You can record the graphical sessions for connections made to virtual machines (RDP and SSH) via the bastion host if you have activated the Azure Bastion Session recording capability. Recorded sessions are saved in a blob container inside your storage account (via SAS URL) once the session has been ended or disconnected. You can access and examine your recorded sessions on the Session Recording tab of the Azure portal once a session has ended. The Bastion Premium SKU is necessary for recording sessions.
Restrictions and requirements for recording Bastion sessions
- Premium SKU is required
- Currently, session recording is not accessible through the native client
- One container or storage account at a time is supported by session recording
- When a bastion host has session recording enabled, Bastion records EVERY session that passes through the recording-enabled bastion host
Requirements
- You have Azure Bastion installed on your virtual network
- Bastion must be configured to use Premium SKU for this feature
- The virtual machine you are connecting to needs to be either deployed to a virtual network that is directly peering to the Bastion virtual network or to the virtual network that houses the Bastion host
Activate session recording
Session recording can be configured either after Bastion has been deployed or when a new bastion host resource is created.
Deploying Bastion for the first time
You can choose the SKU tier and features at the time of deployment when you manually configure and launch a bastion host.
- In the Azure portal, select Create a Resource.
- Search for Azure Bastion and select Create
- Use the manual settings to enter the parameters, making sure to choose the Premium SKU.
- To activate the session recording option, choose Session Recording under the Advanced tab.
- After checking your information, click Create. Bastion starts building your bastion host right away. It takes roughly ten minutes to finish this operation.
Create a container for the storage account
Recording sessions are set up and specified in the container.
- Create a storage account in your resource group
- Make a Container inside the storage account. Your Bastion session recordings will be kept in this container. We advise you to make a special container for recording sessions.
- Expand Settings in the left pane on the storage account page. Choose CORS (Resource Sharing).
- Under Blob service, create a new policy and save your modifications at the top of the page.
The SAS URL should be added or updated
You need to add an SAS URL to your Bastion Session recordings setup in order to set up session recordings. In this stage, you upload the Blob SAS URL to your bastion server after generating it from your container.
Either choose Permissions and Start/expiry date and time on the Generate SAS page or in the access policy itself if you choose to create a saved access policy.
- On your storage account page, go to Data storage -> Containers.
- Locate the container you created to store Bastion session recordings, then click the 3 dots (ellipses) to the right of your container and select Generate SAS from the dropdown list.
- On the Generate SAS page, for Permissions, select READ, CREATE, WRITE, LIST
- For Start and expiry date/time, use the following recommendations:
- Set Start time to be at least 15 minutes before the present time.
- Set Expiry time to be long into the future.
- Under Allowed Protocols, select HTTPS only.
- Click Generate SAS token and URL. You’ll see the Blob SAS token and Blob SAS URL generated at the bottom of the page.
- Copy the Blob SAS URL.
- Go to your bastion host. In the left pane, select Session recordings.
- At the top of the page, select Add or update SAS URL. Paste your SAS URL, then click Upload.
You can view a recording here
When the bastion host has Session Recording enabled, sessions are automatically recorded. A built-in web player allows you to view recordings on the Azure portal.
- Navigate to your Bastion host in the Azure portal.
- Choose Session recordings from the Settings menu in the left pane.
- You should have already set up the SAS URL (before in this exercise). Use the earlier procedures to obtain and submit the Blob SAS URL, though, if your SAS URL has expired or if you need to add one.
- Choose View recording after selecting the virtual machine and recording link you wish to view.
Ref- Bastion session recording