Create an Azure Bastion host using the portal

This tutorial shows you how to create an Azure Bastion host.

Azure Bastion is a fully managed PaaS service that you deploy in your virtual network. It provides secure and seamless RDP and SSH connectivity to your virtual machines directly through the Azure portal over TLS/SSL. Bastion is natively integrated into your virtual network. This native integration eliminates the need for public IP addresses on your virtual machines.

This tutorial covers:

Before you begin:

This tutorial assumes you have an Azure subscription. If you don't have one, create a free account before you begin.

Prerequisites

Before you begin this tutorial, ensure you have the following:

Create a virtual network

If you already have a virtual network that you want to use for Azure Bastion, you can skip this section. Otherwise, follow these steps to create a new virtual network:

Step 1: Sign in to the Azure portal

Open your web browser and go to https://portal.azure.com. Sign in with your Azure account.

Step 2: Create a virtual network

On the Azure portal menu, select Create a resource.

In the Search the Marketplace search box, type Virtual network. Select Virtual network from the results.

[Screenshot: Azure portal search for Virtual network]

Click Create.

On the Basics tab, configure the following settings:

  • Subscription: Select your subscription.
  • Resource group: Select Create new and enter a name for your resource group, for example, BastionExample-rg.
  • Name: Enter a name for your virtual network, for example, VNet-bastion-example.
  • Region: Select the same region where you plan to create your Bastion host.

[Screenshot: Azure virtual network basic settings]

Click Next: IP Addresses.

Under IPv4 address space, enter a value, for example, 10.0.0.0/16.

Under Subnets, select Default to rename the subnet or click Add subnet to create a new one.

Important: You need a subnet named AzureBastionSubnet for your Bastion host. This subnet must be /27 or larger. No other resources can be deployed to this subnet; it is reserved for the Bastion host.

In the Subnet name field, enter AzureBastionSubnet. In the Subnet address range field, enter a value, for example, 10.0.1.0/27.
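The subnet rules above (exact name AzureBastionSubnet, /27 or larger, inside the VNet address space, not shared with any other subnet) are easy to get wrong when typing CIDRs into the portal, and the portal only tells you on the Bastion Networking tab that no suitable subnet exists. The following is an added example, not part of the tutorial or of any Azure tooling: a small standard-library Python check that validates a planned subnet layout before you click Create, plus a helper that picks the first free /27 in the VNet. The VNet and subnet values are the tutorial's own; the function and variable names are assumptions.

```python
import ipaddress

# Azure Bastion requires a dedicated subnet with exactly this name (from the tutorial).
BASTION_SUBNET_NAME = "AzureBastionSubnet"
# Smallest permitted prefix length is /27, i.e. 32 addresses (from the tutorial).
BASTION_MIN_PREFIX = 27


def check_bastion_subnet(vnet_space, subnets):
    """Validate a planned VNet layout against the Bastion subnet rules.

    vnet_space: the VNet IPv4 address space, e.g. "10.0.0.0/16".
    subnets:    mapping of subnet name -> CIDR, e.g. {"default": "10.0.0.0/24", ...}.
    Returns a list of problems; an empty list means the layout is acceptable.
    """
    problems = []
    try:
        vnet = ipaddress.ip_network(vnet_space, strict=True)
    except ValueError as exc:
        return [f"VNet address space {vnet_space!r} is not a valid network: {exc}"]

    bastion_cidr = subnets.get(BASTION_SUBNET_NAME)
    if bastion_cidr is None:
        # Without a subnet of this exact name the portal offers nothing to select.
        return [f"no subnet named {BASTION_SUBNET_NAME!r} in the VNet"]

    try:
        bastion = ipaddress.ip_network(bastion_cidr, strict=True)
    except ValueError as exc:
        # strict=True rejects host bits set, e.g. "10.0.1.5/27".
        return [f"{BASTION_SUBNET_NAME} CIDR {bastion_cidr!r} is invalid: {exc}"]

    if bastion.prefixlen > BASTION_MIN_PREFIX:
        problems.append(
            f"{bastion} is a /{bastion.prefixlen}; Bastion needs /{BASTION_MIN_PREFIX} or larger")
    if not bastion.subnet_of(vnet):
        problems.append(f"{bastion} lies outside the VNet address space {vnet}")

    # The Bastion subnet is reserved for the Bastion host, so it must not overlap
    # any other subnet that would put workloads into the same address range.
    for name, cidr in subnets.items():
        if name == BASTION_SUBNET_NAME:
            continue
        other = ipaddress.ip_network(cidr, strict=True)
        if other.overlaps(bastion):
            problems.append(f"{BASTION_SUBNET_NAME} {bastion} overlaps subnet {name!r} {other}")
    return problems


def suggest_bastion_subnet(vnet_space, subnets, prefix=BASTION_MIN_PREFIX):
    """Return the first /prefix block in the VNet not overlapping an existing subnet."""
    vnet = ipaddress.ip_network(vnet_space, strict=True)
    used = [ipaddress.ip_network(cidr, strict=True) for cidr in subnets.values()]
    for candidate in vnet.subnets(new_prefix=prefix):
        if not any(candidate.overlaps(existing) for existing in used):
            return str(candidate)
    return None  # VNet is full at that prefix length


if __name__ == "__main__":
    # Constructed layout matching the tutorial: a default subnet plus the Bastion subnet.
    layout = {"default": "10.0.0.0/24", "AzureBastionSubnet": "10.0.1.0/27"}
    print("problems:", check_bastion_subnet("10.0.0.0/16", layout))
    print("next free /27:", suggest_bastion_subnet("10.0.0.0/16", {"default": "10.0.0.0/24"}))
```

Run the check on the layout you intend to enter; each returned string names one thing the portal would later reject or that would leave a workload sharing the Bastion subnet.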

[Screenshot: Azure virtual network IP addresses and subnets]

Click Review + create.

After validation passes, click Create.

Create an Azure Bastion host

Now that you have a virtual network, you can create a Bastion host.

Step 1: Navigate to Azure Bastion

In the Azure portal search bar, type Bastion. Select Bastions from the results.

[Screenshot: Azure portal search for Bastion]

Step 2: Create a Bastion host

On the Bastions page, click Create.

[Screenshot: Azure portal Bastion create button]

On the Basics tab, configure the following settings:

  • Subscription: Select your subscription.
  • Resource group: Select the resource group you created earlier (e.g., BastionExample-rg).
  • Name: Enter a name for your Bastion host, for example, Bastion-host-example.
  • Region: Select the same region as your virtual network.
  • SKU: Select a SKU. For this tutorial, we'll use Standard.
  • Availability zones: Select an option based on your requirements.

[Screenshot: Azure Bastion basic configuration]

Click Next: Networking.

Under Virtual network, select the virtual network you created (e.g., VNet-bastion-example).

Under Subnet, select AzureBastionSubnet. If you don't see this subnet, ensure it's correctly named and sized (at least /27).

Under Public IP address, select Create new. For the name, enter a name like Bastion-host-ip. Ensure the SKU is Standard and Assignment is Static.

[Screenshot: Azure Bastion networking configuration]

Click Next: Tags.

Add any desired tags and click Next: Review + create.

After validation passes, click Create.

Deployment can take a few minutes.

Connect to a virtual machine

Once your Bastion host is deployed, you can connect to your virtual machines.

Step 1: Create a virtual machine

If you don't have a virtual machine to connect to, create one in the same virtual network where you deployed Bastion. For simplicity, we'll assume you're creating a Windows VM.

On the Azure portal menu, select Create a resource.

Search for Virtual machine and select it.

Click Create.

On the Basics tab, configure the following:

  • Subscription: Select your subscription.
  • Resource group: Select the same resource group (e.g., BastionExample-rg).
  • Virtual machine name: Enter a name, e.g., VM-bastion-example.
  • Region: Select the same region.
  • Availability options: No infrastructure redundancy required.
  • Security type: Standard.
  • Image: Select a Windows Server image (e.g., Windows Server 2019 Datacenter).
  • Size: Select a VM size.
  • Administrator account: Enter a username and password.
  • Inbound port rules: None.

Click Next: Disks, then Next: Networking.

For Virtual network, select your virtual network (e.g., VNet-bastion-example).

For Subnet, select a subnet other than AzureBastionSubnet.

Ensure Public IP is set to None.

Click Next through the remaining tabs and then Create.
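The point of the VM settings above (Inbound port rules: None, Public IP: None, a subnet other than AzureBastionSubnet) is that the VM is reachable only through the Bastion host. The following is an added example, not part of the tutorial or of Azure's own tooling: a Python audit over a constructed, simplified description of a VM's networking (not Azure's real resource schema) that flags anything undoing that intent: a public IP, placement in the Bastion subnet, or an NSG rule allowing RDP or SSH from the Internet. The VM name is the tutorial's; the data shape, IP address and function names are assumptions.

```python
# Constructed, simplified view of a VM's networking as you would read it off the
# portal's Networking tab. This is NOT Azure's resource schema; it is an assumption
# made for the example.
VM_OK = {
    "name": "VM-bastion-example",   # the tutorial's VM
    "subnet": "default",
    "public_ip": None,              # "Public IP: None"
    "nsg_rules": [],                # "Inbound port rules: None"
}

VM_EXPOSED = {
    "name": "vm-direct-rdp",
    "subnet": "default",
    "public_ip": "203.0.113.10",    # constructed, from the TEST-NET-3 documentation range
    "nsg_rules": [
        {"direction": "Inbound", "access": "Allow", "protocol": "Tcp",
         "source": "Internet", "dest_ports": ["3389"], "priority": 300},
    ],
}

# Ports that Bastion is meant to take off the public edge.
MANAGEMENT_PORTS = {22, 3389}
# Source values that mean "anyone on the Internet" in the simplified schema.
INTERNET_SOURCES = {"Internet", "*", "Any"}


def _touches_management_port(dest_ports):
    """True if any port spec ("22", "*", "3000-4000") covers an RDP/SSH port."""
    for spec in dest_ports:
        if spec == "*":
            return True
        if "-" in spec:
            low, high = (int(p) for p in spec.split("-", 1))
            if any(low <= port <= high for port in MANAGEMENT_PORTS):
                return True
        elif int(spec) in MANAGEMENT_PORTS:
            return True
    return False


def audit_vm_exposure(vm):
    """Return findings that contradict a Bastion-only access design (empty = clean)."""
    findings = []
    if vm["subnet"] == "AzureBastionSubnet":
        findings.append("VM is in AzureBastionSubnet, which is reserved for the Bastion host")
    if vm.get("public_ip"):
        findings.append(f"VM has public IP {vm['public_ip']}; Bastion makes it unnecessary")
    for rule in vm["nsg_rules"]:
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if rule["source"] not in INTERNET_SOURCES:
            continue
        if _touches_management_port(rule["dest_ports"]):
            findings.append(
                f"NSG rule priority {rule['priority']} allows {','.join(rule['dest_ports'])} "
                f"from {rule['source']}")
    return findings


if __name__ == "__main__":
    for vm in (VM_OK, VM_EXPOSED):
        print(vm["name"], "->", audit_vm_exposure(vm) or "no findings")
```

The audit deliberately ignores rules scoped to a private source range: management traffic from inside the VNet (which is where Bastion itself originates) is what the design expects.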

Step 2: Connect to the VM

Once the VM is deployed and running:

  1. Navigate to your virtual machine in the Azure portal.
  2. On the Overview page, click Connect.
  3. Select Bastion.
  4. On the Connect using Bastion page, select Use Bastion.
  5. Enter the username and password for your virtual machine.
  6. Click Connect.

A new browser tab will open, and you will be connected to your virtual machine through Azure Bastion.

[Screenshot: Azure VM connect using Bastion]