
Azure Bastion for secure VM access - Step-by-Step Execution

Process Flow - Azure Bastion for secure VM access
1. User wants VM access
2. Connect to Azure Portal
3. Select VM
4. Use Azure Bastion
5. Azure Bastion creates secure tunnel
6. User accesses VM securely
7. Session ends
The user connects to the VM through the Azure Portal using Azure Bastion, which creates a secure tunnel without exposing the VM to the public internet.
Execution Sample
Azure
az network bastion create \
  --resource-group MyResourceGroup \
  --location MyLocation \
  --name MyBastionHost \
  --public-ip-address MyBastionIP \
  --vnet-name MyVnet
This command creates an Azure Bastion host in a virtual network to enable secure VM access.
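The command above succeeds only when its prerequisites already exist. The script below is an added example, not part of the original page: it creates the subnet and public IP that Bastion needs, runs the page's command, and can then check that a VM has no public IP of its own. The subnet prefix 10.0.1.0/26, the function names and the deploy/check arguments are assumptions; the resource names are the page's placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Resource names are the page's
# placeholders; the subnet prefix and the function names are assumptions.
set -eu

RG="MyResourceGroup"; LOCATION="MyLocation"; VNET="MyVnet"
BASTION="MyBastionHost"; BASTION_IP="MyBastionIP"
BASTION_SUBNET_PREFIX="10.0.1.0/26"   # assumed; must lie inside MyVnet's address space

# Creates the Bastion prerequisites, then the Bastion host itself.
deploy_bastion() {
  # Bastion deploys only into a subnet named exactly AzureBastionSubnet (/26 or larger).
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name AzureBastionSubnet --address-prefixes "$BASTION_SUBNET_PREFIX"
  # Step 1: Bastion needs a Standard-SKU, statically allocated public IP.
  az network public-ip create --resource-group "$RG" --name "$BASTION_IP" \
    --location "$LOCATION" --sku Standard --allocation-method Static
  # Step 2: the command from the page.
  az network bastion create --resource-group "$RG" --location "$LOCATION" \
    --name "$BASTION" --public-ip-address "$BASTION_IP" --vnet-name "$VNET"
}

# Prints every public IP attached to the VM's NICs; empty output means none.
vm_public_ips() {
  az vm list-ip-addresses --resource-group "$RG" --name "$1" \
    --query "[].virtualMachine.network.publicIpAddresses[].ipAddress" --output tsv
}

# Returns 0 when the VM has no public IP, 1 (with a message on stderr) otherwise.
vm_has_no_public_ip() {
  ips="$(vm_public_ips "$1")"
  if [ -n "$ips" ]; then
    echo "FAIL: $1 still has public IP(s): $ips" >&2
    return 1
  fi
  echo "OK: $1 has no public IP"
}

# Usage: ./bastion.sh deploy   |   ./bastion.sh check TargetVM
case "${1:-}" in
  deploy) deploy_bastion ;;
  check)  vm_has_no_public_ip "${2:?VM name required}" ;;
esac
```

Run the check for each VM that should be reachable only through Bastion; a non-zero exit status means a public IP is still attached to that VM.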
Process Table
| Step | Action | Resource Created/Used | Result/State |
|------|--------|-----------------------|--------------|
| 1 | Create public IP for Bastion | Public IP: MyBastionIP | Public IP allocated and ready |
| 2 | Create Bastion host in VNet | Bastion Host: MyBastionHost | Bastion host deployed and linked to VNet |
| 3 | User selects VM in portal | VM: TargetVM | VM selected for connection |
| 4 | User clicks 'Connect' via Bastion | Bastion Host | Secure tunnel established |
| 5 | User accesses VM via browser RDP/SSH | VM: TargetVM | Secure session active |
| 6 | User ends session | Bastion Host | Tunnel closed, VM remains secure |
💡 When the user ends the session, the secure tunnel closes and the VM remains protected, with no public IP exposed.
Status Tracker
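| Variable | Start | After Step 1 | After Step 2 | After Step 4 | After Step 5 | Final |
|----------|-------|--------------|--------------|--------------|--------------|-------|
| Public IP | None | Allocated | Allocated | Allocated | Allocated | Allocated |
| Bastion Host | None | None | Created | Created | Created | Created |
| VM Connection | Disconnected | Disconnected | Disconnected | Connected | Connected | Disconnected |
| Secure Tunnel | Closed | Closed | Closed | Open | Open | Closed |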
Key Moments - 3 Insights
Why can't I connect directly to the VM without Azure Bastion?
The VM does not have a public IP and is protected inside a virtual network. Azure Bastion creates a secure tunnel to access it without exposing it to the internet, as shown in steps 4 and 5 of the Process Table.
What happens if the public IP for Bastion is not created first?
Azure Bastion requires a public IP to accept connections. Without it (see the Public IP row of the Status Tracker at Start and After Step 1), the Bastion host cannot be created or used.
Does Azure Bastion expose the VM's RDP or SSH ports to the internet?
No. Azure Bastion tunnels the connection securely inside Azure's network, so the VM's ports remain closed to the public internet, as seen in step 5 of the Process Table.
Visual Quiz - 3 Questions
Test your understanding
Looking at the Process Table, at which step is the secure tunnel established?
A. Step 3
B. Step 5
C. Step 4
D. Step 2
💡 Hint
Check the 'Result/State' column for when the tunnel opens.
According to the Status Tracker, what is the state of the VM connection after Step 2?
A. Connected
B. Disconnected
C. Connecting
D. Unknown
💡 Hint
Look at the 'VM Connection' row under 'After Step 2'.
If the public IP is not allocated, what will happen to the Bastion host creation?
A. Bastion host creation will fail
B. Bastion host will be created successfully
C. Bastion host will be created but unusable
D. Public IP is not required for Bastion
💡 Hint
Refer to the Key Moments section about the necessity of a public IP for Bastion.
Concept Snapshot
Azure Bastion enables secure VM access without public IPs.
Create a public IP, then deploy the Bastion host in the VNet.
Use the Azure Portal to connect via Bastion, which tunnels RDP/SSH securely.
No direct exposure of VM ports to the internet.
Ending the session closes the tunnel, keeping the VM protected.
Full Transcript
Azure Bastion is a service that lets you securely connect to virtual machines without exposing them to the public internet. First, you create a public IP address for the Bastion host. Then, you deploy the Bastion host inside your virtual network. When you want to access a VM, you select it in the Azure Portal and connect through Bastion. This creates a secure tunnel that lets you use RDP or SSH in your browser. The VM itself does not need a public IP and remains protected. When you finish, the tunnel closes, and the VM stays secure. This process avoids opening VM ports to the internet and uses Azure's secure infrastructure.