What Is Azure Bastion in Networking?
On This Page
What do you want to do?
Quick Definition
Azure Bastion lets you connect to your virtual machines in the cloud without giving them a public IP address. It acts like a secure tunnel that you access from your browser. This keeps your virtual machines safe from direct internet attacks. You just log in through the Azure portal and click your VM.
Common Commands & Configuration
az network bastion create --name MyBastion --resource-group MyRG --vnet-name MyVNet --public-ip-address MyPublicIPCreates an Azure Bastion host in a specified virtual network with a public IP address.
Exams test the dependency on a public IP and that Bastion must be deployed in a dedicated subnet named AzureBastionSubnet.
az network bastion list --resource-group MyRGLists all Bastion hosts in a resource group.
Used in exams to verify deployment or check Bastion existence before testing connectivity.
az network bastion show --name MyBastion --resource-group MyRGDisplays details of a specific Bastion host, including provisioning state and SKU.
Exams test that provisioning state must be 'Succeeded' for Bastion to be functional.
az network bastion delete --name MyBastion --resource-group MyRGDeletes an Azure Bastion resource.
Questions may ask about cleanup steps after Bastion is no longer needed, especially when redeploying.
az network bastion update --name MyBastion --resource-group MyRG --scale-units 4Updates the scale units (instances) of an existing Bastion host to handle more concurrent sessions.
Exams test that scale units control throughput; standard SKU allows scaling up to 50 units.
az network bastion ssh --name MyBastion --resource-group MyRG --target-resource-id /subscriptions/.../virtualMachines/MyVM --auth-type password --username azureuserConnects to a VM via SSH through Bastion using resource ID and password authentication.
Exams emphasize that Bastion uses private IPs only and supports SSH/RDP natively without public IP on VMs.
Azure Bastion appears directly in 14exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on DVA-C02. Practise them →
Must Know for Exams
Azure Bastion appears frequently in the AZ-104 (Azure Administrator) and AZ-303/304 (Azure Solutions Architect) exams, and it is also relevant to the Azure Fundamentals (AZ-900) exam at a conceptual level. For the AZ-104 exam, the objective 'Secure access to virtual machines' explicitly includes configuring Azure Bastion. Candidates are expected to understand when to use Bastion versus other connectivity options like a public IP, a point-to-site VPN, a site-to-site VPN, or ExpressRoute.
The exam may present a scenario where a company wants to allow administrators to connect to VMs in a secure manner without exposing them to the public internet, and you need to select the right solution. Bastion is often the correct choice because it is fully managed, requires no public IP on the VM, and provides browser-based access. In the AZ-900 exam, the focus is more on understanding the concept and its benefits: improving security posture and reducing management overhead.
You might see a question like 'Which Azure service allows you to connect to a VM through the portal without a public IP address?' Answer: Azure Bastion. For the AWS exams listed (cloud-practitioner, developer-associate, and solutions-architect-associate), Azure Bastion itself is not an AWS service, but the concept is analogous to AWS Systems Manager Session Manager or AWS EC2 Instance Connect.
However, because this glossary is for IT certification learners across cloud platforms, the exam relevance for AWS exams involves understanding the architectural pattern: a managed bastion/jump host solution. In AWS exam scenarios, you might need to recommend a similar architecture using AWS systems, and understanding Azure Bastion helps you compare and contrast. For the Google Cloud exams (ACE, Cloud Digital Leader), the equivalent is IAP (Identity-Aware Proxy) for TCP forwarding or the OS Login feature, which also provides secure, browser-based access.
In those exams, the core concept of not exposing public IPs for management is a recurring theme. Therefore, even if Azure Bastion is not directly testable on AWS or Google exams, the underlying principle-secure, managed access to compute resources-is a fundamental expectation across all cloud platforms. In Azure exams, question types often include: 'A company has 50 VMs in a VNet.
They want to allow administrators to connect using RDP without public IPs and without a VPN. What should they deploy?' The answer is Azure Bastion. Another pattern: 'What are the security benefits of using Azure Bastion over a jump box VM?'
You need to know that Bastion is PaaS, automatically patched, and uses Azure AD authentication, while a jump box requires manual patching and NSG management. A common trap is when a question mentions 'jump box' or 'bastion host'-candidates might think of deploying their own VM, but the exam expects you to choose the managed service (Azure Bastion) for production scenarios. Also, be prepared for questions about the AzureBastionSubnet: it must be named exactly 'AzureBastionSubnet' and have a size of at least /27.
There may be troubleshooting scenarios where connectivity fails because the subnet is named incorrectly or is too small. For Azure exams, Azure Bastion is a high-yield topic. For AWS and Google exams, treat it as a concept of 'secure managed access' that helps you understand the general pattern across clouds.
Simple Meaning
Imagine you are the manager of a very secure office building. The building has many sensitive rooms (your virtual machines, or VMs) where important work happens. Normally, to get into one of those rooms, you would need a key that is left outside the building for anyone to find.
That key is like a public IP address; it sits on the internet and anyone can try to use it to break in. Azure Bastion is like a secure, guarded reception desk at the front entrance. Instead of giving every room its own outside door with a key under the mat, you walk into the main lobby (the Azure portal), show your badge (your Azure login credentials, often with multi-factor authentication), and tell the receptionist which room you need to visit.
The receptionist then escorts you through a private, staff-only hallway that leads directly to that room. You never step outside the building, and no one on the street can see which room you entered. The hallway is built and maintained by Azure, so you do not need to rent extra space or build the hallway yourself.
The best part is that the rooms themselves still do not have any outside doors. They only have a private entrance that connects to this internal hallway. This means even if a hacker knows the building exists, they cannot directly knock on any specific room’s door because there is no door to knock on.
Azure Bastion works the same way: you connect to the Azure portal over a secure HTTPS connection, and from there, Bastion creates a secure tunnel inside Azure’s network to your VM. You never need to install a VPN client or configure complex network security rules. The traffic never goes over the public internet, and your VM never needs a public IP address that would make it a target for automated scanners and brute force attacks.
This is especially important for IT professionals who manage sensitive systems like databases or domain controllers, where any exposure to the internet is a high security risk. Azure Bastion also handles the hard work of authentication and session management, so you can focus on your work instead of worrying about network security. In short, it gives you a safe, easy, and browser-based way to manage your cloud servers without turning them into sitting ducks on the internet.
Full Technical Definition
Azure Bastion is a platform as a service (PaaS) offering from Microsoft Azure that provides secure, seamless Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to virtual machines (VMs) within an Azure virtual network (VNet) without requiring any public IP addresses to be assigned to the target VMs. The service is provisioned directly inside the VNet and uses a hardened, multi-layer architecture to broker connections. At its core, Azure Bastion acts as a reverse proxy, terminating all inbound RDP and SSH traffic at the Bastion host itself, then establishing a new, outbound-only connection to the target VM over the Azure backbone network.
This design ensures that malicious actors cannot target VMs directly from the internet because the VMs are never assigned a public IP. The Bastion service is deployed as a dedicated subnet named AzureBastionSubnet with a minimum size of /27 or larger. This subnet must be within the VNet where the target VMs reside.
The Bastion host is assigned a public IP address, but that public IP is attached only to the Bastion service, not to the VMs. All user traffic first reaches the Bastion host over HTTPS (port 443) through the Azure portal. The Bastion host validates the user's Azure Active Directory (Azure AD) credentials or, if configured, uses Azure AD authentication for the target VMs.
Once authenticated, the Bastion host opens a session and connects to the target VM over a private IP address within the VNet, using RDP (port 3389) or SSH (port 22) but only over the private network. The Bastion service supports both standard and premium tiers, with the premium tier offering additional features such as session recording, custom port forwarding, and scaling up to 50 concurrent RDP sessions or 500 concurrent SSH sessions per scaling unit. The service integrates with Azure Private Link, Azure Firewall, and network security groups (NSGs) for fine-grained access control.
The Bastion host itself is hardened against common attack vectors: it receives automatic security updates from Microsoft, it does not expose any management interfaces to the public internet beyond the necessary HTTPS endpoint, and it supports Just-In-Time (JIT) VM access for an additional layer of security. From a protocol perspective, Azure Bastion encapsulates RDP/SSH traffic within an HTTPS tunnel. The user’s browser renders the RDP or SSH session using HTML5, meaning no local client software is required beyond a modern web browser.
This is achieved through a web-based gateway that translates the remote desktop or terminal protocol into browser-compatible web sockets. The Bastion service also supports native client connections via the Azure CLI or the Bastion client for Windows, which uses a native RDP or SSH client while still using the Bastion tunnel. In terms of networking, Azure Bastion uses the Azure backbone for all traffic between the Bastion host and the target VMs.
This traffic never traverses the public internet, even if the VMs are in a different region. The VMs themselves must have the Bastion agent enabled (which is the default for most Azure marketplace images) or the Bastion must be able to communicate with the VM's guest OS via the private IP. For VMs not using the Bastion agent, the Bastion host injects the necessary credentials into the session using the VM's virtual network adapter.
Security considerations are paramount: the AzureBastionSubnet must not contain any other resources, and NSG rules can be applied to restrict inbound traffic to the Bastion subnet from only trusted IP ranges, although Microsoft recommends allowing all inbound traffic on port 443 from the internet because the Bastion host itself is the only point of entry. Azure Bastion supports Azure AD authentication for Windows VMs, enabling conditional access policies and multi-factor authentication (MFA) to be applied before the session even reaches the VM. The service is available in most Azure regions and supports VMs running Windows, Linux, and even some third-party operating systems.
Azure Bastion is not a VPN or a jump box in the traditional sense, because it does not provide general network-level access to the VNet. It only provides RDP/SSH access to specific VMs for which a user has explicit permissions. Azure Bastion is a full-featured, secure, and scalable solution for remote VM management that eliminates the operational overhead of maintaining a VPN gateway or a bastion host VM while providing enterprise-grade security controls.
Real-Life Example
Think of a large bank vault that holds many safe deposit boxes (your virtual machines). Usually, to access your safe deposit box, you would walk through the bank's main entrance, show your ID to the receptionist, sign a logbook, and then be escorted to a special room where you can open your box. The bank does not give customers a back door or a secret tunnel to their boxes from the outside.
That back door would be like a public IP address on a VM. Azure Bastion is the entire escorted experience. You enter the bank through the main public entrance (the Azure portal). The receptionist (Azure AD) checks your ID and your permission to access a specific box.
Once approved, a bank employee (the Bastion host) physically escorts you through a private corridor that only the bank can access, directly to your safe deposit box. You never walk past other customers' boxes, and no one from the street can see you. The box itself does not have a lock that is accessible from the outside of the bank.
Only the bank employee can unlock the private corridor to reach it. This is exactly how Azure Bastion works: you authenticate through the portal, and Bastion creates a private, encrypted tunnel to your VM, even though the VM itself has no public internet connection. In a traditional setup, you might have placed a jump box (a small VM) in the network and RDP to that, then RDP to other VMs.
But that jump box itself becomes a target. With Bastion, there is no jump box to maintain; the hardened, managed Bastion host does all the heavy lifting. Imagine if every time you needed to access your safe deposit box, you had to not only use the main entrance but also configure a new route through the building, install special keys, and make sure the route was secure.
That would be like setting up a VPN gateway. Azure Bastion eliminates that complexity by providing a pre-built, fully managed, and secure access route. The analogy extends to security: if someone wanted to break into your safe deposit box, they would first have to get past the receptionist, then fool the employee, and then somehow bypass the private corridor.
That is exponentially harder than trying to pick a lock on a box that has a door directly on the street.
Why This Term Matters
Azure Bastion matters because it directly addresses one of the most common security vulnerabilities in cloud environments: exposing management ports (RDP and SSH) to the internet. For years, IT administrators would assign public IP addresses to VMs just to be able to log in and manage them, or they would configure complex VPN gateways that required client software and certificate management. Azure Bastion eliminates the need for both.
By allowing secure, browser-based access to VMs inside a VNet without any public endpoints, Bastion reduces the attack surface dramatically. This is especially critical for VMs that host sensitive data, such as domain controllers, SQL servers, or application servers, because automated botnets constantly scan the internet for open RDP and SSH ports. A single misconfigured NSG can expose hundreds of VMs to brute force attacks.
Bastion removes that risk entirely at the architectural level. Bastion simplifies compliance with security policies that require all administrative access to go through a secure, audited, and centrally managed gateway. Because all connections are logged and tied to Azure AD identities, organizations can enforce multi-factor authentication, conditional access policies, and even session recording (with the Premium tier).
This makes it easier to meet standards like SOC 2, ISO 27001, and HIPAA, which require strict access controls and auditing. From an operational perspective, Bastion eliminates the overhead of maintaining a bastion host or VPN server. You no longer need to patch a jump box, manage VPN certificates, or troubleshoot split tunneling.
Bastion is a PaaS service, so Microsoft handles the infrastructure, updates, and scaling. This frees up IT staff to focus on higher-value tasks. Bastion also improves productivity; administrators can manage VMs from any device with a browser, including tablets or thin clients, without installing any client software.
This is a huge advantage in modern, remote-first workplaces. Finally, Bastion integrates with existing Azure governance tools, such as Azure Policy and Azure Role-Based Access Control (RBAC). You can enforce that only users with specific roles (e.
g., 'Virtual Machine Contributor') can access VMs through Bastion, and you can even restrict which VMs they can access. Azure Bastion is not just a convenience tool; it is a fundamental security control that should be considered a best practice for any production workload running in Azure.
It turns a complex, risky process into a simple, secure, and auditable one.
How It Appears in Exam Questions
Azure Bastion questions appear in several distinct patterns across Azure certification exams. The most common is the 'solution selection' scenario. For example: 'You have 20 Linux VMs and 10 Windows VMs deployed in a VNet.
You need to provide secure administrative access to these VMs without exposing any public IP addresses. Your solution must minimize administrative overhead. What should you deploy?'
The correct answer is Azure Bastion. The distractors might include a jump box VM with a public IP, a point-to-site VPN, or a site-to-site VPN. Candidates must identify that Azure Bastion is the only option that requires no public IPs on the VMs, provides browser-based access, and is fully managed.
Another pattern involves configuration and prerequisites. A question might state: 'You are deploying Azure Bastion. Which subnet requirement must be met?' The answer: the subnet must be named 'AzureBastionSubnet' and have a minimum size of /27.
A variation could ask about NSG rules: 'What inbound rule must exist on the AzureBastionSubnet NSG?' Answer: Allow inbound HTTPS (port 443) from the internet. There are also troubleshooting questions.
For instance: 'Users cannot connect to a VM through Azure Bastion. The VM is running and has the Bastion agent installed. What could be the issue?' Possible answers include: the VM does not have a private IP, the NSG on the VM subnet is blocking port 3389 or 22, or the user does not have the 'Virtual Machine Contributor' role.
Candidates need to know that Bastion connects to the VM over the private network, so the VM's NSG must allow inbound traffic from the AzureBastionSubnet on the appropriate port. Another question type: 'A company wants to use Azure Bastion to connect to VMs but also wants to enforce multi-factor authentication. How can this be achieved?'
The answer: configure Azure AD authentication for the VMs and enable conditional access policies. A more advanced question might involve the Premium tier: 'Which Azure Bastion tier supports session recording and scaling up to 50 concurrent RDP sessions?' Answer: Premium tier.
For the AZ-900, questions are simpler: 'True or false: Azure Bastion requires a public IP address on each VM.' Answer: false. Or 'Which service allows you to connect to a VM through the Azure portal with no client software required?'
Answer: Azure Bastion. In AWS context, the equivalent scenario might appear in the AWS Solutions Architect Associate exam: 'A company wants to provide secure RDP access to EC2 instances in private subnets without using a VPN. Which solution meets these requirements?'
The recommended answer would be AWS Systems Manager Session Manager, which is the AWS analog to Azure Bastion. Understanding Azure Bastion helps you draw the parallel. In Google Cloud exams, a similar scenario would ask about using IAP TCP forwarding.
The key is that across all exams, the underlying principle is secure, identity-based, browser-accessible management of compute resources without public exposure.
Practise Azure Bastion Questions
Test your understanding with exam-style practice questions.
Example Scenario
A medium-sized software company, 'CloudSoft', has deployed 30 virtual machines in an Azure VNet. These VMs include a domain controller, a SQL server, and several application servers. Currently, the IT team connects to these VMs by assigning a public IP address to each VM and connecting directly via RDP.
The company's security team is alarmed because these VMs are constantly being hit by brute force attacks from the internet. The security team requires that all administrative access must go through a fully managed, auditable gateway without exposing any VMs to the public internet. They also want to ensure that administrators can connect from anywhere, including from home on their personal laptops, without needing to install a VPN client.
The IT team evaluates the options: they could set up a point-to-site VPN, which requires installing client certificates and a VPN client on every admin's machine. They could also build a jump box VM in the VNet, but then they would need to maintain that VM, patch it, and still expose its public IP. Finally, they consider Azure Bastion.
They decide to deploy Azure Bastion in the VNet. They create a subnet named AzureBastionSubnet with a /27 address range. They assign a public IP to the Bastion host. They then remove the public IP from all the VMs.
Now, when an admin needs to connect to the domain controller, they log into the Azure portal, navigate to the VM, and click 'Connect' then 'Bastion'. The portal opens a browser tab with a full RDP session. The admin enters their local admin credentials for the VM or, since they enabled Azure AD authentication, they use their corporate credentials with MFA.
The session starts. The admin can now manage the domain controller securely. All traffic goes through the Azure backbone. The security team is happy because no VM has a public IP, and all connections are authenticated through Azure AD and logged in the Azure Activity Log.
The IT team is happy because they do not have to maintain any additional infrastructure. The admins are happy because they can connect from anywhere, even using a tablet, without installing any software. This scenario illustrates exactly how Azure Bastion solves a real-world security and operational challenge.
Common Mistakes
Thinking Azure Bastion requires a public IP on each virtual machine.
Azure Bastion is designed to eliminate the need for public IPs on VMs. The Bastion host itself gets a public IP, but the VMs remain internal and are only accessible through the Bastion over the private network.
Remember: only the Bastion host has a public IP. VMs should have no public IP assigned. Bastion connects to them via private IP.
Configuring the AzureBastionSubnet with a size of /28 or smaller.
Azure Bastion requires a minimum subnet size of /27 (or larger) to accommodate the Azure Bastion resources and scaling. A /28 subnet is too small and will cause deployment failure.
Always allocate at least a /27 subnet (32 IP addresses) for the AzureBastionSubnet.
Assuming Azure Bastion requires a VPN client or a separate software installation.
Azure Bastion is accessed through a standard web browser using HTML5. No VPN client, RDP client, or SSH client is needed for basic access. For native client support, a separate client is available but optional.
Understand that the primary access method is through the browser via the Azure portal. No extra software is required for most users.
Believing Azure Bastion is just a jump box VM that you manage yourself.
Azure Bastion is a fully managed PaaS service. You do not have access to the underlying operating system, you do not need to patch it, and you cannot log into it. A jump box is an IaaS VM that you control and must maintain.
Azure Bastion is a managed service. You deploy it, but Microsoft manages the operating system, updates, and scaling. It is not a VM you can RDP into.
Expecting Azure Bastion to provide network-level access to the entire VNet.
Azure Bastion only provides RDP/SSH access to specific VMs. It is not a VPN; it does not allow you to browse the network, access file shares, or use tools like ping or tracert to other VMs. It strictly brokers RDP and SSH sessions.
Use Azure Bastion only for remote desktop and shell access. If you need full network access, use a VPN or ExpressRoute.
Thinking that Azure Bastion is free or included in all Azure subscriptions.
Azure Bastion is a paid service with two pricing tiers: Basic and Premium. The Basic tier charges per hour plus outbound data transfer. It is not included in free trials or any other free services.
Always check the Azure pricing calculator for Bastion costs. It is a paid service, so consider budget when designing a solution.
Forgetting that the VM must have the Bastion agent installed or be configured for Bastion connectivity.
Most Azure marketplace images have the Bastion agent pre-installed. Custom or migrated VMs may lack the agent, which can prevent Bastion from connecting properly. The VM must have a private IP address and network connectivity to the Bastion subnet.
Verify that target VMs are supported (most marketplace images are) and have a private IP. If using a custom image, ensure the Bastion agent is installed.
Exam Trap — Don't Get Fooled
{"trap":"A question states: 'You need to allow a group of developers to connect to a VM using RDP without exposing the VM to the internet. They also need to access a network share on another VM in the same VNet. What should you use?'
","why_learners_choose_it":"Many learners see 'RDP' and 'without exposing to the internet' and immediately choose Azure Bastion, because it is the popular secure RDP solution.","how_to_avoid_it":"Read the full requirement: they also need to access a network share on another VM. Azure Bastion only provides RDP/SSH access to a specific VM.
It does not provide network-level connectivity for file sharing. The correct solution would be a point-to-site VPN or a site-to-site VPN that grants full network access to the VNet. The trap is focusing on the first half of the requirement and ignoring the second half."
Commonly Confused With
Azure VPN Gateway provides network-level access to an entire virtual network, allowing all protocols and resources to be accessible from on-premises or remote clients. In contrast, Azure Bastion provides only browser-based RDP/SSH access to individual VMs, not the whole VNet. VPN Gateway is for full network connectivity, Bastion is for secure management access.
Use VPN Gateway if you need to access a file share or a web app on a VM. Use Bastion if you only need to remotely manage the operating system of the VM.
A jump box is a traditional virtual machine deployed in the VNet that you RDP or SSH into first, and then from there connect to other VMs. It is an IaaS resource that you manage, patch, and secure yourself. Azure Bastion is a managed PaaS service that does the same job but without the management overhead. The jump box requires a public IP (or VPN access) and an NSG to secure it, while Bastion handles that natively.
A jump box is like a security guard you hire and train yourself. Azure Bastion is like an external security company with trained guards that you just call and they show up fully equipped.
Azure Firewall is a managed network security service that filters traffic at the network and application layers. It controls what traffic goes in and out of a VNet based on rules you define. Azure Bastion does not filter traffic; it provides a secure channel for RDP/SSH only. They are complementary: you might use Azure Firewall to protect the VNet and Azure Bastion to manage VMs inside it.
Firewall is the bouncer at the club deciding who can enter. Bastion is the VIP escort that takes you directly to your table without standing in line.
Azure AD Application Proxy provides secure remote access to on-premises web applications through an Azure AD authenticated reverse proxy. It is designed for application-level access (HTTP/HTTPS), not for RDP/SSH to VMs. Azure Bastion is specifically for VM management traffic. They serve different use cases: one for user-facing apps, one for admin-facing VM management.
Use Application Proxy to let employees access an internal HR web app from home. Use Bastion to let IT admins log into the server that hosts that HR app.
JIT VM Access is a security feature that temporarily opens RDP/SSH ports on a VM's NSG when a request is made and then closes them after a set time. It still requires the VM to have a public IP (or be accessible via a VPN). Azure Bastion eliminates the need for public IPs entirely and provides a persistent, secure gateway. JIT reduces exposure time, Bastion eliminates exposure altogether.
JIT is like leaving a door unlocked but only for 10 minutes when you need to go in. Bastion is like having a secret tunnel entrance that only you know about and is always guarded.
Step-by-Step Breakdown
Plan the Architecture
Before deploying, determine the VNet that hosts the target VMs. You will need a dedicated subnet named 'AzureBastionSubnet' with a minimum size of /27 (32 IPs). This subnet cannot be used for any other resources. Also, you need a public IP address for the Bastion host, and you must decide on the tier (Basic or Premium) based on features like session recording and scaling.
Create the AzureBastionSubnet
In the Azure portal, navigate to the target VNet and add a new subnet. You must name it exactly 'AzureBastionSubnet'. The address range must be at least /27. If you foresee high usage, consider a larger range like /26 for future scaling. The subnet is reserved exclusively for Azure Bastion resources.
Create a Public IP Address
Azure Bastion requires a standard public IP address resource. This public IP is attached to the Bastion host and is the only public endpoint. You create this IP separately in the same region as the VNet. It uses a static assignment by default. This IP will be used for the HTTPS gateway that users access through the Azure portal.
Deploy the Azure Bastion Service
In the Azure portal, search for 'Azure Bastion' and select 'Create'. You fill in the required fields: resource group, name, region, VNet, the AzureBastionSubnet you created, and the public IP address you created. You also choose the tier (Basic or Premium) and the scaling units if Premium. Then you review and create the resource. The deployment typically takes 5 to 10 minutes.
Confirm Target VM Configuration
Ensure that the target VMs you want to connect to are in the same VNet as the Bastion host. They must have a private IP address and must not have a public IP attached (optional but recommended). The VM must also be running and have the Bastion agent installed; most Azure marketplace images have it by default. For Linux VMs, the SSH service must be running on port 22. For Windows VMs, RDP must be enabled on port 3389.
Configure NSG for the AzureBastionSubnet
By default, Azure creates an NSG for the Bastion subnet that allows inbound HTTPS (port 443) from the internet. You can customize this NSG to allow only specific source IP ranges if needed, but generally, you allow the internet because the Bastion host itself is hardened. On the target VM's NSG, you must allow inbound traffic from the AzureBastionSubnet address range on port 3389 (for RDP) or port 22 (for SSH). This ensures the Bastion host can connect to the VM.
Establish a Connection from the Azure Portal
Once the Bastion host is deployed, open the Azure portal, navigate to any VM in the VNet, and click on 'Connect' then 'Bastion'. The portal will open a new browser tab. You will be prompted to enter credentials: either the local VM username and password, or your Azure AD credentials if you enabled Azure AD authentication for the VM. After authentication, the session appears in the browser as a native RDP or SSH session. The entire traffic is encapsulated in HTTPS and goes through the Bastion host.
Monitor and Audit Connections
Azure Bastion logs all connection attempts and activity in the Azure Activity Log and, if you have the Premium tier, supports session recording. You can monitor who connected, when, and for how long. This information can be used for compliance reporting and security audits. You can apply conditional access policies through Azure AD to enforce MFA before the Bastion session starts.
Scale and Manage the Service
If you are using the Premium tier, you can adjust the number of scaling units (1 to 50) to handle more concurrent sessions. You can also enable features like custom port forwarding and session recording from the Bastion configuration panel. For the Basic tier, scaling is not available, but you can upgrade to Premium later. The service is fully managed, so Microsoft handles all patching and updates.
Remove Public IPs from Target VMs (Optional but Recommended)
For maximum security, after Bastion is deployed and tested, you should remove any public IP addresses from the target VMs. This eliminates direct internet exposure. The VMs are now only reachable through the Bastion host. This step significantly reduces the attack surface and is considered a best practice for production environments.
Practical Mini-Lesson
Azure Bastion is a service that many IT professionals encounter early in their cloud journey, but its depth goes beyond just 'click connect in the portal'. Understanding how it works in practice is essential for both exams and real-world implementation. First and foremost, you must plan the subnet carefully.
The AzureBastionSubnet must exist in the same VNet as your target VMs. If you have VMs in multiple VNets, you need a separate Bastion host for each VNet, or you can use VNet peering and configure the Bastion in a hub VNet. However, even with peering, each VNet can have its own Bastion, which is useful for isolation.
When you create the subnet, the name is case-sensitive and must be exactly 'AzureBastionSubnet'. A common mistake is using a different name or a smaller subnet, which causes deployment failure. The subnet size is critical because Azure reserves several IPs for the Bastion infrastructure itself.
For example, a /27 subnet gives you 32 IPs, but only about 25 are usable for scaling units. If you plan to have many concurrent users, consider a /26. Next, the public IP address you create must be in the same region as the VNet.
It is a standard SKU public IP, and you cannot change it after creation. You cannot use a basic SKU IP. The Bastion host listens on port 443 for HTTPS traffic. When a user connects through the portal, the Azure portal initiates a WebSocket connection to the Bastion host's public IP.
The Bastion host then verifies the user's Azure AD token and IP address. After authentication, it creates a secure channel to the target VM using its private IP. This is why the VM's NSG must allow inbound traffic from the AzureBastionSubnet's address range.
If the VM's NSG blocks port 3389 or 22 from that subnet, the connection will fail. Also, if the VM is in a different subnet, the VM's NSG rule must explicitly allow the Bastion subnet. A very practical aspect is the authentication flow.
For Windows VMs, you can enable Azure AD authentication. This is a game-changer because it allows you to manage VM access using Azure AD identities and conditional access policies. Without it, you must use local VM credentials, which can be cumbersome to manage across many VMs.
For Linux VMs, you can use SSH public key authentication stored in the VM or use Azure AD authentication if you configure the SSHd with the Azure AD extension. In practice, you should use Azure AD authentication whenever possible for better security and auditability. Another practical consideration is cost.
Azure Bastion is billed per hour plus data transfer. The Basic tier is cheaper but lacks scaling and session recording. The Premium tier is more expensive but allows up to 50 concurrent RDP sessions per scaling unit.
If you have only a few administrators, Basic is sufficient. However, if you need to support a large operations team, Premium is necessary. Also, be aware that Bastion charges for outbound data transfer from the Bastion host to the user's browser.
This can be significant if you transfer large files over RDP. It is better to use other methods for file transfers, like Azure Files, to avoid high data costs. Performance-wise, Bastion introduces some latency because the traffic goes through the browser and the Bastion host.
For typical administrative tasks like running PowerShell commands or making configuration changes, the latency is acceptable. But if you need to perform graphic-intensive work or video editing, Bastion is not suitable. Also, keep in mind that Bastion does not support clipboard or drive redirection in all scenarios, though the browser-based client supports some features.
In a production environment, you should also set up monitoring. Use Azure Log Analytics to track Bastion connection logs. You can set up alerts for failed login attempts, which could indicate a brute force attack, even though the Bastion host itself is hardened.
Also, consider integrating Bastion with Azure Policy to enforce that all VM connections must go through Bastion. For example, you can create a policy that denies the creation of VMs with public IPs in critical subnets. This enforces the principle of least exposure.
Finally, always test the connection after deployment. Connect to each VM type (Windows and Linux) to ensure the NSG rules are correct and authentication works. If you encounter issues, check the VM's guest OS firewall, as it may block RDP or SSH even if the NSG allows it.
For Linux VMs, ensure the SSH service is running and the port is not being blocked by iptables or firewalld. Azure Bastion is a powerful tool that, when configured correctly, can significantly improve your security posture. But it requires careful planning around subnet sizing, NSG rules, authentication, and cost.
The practical professional knows to always remove public IPs from VMs, use Azure AD authentication, monitor logs, and test thoroughly.
Troubleshooting Clues
Bastion deployment fails with 'Subnet missing or invalid'
Symptom: Deployment returns error: 'The subnet ... does not exist or is not configured correctly.'
Azure Bastion requires a dedicated subnet named 'AzureBastionSubnet' with a /26 or larger prefix in the virtual network.
Exam clue: Exams frequently ask about the required subnet name and size for Bastion as a trick question with similar names.
Cannot connect to VM via Bastion - 'Connection timed out'
Symptom: SSH or RDP connection fails with timeout after several seconds.
The target VM must have a private IP in the same or peered virtual network, and the VM's NSG must allow inbound traffic from Bastion's IP range (AzureLoadBalancer service tag).
Exam clue: Exams test that NSG rules must allow traffic from AzureLoadBalancer tag and port 3389 (RDP) or 22 (SSH).
Bastion shows 'Provisioning state: Failed'
Symptom: Bastion status in portal is 'Failed' and does not accept connections.
Common causes: insufficient permissions (e.g., missing Microsoft.Network/virtualNetworks/subnets/join/action), or resource quota exceeded.
Exam clue: Exams include questions about role-based access control requiring 'Network Contributor' on the virtual network.
Session disconnected after 10 minutes of inactivity
Symptom: RDP or SSH session drops automatically after idle time.
Azure Bastion has a default idle timeout of 10 minutes for Standard SKU and 5 minutes for Basic SKU, configurable via Bastion settings.
Exam clue: Exams test the difference between Basic and Standard SKU features, including idle timeout values.
Unable to download files via Bastion - 'Copy' button disabled
Symptom: The copy/paste or file download options are grayed out in the Bastion portal.
File transfer and clipboard features require the Standard SKU and must be enabled explicitly in Bastion's configuration.
Exam clue: Exams ask which SKU supports file transfer and clipboard; Basic SKU lacks these features.
Bastion connection shows 'Authentication failed' for Azure AD-joined VMs
Symptom: Login prompt appears but credentials rejected even though they work directly on the VM.
Azure AD authentication via Bastion requires the VM to be domain-joined or have Azure AD login extension; Bastion does not directly support Azure AD credentials without proper setup.
Exam clue: Exams test that Bastion uses local VM credentials or Azure AD for authentication only with Azure AD-joined VMs and RDP.
Bastion not appearing in region selection
Symptom: During creation, some regions show Bastion as unavailable or disabled.
Azure Bastion is not available in all Azure regions; it's gradually rolling out and requires a supported region with capacity.
Exam clue: Exams may include questions about regional availability or require checking Azure region support for Bastion.
Learn This Topic Fully
This glossary page explains what Azure Bastion means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
AZ-104AZ-104 →CLF-C02CLF-C02 →ACEGoogle ACE →AZ-900AZ-900 →CDLGoogle CDL →SAA-C03SAA-C03 →DVA-C02DVA-C02 →200-301Cisco CCNA →N10-009CompTIA Network+ →220-1101CompTIA A+ Core 1 →PCAGoogle PCA →Related Glossary Terms
A local text file on Unix-like operating systems that manually maps hostnames to IP addresses, overriding DNS for specified entries.
/etc/resolv.conf is a configuration file on Linux and Unix-like systems that tells the computer which Domain Name System (DNS) servers to use when converting domain names like google.com into IP addresses.
Azure Kubernetes Service (AKS) is a managed container orchestration service on Microsoft Azure that simplifies deploying, managing, and scaling containerized applications using Kubernetes.
Anthos is a Google Cloud platform that lets you run applications consistently across different computing environments, like on-premises data centers and multiple public clouds.
App Engine is a fully managed serverless platform from Google Cloud that lets developers build and deploy applications without worrying about the underlying infrastructure.
An App Service plan is a set of compute resources that defines the infrastructure, pricing tier, and scaling capabilities for one or more Azure App Service applications.
Quick Knowledge Check
1.Which subnet must be created in a virtual network to deploy Azure Bastion?
2.What is the minimum CIDR prefix size required for the AzureBastionSubnet?
3.Which Azure Bastion SKU supports file transfer and clipboard features?
4.How does Azure Bastion connect to target VMs?
5.What is the default idle timeout for a Standard SKU Azure Bastion session?
6.Which service tag must be allowed in the VM's NSG for Azure Bastion connectivity?