Last updated: May 2026

Azure Bastion

Every time you open port 22 (SSH) or port 3389 (RDP) to the internet, bots start scanning and brute-forcing within minutes. Azure Bastion eliminates this risk entirely. It's a fully managed service that lets you connect to VMs directly from the Azure Portal browser — with no public IP on the VM and no open management ports. It's the secure, professional way to access VMs in production.

What you'll learn
  • What Azure Bastion is and why it exists
  • How Bastion works architecturally
  • Bastion SKUs: Basic vs Standard vs Premium
  • Deploying Azure Bastion
  • Connecting to VMs via Bastion
  • Bastion vs direct SSH/RDP
  • Cost considerations
  • Best practices

What is Azure Bastion?

Azure Bastion is a fully managed PaaS service that provides secure, seamless RDP and SSH connectivity to your VMs directly from the Azure Portal — over TLS (HTTPS, port 443). Your VMs don't need public IP addresses, and you don't need to open SSH (22) or RDP (3389) ports to the internet.

ℹ️ The Name "Bastion"
A bastion host is a security concept — a dedicated, hardened server that acts as the single entry point into a private network. Azure Bastion is Microsoft's managed implementation of this concept, built into your VNet and managed entirely by Microsoft.

How Bastion Works

Here's the connection flow when you use Azure Bastion:

  1. You open the Azure Portal in your browser (HTTPS, port 443)
  2. You navigate to your VM and click Connect → Bastion
  3. Your browser connects to the Bastion host — which lives inside your VNet in a dedicated subnet called AzureBastionSubnet
  4. Bastion connects to your VM using its private IP address over the VNet — SSH port 22 or RDP port 3389, but only on the internal network
  5. The terminal or desktop session streams back to your browser over the already-open HTTPS connection
💡 Key Security Insight
Ports 22 and 3389 are NEVER exposed to the internet. They're only used internally between Bastion and your VM, on the private VNet. The internet only ever sees port 443 (HTTPS) going to the Bastion service — not to your VM.

Bastion SKUs

Azure Bastion comes in three tiers:

| SKU       | Key Features                                                                                                  | Approx Cost/Month     |
|-----------|---------------------------------------------------------------------------------------------------------------|-----------------------|
| Developer | Single VM at a time, no dedicated subnet needed, no public IP required                                        | Free (preview)        |
| Basic     | RDP/SSH from browser, shareable links not supported, 2 instances                                              | ~₹5,000/month         |
| Standard  | All Basic features + file upload/download, native client support, shareable links, scaling up to 50 instances | ~₹9,000–12,000/month  |
| Premium   | All Standard features + session recording, private-only Bastion, IP-based connection                          | ~₹18,000+/month       |
💡 For Learning — Use Developer SKU
The Developer SKU is free and requires no AzureBastionSubnet or dedicated public IP. It's perfect for learning and testing. For production, use Standard or Premium depending on your needs.

Deploying Azure Bastion

Requirements

  • A Virtual Network with an AzureBastionSubnet subnet (minimum /26 size)
  • A Standard SKU Public IP address assigned to Bastion
  • The subnet must be named exactly AzureBastionSubnet — no other name is accepted
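The three requirements above are easy to get wrong in scripts, so here is a pre-flight check to run before creating the subnet. This is an added example, not code from the page or from Microsoft; the VNet range, existing subnet and Bastion prefix in the demo are constructed to match the CLI deployment later on this page.

```python
import ipaddress

# Hard requirements from the Requirements list: exact subnet name, at least a /26.
BASTION_SUBNET_NAME = "AzureBastionSubnet"
BASTION_MIN_PREFIX = 26  # /26 = 64 addresses; a /27 or smaller is rejected by Azure


def check_bastion_subnet(name, prefix, vnet_prefixes, other_subnet_prefixes=()):
    """Pre-flight check before `az network vnet subnet create`.

    Returns a list of problems; an empty list means the subnet is acceptable.
    Beyond the two Bastion rules it also confirms the range lies inside the
    VNet address space and does not collide with an existing subnet.
    """
    problems = []
    if name != BASTION_SUBNET_NAME:
        problems.append(f"subnet must be named exactly {BASTION_SUBNET_NAME!r}, got {name!r}")
    try:
        net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits, e.g. 10.0.1.10/26
    except ValueError as exc:
        problems.append(f"invalid prefix {prefix!r}: {exc}")
        return problems
    if net.prefixlen > BASTION_MIN_PREFIX:
        problems.append(f"prefix /{net.prefixlen} is smaller than the /{BASTION_MIN_PREFIX} minimum")
    if not any(net.subnet_of(ipaddress.ip_network(v)) for v in vnet_prefixes):
        problems.append(f"{net} is not inside the VNet address space {list(vnet_prefixes)}")
    for other in other_subnet_prefixes:
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{net} overlaps existing subnet {other}")
    return problems


if __name__ == "__main__":
    # Constructed scenario: myVNet is 10.0.0.0/16 with an existing 10.0.0.0/24
    # subnet, and Bastion should land on 10.0.1.0/26 (as in the CLI example).
    for name, prefix in [("AzureBastionSubnet", "10.0.1.0/26"),
                         ("BastionSubnet", "10.0.1.0/27")]:
        issues = check_bastion_subnet(name, prefix, ["10.0.0.0/16"], ["10.0.0.0/24"])
        print(name, prefix, "OK" if not issues else issues)
```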

Via Azure Portal

  1. Search for Bastions in the portal
  2. Click + Create
  3. Select your subscription, resource group, and region
  4. Give it a name (e.g., bastion-prod)
  5. Select your VNet — Azure will create the AzureBastionSubnet automatically if it doesn't exist
  6. Create or select a Public IP for Bastion
  7. Select the SKU (Basic for getting started)
  8. Click Review + Create → Create

Deployment takes about 5–10 minutes.

Via Azure CLI

Azure CLI: Deploy Azure Bastion
# Create the AzureBastionSubnet in your VNet
az network vnet subnet create \
  --resource-group myResourceGroup \
  --vnet-name myVNet \
  --name AzureBastionSubnet \
  --address-prefixes 10.0.1.0/26

# Create a public IP for Bastion
az network public-ip create \
  --resource-group myResourceGroup \
  --name bastion-pip \
  --sku Standard \
  --location centralindia

# Create the Bastion host
az network bastion create \
  --resource-group myResourceGroup \
  --name bastion-prod \
  --public-ip-address bastion-pip \
  --vnet-name myVNet \
  --location centralindia \
  --sku Basic

Connecting to VMs via Bastion

Once Bastion is deployed:

  1. Go to your VM in the Azure Portal
  2. Click Connect in the top menu
  3. Select Bastion
  4. Enter your credentials (username + password, or username + SSH key)
  5. Click Connect
  6. A new browser tab opens with your SSH terminal or RDP desktop
ℹ️ No Client Installation Required
The terminal or RDP session runs entirely in your browser. No SSH client, no RDP client, no VPN. Works from any device with a modern browser — including tablets and Chromebooks.

Native Client Support (Standard SKU)

The Standard SKU also supports connecting via your local SSH or RDP client (not just the browser). This is useful if you prefer a full-featured client with copy-paste, multiple tabs, etc.

Azure CLI: Connect via SSH through Bastion (Standard SKU)
az network bastion ssh \
  --name bastion-prod \
  --resource-group myResourceGroup \
  --target-resource-id /subscriptions/.../virtualMachines/myVM \
  --auth-type ssh-key \
  --username azureuser \
  --ssh-key ~/.ssh/id_rsa

Bastion vs Direct SSH/RDP

| Factor                 | Direct SSH/RDP        | Azure Bastion                 |
|------------------------|-----------------------|-------------------------------|
| VM needs public IP?    | Yes                   | No                            |
| Ports 22/3389 exposed? | Yes — to internet     | No — internal only            |
| Client required?       | SSH/RDP client app    | Just a browser                |
| Works on any device?   | Needs client app      | Yes — any browser             |
| Cost                   | Free                  | ~₹5,000–18,000/month          |
| Security               | Depends on NSG/JIT    | High — no internet exposure   |
| Best for               | Dev/test, learning    | Production environments       |

Cost Considerations

Azure Bastion is charged per hour of deployment plus for outbound data transfer. Key points:

  • You pay for Bastion even when no one is connected — it's always-on infrastructure
  • One Bastion host covers all VMs in the same VNet (and peered VNets)
  • For a large team accessing many VMs, one Bastion host is far cheaper than giving each VM a public IP
  • For a single dev VM you use occasionally, direct SSH with an IP-restricted NSG may be more cost-effective

Best Practices

  • Use Bastion for all production VMs — Never expose port 22 or 3389 on production systems
  • One Bastion per VNet — A single Bastion host covers all VMs in the VNet
  • Remove public IPs from VMs behind Bastion — If you're using Bastion, VMs don't need public IPs at all
  • Use Standard SKU for teams — File transfer and native client support are essential for real teams
  • Developer SKU for learning — Free, no infrastructure setup required
💡 AZ-104 Exam Tip
Know that Bastion requires a subnet named exactly "AzureBastionSubnet" (/26 minimum), that it provides browser-based SSH/RDP over HTTPS without exposing ports 22 or 3389, and that VMs behind Bastion don't need public IPs.
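Two of the best practices above (never expose 22/3389 on production systems, remove public IPs from VMs behind Bastion) can be verified after deployment. The following audit is an added example, not code from the page or from Microsoft; it consumes data in the shape returned by `az network nsg rule list -o json` and `az vm list-ip-addresses -o json`, and the sample records embedded at the bottom are constructed.

```python
# Audit helpers for VMs that should only be reachable through Azure Bastion.
# Field names follow the az CLI JSON output; SAMPLE_* data below is constructed.
MGMT_PORTS = {22, 3389}
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}  # source prefixes that mean "anyone"


def _rule_ports(rule):
    """Expand destinationPortRange(s) such as "22", "3000-4000" or "*" into a set."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
    ports = set()
    for r in filter(None, ranges):
        if r == "*":
            return set(MGMT_PORTS)  # wildcard covers both management ports
        lo, _, hi = str(r).partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def exposed_mgmt_rules(rules):
    """Names of inbound Allow rules that open 22 or 3389 to any internet source.
    A rule restricted to a specific source prefix (IP-restricted NSG) is not flagged."""
    return sorted(
        r["name"] for r in rules
        if r.get("direction") == "Inbound" and r.get("access") == "Allow"
        and r.get("protocol", "*") in ("*", "Tcp")
        and _rule_ports(r) & MGMT_PORTS
        and any(str(s).lower() in INTERNET_SOURCES
                for s in (r.get("sourceAddressPrefixes") or [r.get("sourceAddressPrefix")]))
    )


def vms_with_public_ips(vm_ips):
    """Names of VMs that still carry a public IP; behind Bastion they need none."""
    return sorted(v["virtualMachine"]["name"] for v in vm_ips
                  if v["virtualMachine"]["network"].get("publicIpAddresses"))


# Constructed sample data in the CLI output shape (not real resources).
SAMPLE_RULES = [
    {"name": "allow-ssh-any", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-rdp-office", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRange": "3389"},
    {"name": "allow-mgmt-vnet", "direction": "Inbound", "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRanges": ["22", "3389"]},
]
SAMPLE_VM_IPS = [
    {"virtualMachine": {"name": "web01", "network": {"publicIpAddresses": [{"ipAddress": "203.0.113.5"}]}}},
    {"virtualMachine": {"name": "db01", "network": {"publicIpAddresses": []}}},
]

if __name__ == "__main__":
    print("rules exposing 22/3389:", exposed_mgmt_rules(SAMPLE_RULES))
    print("VMs still holding a public IP:", vms_with_public_ips(SAMPLE_VM_IPS))
```

In a real VNet, feed it the JSON of every NSG attached to the Bastion-protected subnets and NICs; the rule `allow-rdp-office` is left alone because it is source-restricted, which matches the IP-restricted NSG case discussed under Cost Considerations.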
📝 Practice Questions
AZ-104 style questions.
Q1. What is the required subnet name when deploying Azure Bastion?
A BastionSubnet
B AzureBastionSubnet
C GatewaySubnet
D Any name of your choice
Q2. How does Azure Bastion connect to a VM once deployed?
A Via the VM's public IP address over the internet
B Via the VM's private IP address over the VNet — management ports stay internal
C Via a dedicated VPN tunnel between Bastion and the VM
D Via HTTPS (port 443) to the VM directly
Q3. Does a VM need a public IP address when using Azure Bastion?
A No — Bastion connects using the VM's private IP; no public IP needed
B Yes — Bastion still requires a public IP on each VM
C Only for Linux VMs — Windows VMs still need a public IP
D Only for the first connection — can be removed afterwards
Q4. Which Azure Bastion SKU supports file upload and download during sessions?
A Basic
B Standard
C Developer
D Free
Q5. A team deploys one Azure Bastion host in a VNet. How many VMs in that VNet can use the Bastion host?
A Only 1 VM
B Up to 10 VMs
C All VMs in the VNet — one Bastion host covers the entire VNet
D Only VMs in the AzureBastionSubnet
Disclaimer: RedKite Cloud is an independent educational resource and is not affiliated with, endorsed by, or officially connected to Microsoft Corporation. All product names, logos, and trademarks are property of their respective owners. Content is written independently for educational purposes only.