Manually Deploy and Configure Azure Bastion

Azure Bastion — Quick Reference

Fast lookup for SKUs, deployment options, connectivity, host scaling & best practices.

Core Overview

Fully managed PaaS service for secure RDP/SSH connectivity.
Connect to VMs directly in Azure portal over TLS (HTML5 browser).
VMs don't need public IP, agent, or special client software.
Traffic stays within Azure via private IP; no internet exposure.
Connections via browser or native SSH/RDP clients on local computer.

Single click to open RDP/SSH session in browser.

SKU Tiers & Features

SKU	Deployment	Max Instances	Key Features
Basic	Dedicated	2 (fixed)	Portal RDP/SSH
Standard	Dedicated	50	Host scaling, IP-based, native client
Premium	Dedicated	50	Session recording, Private-only
Developer	Shared	1	Free; Dev/Test only; limited features

Can upgrade SKU anytime (e.g., Basic → Standard); downgrade not supported.

Deployment Architectures

Dedicated (Basic/Standard/Premium): Deployed to AzureBastionSubnet (/26+) in VNet.
Private-only (Premium): No public IP; uses private IP for on-premises access (ExpressRoute/VPN).
Developer (Free): Shared resource; not deployed to VNet; single VM at a time.
Private-only & Developer configured at deployment time; cannot change post-deployment.

Subnet Requirements

Subnet name: AzureBastionSubnet (required for Basic/Standard/Premium).
Minimum size: /26 (64 IPs) or larger (/25, /24, etc.).
Older subnets (/27 before Nov 2021) still work but limit host scaling.
Developer SKU: No AzureBastionSubnet needed.
Subnet exclusive to Bastion; no other resources.

Connectivity & Connections

Connection Type	Ports	Use
RDP	3389 (default)	Windows VMs; portal or native client
SSH	22 (default)	Linux VMs; portal or native client
Custom port	User-defined	Standard SKU+ only; non-standard RDP/SSH ports

No public IP required on target VM. VM must have internet access (outbound).

Host Scaling (Capacity Management)

Basic SKU: Fixed 2 instances (no scaling).
Standard & Premium: 2–50 instances; manual scale via Configuration page.
Each instance handles concurrent RDP/SSH connections.
Increase instances for more concurrent sessions.
Requires AzureBastionSubnet /26+ to support scaling.

Scaling takes ~10 minutes to apply.

Availability Zones & Reliability

Zonal: Single availability zone (lower cross-zone latency).
Zone-redundant: Instances spread across multiple zones for resilience.
Zone support preview; requires Basic SKU or higher.
Configure zones at deployment time; cannot change post-deployment.
For resilience, use at least 2 instances with zone redundancy.

Advanced Features

Shareable Links: Share RDP/SSH access via link (no portal access needed for user).
Session Recording: Premium SKU only; record RDP/SSH sessions for audit.
IP-based Connection: Connect to VMs by IP (cross-VNet or specific subnets); Standard+.
Native Client Support: Use Windows/Linux native RDP/SSH instead of portal browser.
File Upload/Download: Native client; Standard+.

Limitations & Constraints

Cannot advertise default route (0.0.0.0/0) via ExpressRoute/VPN; breaks Bastion communication.
Cannot connect to Azure Virtual Desktop (AVD) via Bastion.
VM must have outbound internet access (for standard Bastion; private-only is different).
Bastion doesn't support Azure Bastion within Virtual WAN hubs (spokes only).
Developer SKU: VNet peering not supported; one VM at a time.

Pricing & Cost

Developer: Free (preview; may change).
Basic/Standard/Premium: Hourly SKU rate + per-instance rate.
Pricing starts from deployment moment (regardless of usage).
Data transfer rates apply to outbound traffic.
Check Azure Bastion pricing page for current rates.

Recommendation: Delete Bastion after dev/test to reduce costs.

Deployment Steps (Portal)

1. Go to VM > Bastion > Select "Deploy Bastion".
2. Auto-deploy creates Standard SKU (or customize via Configuration).
3. AzureBastionSubnet created automatically (/26).
4. Public IP auto-created (unless private-only).
5. Wait ~10 min; then connect via portal RDP/SSH.

After deployment, configure features on Configuration page.

CLI Example

# Deploy Bastion (Standard SKU) to existing VNet az network bastion create -g MyRG -n MyBastion \ --vnet-name MyVNet --sku Standard # List Bastion hosts az network bastion list -g MyRG # Connect to VM via native client az network bastion rdp -g MyRG -n MyBastion \ --target-resource-id /subscriptions/.../virtualMachines/MyVM # Scale up instances (Standard/Premium) az network bastion update -g MyRG -n MyBastion \ --scale-units 5 # Delete Bastion az network bastion delete -g MyRG -n MyBastion

Mode	Profile	Best For
Flexible	Standard Azure VMs	New workloads (default)
Uniform	Identical VMs	Legacy large-scale workloads

Feature	Flexible	Uniform
Standard VM APIs	Yes	No
Mix instance types	Yes	No
RBAC per VM	Yes	No
Azure Backup	Yes	No
Site Recovery	Yes	No
Fault domains	1–3	1–5

Type	Layer	Best For
Internal LB	L4	Backend pools
Public LB	L4	External traffic
App Gateway	L7	HTTP/HTTPS + WAF

Policy	Rollout	Use
Automatic	Batch	App can tolerate disruption
Rolling	Controlled	Gradual, managed updates
Manual	On-demand	Full control; explicit API calls

Azure Bastion — Quick Reference

Core Overview

SKU Tiers & Features

Deployment Architectures

Subnet Requirements

Connectivity & Connections

Host Scaling (Capacity Management)

Availability Zones & Reliability

Advanced Features

Limitations & Constraints

Pricing & Cost

Deployment Steps (Portal)

CLI Example

Azure VM Scale Sets — Quick Reference

Core Benefits

Orchestration Modes

Orchestration Comparison

Autoscaling Metrics

Load Balancing

Availability & Zones

Upgrade Policies (Uniform)

Application Deployment

Planned Maintenance & Health

An Introduction to Microsoft Entra ID

Azure vNets Explained

Ask The Author

VMs Made Easy: A Deep Dive Into All VM Settings