Azure Bastion Fundamentals

Aditya Garg
4 min readJul 15, 2022


Hey there,Hope the readers are doing great!

In this article,I discuss about Azure Bastion.

Starting with the basics,What is Bastion?

Azure Bastion is a service that lets you connect to a virtual machine(having only Private IP and no Public IP) using your browser and the Azure portal.

-The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual network.

-It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS.

-When you connect via Azure Bastion, your virtual machines don’t need a public IP address, agent, or special client software.(MAIN OBJECTIVE OF USING BASTION)

-Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned.

-Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.

Azure Bastion

This figure shows the architecture of an Azure Bastion deployment. In this diagram:

  • The Bastion host is deployed in the virtual network that contains the AzureBastionSubnet subnet.

-Subnet size must be /26 or larger (/25, /24 etc.).

-The subnet must be in the same VNet and resource group as the bastion host.

-The subnet cannot contain additional resources.

  • The Bastion is provisioned per virtual network where VM/s reside(which are to be connected).

If 2 VMs reside in different(non peered) vnets, 2 separate Bastion hosts are needed to be provisioned.

  • The user connects to the Azure portal using any HTML5 browser.
  • The user selects the virtual machine to connect to.
  • With a single click, the RDP/SSH session opens in the browser.
  • No public IP is required on the Azure VM. The Azure Bastion host uses a Public IP.

-The Public IP address SKU must be Standard.

-The Public IP address assignment/allocation method must be Static.

2.Where does one deploy the Bastion Host?

· Azure Bastion is deployed to a virtual network and supports virtual network peering.

Specifically, Azure Bastion manages RDP/SSH connectivity to VMs created in the local or peered virtual networks.

Azure Bastion works with the following types of peering:

-Virtual network peering: Connect virtual networks within the same Azure region.

-Global virtual network peering: Connecting virtual networks across Azure regions.

· Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine.

Once you provision the Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same VNet(across subnets) and peered VNets.

This means you can consolidate Bastion deployment to single VNet and still reach VMs deployed in a peered VNet, centralizing the overall deployment.

VMs in a non peered VNet will need another Bastion to be setup for access.

Azure Bastion works across peered vNets — A Central Hub vNet can contain single common Bastion Host

3.What kind of IAM permissions are needed for Bastion to work?

Check your permissions in YourSubscription | IAM and verify that you have read access to the following resources:

  • Reader role on the virtual machine.
  • Reader role on the NIC with private IP of the virtual machine.
  • Reader role on the Azure Bastion resource.
  • Reader role on the virtual network (for peered virtual networks).

4.How do NSGs work with Azure Bastion?

i.There is no need to perform any NSG configuration on the side where VM resides (unless default Azure NSG rules are overridden)

This is because within vNet, subnet to subnet communication is allowed by default.So,the AzureBastionSubnet can communicate with other subnets within same vNet.

Exception is production scenario where a rule is created to override default Azure NSG rules.Then one needs to allow traffic

· from AzureBastionSubnet as source IP ,

·from any source port,

· destination IP equal to subnets/vnets where VMs reside

· destination port 22 for SSH and 3389 for RDP

· Action Allow

· Protocol TCP

ii. NSG on AzureBastionSubnet

Note that,by default,no NSGs are created by Azure –this allows HTTPS traffic from Azure portal inbound.

If using NSG, refer here

5.What are the different SKU options for Azure Bastion?

Azure Bastion SKUs

Instances and host scaling

  • An instance is an optimized Azure VM that is created when you configure Azure Bastion.
  • It’s fully managed by Azure and runs all of the processes needed for Azure Bastion.
  • An instance is also referred to as a scale unit.
  • You connect to client VMs via an Azure Bastion instance.
  • When you configure Azure Bastion using the Basic SKU, two instances are created. If you use the Standard SKU, you can specify the number of instances. This is called host scaling.
  • Each instance can support 25 concurrent RDP connections and 50 concurrent SSH connections for medium workloads
  • It may be noted that 1 host instance does not equal 1 user session.

The number of connections per instances depends on what actions you are taking when connected to the client VM.

For example, if you are doing something data intensive, it creates a larger load for the instance to process. Once the concurrent sessions are exceeded, an additional scale unit (instance) is required.

  • Instances are created in the AzureBastionSubnet. To allow for host scaling, the AzureBastionSubnet should be /26 or larger. Using a smaller subnet limits the number of instances you can create.

That is pretty much it for this post,hope you liked it :)



Aditya Garg

Cloud Consultant |Zumba Enthusiast | Seaside Lover | 2XAzure, 1XAWS, 1XCCNP, 1XCCNA