Connect to a Windows VM using Azure Bastion
Azure Bastion provides secure and seamless RDP connectivity to your virtual machines directly in the Azure portal, without exposing a public IP address.
Prerequisite: The target VM must have the Windows Remote Desktop service enabled and be attached to a virtual network that has an Azure Bastion host deployed.
1. Verify Bastion Host Deployment
Make sure a Bastion host exists in the same Virtual Network (VNet) as the target VM.
az network bastion show \
--name MyBastion \
--resource-group MyResourceGroup \
--query "provisioningState"
2. Open the Azure Portal
- Navigate to https://portal.azure.com.
- Select Virtual machines from the left menu.
- Choose the Windows VM you want to connect to.
3. Initiate the RDP Session
- On the VM overview page, click Connect → Bastion.
- If prompted, select the Bastion host you deployed.
- Enter the VM’s local administrator credentials and click Connect.
The RDP session opens in a new browser tab using an HTML5 client.
4. Optional: Use Azure CLI for Bastion RDP
You can also start an RDP session from the command line. The command takes no username or password arguments; enter the VM credentials when the Remote Desktop client prompts for them.
az network bastion rdp \
--name MyBastion \
--resource-group MyResourceGroup \
--target-resource-id "$(az vm show -g MyResourceGroup -n MyWindowsVM --query id -o tsv)"
5. Verify Connectivity
Once connected, you should see the Windows desktop of the VM. Perform any administrative tasks as needed.
Troubleshooting
- Ensure the VM's network security group (NSG) allows inbound RDP (port 3389) from the Bastion subnet.
- Confirm the VM is in a running state.
- Check that the Bastion host’s provisioning state is Succeeded.
- Review the Bastion troubleshooting guide for more details.
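
The NSG check from the first troubleshooting item, as an added example (not part of the original page or of Azure's tooling): it walks the custom inbound rules in priority order and reports which one decides RDP traffic from the Bastion subnet. The rule list and the 10.0.1.0/26 subnet are constructed, and the field names assume the flattened JSON that `az network nsg show` prints.

```python
import ipaddress

# Constructed sample rules (assumption: flattened field names as printed by
# `az network nsg show -o json`; only the fields used below are included).
SAMPLE_RULES = [
    {"name": "deny-rdp-any", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-rdp-bastion", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/26",
     "destinationPortRanges": ["22", "3380-3400"]},
]

def _values(rule, single, plural):
    # A rule carries either one value or a list; merge both forms.
    return [v for v in [rule.get(single), *(rule.get(plural) or [])] if v]

def _port_match(rule, port):
    for r in _values(rule, "destinationPortRange", "destinationPortRanges"):
        lo, _, hi = r.partition("-")
        if r == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def _source_match(rule, subnet):
    for p in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"):
        if p in ("*", "VirtualNetwork"):  # the Bastion subnet sits inside the VM's VNet
            return True
        try:
            if subnet.subnet_of(ipaddress.ip_network(p, strict=False)):
                return True
        except (ValueError, TypeError):
            pass  # other service tags or a different IP version: not evaluated here
    return False

def rdp_verdict(rules, bastion_subnet, port=3389):
    """Return (name, access) of the first custom inbound rule that matches, else None."""
    subnet = ipaddress.ip_network(bastion_subnet)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule["direction"] == "Inbound" and rule["protocol"].lower() in ("tcp", "*")
                and _port_match(rule, port) and _source_match(rule, subnet)):
            return rule["name"], rule["access"]
    return None  # no custom rule matched; the NSG's default rules decide

if __name__ == "__main__":
    print(rdp_verdict(SAMPLE_RULES, "10.0.1.0/26"))
```

On the sample, the priority-200 deny decides the traffic before the priority-300 allow is reached, so the allow rule alone does not make the VM reachable from Bastion.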