can help meet regulatory requirements for secure access.

RDP via VPN or ExpressRoute considerations

1. Private Connectivity: Accessing domain controllers via VPN or ExpressRoute is secure if properly configured and eliminates public exposure risks.
2. Control Over Access: Requires robust conditional access policies, just-in-time (JIT) VM access, and logging to secure RDP connections.
3. Risk of Misconfiguration: Misconfigured VPN or RDP could expose the environment to potential risks (e.g., credential theft or lateral movement).
4. Cost Efficiency: VPN/ExpressRoute might be more cost-effective compared to Bastion, if an existing network connectivity is already in place.

• Microsoft typically recommends Azure Bastion for environments where maximum security and minimal configuration risk are priorities, especially for identity-dedicated subscriptions.
• If cost and existing network configuration are considerations, VPN/ExpressRoute can be equally secure when properly managed.
• To align with Microsoft's secure practices for IAM-dedicated subscriptions:
  • Use Azure Bastion for administrative tasks.
  • Ensure robust monitoring, conditional access, and JIT policies.
  • Regularly review and test configurations to prevent misconfigurations.

Btw. keep in mind that Bastion and ExpressRoute/VPN are not mutually exclusive - for details, refer to https://learn.microsoft.com/en-us/azure/bastion/design-architecture#private-only

---

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin