Azure Bastion offers four SKU tiers: Basic, Standard, and Premium.
For detailed information about all Azure Bastion features and configuration settings, see About Bastion configuration settings.
Feature comparison
Compare the features across all four Azure Bastion SKU tiers:
| Category | Feature | Basic | Standard | Premium |
|---|---|---|---|---|
| Deployment & Requirements | Requires AzureBastionSubnet¹ | Yes | Yes | Yes |
| | Requires Public IP address¹ | Yes | Yes | No² |
| | Dedicated bastion host | Yes | Yes | Yes |
| | Availability zones | Yes | Yes | Yes |
| | Virtual network peering support | Yes | Yes | Yes |
| VM Connectivity | Connect to VMs in same virtual network | Yes | Yes | Yes |
| | Connect to VMs in peered virtual networks | Yes | Yes | Yes |
| | Support for concurrent connections | Yes | Yes | Yes |
| | Connect to Linux VM using SSH | Yes | Yes | Yes |
| | Connect to Windows VM using RDP | Yes | Yes | Yes |
| | Connect to Linux VM using RDP | No | Yes | Yes |
| | Connect to Windows VM using SSH | No | Yes | Yes |
| Authentication & Security | Access Linux VM Private Keys in Azure Key Vault | Yes | Yes | Yes |
| | Kerberos authentication | Yes | Yes | Yes |
| | Session recording | No | No | Yes |
| | Private-only deployment (no public IP) | No | No | Yes |
| Connection Methods & Protocols | Azure portal based connections | Yes | Yes | Yes |
| | Connect to VMs using Azure CLI (native client) | No | Yes | Yes |
| | Specify custom inbound port | No | Yes | Yes |
| | IP-Connect feature | No | Yes | Yes |
| | Shareable link | No | Yes | Yes |
| | Upload or download files (native client) | No | Yes | Yes |
| User Experience | VM audio output | Yes | Yes | Yes |
| | Copy/paste (web-based clients) | Yes | Yes | Yes |
| | Disable copy/paste (web-based clients) | No | Yes | Yes |
| Cost | Hourly charge | Paid | Paid | Paid |
| | Outbound data transfer charges | Paid⁶ | Paid⁶ | Paid⁶ |
¹ For dedicated deployments (Basic, Standard, Premium), the AzureBastionSubnet must be /26 or larger (/25, /24, etc.). For more information, see Azure Bastion subnet.
² The private-only deployment option doesn't require a public IP address. For more information, see private-only deployment (private-only-deployment.md).
⁵ At maximum scale (50 instances). For more information, see Instances and host scaling.
⁶ First 5 GB per month is free. For more information, see Azure Bastion pricing.
Performance and scalability
The following table shows the capacity and scaling characteristics of each SKU tier:
| Metric | Basic | Standard | Premium |
|---|---|---|---|
| Deployment model | Dedicated host | Dedicated host | Dedicated host |
| Host scaling | No | Yes (2-50 instances) | Yes (2-50 instances) |
| Instance count | 2 (fixed) | 2-50 (configurable) | 2-50 (configurable) |
| Fixed instance count | 2 instances | Configurable | Configurable |
| Concurrent VM connections | Multiple VMs | Multiple VMs | Multiple VMs |
| Max concurrent RDP sessions⁵ | 40 (2 instances × 20) | 1,000 (50 instances × 20) | 1,000 (50 instances × 20) |
| Max concurrent SSH sessions⁵ | 80 (2 instances × 40) | 2,000 (50 instances × 40) | 2,000 (50 instances × 40) |
| Per instance capacity | 20 RDP + 40 SSH | 20 RDP + 40 SSH | 20 RDP + 40 SSH |
Regional availability
Azure Bastion SKU availability varies by region:
- Basic, Standard, Premium SKUs: Available in all Azure regions where Azure Bastion is supported.
Decision framework
Select an Azure Bastion SKU based on your requirements.
Basic SKU
Basic SKU provides dedicated deployment with fixed capacity. Choose Basic SKU when:
- You need dedicated production deployment
- Fixed capacity of two instances (40 RDP/80 SSH sessions) is sufficient
- You don't need advanced features (native client, shareable links, IP-based connections, custom ports, file transfer)
Standard SKU
Standard SKU includes advanced features and configurable scaling. Choose Standard SKU when:
- You need advanced features (native client, shareable links, IP-based connections, custom ports, file transfer)
- You require host scaling (2-50 instances)
- You need high concurrency (up to 1,000 RDP or 2,000 SSH sessions at max scale)
Premium SKU
Premium SKU includes all Standard features plus session recording and private-only deployment. Choose Premium SKU when:
- You require session recording for compliance or audit requirements
- You need private-only deployment (no public IP address)
- Compliance requirements mandate session audit trails
Tip
The cost difference between Standard and Premium is marginal. Premium SKU is the recommended choice for production deployments.
Upgrade considerations
Azure Bastion supports upgrading from lower SKUs to higher SKUs, but downgrading isn't supported.
Upgrade paths
- Basic and higher: Upgrade through the Azure portal. You can add features at the same time you upgrade. See Upgrade from Basic or Standard SKU.
Important
Upgrades take approximately 10 minutes. Downgrading a SKU isn't supported; to move to a lower SKU, you must delete and recreate Azure Bastion. You can add features during the upgrade process.
For step-by-step upgrade instructions, see View or upgrade a SKU.
Pricing model
Azure Bastion pricing combines hourly SKU charges with outbound data transfer costs. For dedicated SKUs (Basic, Standard, Premium), you pay hourly rates plus data transfer charges (first 5 GB/month free).
For detailed pricing information and cost optimization strategies, see Azure Bastion pricing and Azure Bastion cost optimization principles.