The problem

We have all been there, something breaks on one of your cloud hosted virtual machines and the quickest and easiest way of fixing them is to access the server remotely to try and diagnose the issue. This is ignoring the fact you should be treating your servers like cattle and just destroy the old one and replace it, but that is not always how the world works and sometimes you have to investigate to see what’s wrong.

Remoting onto your cloud hosted virtual machines has always been a bit fraught, exposing RDP (Remote Desktop Protocol) to the internet rarely ends well and usually ends up with a message about bitcoins and a countdown timer.

So what are the alternatives?

We have a couple of options to protect ourselves from the above ransomware entrepreneurs:

  1. Restrict inbound RDP traffic to specific IP’s i.e., the office, your home IP, etc.
  2. Create a VPN connection into your cloud environment and then connect over that.
  3. Use a Jump box hosted in the cloud provider.
  4. Use Azure Bastion or AWS Systems Manager.

Option one

This is where most people start, it is cheap fast to implement, but quickly becomes a nightmare to administrate, especially if all your Ops and Devs staff are on home internet connections and their IPs get dynamically changed every week.

Option two

This is more secure and can be audited (the network side of things at least) but has a cost, either from using the inbuilt cloud providers VPN solution, or hosting your own VPN server. Azure VPN Gateway Basic will cost around £20 a month, and AWS would cost around £22 a month (The latter is a little trickier to work out as it is consumption based – that price was based on ten staff connecting for one hour a day, every day for a month).

You also have additional network complexity, plus some more user management overhead and no real controls over where users can access once they’re in the cloud network perimeter, unless, of course, you have engineered your cloud networking to do this from the get-go.

Option three

This has most of the same problems of option two. You must pay for the resources consumed by the jump box. But you now also have the issue of securing the jump box (OS hardening, Patching, Least Privilege access, etc), because if it gets compromised then you’re going to have a bad day. Which is exactly what happened with the Cloud Hoppers APT incidents and that was a bad scene all round.

Options one, two, and three are all “old school” ways of doing things. You have a secure network perimeter, and you allow certain traffic in based on IP or credentials and once you’re in, you’re in.

Option Four

But we don’t want to do things the old way, we heard about zero-trust and we want in on the action. So, we started looking at ‘Option Four’. And depending on where you’re hosting your virtual machines, you’ll either be looking at using AWS Systems Manager (my personal favourite) or Azure Bastion.

Azure Bastion

Bastion allows you to create an RDP connection to your virtual machine using your web browser (HTML5). To create a connection, you must be signed into Azure and have the correct Role Based Access Control (RBAC) (access to connect to the resources.

NB: You must be signed into Azure.

The above quote doesn’t sound like much but implies a few particularly important things. Azure sign-ins can be made very secure. You can enforce MFA, conditional access controls, such as geo-location (so no signing in from Russia) or secured devices. They can be logged, audited, and offer least privilege using PIM (Privileged Identity Management). As well as machine learning based risky sign in blocking. So, in a nutshell you can make logging into Azure incredibly secure (more than most jump boxes could ever be).

Then once you’re signed into Azure, you then need to be granted access to resources using RBAC or ABAC (Attribute Based Access Controls), which means your IT team can very granularly allow access to virtual machines, either based on your role (usually based on tags) or what group you’re a member of, i.e., CoolApp Dev Team.

There are of course some downsides to this, you have to setup Bastion in azure, whilst not tricky there is some work involved. It also requires you to setup RBAC or ABAC groups and polices.

But the largest downside is the cost. A basic Bastion unit starts at approx. £100 a month (if you leave it running all the time), which is almost five times the cost of a VPN and precludes some SMBs from even looking at it as an option; such a shame as it is a fantastic way to increase your security posture in the cloud. This becomes even more annoying when you compare it to the price of AWS Systems Manager which provides the same functionality for £0 a month.

AWS Systems Manager

Systems Manager is an 800 lb gorilla of a tool. It can do almost anything associated with viewing or controlling your infrastructure in AWS. The part we are concerned with is the Fleet Manager.

The Fleet Manager service allows you to create an RDP connection to your virtual machine using your web browser (HTML5). To create a connection, you must be signed into AWS and have the correct RBAC (Role Based Access Control) access to connect to the resources.

Does that last sentence sound familiar? It should do, because Fleet manager allows for the exact same service as Azure Bastion, but for the princely sum of £0. If you don’t believe me, check out the pricing below for yourself AWS Systems Manager Pricing.

Similar login controls can be applied to AWS logins, as with Azure logins (or our preference is to use Azure AD as the SSO provider and login to AWS using Azure credentials for the best of both worlds).  Then RBAC and ABAC controls can be used to access virtual machines.

The only difference is that AWS Systems Manager requires an agent to be installed on the virtual machines to be connected to, this comes pre-baked into most AWS provided images or, Systems manager can install the agent for you if you’re making your own images.

As with Bastion you have the same problem of having to organise RBAC and ABAC groups and tags, but the ability to do zero-trust remote desktop logins to your cloud servers is surely worth the bragging rights.

If you would like to know more or get help with your cloud journey, please feel free to reach out for a chat – – Contact – Greystone Consulting Ltd