Security and Compliance
Apache Guacamole as a Low-Cost Bastion Alternative
Topics: Security and Compliance
In a previous blog, I mentioned my small setup using AVD and a few VMs in an Azure demo tenant under a Microsoft MPN subscription. This means I have a limited monthly budget to spend on my environment. I initially set up Azure Bastion, but that quickly ate into my monthly MPN subscription, leaving me with fewer resources. So, I started exploring alternatives, including Apache Guacamole.
Now, the million-dollar question: Can Apache Guacamole be a cheaper alternative to Azure Bastion? In some cases, yes—it can! But, as always, it depends on your specific needs and infrastructure.
If you’re like me and looking for a cost-effective way to manage Windows and Linux VMs with secure, seamless RDP and SSH access—without needing a public IP—keep reading. This blog will help you decide if Apache Guacamole is the right solution.
What is Azure Bastion?
If you’re managing virtual machines in Azure, you’ve probably heard of Azure Bastion, a service that provides secure, seamless RDP and SSH access directly through the Azure portal. The best part is that there is no need for public IP’s, which reduces exposure to the evil internet.
When you connect to a VM using Bastion, it uses a secure connection over TLS to ensure your data is safe and protected. This allows you to access your VMs without worrying about potential vulnerabilities or open firewall ports. Here are some key reasons to use it:
- Enhanced Security: By eliminating public IPs on your VMs, Azure Bastion significantly reduces exposure to external threats and attacks.
- Seamless Integration: It works effortlessly within the Azure Portal, allowing you to access your VMs directly from your browser without extra setup.
- No More Complex Firewall Rules: Forget about manually managing intricate network security rules. Bastion simplifies access management while keeping your environment secure.
- Scalability on Demand: Azure Bastion scales automatically with your network needs, ensuring you always have the right capacity without manual adjustments.
Apache Guacamole Explained
If you’re looking for a clientless, open-source remote desktop gateway, Apache Guacamole is a powerful solution that allows users to access their desktops and servers directly from a web browser (HTML5). No client software is required—just log in and connect!
Here are some key features of Apache Guacamole and why it might be an ideal remote access tool for you:
- Clientless Access: Everything runs through your web browser, so there is no need to install separate software. This ensures accessibility from virtually any device with a modern browser.
- Supports Multiple Protocols: Apache Guacamole is highly versatile, allowing you to connect to different systems using Remote Desktop Protocol (RDP), Secure Shell (SSH) or VNC.
- Enhanced Security: Uses HTTPS to encrypt traffic and supports Two-Factor Authentication (2FA).
- SAML Authentication: Apache Guacamole supports SAML (Security Assertion Markup Language) for Single Sign-On (SSO), allowing seamless authentication via an Identity Provider (IdP).
- Flexible Deployment: While it is natively hosted on Linux distributions, Apache Guacamole can also run on Windows using Docker Desktop, and it supports multiple users and simultaneous sessions.
- Collaboration & Screen Sharing: Multiple users can join the same session, making it perfect for collaborative work and remote support.
Pros and Cons Showdown
Here are the pros and cons of Apache Guacamole based on my personal experience.
| The Pros | The Cons |
| ✅ Cost-Effective: Since it’s open source, there are no licensing fees. This makes it a budget-friendly option for many organizations. ✅ User-Friendly: No installation is needed on end-user devices. You simply access it through a web browser. ✅ Scalable: Whether you’re a small business or a large enterprise, Guacamole can be configured to meet your needs. It’s flexible enough to handle various deployment sizes. ✅ Versatile: It supports multiple platforms and protocols, making it a versatile tool for different environments. ✅ Fully Customizable: You can personalize it with your company’s branding, giving it a professional touch that aligns with your corporate identity. | ❌ Complex Installation and Management: Setting up and maintaining Guacamole requires technical know-how. It’s not the most straightforward process, and you might need some expertise to get it right. ❌ Limited Built-In Functionality: Compared to managed services like Azure Bastion, Guacamole might lack some features or require more configuration to achieve the same functionality. ❌ Self-Managed: Since it’s not a managed service, you’re responsible for updates, security, backups, and maintenance. This can be a bit daunting if you’re not prepared for it. |
The Cost Comparison
The cost of Azure Bastion varies based on factors like region and traffic volume. Generally, costs are calculated based on the following components:
- Hourly Rate: This is the price per hour for using Azure Bastion. The rate can vary depending on the chosen SKU.
- Data Consumption: These are the costs for outbound traffic from your virtual machines via Azure Bastion. The first 5 GB per month is free, and after that, charges are based on usage.
- Number of Instances: If you require multiple instances, certain SKUs (such as Standard and Premium) charge extra for each additional instance.
For accurate, up-to-date pricing, use the Azure pricing calculator. This tool helps estimate costs based on your specific usage and region. The costs for Apache Guacamole are easier to predict because it only involves a VM in my scenario. The minimum system requirements are 1 CPU, 2 GB RAM, and at least 20 GB storage for Ubuntu Server (or another supported Linux distro), Apache Guacamole, and prerequisites. For my small demo environment, a Standard_B1ms VM instance with 30 GB Standard SSD LRS is sufficient.
Additionally, you’ll need a public IP address to make the Apache Guacamole portal accessible online. While this incurs costs, they are typically low. As discussed in a previous blog, I minimize expenses by using PowerShell scripts and Azure Automation, as I don’t need everything running 24/7.
Note: The larger your Azure environment with multiple IT admins, the higher the system requirements. However, these requirements typically remain reasonable. You might need multiple Apache Guacamole VMs to handle the load.
Exploring My Guacamole Environment
I want to share how I set up my environment using Apache Guacamole. See the diagram below for an overview of the setup.
Note that Guacamole is used behind a reverse proxy, which is highly recommended for production deployments. It provides flexibility, and if your proxy is set up with SSL using Let’s Encrypt, you’ll benefit from strong encryption. I used Apache for the reverse proxy, but you could also use Nginx or Nginx Proxy Manager (hosted via Docker). Choose the option that suits your needs.
You can also host services like the reverse proxy or MariaDB server on separate VMs, or use existing VMs that already host these services. This demonstrates the flexibility and scalability of Guacamole.
Setting Up the VM in Azure
I won’t provide a step-by-step guide for setting up your system, as it depends on your choice of Linux distro, database server, reverse proxy, and more. Fortunately, Apache Guacamole offers extensive documentation, and many online how-to guides can help you set up a working environment.
For the VM in Azure, I used the Ubuntu Server 24.04 LTS image from the Azure Marketplace. Deployment is quick—just a few minutes. Below is an overview with steps to get Guacamole up and running in under an hour:
- Install Requirements for Guacamole
- Download, build, and install Guacamole
- Download and install the Apache Guacamole Web Application (Tomcat)
- Set up and configure the Guacamole Database for Authentication
- Download and install 2FA authentication (in our case, Duo Security)
- Create a properties file for Guacamole with Duo Security
- Access Apache Guacamole => Create users and set up access to VM(s)
Azure Network Security Group (NSG) Configuration
In my setup, I only opened inbound ports for HTTP and HTTPS. Port 80 remains open for Let’s Encrypt certificate requests and renewals, and Apache redirects traffic from port 80 to the secure port 443.
SSL Cert Check
I used SSL Labs Server Test to check my site serving Apache Guacamole. Why should you even care to do this? It’s basically a must for anyone serious about website security. This free to use tool thoroughly examines your SSL/TLS setup, looking at everything from validity to encryption strength. By checking your certificate’s grade and making improvements, you can ensure a safe and secure experience for everyone who visits your site.
A Glimpse into My Apache Guacamole
A look at my Guacamole environment featuring custom branding and a 2FA setup with Duo and Yubikey.
Long Story Short
If you’re looking for a cost-effective alternative to Azure Bastion, Apache Guacamole may be a strong option—depending on your infrastructure and management resources. If you value flexibility, low costs, and full control over your remote access solution, Guacamole is attractive. However, if you prioritize simplicity and seamless integration, Azure Bastion is often the better choice.
For my needs, Guacamole offers the functionality required to manage an Azure environment on a limited budget. I appreciate its flexibility and customization options, such as selecting a preferred 2FA method (Duo with Yubikey) and branding the portal. I recommend this solution primarily for organizations with smaller Azure environments, like demo or test setups.
