Bird
Raised Fist0
Azurecloud~5 mins

Azure Bastion for secure VM access - Cheat Sheet & Quick Revision

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Recall & Review
beginner
What is Azure Bastion?
Azure Bastion is a managed service that provides secure and seamless RDP and SSH connectivity to virtual machines directly through the Azure portal without exposing the VM to the public internet.
Click to reveal answer
beginner
How does Azure Bastion improve VM security?
Azure Bastion eliminates the need for public IP addresses on VMs and protects against port scanning and other attacks by providing RDP/SSH access over SSL through the Azure portal.
Click to reveal answer
beginner
Which protocols does Azure Bastion support for VM access?
Azure Bastion supports RDP (Remote Desktop Protocol) for Windows VMs and SSH (Secure Shell) for Linux VMs.
Click to reveal answer
intermediate
What is required to use Azure Bastion in a virtual network?
You need to deploy an Azure Bastion host in the virtual network with a dedicated subnet named 'AzureBastionSubnet' that has a minimum /27 address space.
Click to reveal answer
intermediate
Can Azure Bastion be used to connect to VMs across different virtual networks?
By default, Azure Bastion connects to VMs in the same virtual network. To connect across virtual networks, peering or VPN connections must be configured between the networks.
Click to reveal answer
What does Azure Bastion eliminate the need for when accessing VMs?
AAzure subscriptions
BVirtual networks
CPublic IP addresses on VMs
DStorage accounts
Which subnet name is required for deploying Azure Bastion?
AAzureBastionSubnet
BBastionSubnet
CGatewaySubnet
DManagementSubnet
Which protocols does Azure Bastion support for VM connections?
AFTP and HTTP
BRDP and SSH
CSMTP and POP3
DTelnet and SNMP
How does Azure Bastion protect VMs from port scanning attacks?
ABy providing access only through the Azure portal over SSL
BBy blocking all inbound traffic
CBy disabling RDP and SSH protocols
DBy using VPN tunnels only
To connect to VMs in different virtual networks using Azure Bastion, what must be configured?
ANothing, it works automatically
BAzure Firewall
CPublic IP addresses on VMs
DVirtual network peering or VPN connections
Explain how Azure Bastion provides secure access to virtual machines without exposing them to the internet.
Think about how Azure Bastion acts as a bridge inside the virtual network.
You got /4 concepts.
    Describe the steps needed to deploy Azure Bastion in an Azure virtual network.
    Focus on subnet creation and Bastion host deployment.
    You got /4 concepts.

      Practice

      (1/5)
      1. What is the main purpose of Azure Bastion when accessing virtual machines (VMs)?
      easy
      A. To backup VM data to Azure storage
      B. To create public IP addresses for all VMs automatically
      C. To replace virtual networks with a simpler network
      D. To provide secure, browser-based access to VMs without exposing public IP addresses

      Solution

      1. Step 1: Understand Azure Bastion's role

        Azure Bastion allows users to connect to VMs securely through a browser without needing a public IP on the VM.

      2. Step 2: Compare options with this role

        Only To provide secure, browser-based access to VMs without exposing public IP addresses describes this secure, browser-based access without public IP exposure.

      3. Final Answer:

        To provide secure, browser-based access to VMs without exposing public IP addresses -> Option D

      4. Quick Check:

        Azure Bastion = Secure browser access without public IP [OK]
      Hint: Azure Bastion hides VM public IPs for secure browser access [OK]
      Common Mistakes:
      • Thinking Azure Bastion creates public IPs for VMs
      • Confusing Azure Bastion with backup services
      • Assuming it replaces virtual networks
      2. Which subnet name is required to deploy Azure Bastion correctly?
      easy
      A. AzureBastionSubnet
      B. PublicSubnet
      C. GatewaySubnet
      D. BastionSubnet

      Solution

      1. Step 1: Recall Azure Bastion subnet naming requirement

        Azure Bastion requires a dedicated subnet named exactly 'AzureBastionSubnet' for deployment.

      2. Step 2: Match options with the required name

        Only AzureBastionSubnet matches the exact required subnet name.

      3. Final Answer:

        AzureBastionSubnet -> Option A

      4. Quick Check:

        Subnet name for Bastion = AzureBastionSubnet [OK]
      Hint: Azure Bastion subnet must be named AzureBastionSubnet exactly [OK]
      Common Mistakes:
      • Using 'BastionSubnet' instead of 'AzureBastionSubnet'
      • Confusing with 'GatewaySubnet' used for VPN gateways
      • Naming subnet 'PublicSubnet' incorrectly
      3. Given this Azure CLI command snippet to create an Azure Bastion host, what will be the result? 
      az network bastion create --resource-group MyResourceGroup --name MyBastionHost --public-ip-address MyPublicIP --vnet-name MyVNet --subnet AzureBastionSubnet --location eastus
      medium
      A. Fails because the subnet AzureBastionSubnet is missing in MyVNet
      B. Creates a VM named MyBastionHost instead of a Bastion host
      C. Creates an Azure Bastion host named MyBastionHost in MyResourceGroup using MyPublicIP and MyVNet
      D. Creates a public IP named MyBastionHost

      Solution

      1. Step 1: Check prerequisites for Azure Bastion creation

        Azure Bastion requires a subnet named 'AzureBastionSubnet' in the specified virtual network before creation.

      2. Step 2: Analyze command and subnet presence

        If the subnet AzureBastionSubnet exists in MyVNet, the command will successfully create the Bastion host.

      3. Final Answer:

        Creates an Azure Bastion host named MyBastionHost in MyResourceGroup using MyPublicIP and MyVNet -> Option C

      4. Quick Check:

        Azure Bastion host created if subnet exists [OK]
      Hint: Azure Bastion needs AzureBastionSubnet before creation [OK]
      Common Mistakes:
      • Assuming the command creates the subnet automatically
      • Confusing Bastion host with VM creation
      • Thinking public IP is created with Bastion host name
      4. You deployed Azure Bastion but cannot connect to your VM through the Azure portal. What is the most likely cause?
      medium
      A. The AzureBastionSubnet is smaller than /27
      B. The VM is in a different virtual network than the Bastion host
      C. The VM has a public IP address assigned
      D. The Bastion host is deployed in the same subnet as the VM

      Solution

      1. Step 1: Understand Bastion host and VM network relationship

        Azure Bastion must be deployed in the same virtual network as the VM to allow secure access.

      2. Step 2: Analyze options for connectivity issues

        If the VM is in a different virtual network, Bastion cannot connect to it, causing failure.

      3. Final Answer:

        The VM is in a different virtual network than the Bastion host -> Option B

      4. Quick Check:

        VM and Bastion must share the same VNet [OK]
      Hint: Bastion and VM must be in the same virtual network [OK]
      Common Mistakes:
      • Assigning public IP to VM does not block Bastion access
      • Thinking subnet size smaller than /27 causes failure
      • Deploying Bastion in VM subnet is not allowed
      5. You want to secure access to multiple VMs in different subnets within the same virtual network using Azure Bastion. Which configuration is required?
      hard
      A. Deploy one Azure Bastion host in a dedicated AzureBastionSubnet in the virtual network; no public IPs needed on VMs
      B. Deploy an Azure Bastion host in each subnet where VMs are located
      C. Assign public IPs to all VMs and connect directly without Bastion
      D. Deploy Azure Bastion in a separate virtual network and peer it with VM networks

      Solution

      1. Step 1: Understand Azure Bastion scope within a virtual network

        One Azure Bastion host per virtual network can provide secure access to all VMs in any subnet within that network.

      2. Step 2: Evaluate options for multi-subnet VM access

        Deploy one Azure Bastion host in a dedicated AzureBastionSubnet in the virtual network; no public IPs needed on VMs correctly states deploying one Bastion host in the required subnet with no public IPs on VMs.

      3. Final Answer:

        Deploy one Azure Bastion host in a dedicated AzureBastionSubnet in the virtual network; no public IPs needed on VMs -> Option A

      4. Quick Check:

        One Bastion per VNet secures all subnets [OK]
      Hint: One Bastion host per VNet secures all subnets [OK]
      Common Mistakes:
      • Deploying Bastion in every subnet wastes resources
      • Assigning public IPs defeats Bastion's purpose
      • Trying to peer Bastion in separate VNet for access