Azure Bastion inheritance

Hi Nicolas

Thanks for the issue report and thanks for starting a new thread to track this. The prior thread was getting too long to manage the different requests and issue reports.

With regard to "Use entry name as Resource name" not working when the Bastion VPN is inherited, I'm opening a ticket to track this. I expect the fix is straightforward and this was just missed in the last round of updates. I'll post back once I have an update for this.

With regard to variables not resolving for the subscription and resource group: if it was working (partially) before (at least for resource groups), that was actually a side-effect of the implementation and not something I'd considered at the time. Some internal changes in RDM broke the resource info overrides around the 2023.3 version, and that was what the last round of updates should have resolved - but in those changes we clearly lost the ability to use variables here.

That said, I do consider this to be a useful feature - I'm opening a second ticket for that and in both cases (subscription ID and resource group) I'm classifying it as a feature request. I will however try to get to this done the short term; I'll aim to have that implemented for a 2023.3 release rather than waiting for 2024.1.

With regard to the mechanism of variable resolution, I'll lease with the RDM team to see what they think fits best. I do think the pre-2023.3.25 behaviour is the proper one.

Thanks for your feedback and patience.

Kind regards,

Hi Nicolas

I've just added the fix for the "Use entry name as Azure resource name" not working with an inherited VPN, and that will be available on the next release (2023.3.33). I do apologize for the inconvenience, that property was an oversight in the last round of fixes.

Out of interest - were you the customer we originally discussed that feature with over a related support ticket? We implemented it specifically to try and support Kerberos scenarios with Azure Bastion, but without a development setup on my side it was all theoretical. If that's what you're using this feature for, I'm curious to know if it's working well for you.

As always, if you have questions or comments please don't hesitate to post back.

Thanks and kind regards,

Hi Richard,

thank your very much for implementing this for us very helpful feature and also this quick :)

Yes I initially created this request and will test and report back as soon as possible. I was already able to test this setup once and it work (I think it was around the Beta release for 2023.3). Important to know, as you suspected in the initial ticket, it is not the Bastion Service who does the Kerberos part (at least with the TCP Tunnel). You as a client need direct access to a domain controller.

Bastion itself does support Kerberos, but currently only for VMs not created by a custom image or azure migrate Azure Bastion Kerberos Support for non native VMs · Community and many other considerations.

I will test this behavior further with 2023.3.33 and also the native RDP.

Kind Regards,
Nicolas

Hi Nicolas

Thanks for the information. The 2023.3.33 release should be imminent (within the next few days).

I'm still working on prioritizing variable resolution for the Azure resource info, I will keep you posted.

Thanks once again and kind regards,

Hi Richard,

long holidays, many other things to do :D Thanks for being patient with me :)

Here a small update from me regarding this topic

• Inheritance works as expected now. Thanks!!
• Only works with TCP Tunnel (known Microsoft issue with token length, where you already commented on the corresponding github issue). So I could not test it with native RDP
• Because of the missing possibility to use variables, I checked the Powershell Module to set the folder name to the VPN.AzureResourceGroup property. While doing that I found out that the Property "UseEntryNameAsAzureResourceName" is missing when retrieving the entry with "Get-RDMEntry"

-> I can do that via batch edit for now

Kind Regards,
Nicolas

Hi Nicolas

Thanks to you for your patience.

I'm still trying to find time to fix variable resolution in the Azure resource settings; I do apologize for this and will give you some feedback once this is available.

In the meantime, I'm raising that specific PowerShell issue with the relevant team internally.

Thank you for the feedback on the inheritance and the token length problem.

As always, please let me know any further questions or if something isn't clear

Kind regards,

Hi Nicolas

I've fixed variable usage for both the subscription and resource group. That should be available in the next release.

ecause of the missing possibility to use variables, I checked the Powershell Module to set the folder name to the VPN.AzureResourceGroup property. While doing that I found out that the Property "UseEntryNameAsAzureResourceName" is missing when retrieving the entry with "Get-RDMEntry"

Thanks for bringing this up. It should be fixed on the next release of the PowerShell module.

As always, please let me know any further questions or if something isn't clear.

Kind regards,

Hi Richard,

I was finally able to test it and it works as expected. Thank you very much!

Hi Nicolas

Great news. Thank you for the feedback and your patience.

As always, please let me know any further questions.

Kind regards,