
Global Azure 2026 - Securing VM Access On Azure


Karn Wong

April 19, 2026


Transcript

  1. Karn Wong (karnwong.me)
    - Loves optimization
    - Has too much fun cranking out benchmarks
    - AWS Community Builder
    - GDG Bangkok Core Team
    - Independent Consultant
  2. VM Use Cases in Production
    - Always-on workloads that don’t change often
    - Debugging production issues
    - Stress test systems
  3. How to Access a VM
    - Diagram labels: VPC; VM; User
    - Username/password auth
    - SSH key auth
    - Public vs private IP access
    - SSH port (default: 22!!!)
  4. Multiple VMs
    - Diagram labels: VPC; A's SSH Key; A's SSH Key; B's SSH Key; VM A; VM B; User A; User B
    - 2 users, one SSH keypair each
    - SSH keypair per each VM for admin
    - Can you tell who can access which VMs?
    - This does not scale well
  5. Add / Delete VMs & Users
    - Add VM: Add users’ SSH key to VM
    - Delete VM: Just delete a VM
    - Add User: Add user’s SSH key to VMs
    - Delete User: Remove user’s SSH key from VMs
  6. Azure Bastion Tiers
    - Premium: Session recording
    - Standard: Native client, shareable links, IP-based connections, custom ports, file transfer
    - Basic: Supports more than one VM at a time
    - Developer: Free; supports one VM at a time
  7. Which Tier to Use for Production?
    - Standard tier for native client & file transfer
    - Premium tier for session recording
  8. What about SSH Keys?
    - Microsoft Entra ID auth does not require SSH keys
    - https://learn.microsoft.com/en-us/azure/bastion/bastion-connect-vm-ssh-linux
  9. Access Management
    - Diagram labels: VPC; A's SSH Key; A's SSH Key; B's SSH Key; VM A; VM B; User A; User B
    - Remember this?
  10. Role-Based Access Control (RBAC)
    - Assign permissions to groups
    - Attach users to groups
    - Easier to set up and maintain
    - Can assign ad-hoc & special permissions on a case-by-case basis
  11. RBAC Demo
    - Diagram labels: VPC; VM A; VM D; VM B; VM C; User 1; User 4; User 2; User 3; User 5; Group A; Group B; Group C
  12. Azure Bastion
    - Authentication via Microsoft Entra ID with Conditional Access Policies
    - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  13. I’m on Azure But I Don’t Want to Pay for Azure Bastion
    - Basic tier is $208.8/month
    - So this can happen…
    - https://azure.microsoft.com/en-us/pricing/details/azure-bastion
  14. Warpgate
    - Supports using Microsoft Entra ID for Single Sign-On
    - Might not always be cheaper than Azure Bastion
    - Have to factor in operational costs
    - OSS alternative
    - https://warpgate.null.page
    - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/what-is-single-sign-on
  15. Takeaways
    - VM access setup should be secure
    - Use RBAC to manage users & access permissions
    - Self-managed solution can be cheaper
    - But might require more maintenance → 💸💸💸