Frequently Asked Questions about Azure Bastion
This section addresses common questions regarding Azure Bastion, a fully managed PaaS service that you deploy inside your virtual network. Azure Bastion provides secure and seamless RDP and SSH access to your virtual machines directly through the Azure portal over TLS/SSL. Your virtual machines do not need a public IP address, network security groups (NSGs), or any client software to communicate with Bastion.
What is Azure Bastion?
Azure Bastion is a Platform-as-a-Service (PaaS) offering from Microsoft Azure. It provides secure and seamless RDP and SSH connectivity to your virtual machines (VMs) within Azure, directly from your web browser via the Azure portal. This eliminates the need for public IP addresses on your VMs or client-side RDP/SSH software.
Why should I use Azure Bastion?
Azure Bastion enhances security by:
- No public IPs on VMs: Your VMs don't need public IP addresses, significantly reducing the attack surface.
- Browser-based access: Access your VMs directly from the Azure portal using HTML5, without needing to install or manage RDP/SSH clients.
- Secure protocols: All communication is over TLS/SSL.
- Network segmentation: Bastion sits within your virtual network, allowing you to control access through its dedicated subnet.
- Session monitoring: You can monitor and audit remote access sessions.
What are the prerequisites for deploying Azure Bastion?
To deploy Azure Bastion, you need:
- An Azure subscription.
- A virtual network (VNet) where you want to deploy Bastion.
- A dedicated subnet within the VNet named AzureBastionSubnet. This subnet must be at least /26 in size.
- No Network Security Groups (NSGs) applied to the AzureBastionSubnet.
Do my VMs need a public IP address when using Azure Bastion?
No, your Azure VMs do not require a public IP address when you connect using Azure Bastion. Bastion connects to your VMs using their private IP addresses.
What protocols does Azure Bastion support?
Azure Bastion supports RDP (Remote Desktop Protocol) for Windows VMs and SSH (Secure Shell) for Linux VMs.
Can I connect to on-premises VMs using Azure Bastion?
Currently, Azure Bastion is designed for connecting to Azure virtual machines within your Azure VNet. It does not directly support connecting to on-premises machines. However, if your on-premises network is connected to your Azure VNet via VPN or ExpressRoute, you can connect to VMs in Azure via Bastion.
How does Azure Bastion pricing work?
Azure Bastion pricing is based on hourly rates for the Bastion resource itself and the data transferred. There are different tiers (Basic, Standard, Premium) offering varying features and capabilities, each with its own hourly cost. You are charged for the hours the Bastion resource is deployed and running.
What are the different Azure Bastion pricing tiers?
Azure Bastion offers several tiers:
- Developer: Intended for development and testing purposes, offering basic features at a lower cost.
- Basic: Provides core features for secure RDP/SSH access.
- Standard: Includes all features of Basic, plus advanced features like IP-based restrictions, session recording, and webhook support.
- Premium: Offers the most advanced capabilities, including scaling, increased concurrent session limits, and granular access control.
Can I restrict access to Azure Bastion based on IP address?
Yes, the Standard and Premium tiers of Azure Bastion support IP-based restrictions. This allows you to define specific IP address ranges from which users can access your Bastion host.
How do I troubleshoot Azure Bastion connection issues?
Common troubleshooting steps include:
- Verifying the AzureBastionSubnet configuration (size, name, no NSGs).
- Ensuring the Bastion resource is in a running state.
- Checking firewall rules on your local machine to ensure outbound connections to required ports are allowed.
- Confirming that the target VM is running and reachable from the Bastion subnet via its private IP.
- Reviewing Azure Network Watcher for traffic flow issues.
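As an added example that is not part of the original FAQ, the subnet checks named in both the prerequisites and the troubleshooting lists above, written as an offline preflight check over a constructed VNet description. The field names (subnets, name, addressPrefix, networkSecurityGroup) are assumed to follow the shape of `az network vnet show` output; the sample values are constructed.

```python
import ipaddress

# Constructed sample; assumption: fields mirror `az network vnet show` output.
# This one fails two checks on purpose: the subnet is /27 and has an NSG attached.
SAMPLE_VNET = {
    "name": "hub-vnet",
    "subnets": [
        {"name": "workloads", "addressPrefix": "10.0.1.0/24",
         "networkSecurityGroup": {"id": ".../networkSecurityGroups/nsg-workloads"}},
        {"name": "AzureBastionSubnet", "addressPrefix": "10.0.255.0/27",
         "networkSecurityGroup": {"id": ".../networkSecurityGroups/nsg-bastion"}},
    ],
}

BASTION_SUBNET_NAME = "AzureBastionSubnet"  # fixed, case-sensitive name
MIN_PREFIX_LEN = 26                          # "/26 or larger" means prefix length <= 26


def check_bastion_prerequisites(vnet: dict) -> list:
    """Return the prerequisite violations found in a VNet description.

    An empty list means the dedicated subnet satisfies the FAQ's requirements:
    exact name, at least /26 in size, and no NSG attached.
    """
    problems = []
    subnets = vnet.get("subnets", [])
    matches = [s for s in subnets if s.get("name") == BASTION_SUBNET_NAME]
    if not matches:
        # A common mistake is a subnet whose name differs only in case.
        near = [s["name"] for s in subnets
                if s.get("name", "").lower() == BASTION_SUBNET_NAME.lower()]
        hint = f" (found '{near[0]}' differing only in case)" if near else ""
        problems.append(f"no subnet named {BASTION_SUBNET_NAME}{hint}")
        return problems
    subnet = matches[0]

    # Size check: strict=True also rejects prefixes with host bits set.
    try:
        net = ipaddress.ip_network(subnet.get("addressPrefix", ""), strict=True)
        if net.prefixlen > MIN_PREFIX_LEN:
            problems.append(f"{BASTION_SUBNET_NAME} is /{net.prefixlen}; "
                            f"must be /{MIN_PREFIX_LEN} or larger")
    except ValueError:
        problems.append(f"{BASTION_SUBNET_NAME} has an invalid addressPrefix: "
                        f"{subnet.get('addressPrefix')!r}")

    # NSG check: the FAQ requires no NSG on the Bastion subnet.
    if subnet.get("networkSecurityGroup"):
        problems.append(f"{BASTION_SUBNET_NAME} has an NSG attached: "
                        f"{subnet['networkSecurityGroup'].get('id')}")
    return problems


if __name__ == "__main__":
    for line in check_bastion_prerequisites(SAMPLE_VNET) or ["all checks passed"]:
        print(line)
```

Feed the function the JSON from `az network vnet show --name <vnet> --resource-group <rg>` to run the same checks against a real VNet.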
What are the supported operating systems for Azure Bastion?
Azure Bastion supports RDP connections to Windows VMs and SSH connections to Linux VMs. The guest operating system on each VM must support the protocol used to reach it (RDP for Windows, SSH for Linux).
Can I use Azure Bastion with Azure Active Directory (Azure AD) authentication?
While Azure Bastion itself doesn't directly handle Azure AD authentication for the RDP/SSH session, you can leverage Azure AD to authenticate users to the Azure portal where they initiate the Bastion connection. For VM-level authentication, you'll use standard Windows credentials (username/password or certificates) or Linux credentials (username/password or SSH keys).