This chapter provides a comprehensive deep dive into Azure Bastion, a fully managed PaaS service that enables secure and seamless RDP/SSH connectivity to your Azure VMs directly from the Azure portal, without exposing public IP addresses. For the AZ-104 exam, Azure Bastion falls under domain 4 (Networking) and objective 4.5, which covers connectivity and security solutions. While not a heavy topic, you can expect 1-2 questions that test your understanding of when to use Bastion, its prerequisites, SKU tiers, and key limitations. Mastering this service is critical for designing secure remote access architectures and avoiding common misconfigurations that lead to exam traps.
Jump to a section
Imagine a high-security data center with rows of servers, each containing sensitive data. Employees need to occasionally access these servers for maintenance, but you can't allow direct network access from the outside world because that would create vulnerabilities. Instead, you build a small, hardened room called an "airlock" attached to the data center. Employees enter the airlock through a single, well-monitored door, undergo identity verification (badge scan and PIN), and then use a dedicated console inside the airlock to connect to the servers via a local network. The servers never have public IP addresses and never accept connections from outside the data center. The airlock itself is the only way in, and it logs every keystroke. Azure Bastion works exactly like this: it's a fully managed PaaS service that sits inside your virtual network. Instead of exposing your VMs to the internet via public IPs, Bastion provides a secure RDP/SSH session through the Azure portal. When you connect, a Bastion agent on the VM establishes an outbound connection to the Bastion host over port 443 (TLS). The Bastion host then relays the session to your browser over WebSockets. The VM never has a public IP, and no inbound firewall rules are needed. The Bastion host itself is hardened and managed by Microsoft, and all connections are authenticated via Azure AD and RBAC.
What is Azure Bastion and Why Does It Exist?
Azure Bastion is a fully managed Platform-as-a-Service (PaaS) offering that provides secure, seamless Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to Azure virtual machines (VMs) directly through the Azure portal, over TLS. Its primary purpose is to eliminate the need for public IP addresses on VMs for remote management, thereby reducing the attack surface. Without Bastion, administrators often resort to creating VMs with public IPs and opening RDP (port 3389) or SSH (port 22) to the internet, which is a leading cause of brute-force attacks and compromises. Alternatively, they might use a jump box — a VM with a public IP that acts as a gateway — but that still requires managing, patching, and securing that VM. Azure Bastion replaces the jump box model with a Microsoft-managed, hardened service that is automatically updated and patched.
How Azure Bastion Works Internally
Azure Bastion is deployed inside a virtual network (VNet) in a dedicated subnet named AzureBastionSubnet (minimum /27). It is not a VM; it is a PaaS resource that scales automatically based on the number of concurrent sessions. Here's the step-by-step mechanism:
User initiates connection from the Azure portal by navigating to a VM and clicking "Connect" > "Bastion".
Authentication: The user must be authenticated to Azure AD and have appropriate RBAC roles (e.g., Virtual Machine Administrator Login or Reader with access to the VM and Bastion).
TLS tunnel establishment: The browser initiates a WebSocket connection over HTTPS (port 443) to the Bastion host's public endpoint. The Bastion host is the only component with a public IP.
Bastion agent relay: Inside the VM, a Bastion agent (installed automatically or via extension) establishes an outbound connection to the Bastion host over the same TLS tunnel. This connection is initiated from the VM to the Bastion host — never the reverse. This is critical: the VM only needs outbound HTTPS access to the Bastion host (or its private IP if using private-only SKU).
Session relay: The Bastion host relays RDP/SSH traffic between the browser (WebSocket) and the VM (TCP over TLS). The Bastion host acts as a transparent proxy, injecting credentials (username/password or SSH key) provided by the user.
Data flow: All traffic is encrypted end-to-end: browser to Bastion (TLS 1.2+) and Bastion to VM (TLS 1.2+). The Bastion host never stores credentials; they are passed through and discarded.
Key Components, Values, Defaults, and Timers
- AzureBastionSubnet: Must be named exactly AzureBastionSubnet (case-sensitive). Minimum prefix length /27 (e.g., 10.0.0.0/27 gives 32 addresses, of which 11 are used by Azure). Must be in the same VNet as the VMs you want to connect to. You cannot use a different VNet for Bastion and VMs unless you use VNet peering (supported).
- SKU Tiers:
- Basic: Supports up to 2 concurrent RDP/SSH connections per scale unit. No premium features. No support for private-only endpoints. Default if not specified.
- Standard: Supports up to 50 concurrent connections per scale unit. Includes features like IP-based connections, private-only access (no public IP on Bastion), and session recording (preview).
- Scale Units: Each scale unit provides a certain number of concurrent sessions. For Basic: 2 sessions/unit. For Standard: 50 sessions/unit. You can scale up to 50 units (100 sessions Basic, 2500 sessions Standard).
- Connection Timeout: Idle timeout for Bastion sessions is 30 minutes. The session is terminated after 30 minutes of inactivity.
- Ports: Bastion uses port 443 for HTTPS/WebSocket traffic. The VM must allow outbound HTTPS to the Bastion host's private IP (or to AzureCloud service tag if using public endpoint). No inbound ports need to be open on the VM.
- Authentication Methods: Azure AD authentication (password or MFA) for Windows VMs (requires Azure AD login extension), local username/password, SSH keys (for Linux). For Azure AD login, the VM must be domain-joined or have the AADSSHLoginForLinux extension.
Configuration and Verification Commands
To deploy Bastion using Azure CLI:
# Create resource group
az group create --name MyBastionRG --location eastus
# Create VNet and subnet (must be named AzureBastionSubnet)
az network vnet create --name MyVNet --resource-group MyBastionRG --location eastus --address-prefix 10.0.0.0/16
az network vnet subnet create --name AzureBastionSubnet --resource-group MyBastionRG --vnet-name MyVNet --address-prefixes 10.0.1.0/27
# Create public IP (optional, required for Basic SKU)
az network public-ip create --name MyBastionPublicIP --resource-group MyBastionRG --location eastus --sku Standard
# Create Bastion host
az network bastion create --name MyBastion --resource-group MyBastionRG --vnet-name MyVNet --public-ip-address MyBastionPublicIP --location eastusTo verify Bastion status:
az network bastion show --name MyBastion --resource-group MyBastionRG --query "provisioningState"To connect to a VM via Bastion using CLI (requires Azure CLI bastion extension):
az network bastion ssh --name MyBastion --resource-group MyBastionRG --target-resource-id $(az vm show -g MyVMResourceGroup -n MyVM --query id -o tsv) --auth-type password --username azureuserInteraction with Related Technologies
Network Security Groups (NSGs): Bastion does not require any inbound NSG rule on the VM subnet. The VM only needs outbound HTTPS to the Bastion host's private IP or to the AzureCloud service tag. However, if you use NSGs on the AzureBastionSubnet, you must allow inbound from the internet (if using public IP) or from the VNet (if using private-only). Best practice is to not apply NSGs to AzureBastionSubnet; Azure manages it.
Azure Firewall: If you force-tunnel traffic through Azure Firewall, you must ensure that outbound HTTPS from the VM to the Bastion host is allowed. Bastion host's private IP should be added to an exception.
VNet Peering: Bastion can connect to VMs in peered VNets as long as the peered VNet has the AzureBastionSubnet in the same region. Cross-region peering is not supported for Bastion.
Azure AD Authentication: For Windows VMs, you need the AADLoginForWindows extension. For Linux, the AADSSHLoginForLinux extension. Bastion uses Azure AD tokens for authentication if enabled.
Private Endpoints: With Standard SKU, you can deploy Bastion without a public IP, using a private endpoint. This keeps all traffic within the Microsoft backbone.
Deploy AzureBastionSubnet
Before creating the Bastion host, you must have a subnet in your VNet named exactly `AzureBastionSubnet` with a minimum /27 prefix. Azure reserves 5 addresses within this subnet for its own use (gateway, Azure DNS, etc.). The subnet cannot contain any other resources. If you create it via portal, Azure automatically validates the name and size. You can also use CLI: `az network vnet subnet create --name AzureBastionSubnet ...`. A common mistake is using a different name or a subnet smaller than /27; deployment will fail.
Create Public IP (if using Basic SKU)
For Basic SKU, a Standard SKU public IP address is required. This IP is assigned to the Bastion host's frontend and is used for inbound connections from the internet. The public IP must be in the same region as the Bastion host. For Standard SKU with private-only mode, you skip this step and instead configure a private endpoint. The public IP must be Standard SKU and not be zone-redundant (unless using Availability Zones).
Provision the Bastion Host
Using the portal, CLI, or PowerShell, you create the Bastion resource. You specify the name, region, VNet, subnet, and public IP (if used). The provisioning process takes about 5-10 minutes. During this time, Azure deploys the Bastion backend in the Microsoft-managed tenant. You cannot connect to any VMs until provisioning is complete. The Bastion host is billed per hour plus per GB of data transfer.
Configure VM for Bastion Access
No agent installation is required for basic username/password or SSH key access. However, for Azure AD authentication, you must install the appropriate VM extension: AADLoginForWindows or AADSSHLoginForLinux. The VM must also have outbound HTTPS (port 443) connectivity to the Bastion host's private IP (or to the AzureCloud service tag if using public endpoint). If the VM is in a different subnet, ensure routing allows this. The VM does not need a public IP.
Initiate Connection via Portal
In the Azure portal, navigate to the target VM, click 'Connect' > 'Bastion'. You select the Bastion host (if multiple exist in the VNet), provide credentials (username/password, SSH key, or Azure AD login), and optionally specify port (default 3389 for RDP, 22 for SSH). The browser establishes a WebSocket connection over HTTPS to the Bastion host's public IP (or private IP if using private-only). The Bastion host then connects to the VM using the provided credentials. The session appears as a new browser tab with the remote desktop or terminal.
Enterprise Scenario 1: Secure Remote Administration for a Financial Services Company
A financial services company with strict compliance requirements (PCI-DSS, SOC 2) must allow its IT team to manage hundreds of VMs in Azure. They cannot expose any VM to the internet with a public IP. Previously, they used a jump box VM with a public IP, but that jump box itself became a target and required constant patching. They deployed Azure Bastion (Standard SKU) in a hub VNet with private-only mode, peered with multiple spoke VNets containing the VMs. The Bastion host has no public IP; all traffic stays within the Microsoft backbone. IT staff authenticate using Azure AD with MFA. The VMs have the AADLoginForWindows extension, so they don't need local accounts. The Bastion host is scaled to 5 scale units (250 concurrent sessions) to handle peak maintenance windows. They monitor session activity using Bastion's diagnostics logs sent to Log Analytics. The result: reduced attack surface, simplified compliance, and no jump box to maintain.
Enterprise Scenario 2: Remote Support for a Global SaaS Provider
A SaaS provider has developers and support engineers across the globe who need occasional RDP/SSH access to customer-facing VMs. They use Azure Bastion Basic SKU with a public IP. The Bastion host is deployed in the same VNet as the VMs. Because the Basic SKU only supports 2 concurrent sessions per scale unit, they set up multiple Bastion hosts in different regions for load distribution. They use RBAC to restrict which users can connect to which VMs. They found that the 30-minute idle timeout is sometimes too short for long debugging sessions; they must train users to keep the session active. They also discovered that if the Bastion host's public IP is blocked by a corporate firewall, users must connect from a network that allows outbound HTTPS to Azure.
Common Misconfigurations and Pitfalls
Subnet name not exactly `AzureBastionSubnet`: Deployment fails with a generic error. Always double-check the name.
Subnet too small: A /28 subnet (16 addresses) will fail because Azure needs at least 11 addresses for its own use. Minimum /27 (32 addresses).
Using Basic SKU for high concurrency: Basic SKU only supports 2 sessions per scale unit. If you need more than a few concurrent connections, you must use Standard SKU.
Forgetting outbound HTTPS on VM: If the VM has a restrictive NSG that blocks outbound HTTPS to the Bastion host's IP, the connection fails. Add an outbound rule allowing HTTPS to the Bastion host's private IP or to the AzureCloud service tag.
Not using Azure AD authentication when required: If you want to use Azure AD credentials, you must install the VM extension. Otherwise, you must use local credentials.
What AZ-104 Tests on Azure Bastion (Objective 4.5)
The exam focuses on understanding the purpose, prerequisites, and limitations of Azure Bastion. You are expected to know:
When to use Bastion vs. a jump box vs. a VPN/ExpressRoute.
The subnet name and size requirement (AzureBastionSubnet, /27 minimum).
The SKU differences (Basic vs. Standard) and their concurrent session limits.
That Bastion does not require a public IP on the VM.
That Bastion supports RDP and SSH over TLS on port 443.
That Bastion can connect to VMs in peered VNets (same region only).
That Bastion does not support custom ports (except for RDP/SSH default ports).
Common Wrong Answers and Why Candidates Choose Them
"Bastion requires the VM to have a public IP." This is the most common trap. Candidates confuse Bastion with the traditional RDP/SSH approach. The whole point of Bastion is to eliminate public IPs on VMs. The Bastion host itself has a public IP (unless private-only SKU).
"Bastion can be deployed in any subnet." The subnet must be named AzureBastionSubnet. Many candidates think they can use an existing subnet. The exam will test this exact requirement.
"Bastion supports any port number." Bastion only supports RDP (3389) and SSH (22) by default. You cannot use Bastion to connect to a VM on port 8080 or 1433. There is a preview for IP-based connections that allows custom ports, but this is not GA and not tested.
"Bastion can connect to VMs in a different region." VNet peering must be in the same region. Cross-region peering is not supported for Bastion.
Specific Numbers and Terms That Appear on the Exam
Subnet name: AzureBastionSubnet (case-sensitive)
Minimum subnet size: /27 (32 addresses)
Basic SKU: 2 concurrent sessions per scale unit
Standard SKU: 50 concurrent sessions per scale unit
Port: 443 (TLS)
Protocols: RDP and SSH only
Idle timeout: 30 minutes
Authentication: Azure AD, local username/password, SSH keys
Edge Cases and Exceptions
Private-only Bastion (Standard SKU): This is a newer feature that allows Bastion to be accessed without a public IP. The exam may ask if Bastion always requires a public IP. The answer is no for Standard SKU.
VM in a different VNet: Bastion can connect to VMs in peered VNets, but only if the peering is in the same region. Also, the AzureBastionSubnet must be in the same region as the VM.
Azure AD authentication: Requires VM extension (AADLoginForWindows or AADSSHLoginForLinux). The exam may test that you need to install the extension.
How to Eliminate Wrong Answers
If an answer says the VM needs a public IP, it's wrong.
If an answer says Bastion can be used for any TCP port, it's wrong (only RDP/SSH).
If an answer says Bastion can be deployed in a subnet named anything other than AzureBastionSubnet, it's wrong.
If an answer says Bastion supports cross-region peering, it's wrong.
If an answer says Bastion is free, it's wrong (it's a paid service).
Azure Bastion provides secure RDP/SSH access to Azure VMs without public IPs, over TLS on port 443.
The dedicated subnet must be named `AzureBastionSubnet` (exactly) and have a minimum prefix of /27.
Basic SKU supports 2 concurrent sessions per scale unit; Standard SKU supports 50.
Bastion does not require any inbound NSG rules on the VM subnet; only outbound HTTPS to the Bastion host.
Bastion supports Azure AD authentication but requires the AADLoginForWindows or AADSSHLoginForLinux VM extension.
Bastion can connect to VMs in peered VNets only if the peering is within the same region.
The idle timeout for Bastion sessions is 30 minutes.
Bastion is a paid service; you are billed per hour and per GB of data transfer.
These come up on the exam all the time. Here's how to tell them apart.
Azure Bastion
Fully managed PaaS; no patching or maintenance required.
No public IP needed on target VMs; reduced attack surface.
Access via Azure portal over TLS; no client software needed.
Scales automatically up to 2500 concurrent sessions (Standard SKU).
Costs per hour + data transfer; no VM compute cost.
Jump Box VM
IaaS VM that you must manage, patch, and secure.
Jump box itself has a public IP; still an attack vector.
Requires RDP/SSH client software on the admin's machine.
Scaling requires adding more VMs or load balancers.
Costs include VM compute, storage, and licensing.
Azure Bastion (Basic SKU)
Supports up to 2 concurrent sessions per scale unit.
Requires a public IP on the Bastion host.
No support for private-only access.
No session recording or custom port (IP-based) features.
Lower cost per hour.
Azure Bastion (Standard SKU)
Supports up to 50 concurrent sessions per scale unit.
Can be deployed with or without a public IP (private-only mode).
Supports IP-based connections (preview) for custom ports.
Includes session recording (preview) and diagnostics improvements.
Higher cost per hour.
Mistake
Azure Bastion requires the VM to have a public IP address.
Correct
Azure Bastion eliminates the need for public IPs on VMs. The VM only needs outbound HTTPS to the Bastion host. The Bastion host itself has a public IP (unless using private-only Standard SKU).
Mistake
Azure Bastion can be deployed in any existing subnet within a VNet.
Correct
Bastion requires a dedicated subnet named exactly `AzureBastionSubnet` with a minimum /27 prefix. No other resources can reside in that subnet.
Mistake
Azure Bastion supports any TCP port for connectivity.
Correct
Bastion natively supports only RDP (port 3389) and SSH (port 22). Custom ports are not supported in the GA version, though IP-based connections (preview) allow custom ports.
Mistake
Azure Bastion is a free service.
Correct
Bastion is a paid PaaS service. You are billed per hour for the Bastion host and per GB of data transfer. There is no free tier.
Mistake
Azure Bastion can connect to VMs across different Azure regions via VNet peering.
Correct
Bastion only supports VNet peering within the same region. Cross-region peering is not supported for Bastion connections.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
The minimum subnet size is /27 (32 IP addresses). This is because Azure reserves 5 IP addresses for its own use within the subnet, and the Bastion service needs additional addresses for scaling. A /28 subnet (16 addresses) will fail deployment. Always use at least a /27 subnet named `AzureBastionSubnet`.
Yes, but only with the Standard SKU. You can deploy Bastion in private-only mode, where the Bastion host is accessed via a private endpoint on your VNet. This keeps all traffic within the Microsoft backbone and is ideal for compliance-heavy environments. Basic SKU always requires a public IP.
Yes, if you use Azure AD authentication. When you connect via Bastion using Azure AD credentials, the Azure AD authentication process can enforce MFA policies. This requires the VM to have the appropriate Azure AD login extension installed (AADLoginForWindows or AADSSHLoginForLinux).
Yes, as long as the VNets are peered and in the same region. The Bastion host must be in one VNet, and the target VM in the peered VNet. Cross-region peering is not supported. Also, the VM must have outbound HTTPS connectivity to the Bastion host's private IP.
Azure Bastion uses port 443 for HTTPS and WebSocket traffic between the browser and the Bastion host, and between the Bastion host and the VM. The VM does not need any inbound ports open; it only needs outbound HTTPS to the Bastion host. For RDP, the default port is 3389, and for SSH, it is 22.
No, Azure Bastion is a paid service. You are billed based on the number of hours the Bastion host is provisioned and the amount of data transferred (egress). There is no free tier. Pricing varies by SKU and region. For current pricing, refer to the Azure pricing calculator.
Yes, that is exactly the use case. The VM does not need a public IP. However, the VM must have an outbound NSG rule allowing HTTPS (port 443) to the Bastion host's private IP or to the AzureCloud service tag. No inbound rules are needed. Bastion handles the inbound connection through the portal.
You've just covered Azure Bastion — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?