
Secure Remote VM Access Trade-offs | Azure AZ-305

Jeff Taakey (Author)
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.

While preparing for the AZ-305: Designing Microsoft Azure Infrastructure Solutions exam, many candidates struggle with designing secure and compliant remote management access for Azure VMs. In the enterprise world, this decision often hinges on balancing security enforcement via identity and network controls versus operational complexity and cost. Let’s drill into a simulated hybrid management scenario.

The Scenario
#

Symetra Manufacturing operates a constellation of 10 critical virtual machines hosted within a single Azure virtual network named ProdNet01. These VMs run a mix of Windows and Linux workloads pivotal to their supply chain operations. The enterprise requires secure remote management access to these machines from the internet, but due to compliance with industry security standards and governance policies, the following must be guaranteed:

  • All remote connections must be authenticated using Azure Multi-Factor Authentication (MFA) before network connectivity is granted.
  • Remote connections must use Transport Layer Security (TLS) over TCP port 443.
  • Administrative access should support both RDP (for Windows VMs) and SSH (for Linux VMs).

Symetra's Identity team manages Conditional Access policies and expects a solution that enforces least privilege access in line with Microsoft's Cloud Adoption Framework security pillars.

Key Requirements
#

Design a secure solution to allow Symetra's IT admins and support engineers to remotely manage the 10 virtual machines with the constraints of enforced MFA, encrypted connection over TCP 443, and both RDP/SSH protocols supported.

The Options
#

  • A) Just-in-Time (JIT) VM Access
  • B) Conditional Access policy targeting the Azure Windows VM Sign-In cloud app
  • C) Azure Bastion
  • D) Microsoft-managed Conditional Access policy
  • E) Web Application Firewall (WAF) in Azure Front Door
  • F) Azure Identity Governance Access Packages

Correct Answer
#

Option C: Azure Bastion

Step-by-Step Winning Logic
#

Azure Bastion is a managed PaaS broker for RDP and SSH to Azure VMs. The administrator connects to Bastion over TLS on TCP 443 (in the browser from the Azure portal, or with the native client on the Standard SKU); Bastion then opens RDP or SSH to the VM's private IP inside the virtual network. The VMs therefore need no public IP, and ports 3389/22 are never reachable from the internet. The MFA requirement is met by Conditional Access on the Azure AD (now Microsoft Entra ID) sign-in that every Bastion session passes through, so the MFA check happens before any network path to the VM exists. Note the practical caveat: Bastion itself does not prompt for MFA; a Conditional Access policy covering Azure management sign-in must exist, and Bastion needs a dedicated subnet named AzureBastionSubnet (/26 or larger) plus a Standard-SKU public IP of its own. This design prioritizes the following Well-Architected Framework pillars:

  • Security: No public IPs on the VMs; management traffic from the internet terminates on Bastion over TLS 443; MFA is enforced via Conditional Access before the session is brokered.
  • Reliability: Managed platform service with an SLA; no jump-box patching or configuration drift.
  • Operational Excellence: One entry point to manage; NSG rules on the VM subnet reduce to "allow RDP/SSH from AzureBastionSubnet", which shrinks both rule count and attack surface.
  • Cost Optimization: No VPN gateway or self-managed jump-box VMs, although Bastion is billed hourly per instance plus outbound data.
  • Performance Efficiency: Bastion-to-VM traffic stays on the Azure backbone inside the VNet.
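The pattern above in Azure PowerShell plus Microsoft Graph PowerShell, as an added example that is not code from the original page. Resource group, region, resource names, address ranges and the admin group object ID are assumptions; Connect-AzAccount is assumed to have run. The application ID 797f4846-ba00-4fd7-ba43-dac1f8f63013 is the well-known Microsoft Azure Management (portal / ARM) cloud app, which is what the MFA policy has to target, because that sign-in, not Bastion, is where MFA is enforced.

```powershell
# Added example, not from the original page. Names, ranges, region and the admin
# group object ID are assumptions; Connect-AzAccount is assumed to have run.
$rg           = 'rg-symetra-prod'
$location     = 'eastus'
$vnetName     = 'ProdNet01'
$adminGroupId = '00000000-0000-0000-0000-000000000000'   # assumed Entra group of VM admins

# 1. NSG for the workload subnet: RDP/SSH only from AzureBastionSubnet. The explicit
#    deny from the Internet service tag makes the intent auditable and blocks any
#    management-port allow rule that lands at a lower precedence (higher number).
$allowBastion = New-AzNetworkSecurityRuleConfig -Name 'Allow-Bastion-RDP-SSH' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix '10.0.255.0/26' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 22,3389
$denyInternet = New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-Mgmt' -Priority 110 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 22,3389
$vmNsg = New-AzNetworkSecurityGroup -Name 'nsg-prodnet01-vms' -ResourceGroupName $rg `
    -Location $location -SecurityRules $allowBastion,$denyInternet

# 2. VNet with the workload subnet and the mandatory AzureBastionSubnet (/26 minimum).
#    The VM NSG is NOT attached to the Bastion subnet; the VMs get no public IP at all.
$vmSubnet      = New-AzVirtualNetworkSubnetConfig -Name 'snet-vms' -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $vmNsg
$bastionSubnet = New-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix '10.0.255.0/26'
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.0.0.0/16' -Subnet $vmSubnet,$bastionSubnet

# 3. The only public IP in the design belongs to Bastion. Standard SKU with tunneling
#    enables the native-client path (az network bastion rdp / ssh), still on TCP 443.
$pip = New-AzPublicIpAddress -Name 'pip-bastion-prodnet01' -ResourceGroupName $rg `
    -Location $location -AllocationMethod Static -Sku Standard
New-AzBastion -ResourceGroupName $rg -Name 'bas-prodnet01' `
    -PublicIpAddressRgName $rg -PublicIpAddressName $pip.Name `
    -VirtualNetworkRgName $rg -VirtualNetworkName $vnet.Name `
    -Sku Standard -EnableTunneling $true

# 4. MFA is enforced by Conditional Access on the sign-in that precedes every Bastion
#    session, i.e. the Microsoft Azure Management app (portal / ARM), not by Bastion.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'
$policy = @{
    displayName = 'Require MFA for Azure management (Bastion access)'
    state       = 'enabled'
    conditions  = @{
        applications   = @{ includeApplications = @('797f4846-ba00-4fd7-ba43-dac1f8f63013') }
        users          = @{ includeGroups = @($adminGroupId) }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Scope the policy to the admin group rather than all users first and watch the sign-in logs; a policy on Microsoft Azure Management also gates the CLI, PowerShell and portal for everyone it includes, which is the intended effect for this scenario but surprises teams that expected it to touch only Bastion.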

💎 Professional-Level Analysis
#

This section breaks down the scenario from a professional exam perspective, focusing on constraints, trade-offs, and the decision signals used to eliminate incorrect options.

🔐 Expert Deep Dive: Why Options Fail
#

This walkthrough explains how the exam expects you to reason through the scenario step by step, highlighting the constraints and trade-offs that invalidate each incorrect option.


🔐 The Traps (Distractor Analysis)
#

This section explains why each incorrect option looks reasonable at first glance, and the specific assumptions or constraints that ultimately make it fail.

The difference between the correct answer and the distractors comes down to one assumption most candidates overlook: the requirement says MFA must be satisfied before network connectivity is granted, so the control has to sit in the connection path itself. Identity-only options (B, D, F) decide who may sign in but leave the RDP/SSH port reachable; network-only options (A, E) shape reachability without an MFA-gated broker. Only Bastion places an MFA-gated, TLS-on-443 broker between the internet and the VM's private interface.

  • A) JIT VM Access: Opens NSG rules for RDP/SSH to the requester's source IP for a limited window. The request itself goes through the portal or ARM, but the RDP/SSH session then runs directly to a public IP on 3389/22, so no MFA gates the network path and the management ports are still exposed, if only briefly.
  • B) Conditional Access policy for Azure Windows VM Sign-In: Enforces MFA on the Azure AD sign-in to a Windows VM (it requires the Azure AD login extension on the VM), but as stated it covers Windows only, not Linux/SSH, and it neither provides the TLS-over-443 channel nor removes the need for a reachable RDP port.
  • D) Microsoft-managed Conditional Access policy: Microsoft-created baseline policies (for example, requiring MFA for admins) strengthen sign-in broadly, but they do not address the connectivity mechanism or the encryption and port requirement for remote VM management.
  • E) Azure Front Door WAF: A Layer 7 HTTP(S) reverse proxy and WAF for web applications; it cannot carry RDP/SSH sessions and does not enforce VM-level access control.
  • F) Azure Identity Governance Access Packages: Manages the entitlement lifecycle (who gets which role or group membership, for how long); it does not establish a secure network channel to a VM.
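The state that options A and a self-managed jump host leave behind, management ports reachable from the internet, is worth checking for directly. The following is an added example, not code from the original page: it lists every inbound Allow NSG rule in the current subscription whose source is the Internet service tag, `*` or `0.0.0.0/0` and whose destination port range covers 22 or 3389. It assumes Connect-AzAccount has run and the Az.Network module is installed; the property names are those of the Az PowerShell security-rule model, where SourceAddressPrefix and DestinationPortRange are lists.

```powershell
# Added example, not from the original page. Assumes Connect-AzAccount has run.
$mgmtPorts   = 22, 3389
$openSources = 'Internet', '*', '0.0.0.0/0'

# A destination port entry may be "*", "3389" or "3000-4000"; true if it covers $Port.
function Test-PortCovered {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

$findings = foreach ($nsg in Get-AzNetworkSecurityGroup) {
    foreach ($rule in $nsg.SecurityRules) {
        if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
        if ($rule.Protocol -notin 'Tcp', '*') { continue }

        # In the Az model these are lists, so wrap in @() to handle single values too.
        $sources = @($rule.SourceAddressPrefix)
        if (-not ($sources | Where-Object { $_ -in $openSources })) { continue }

        $ports   = @($rule.DestinationPortRange)
        $exposed = $mgmtPorts | Where-Object {
            $p = $_
            $ports | Where-Object { Test-PortCovered $_ $p }
        }
        if ($exposed) {
            [pscustomobject]@{
                ResourceGroup = $nsg.ResourceGroupName
                Nsg           = $nsg.Name
                Rule          = $rule.Name
                Priority      = $rule.Priority
                Ports         = ($exposed -join ',')
                # Where the NSG is applied: subnet IDs and/or NIC IDs.
                AttachedTo    = ((@($nsg.Subnets.Id) + @($nsg.NetworkInterfaces.Id)) -join ';')
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Run it once before the Bastion rollout to find what must be removed, and again afterwards: a JIT policy or a "temporary" rule re-creates exactly this finding, and an NSG that reports nothing here while the VM also has no public IP is the end state the exam answer describes.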


🔐 The Solution Blueprint
#

This blueprint visualizes the expected solution, showing how services interact and which architectural pattern the exam is testing.

Seeing the full solution end to end often makes the trade-offs, and the failure points of simpler options, immediately clear.

Mermaid Diagram illustrating Azure Bastion connectivity flow:

graph TD
    User([Admin User]) -->|Session over TLS 443| AzureBastion[Azure Bastion]
    AzureBastion -->|Private RDP/SSH| VM1[VM 1 in ProdNet01]
    AzureBastion -->|Private RDP/SSH| VM10[VM 10 in ProdNet01]
    style AzureBastion fill:#0078D4,stroke:#333,color:#fff
    style VM1 fill:#5C2D91,stroke:#333,color:#fff
    style VM10 fill:#5C2D91,stroke:#333,color:#fff

Diagram Note: Users connect from the internet to Azure Bastion over TLS 443 after an MFA-gated Azure AD sign-in; Bastion then brokers RDP/SSH sessions to the VMs' private IPs over the virtual network, so the VMs themselves have no public IP.


🔐 The Decision Matrix
#

This matrix compares all options across cost, complexity, and operational impact, making the trade-offs explicit and the correct choice logically defensible.

At the professional level, the exam expects you to justify your choice by explicitly comparing cost, complexity, and operational impact.

| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A) JIT VM Access | Medium (NSG automation, manual enable) | Low (no extra service charge, minimal compute) | Minimal cost; time-limited exposure reduces risk | Does not enforce MFA prior to connection; exposes management ports to a public IP |
| B) Cloud App CA Policy (Azure Windows VM Sign-In) | Low (policy only) | None | Controls identity access; simple to apply | Does not control network connectivity or TLS enforcement; Windows only as stated |
| C) Azure Bastion | Low (PaaS deploy, no infra maintenance) | Moderate (~$150/month; billed hourly per instance plus outbound data, Standard SKU higher) | TLS 443 tunnel, MFA via Conditional Access, no exposed VM ports | Ongoing service cost; limited to Azure VMs; needs a dedicated AzureBastionSubnet |
| D) MS-Managed CA Policy | None | None | Out-of-the-box policies; broad coverage | Not tailored for VM remote session scenarios |
| E) Azure Front Door WAF | High (app routing config) | High (Premium SKU pricing) | Protects web apps; blocks OWASP-class attacks | Cannot proxy RDP/SSH; not relevant for VM remote management |
| F) Azure Identity Governance Packages | Medium (entitlement mgmt) | Moderate | Automates user entitlement to resources | Adds governance but no secure access channel |


🔐 Real-World Practitioner Insight
#

This section connects the exam scenario to real production environments, highlighting how similar decisions are made, and often misjudged, in practice.

This is the kind of decision that looks settled on paper but creates friction once deployed: Bastion is billed per hour per instance whether or not anyone is connected, it is deployed per virtual network (spokes reach it through peering to the hub), and the Basic SKU has no native-client support, so teams that choose Basic to save money are left with browser-only sessions. Decide the SKU and the hub-and-spoke placement up front, and make sure the Conditional Access policy that supplies the MFA actually covers the Azure management sign-in, or the "MFA-enforced" claim is only on paper.

Exam Rule
#

For the AZ-305 exam, always pick Azure Bastion when the scenario requires secure, MFA-enforced remote VM access over TLS 443 supporting RDP/SSH without exposing management ports.

Real World
#

In enterprise hybrid scenarios, Azure Bastion simplifies compliance because the sign-in in front of it is Azure AD (Microsoft Entra ID) and is therefore covered by Conditional Access. For on-premises or multi-cloud machines that Bastion cannot reach, Azure Arc-enabled servers (optionally over Azure Arc Private Link) provide an Azure AD-authenticated SSH path through the Arc agent that can complement Bastion's native capabilities.
