Azure Bastion for secure VM access - Commands & Configuration

Introduction
Exposing RDP (TCP 3389) or SSH (TCP 22) on a VM's public IP is risky: those ports are scanned and brute-forced continuously. Azure Bastion is a platform-managed jump service deployed into your virtual network. You reach it from the Azure portal over TLS on port 443, and it opens the RDP/SSH session to the VM's private IP from inside the network, so the VM needs no public IP and no internet-facing RDP/SSH rule. Use it:
When you want to connect to a VM without opening public ports like RDP or SSH.
When you need to manage VMs from the Azure portal in a browser, with the session carried over HTTPS.
When you want to reduce your attack surface by giving VMs no public IP address at all.
When you want to simplify network security by not running and patching your own jump servers or VPN gateways.
When you want encrypted VM access without installing extra client software.
Config File - azuredeploy.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "bastionName": {
      "type": "string",
      "defaultValue": "myBastionHost"
    },
    "virtualNetworkName": {
      "type": "string",
      "defaultValue": "myVnet"
    },
    "subnetName": {
      "type": "string",
      "defaultValue": "AzureBastionSubnet"
    },
    "location": {
      "type": "string",
      "defaultValue": "eastus"
    },
    "publicIpName": {
      "type": "string",
      "defaultValue": "myBastionPublicIP"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2021-05-01",
      "name": "[parameters('publicIpName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard"
      },
      "properties": {
        "publicIPAllocationMethod": "Static"
      }
    },
    {
      "type": "Microsoft.Network/bastionHosts",
      "apiVersion": "2021-05-01",
      "name": "[parameters('bastionName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]"
      ],
      "properties": {
        "ipConfigurations": [
          {
            "name": "bastionIPConfig",
            "properties": {
              "subnet": {
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]"
              },
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]"
              }
            }
          }
        ]
      }
    }
  ]
}

This ARM template creates a public IP address with static allocation and the Standard SKU, both of which Azure Bastion requires, and then creates the Bastion host bound to that IP and to the subnet named AzureBastionSubnet in the given virtual network. Note what the template does not do: it creates neither the virtual network nor the subnet, so both must already exist before deployment. The subnet name AzureBastionSubnet is mandatory, the subnet must be /26 or larger, and it must contain nothing but the Bastion host. If you attach a network security group to AzureBastionSubnet, it must include the inbound and outbound rules Bastion requires (HTTPS from the Internet and from the GatewayManager and AzureLoadBalancer service tags, ports 8080 and 5701 between Bastion hosts, and outbound 22/3389 to the VNet, 443 to AzureCloud and 80 to the Internet), or the deployment fails. Once deployed, the Bastion host reaches VMs in the virtual network (and in peered virtual networks) over their private IPs, so the VMs need no public IP; their own NSGs only have to allow TCP 22 or 3389 inbound from the AzureBastionSubnet range.

Commands
Create the required subnet named AzureBastionSubnet in the virtual network. The name is reserved and must match exactly, the subnet must be dedicated to Bastion (no VMs or other resources in it), and it must be /26 or larger; a /27 fails validation on new deployments.
Terminal
az network vnet subnet create --resource-group myResourceGroup --vnet-name myVnet --name AzureBastionSubnet --address-prefixes 10.0.1.0/26
Expected Output
{
  "addressPrefix": "10.0.1.0/26",
  "addressPrefixes": [
    "10.0.1.0/26"
  ],
  "delegations": [],
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVnet/subnets/AzureBastionSubnet",
  "name": "AzureBastionSubnet",
  "privateEndpointNetworkPolicies": "Enabled",
  "privateLinkServiceNetworkPolicies": "Enabled",
  "provisioningState": "Succeeded",
  "resourceGroup": "myResourceGroup",
  "resourceNavigationLinks": [],
  "routeTable": null,
  "serviceEndpoints": [],
  "type": "Microsoft.Network/virtualNetworks/subnets"
}
--resource-group - Specifies the resource group where the subnet is created
--vnet-name - Specifies the virtual network name
--name - Subnet name, must be AzureBastionSubnet for Bastion
--address-prefixes - Subnet range, which must be /26 or larger
Create a static public IP address with the Standard SKU for the Bastion host. This IP is the only internet-facing endpoint in the design: your browser connects to it over HTTPS (443), and the Bastion host then opens RDP/SSH to the VM's private IP from inside the virtual network. The public IP must be in the same region as the virtual network.
Terminal
az network public-ip create --resource-group myResourceGroup --name myBastionPublicIP --sku Standard --location eastus --allocation-method Static
Expected Output
{
  "dnsSettings": null,
  "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/publicIPAddresses/myBastionPublicIP",
  "ipAddress": "52.170.12.34",
  "ipTags": [],
  "location": "eastus",
  "name": "myBastionPublicIP",
  "provisioningState": "Succeeded",
  "publicIPAllocationMethod": "Static",
  "publicIPAddressVersion": "IPv4",
  "resourceGroup": "myResourceGroup",
  "sku": {
    "name": "Standard"
  },
  "tags": {},
  "type": "Microsoft.Network/publicIPAddresses"
}
--sku - Must be Standard for Azure Bastion; a Basic SKU IP is rejected
--allocation-method - Static allocation is required; Standard SKU IPs are always static
Create the Azure Bastion host in the virtual network's AzureBastionSubnet and bind it to the public IP. The CLI finds AzureBastionSubnet on its own, which is why the subnet is not passed as a parameter. Provisioning takes several minutes. Set --sku explicitly rather than relying on the CLI default if you need Standard-only features such as native client (tunneling) support, IP-based connections or host scaling.
Terminal
az network bastion create --resource-group myResourceGroup --name myBastionHost --public-ip-address myBastionPublicIP --vnet-name myVnet --location eastus
Expected Output
{
  "etag": "W/\"00000000-0000-0000-0000-000000000000\"",
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/bastionHosts/myBastionHost",
  "location": "eastus",
  "name": "myBastionHost",
  "provisioningState": "Succeeded",
  "resourceGroup": "myResourceGroup",
  "tags": {},
  "type": "Microsoft.Network/bastionHosts"
}
--public-ip-address - Associates the Bastion host with the Standard SKU public IP created above
--vnet-name - Specifies the virtual network that contains AzureBastionSubnet
Verify the Bastion host was created successfully and check its details; provisioningState must read Succeeded before you try to connect.
Terminal
az network bastion show --resource-group myResourceGroup --name myBastionHost
Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/bastionHosts/myBastionHost",
  "location": "eastus",
  "name": "myBastionHost",
  "provisioningState": "Succeeded",
  "resourceGroup": "myResourceGroup",
  "type": "Microsoft.Network/bastionHosts"
}
Key Concept

If you remember nothing else from this pattern, remember: Azure Bastion lets you connect to VMs without exposing them to the internet. Only the Bastion host, in its dedicated AzureBastionSubnet, has a public IP; your browser reaches it over HTTPS, and it reaches the VMs over their private IPs.

Common Mistakes
Naming the subnet anything other than AzureBastionSubnet, or sizing it too small
Azure Bastion requires the subnet to be named exactly AzureBastionSubnet, to be /26 or larger, and to hold no other resources.
Always create a dedicated subnet named AzureBastionSubnet, /26 or larger, in your virtual network before deploying Bastion.
Using a Basic SKU public IP instead of Standard
Azure Bastion requires a Standard SKU public IP for proper functionality and SLA.
Create the public IP with --sku Standard and --allocation-method Static.
Not associating the Bastion host with the correct virtual network or public IP
Bastion won't work if it is not linked to the right virtual network and public IP address.
Specify the correct --vnet-name and --public-ip-address when creating the Bastion host.
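The script below is an added example; it is not code from the original page or from Microsoft. It wraps the three Commands steps (subnet, public IP, Bastion host, then verification) into one deployment, adds an alternative path that feeds the same names to the azuredeploy.json template, and front-loads checks for the mistakes listed above, so a /27 subnet, a wrong subnet name or a Basic or dynamic public IP is caught before anything is created. It also attaches a network security group to AzureBastionSubnet carrying the rule set Azure Bastion requires whenever an NSG is present. Resource names match the commands above; the NSG name myBastionNsg and the 10.0.1.0/26 range are assumptions, and all of them can be overridden through environment variables.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: the three Commands steps
# above (or the azuredeploy.json template) in one script, with preflight
# checks for the mistakes listed above. Resource names, the NSG name and the
# 10.0.1.0/26 prefix are assumptions; override them via environment variables.
set -eu

RG="${RG:-myResourceGroup}"
VNET="${VNET:-myVnet}"
LOCATION="${LOCATION:-eastus}"
BASTION="${BASTION:-myBastionHost}"
PIP="${PIP:-myBastionPublicIP}"
NSG="${NSG:-myBastionNsg}"                      # hypothetical NSG name
BASTION_PREFIX="${BASTION_PREFIX:-10.0.1.0/26}"

# Pure checks (no Azure calls): the subnet name is fixed by the service.
bastion_subnet_name_ok() { [ "$1" = "AzureBastionSubnet" ]; }

# Bastion needs a /26 or larger subnet, i.e. prefix length 26 or smaller;
# "10.0.1.0/27" and a bare address without a prefix both fail.
bastion_prefix_ok() {
  local len="${1##*/}"
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 26 ]
}

# The public IP must be Standard SKU with static allocation.
bastion_pip_ok() { [ "${1:-}" = "Standard" ] && [ "${2:-}" = "Static" ]; }

# Rules Bastion requires on AzureBastionSubnet when an NSG is attached:
# one "direction priority name ports source destination" line per rule.
bastion_nsg_rules() {
  cat <<'EOF'
Inbound 120 AllowHttpsInbound 443 Internet *
Inbound 130 AllowGatewayManagerInbound 443 GatewayManager *
Inbound 140 AllowAzureLoadBalancerInbound 443 AzureLoadBalancer *
Inbound 150 AllowBastionHostCommunication 8080,5701 VirtualNetwork VirtualNetwork
Outbound 100 AllowSshRdpOutbound 22,3389 * VirtualNetwork
Outbound 110 AllowAzureCloudOutbound 443 * AzureCloud
Outbound 120 AllowBastionCommunication 8080,5701 VirtualNetwork VirtualNetwork
Outbound 130 AllowGetSessionInformation 80 * Internet
EOF
}

create_bastion_nsg() {
  az network nsg create -g "$RG" -n "$NSG" -l "$LOCATION" -o none
  bastion_nsg_rules | while read -r dir prio name ports src dst; do
    az network nsg rule create -g "$RG" --nsg-name "$NSG" -n "$name" \
      --priority "$prio" --direction "$dir" --access Allow --protocol Tcp \
      --source-address-prefixes "$src" --source-port-ranges '*' \
      --destination-address-prefixes "$dst" \
      --destination-port-ranges $(printf '%s' "$ports" | tr ',' ' ') -o none
  done
}

# Refuse to deploy onto an existing subnet or public IP that Bastion rejects.
preflight() {
  local prefix pipinfo
  if prefix=$(az network vnet subnet show -g "$RG" --vnet-name "$VNET" \
        -n AzureBastionSubnet --query addressPrefix -o tsv 2>/dev/null); then
    bastion_prefix_ok "$prefix" ||
      { echo "AzureBastionSubnet is $prefix; Bastion needs /26 or larger" >&2; return 1; }
  fi
  if pipinfo=$(az network public-ip show -g "$RG" -n "$PIP" \
        --query "join(' ',[sku.name,publicIPAllocationMethod])" -o tsv 2>/dev/null); then
    bastion_pip_ok $pipinfo ||
      { echo "$PIP is $pipinfo; Bastion needs Standard Static" >&2; return 1; }
  fi
  bastion_prefix_ok "$BASTION_PREFIX" ||
    { echo "BASTION_PREFIX=$BASTION_PREFIX is too small for Bastion" >&2; return 1; }
}

# Same order as the Commands section: subnet, public IP, Bastion host, verify.
deploy_bastion() {
  preflight
  create_bastion_nsg
  az network vnet subnet show -g "$RG" --vnet-name "$VNET" -n AzureBastionSubnet -o none 2>/dev/null ||
    az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n AzureBastionSubnet \
      --address-prefixes "$BASTION_PREFIX" --network-security-group "$NSG" -o none
  az network public-ip create -g "$RG" -n "$PIP" -l "$LOCATION" \
    --sku Standard --allocation-method Static -o none
  az network bastion create -g "$RG" -n "$BASTION" -l "$LOCATION" \
    --vnet-name "$VNET" --public-ip-address "$PIP" --sku Standard -o none
  az network bastion show -g "$RG" -n "$BASTION" --query provisioningState -o tsv
}
# Alternative: hand the same names to the azuredeploy.json template above.
deploy_template() {
  preflight
  az deployment group create -g "$RG" --template-file azuredeploy.json \
    --parameters bastionName="$BASTION" virtualNetworkName="$VNET" \
                 publicIpName="$PIP" location="$LOCATION" -o none
}
# Only touch Azure when explicitly asked: ./bastion.sh deploy | template
case "${1:-}" in
  deploy)   deploy_bastion ;;
  template) deploy_template ;;
esac
```

Run it as ./bastion.sh deploy (or ./bastion.sh template) after az login; with no argument it only defines the functions, so the pure checks can be exercised without a subscription. The target VM's own NSG still has to allow TCP 22 or 3389 inbound from the AzureBastionSubnet range; that rule lives on the VM side and is deliberately not created here.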
Summary
Create a dedicated subnet named AzureBastionSubnet, /26 or larger, in your virtual network for Bastion.
Create a static Standard SKU public IP address for the Bastion host.
Deploy the Azure Bastion host linked to the subnet and public IP.
Verify the Bastion host is deployed successfully before connecting to VMs.

Practice

1. What is the main purpose of Azure Bastion when accessing virtual machines (VMs)?
easy
A. To backup VM data to Azure storage
B. To create public IP addresses for all VMs automatically
C. To replace virtual networks with a simpler network
D. To provide secure, browser-based access to VMs without exposing public IP addresses

Solution

  1. Step 1: Understand Azure Bastion's role

    Azure Bastion allows users to connect to VMs securely through a browser without needing a public IP on the VM.
  2. Step 2: Compare options with this role

    Only option D, "To provide secure, browser-based access to VMs without exposing public IP addresses", describes this role: browser-based access with no public IP exposure on the VM.
  3. Final Answer:

    To provide secure, browser-based access to VMs without exposing public IP addresses -> Option D
  4. Quick Check:

    Azure Bastion = Secure browser access without public IP [OK]
Hint: Azure Bastion hides VM public IPs for secure browser access [OK]
Common Mistakes:
  • Thinking Azure Bastion creates public IPs for VMs
  • Confusing Azure Bastion with backup services
  • Assuming it replaces virtual networks
2. Which subnet name is required to deploy Azure Bastion correctly?
easy
A. AzureBastionSubnet
B. PublicSubnet
C. GatewaySubnet
D. BastionSubnet

Solution

  1. Step 1: Recall Azure Bastion subnet naming requirement

    Azure Bastion requires a dedicated subnet named exactly 'AzureBastionSubnet' for deployment.
  2. Step 2: Match options with the required name

    Only AzureBastionSubnet matches the exact required subnet name.
  3. Final Answer:

    AzureBastionSubnet -> Option A
  4. Quick Check:

    Subnet name for Bastion = AzureBastionSubnet [OK]
Hint: Azure Bastion subnet must be named AzureBastionSubnet exactly [OK]
Common Mistakes:
  • Using 'BastionSubnet' instead of 'AzureBastionSubnet'
  • Confusing with 'GatewaySubnet' used for VPN gateways
  • Naming subnet 'PublicSubnet' incorrectly
3. Given this Azure CLI command snippet to create an Azure Bastion host, what will be the result?
az network bastion create --resource-group MyResourceGroup --name MyBastionHost --public-ip-address MyPublicIP --vnet-name MyVNet --subnet AzureBastionSubnet --location eastus
medium
A. Fails because the subnet AzureBastionSubnet is missing in MyVNet
B. Creates a VM named MyBastionHost instead of a Bastion host
C. Creates an Azure Bastion host named MyBastionHost in MyResourceGroup using MyPublicIP and MyVNet
D. Creates a public IP named MyBastionHost

Solution

  1. Step 1: Check prerequisites for Azure Bastion creation

    Azure Bastion requires a subnet named 'AzureBastionSubnet' in the specified virtual network before creation.
  2. Step 2: Analyze command and subnet presence

    If the subnet AzureBastionSubnet exists in MyVNet, the command will successfully create the Bastion host.
  3. Final Answer:

    Creates an Azure Bastion host named MyBastionHost in MyResourceGroup using MyPublicIP and MyVNet -> Option C
  4. Quick Check:

    Azure Bastion host created if subnet exists [OK]
Hint: Azure Bastion needs AzureBastionSubnet before creation [OK]
Common Mistakes:
  • Assuming the command creates the subnet automatically
  • Confusing Bastion host with VM creation
  • Thinking public IP is created with Bastion host name
4. You deployed Azure Bastion but cannot connect to your VM through the Azure portal. What is the most likely cause?
medium
A. The AzureBastionSubnet is smaller than /27
B. The VM is in a different virtual network than the Bastion host
C. The VM has a public IP address assigned
D. The Bastion host is deployed in the same subnet as the VM

Solution

  1. Step 1: Understand Bastion host and VM network relationship

    Azure Bastion opens the RDP/SSH session to the VM's private IP, so the VM must be in the Bastion host's virtual network or in a virtual network peered to it.
  2. Step 2: Analyze options for connectivity issues

    If the VM is in a different, unpeered virtual network, the Bastion host has no route to its private IP and the connection fails.
  3. Final Answer:

    The VM is in a different virtual network than the Bastion host -> Option B
  4. Quick Check:

    VM and Bastion must share a VNet (or a peering) [OK]
Hint: Bastion and VM must be in the same or a peered virtual network [OK]
Common Mistakes:
  • Assigning a public IP to the VM does not block Bastion access; Bastion uses the private IP, so the public IP is only unnecessary exposure
  • A too-small AzureBastionSubnet fails at deployment time, not at connection time
  • Deploying Bastion in the VM's subnet is not possible; it must live in the dedicated AzureBastionSubnet
5. You want to secure access to multiple VMs in different subnets within the same virtual network using Azure Bastion. Which configuration is required?
hard
A. Deploy one Azure Bastion host in a dedicated AzureBastionSubnet in the virtual network; no public IPs needed on VMs
B. Deploy an Azure Bastion host in each subnet where VMs are located
C. Assign public IPs to all VMs and connect directly without Bastion
D. Deploy Azure Bastion in a separate virtual network and peer it with VM networks

Solution

  1. Step 1: Understand Azure Bastion scope within a virtual network

    One Azure Bastion host can reach VMs in every subnet of its virtual network (and, through VNet peering, in peered networks); the only subnet it needs for itself is AzureBastionSubnet.
  2. Step 2: Evaluate options for multi-subnet VM access

    Option A is the required configuration: one Bastion host in the dedicated AzureBastionSubnet, with the VMs keeping private IPs only.
  3. Final Answer:

    Deploy one Azure Bastion host in a dedicated AzureBastionSubnet in the virtual network; no public IPs needed on VMs -> Option A
  4. Quick Check:

    One Bastion per VNet secures all subnets [OK]
Hint: One Bastion host per VNet secures all subnets [OK]
Common Mistakes:
  • Deploying Bastion in every subnet is neither possible (it needs AzureBastionSubnet) nor necessary
  • Assigning public IPs to the VMs defeats Bastion's purpose
  • A Bastion host in a separate, peered hub VNet is a supported design, but it is not required when the VMs already share the Bastion host's VNet