Tutorial: Deploy Azure Bastion by using specified settings

This tutorial helps you deploy Azure Bastion from the Azure portal by using your own manual settings and a SKU (product tier) that you specify. The SKU determines the features and connections that are available for your deployment. For more information about SKUs, see Configuration settings - SKUs.

In the Azure portal, when you use the Configure manually option to deploy Bastion, you can specify configuration values such as instance counts and SKUs at the time of deployment. After Bastion is deployed, you can use SSH or RDP to connect to virtual machines (VMs) in the virtual network via Bastion using the private IP addresses of the VMs. When you connect to a VM, it doesn't need a public IP address, client software, an agent, or a special configuration.

The following diagram shows the architecture of Bastion.

Diagram that shows the Azure Bastion architecture.

In this tutorial, you deploy Bastion by using the Standard SKU. You adjust host scaling (instance count), which the Standard SKU supports. If you use a lower SKU for the deployment, you can't adjust host scaling.

After the deployment is complete, you connect to your VM via private IP address. If your VM has a public IP address that you don't need for anything else, you can remove it.

In this tutorial, you learn how to:

  • Deploy Bastion to your virtual network.
  • Connect to a virtual machine.
  • Remove the public IP address from a virtual machine.

Prerequisites

To complete this tutorial, you need these resources:

  • An Azure subscription. If you don't have one, create a trial subscription before you begin.

  • A virtual network where you'll deploy Bastion.

  • A virtual machine in the virtual network. This VM isn't a part of the Bastion configuration and doesn't become a bastion host. You connect to this VM later in this tutorial via Bastion. If you don't have a VM, create one by using Quickstart: Create a Windows VM or Quickstart: Create a Linux VM.

  • Required VM roles:

    • Reader role on the virtual machine
    • Reader role on the network adapter (NIC) with the private IP of the virtual machine
  • Required inbound ports:

    • For Windows VMs: RDP (3389)
    • For Linux VMs: SSH (22)

Note

The use of Azure Bastion with Azure Private DNS zones is supported. However, there are restrictions. For more information, see the Azure Bastion FAQ.

Example values

You can use the following example values when creating this configuration, or you can substitute your own.

Basic virtual network and VM values

Name               Value
Virtual machine    TestVM
Resource group     TestRG1
Region             China East 2
Virtual network    VNet1
Address space      10.1.0.0/16
Subnets            FrontEnd: 10.1.0.0/24

Bastion values

Name                           Value
Name                           VNet1-bastion
Subnet name                    AzureBastionSubnet
AzureBastionSubnet addresses   A subnet within your virtual network address space with a subnet mask of /26 or larger; for example, 10.1.1.0/26
Tier/SKU                       Standard
Instance count (host scaling)  3 or greater
Public IP address              Create new
Public IP address name         VNet1-ip
Public IP address SKU          Standard
Assignment                     Static

Deploy Bastion

This section helps you deploy Bastion to your virtual network. After Bastion is deployed, you can connect securely to any VM in the virtual network using its private IP address.

Important

Hourly pricing starts from the moment that Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs. If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource after you finish using it.

  1. Sign in to the Azure portal.

  2. Type Bastion in the search box.

  3. Under services, select Bastions.

  4. On the Bastions page, select + Create to open the Create a Bastion page.

  5. On the Create a Bastion page, configure the settings for your bastion host.

    • Project details

      • Subscription: Select your Azure subscription.
      • Resource Group: Select your Resource Group.
    • Instance details

      • Name: The name that you want to use for your Bastion resource.

      • Region: The Azure public region in which the resource will be created. Choose the region where your virtual network resides.

      • Tier: The SKU. For this tutorial, select Standard. For information about the features available for each SKU, see Configuration settings - SKU.

      • Instance count: The setting for host scaling, which is available for the Standard SKU. You configure host scaling in scale unit increments. Use the slider or enter a number to configure the instance count that you want. For more information, see Instances and host scaling and Azure Bastion pricing.

      Screenshot of Azure Bastion instance details.

  6. Configure the Virtual networks settings. Select your virtual network from the dropdown list. If your virtual network isn't in the dropdown list, make sure that you selected the correct Region value in the previous step.

  7. To configure AzureBastionSubnet, select Manage subnet configuration.

    Screenshot of the section for configuring virtual networks.

  8. On the Subnets pane, select +Subnet.

  9. On the Add subnet pane, create the AzureBastionSubnet subnet by using the following values. Leave the other values as default.

    • The subnet name must be AzureBastionSubnet.
    • The subnet must be /26 or larger (for example, /26, /25, or /24) to accommodate features available with the Standard SKU.

    Select Save at the bottom of the pane to save your values.

  10. At the top of the Subnets pane, select Create a Bastion to return to the Bastion configuration pane.

    Screenshot of the pane that lists Azure Bastion subnets.

  11. The Public IP address section is where you configure the public IP address of the bastion host resource on which RDP/SSH will be accessed (over port 443). The public IP address must be in the same region as the Bastion resource that you're creating.

    Create a new IP address. You can leave the default naming suggestion.

  12. When you finish specifying the settings, select Review + Create. This step validates the values.

  13. After the values pass validation, you can deploy Bastion. Select Create.

    A message says that your deployment is in process. The status appears on this page as the resources are created. It takes about 10 minutes for the Bastion resource to be created and deployed.
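Before you select Create, it is worth checking the planned values against the rules this tutorial states (subnet named exactly AzureBastionSubnet, /26 or larger, inside the virtual network's address space and not overlapping an existing subnet, Standard static public IP). The following pre-deployment check is an added example written for this page, not part of the tutorial or any Azure tool; the planning values are constructed from the example tables above.

```python
import ipaddress

# Constructed planning values taken from the tutorial's example tables
# (sample values for illustration, not a real deployment).
VNET_ADDRESS_SPACE = "10.1.0.0/16"
EXISTING_SUBNETS = {"FrontEnd": "10.1.0.0/24"}
BASTION_SUBNET_NAME = "AzureBastionSubnet"
BASTION_SUBNET_PREFIX = "10.1.1.0/26"
PUBLIC_IP = {"sku": "Standard", "assignment": "Static"}


def check_bastion_plan(vnet_space, existing_subnets, subnet_name, subnet_prefix, public_ip):
    """Return a list of problems; an empty list means the plan meets the tutorial's rules."""
    problems = []
    try:
        vnet = ipaddress.ip_network(vnet_space, strict=True)
        subnet = ipaddress.ip_network(subnet_prefix, strict=True)
    except ValueError as err:
        # strict=True rejects a prefix with host bits set, such as 10.1.1.10/26,
        # which the portal would also refuse as a subnet address range.
        return [f"invalid CIDR: {err}"]

    # Rule 1: the Bastion subnet must be named exactly AzureBastionSubnet.
    if subnet_name != "AzureBastionSubnet":
        problems.append(f"subnet name must be AzureBastionSubnet, got {subnet_name!r}")

    # Rule 2: /26 or larger (a larger prefix length means a smaller subnet).
    if subnet.prefixlen > 26:
        problems.append(f"subnet /{subnet.prefixlen} is too small; use /26 or larger")

    # Rule 3: the subnet must lie inside the virtual network's address space.
    if not subnet.subnet_of(vnet):
        problems.append(f"{subnet} is outside the address space {vnet}")

    # Rule 4: it must not overlap any subnet that already exists in the VNet.
    for name, prefix in existing_subnets.items():
        if subnet.overlaps(ipaddress.ip_network(prefix, strict=True)):
            problems.append(f"{subnet} overlaps existing subnet {name} ({prefix})")

    # Rule 5: the public IP must be the Standard SKU with a static assignment.
    if public_ip.get("sku") != "Standard" or public_ip.get("assignment") != "Static":
        problems.append("public IP must be Standard SKU with Static assignment")

    return problems


if __name__ == "__main__":
    issues = check_bastion_plan(VNET_ADDRESS_SPACE, EXISTING_SUBNETS,
                                BASTION_SUBNET_NAME, BASTION_SUBNET_PREFIX, PUBLIC_IP)
    print("plan OK" if not issues else "\n".join(issues))
```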

Connect to a VM

You can use any of the following detailed articles to connect to a VM. Some connection types require the Bastion Standard SKU.

You can also use these basic connection steps to connect to your VM:

  1. In the Azure portal, go to the virtual machine to which you want to connect.

  2. At the top of the page, select Connect->Bastion to go to the Bastion page. You can also go to the Bastion page using the left menu.

  3. The options available on the Bastion page depend on the Bastion SKU tier. If you're using the Basic SKU, you connect to a Windows computer using RDP and port 3389, and to a Linux computer using SSH and port 22. You don't have options to change the port number or the protocol. However, you can change the keyboard language for RDP by expanding Connection Settings.

    Screenshot of Bastion connection page.

    If you're using the Standard SKU, you have more connection protocol and port options available. Expand Connection Settings to see the options. Typically, unless you have configured different settings for your VM, you connect to a Windows computer using RDP and port 3389, and to a Linux computer using SSH and port 22.

    Screenshot of connection settings expanded.

  4. Select the Authentication Type from the dropdown. The protocol determines the available authentication types. Complete the required authentication values.

    Screenshot showing authentication type dropdown.

  5. To open the VM session in a new browser tab, leave Open in a new browser tab selected.

  6. Click Connect to connect to the VM.

  7. The connection to this virtual machine, via Bastion, will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service.

    • When you connect, the desktop of the VM will look different from the example screenshot.

    • Using keyboard shortcut keys while connected to a VM may not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.

      Screenshot of Connect using port 443.

Enable audio output

You can enable remote audio output for your VM. Some VMs automatically enable this setting, others require you to enable audio settings manually. The settings are changed on the VM itself. Your Bastion deployment doesn't need any special configuration settings to enable remote audio output.

Note

Audio output takes up bandwidth on your internet connection.

To enable remote audio output on a Windows VM:

  1. After you're connected to the VM, you'll see an audio button in the lower-right corner of the toolbar.
  2. Right-click the audio button and select "Sounds".
  3. A pop-up appears asking if you would like to enable the Windows Audio Service. Select "Yes". You can configure more audio options in Sound preferences.
  4. To verify sound output, hover your mouse over the audio button on the toolbar.

Remove a VM's public IP address

When you connect to a VM using Azure Bastion, you don't need a public IP address for your VM. If you aren't using the public IP address for anything else, you can dissociate it from your VM. To dissociate a public IP address from your VM, use the following steps:

  1. Go to your virtual machine and select Networking. Click the NIC Public IP to open the Public IP address page.

    Screenshot of networking page.

  2. On the Public IP address page, you can see the VM network interface listed under Associated to on the lower right of the page. Click Dissociate at the top of the page.

    Screenshot of public IP address for the VM.

  3. Click Yes to dissociate the IP address from the network interface. Once the public IP address is dissociated from the VM network interface, you can see that it's no longer listed under Associated to.

  4. After you dissociate the IP address, you can delete the public IP address resource. On the Public IP address page for the VM, select Delete.

    Screenshot of delete the public IP address resource.

  5. Click Yes to delete the public IP address.

Clean up resources

When you finish using the resources you created in this tutorial, delete them:

  1. Enter the name of your resource group in the Search box at the top of the portal. When your resource group appears in the search results, select it.
  2. Select Delete resource group.
  3. Enter the name of your resource group for TYPE THE RESOURCE GROUP NAME, and then select Delete.

Next steps

In this tutorial, you deployed Bastion to a virtual network and connected to a VM. You then removed the public IP address from the VM. Next, learn about and configure additional Bastion features.