What is Azure Bastion?

Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address, an agent, or special client software.

Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.

Architecture

Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine. Once you provision an Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same virtual network.

RDP and SSH are among the fundamental means through which you connect to your workloads running in Azure. Exposing RDP/SSH ports over the Internet isn't desirable and is seen as a significant threat surface, often because of protocol vulnerabilities. To contain this threat surface, you can deploy bastion hosts (also known as jump servers) at the public side of your perimeter network. Bastion host servers are designed and configured to withstand attacks. Bastion servers also provide RDP and SSH connectivity to the workloads sitting behind the bastion, as well as further inside the network.

Figure: Azure Bastion architecture

This figure shows the architecture of an Azure Bastion deployment. In this diagram:

  • The Bastion host is deployed in the virtual network.
  • The user connects to the Azure portal using any HTML5 browser.
  • The user selects the virtual machine to connect to.
  • With a single click, the RDP/SSH session opens in the browser.
  • No public IP is required on the Azure VM.

Key features

The following features are available:

  • RDP and SSH directly in the Azure portal: You can get to the RDP and SSH session directly in the Azure portal using a single-click, seamless experience.
  • Remote session over TLS and firewall traversal for RDP/SSH: Azure Bastion uses an HTML5-based web client that is automatically streamed to your local device, so that you get your RDP/SSH session over TLS on port 443, enabling you to traverse corporate firewalls securely.
  • No public IP required on the Azure VM: Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using the private IP on your VM. You don't need a public IP on your virtual machine.
  • No hassle of managing NSGs: Azure Bastion is a fully managed platform PaaS service from Azure that is hardened internally to provide you secure RDP/SSH connectivity. You don't need to apply any NSGs on the Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This removes the hassle of managing NSGs each time you need to securely connect to your virtual machines.
  • Protection against port scanning: Because you do not need to expose your virtual machines to the public Internet, your VMs are protected against port scanning by rogue and malicious users located outside your virtual network.
  • Protection against zero-day exploits; hardening in one place only: Azure Bastion is a fully platform-managed PaaS service. Because it sits at the perimeter of your virtual network, you don't need to worry about hardening each of the virtual machines in your virtual network. The Azure platform protects against zero-day exploits by keeping Azure Bastion hardened and always up to date for you.
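The feature list above recommends NSGs on the workload subnet that allow RDP/SSH from Azure Bastion only. The following audit script is an added example (not part of this page or of the Azure Bastion service) that checks an NSG's inbound rules for exactly that property: any Allow rule reaching TCP 22 or 3389 from a source other than the AzureBastionSubnet prefix is reported. The rule records are constructed to resemble the fields that `az network nsg rule list` returns (`sourceAddressPrefix`, `destinationPortRange(s)`, `priority`, ...), and the Bastion subnet prefix `10.0.1.0/26` is an assumed value for the example.

```python
"""Audit an NSG's inbound rules for management ports exposed beyond the Bastion subnet.

Example code added for illustration; the rules below are constructed sample data
shaped like NSG rule JSON, not output from a real subscription.
"""
import ipaddress

MGMT_PORTS = {22, 3389}          # SSH and RDP
BASTION_SUBNET = "10.0.1.0/26"   # assumed address prefix of the AzureBastionSubnet

# Constructed sample: inbound rules on a workload subnet's NSG.
SAMPLE_RULES = [
    {"name": "AllowBastionRDPSSH", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/26",
     "destinationPortRange": None, "destinationPortRanges": ["22", "3389"]},
    {"name": "AllowRDPFromInternet", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "3389", "destinationPortRanges": []},
    {"name": "AllowHTTPS", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "443", "destinationPortRanges": []},
    {"name": "DenyAllInbound", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*", "destinationPortRanges": []},
]


def expand_ports(rule):
    """Return the set of destination ports a rule covers ('*' means every port)."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ports = set()
    for item in ranges:
        if item == "*":
            return set(range(0, 65536))
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def source_within(prefix, bastion_prefix):
    """True only when the source is an IP or CIDR inside the Bastion subnet.

    Service tags ('Internet', 'VirtualNetwork', '*') are not parseable as
    networks and therefore never count as Bastion-only sources.
    """
    try:
        net = ipaddress.ip_network(prefix, strict=False)
        return net.subnet_of(ipaddress.ip_network(bastion_prefix))
    except (ValueError, TypeError):   # TypeError: IPv4/IPv6 mismatch
        return False


def find_exposed_mgmt_rules(rules, bastion_prefix):
    """Return (rule name, hit ports, offending sources) for every inbound Allow
    rule that reaches SSH/RDP from a source outside the Bastion subnet.

    Conservative by design: it does not simulate priority shadowing, so an
    Allow rule hidden behind a higher-priority Deny is still reported as a
    configuration-hygiene finding.
    """
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if rule.get("protocol") not in ("Tcp", "*"):
            continue
        hit = expand_ports(rule) & MGMT_PORTS
        if not hit:
            continue
        sources = list(rule.get("sourceAddressPrefixes") or [])
        if rule.get("sourceAddressPrefix"):
            sources.append(rule["sourceAddressPrefix"])
        offending = [s for s in sources if not source_within(s, bastion_prefix)]
        if offending:
            findings.append((rule["name"], sorted(hit), offending))
    return findings


if __name__ == "__main__":
    for name, ports, sources in find_exposed_mgmt_rules(SAMPLE_RULES, BASTION_SUBNET):
        print(f"{name}: allows {ports} from {sources}; not limited to the Bastion subnet")
```

Against the constructed rules, only `AllowRDPFromInternet` is reported: the Bastion rule's source lies inside the assumed subnet, the HTTPS rule does not touch a management port, and the Deny rule is ignored. To run it against a real NSG, replace `SAMPLE_RULES` with the parsed JSON from `az network nsg rule list` and `BASTION_SUBNET` with your AzureBastionSubnet prefix.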

What's new?

Subscribe to the RSS feed and view the latest Azure Bastion feature updates on the Azure Updates page.

FAQ

Which regions are available?

Note

We are working hard to add additional regions. When a region is added, we will add it to this list.

Azure China Cloud

  • China East 2
  • China North 2

Do I need a public IP on my virtual machine?

When you connect to a VM using Azure Bastion, you do NOT need a public IP on the Azure virtual machine that you are connecting to. The Bastion service opens the RDP/SSH session/connection to your virtual machine over the private IP of your virtual machine, within your virtual network.

Is IPv6 supported?

At this time, IPv6 is not supported. Azure Bastion supports IPv4 only.

Do I need an RDP or SSH client?

You do not need an RDP or SSH client to get RDP/SSH access to your Azure virtual machine in the Azure portal. Use the Azure portal to get RDP/SSH access to your virtual machine directly in the browser.

Do I need an agent running in the Azure virtual machine?

You don't need to install an agent or any software on your browser or your Azure virtual machine. The Bastion service is agentless and does not require any additional software for RDP/SSH.

How many concurrent RDP and SSH sessions does each Azure Bastion support?

Both RDP and SSH are usage-based protocols. High usage of sessions will cause the bastion host to support a lower total number of sessions. The numbers below assume normal day-to-day workflows.

Resource                    | Limit
Concurrent RDP connections  | 25*
Concurrent SSH connections  | 50**

*May vary due to other ongoing RDP sessions or other ongoing SSH sessions.
**May vary if there are existing RDP connections or usage from other ongoing SSH sessions.

What features are supported in an RDP session?

At this time, only text copy/paste is supported. Features such as file copy are not supported. Please feel free to share your feedback about new features on the Azure Bastion Feedback page.

Which browsers are supported?

Use the Microsoft Edge browser or Google Chrome on Windows. For Apple Mac, use the Google Chrome browser. Microsoft Edge Chromium is also supported on both Windows and Mac.

Where does Azure Bastion store customer data?

Azure Bastion doesn't move or store customer data out of the region it is deployed in.

Are any roles required to access a virtual machine?

In order to make a connection, the following roles are required:

  • Reader role on the virtual machine
  • Reader role on the NIC with the private IP of the virtual machine
  • Reader role on the Azure Bastion resource

What is the pricing?

For more information, see the pricing page.

Does Azure Bastion require an RDS CAL for administrative purposes on Azure-hosted VMs?

No, access to Windows Server VMs by Azure Bastion does not require an RDS CAL when used solely for administrative purposes.

What keyboard layouts are supported during the Bastion remote session?

Azure Bastion currently supports the en-us-qwerty keyboard layout inside the VM. Support for other locales for keyboard layout is work in progress.

Is user-defined routing (UDR) supported on an Azure Bastion subnet?

No. UDR is not supported on an Azure Bastion subnet. For scenarios that include both Azure Bastion and Azure Firewall/Network Virtual Appliance (NVA) in the same virtual network, you don't need to force traffic from an Azure Bastion subnet to Azure Firewall, because the communication between Azure Bastion and your VMs is private. For more information, see Accessing VMs behind Azure Firewall with Bastion.

Why do I get a "Your session has expired" error message before the Bastion session starts?

A session should be initiated only from the Azure portal. Sign in to the Azure portal and begin your session again. If you go to the URL directly from another browser session or tab, this error is expected. It helps ensure that your session is more secure and that the session can be accessed only through the Azure portal.

How do I handle deployment failures?

Review any error messages and raise a support request in the Azure portal as needed. Deployment failures may result from Azure subscription limits, quotas, and constraints. Specifically, customers may encounter a limit on the number of public IP addresses allowed per subscription that causes the Azure Bastion deployment to fail.

Next steps