1

In GCP, it's easy to set up an IAP (hide your apps under a Google OAuth service). For more info: https://cloud.google.com/iap/docs/app-engine-quickstart

Does Azure have something similar?

Ramon Medeiros
  • 2,272
  • 2
  • 24
  • 41

3 Answers

1

Did some googling and discovered "Azure AD Application Proxy". It's pretty cool in that it can do what a normal authentication proxy can do and more (make on-prem apps accessible without a bastion/VPN). "After a single sign-on to Azure AD, users can access both cloud and on-premises applications through an external URL or an internal application portal."

https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy

This shows the UI interactions for an unauthenticated user:
https://youtu.be/Y-uTz7aXGd0?t=306

This shows the UI interactions for an authenticated user:
https://youtu.be/_2kWq5H4NhY?t=195

neoakris
  • 4,217
  • 1
  • 30
  • 32
  • AFAIK Azure AD Application Proxy is only suitable for on premises applications and setup is quite complex: https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy – Matthias M May 23 '23 at 20:37
0

FYI, this is now available with recent developments to the Bastion service and to the Azure CLI. For me, it works as a drop-in replacement in terms of user experience for GCP's IAP tunneling (but costs a minimum of £170 a month AFAICT).

I am running these commands from a host Ubuntu machine.

> uname -v
#64~20.04.1-Ubuntu SMP Fri Jan 6 16:42:31 UTC 2023

For example

> az network bastion tunnel \
  --name <bastion-name> \
  --resource-group <rg-name> \
  --target-resource-id /subscriptions/.../resourceGroups/dev/providers/Microsoft.Compute/virtualMachines/<vm-with-no-public-ip> \
  --resource-port 22 --port 2222

Opening tunnel on port: 2222
Tunnel is ready, connect on port 2222
Ctrl + C to close

will enable me to set up VSCode remote against an Azure VM which doesn't have a private IP address through the bastion.

Also, there is a convenience command to SSH to the machine (which has an AD auth option)

akhil@host > az network bastion ssh \
  --name <bastion-name> \
  --resource-group <rg-name> \
  --target-resource-id /subscriptions/.../resourceGroups/<rg-name>/providers/Microsoft.Compute/virtualMachines/<vm-with-no-public-ip> \
  --auth-type ssh-key \
  --username akhil \
  --ssh-key ~/.ssh/id_rsa

Command group 'az network' is in preview and under development. Reference and support levels: https://aka.ms/CLI_refstatus
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.15.0-1033-azure x86_64)

<login message>

akhil@<vm-with-no-public-ip>:~$ 

az-cli versions

> az version
{
  "azure-cli": "2.45.0",
  "azure-cli-core": "2.45.0",
  "azure-cli-telemetry": "1.0.8",
  "extensions": {
    "azure-devops": "0.18.0",
    "bastion": "0.2.1",
    "ssh": "1.1.3"
  }
}
Akhil Nair
  • 3,144
  • 1
  • 17
  • 32
-1

That's not quite the same thing as GCP's IAP, I believe.

GCP's IAP allows you to log onto VMs - without SSH / RDP. The Azure App Proxy is mainly for app level authentication, correct? Not a replacement for SSH/RDP onto VMs.

user2736158
  • 389
  • 1
  • 6
  • 14