Skip to main content
Azure Bastion provides secure RDP and SSH connectivity to virtual machines directly from the Azure portal—without assigning public IP addresses to those VMs. Bastion tunnels RDP/SSH traffic over TLS (port 443), encrypting traffic end-to-end and allowing administrators to reach VMs using private IPs inside the virtual network. Key benefits:
  • No public IPs required on virtual machines.
  • Browser-based RDP/SSH sessions over TLS (443).
  • Centralized, auditable access to VMs from the Azure portal.
Azure Bastion must be deployed into a dedicated subnet named exactly AzureBastionSubnet. If the subnet name differs, Bastion cannot be deployed there—this name is mandatory.
High-level connectivity flow:
  • An administrator signs into the Azure portal over the internet (TLS on port 443).
  • Azure Bastion is deployed inside the virtual network in the AzureBastionSubnet.
  • Bastion connects to target VMs using RDP or SSH over their private IP addresses.
  • Because only private IPs are used, VMs do not expose public IPs.
Example: An Azure subscription with two VMs (one Linux, one Windows) where neither VM has a public IP attached.
The image shows a Microsoft Azure portal interface displaying a list of virtual machines, with details such as name, subscription, resource group, location, status, operating system, size, and number of disks.

Deploy Azure Bastion from the Azure portal

Follow these steps to create a Bastion host:
  1. In the Azure portal, search for and open the Bastion service, then click Create.
  2. Select (or create) a resource group and provide a name for the Bastion instance (for example: Bastion-EastUS2).
  3. Choose the target virtual network that contains the VMs and ensure the AzureBastionSubnet exists and uses the correct name.
  4. Select the SKU:
    • Developer (for testing; limited features and concurrency)
    • Standard (production)
    • Premium (advanced features)
  5. Under Advanced settings, review optional features: clipboard support (copy/paste), IP-based connections, and Kerberos authentication—feature availability depends on the selected SKU.
  6. Add tags if required, then Review + createCreate.
After deployment you can open the Bastion resource to review its configuration and public DNS name.
The image shows an overview page of a Microsoft Azure Bastion, including details like resource group, location, and public DNS name. It also offers links to tutorials for free Microsoft training.

Bastion SKU and feature comparison

For full, up-to-date SKU capabilities and pricing, see the official Azure Bastion documentation linked at the end.

Connect to a VM via Bastion (Portal)

To open a Bastion session from the portal:
  1. Go to Virtual Machines and open the VM you want to access.
  2. Click ConnectConnect via Bastion.
  3. Provide the VM credentials (username/password or select SSH private key for Linux).
  4. Click Connect — the session opens in a new browser tab. If a pop-up is blocked, allow pop-ups for the portal.
When connecting to a Linux VM via Bastion, the browser-based SSH session shows the VM login prompt and shell output. Example login banner and prompt:
The Developer SKU supports only one active Bastion session at a time. For multiple concurrent sessions or advanced features (IP-based connections, Kerberos authentication, etc.), upgrade to the Standard or Premium SKU.
The image displays the Microsoft Azure portal interface, showing virtual machine management with options for creating and managing virtual machines, and a focus on Bastion services for secure connectivity.

Connect to a Windows VM using Bastion

  • In the portal, select the Windows VM, click ConnectBastion.
  • Enter the username (for example, KodeKloud) and password, then click Connect.
  • The Bastion session launches an RDP desktop session in a browser tab—no public IP is required on the VM.
Using Bastion ensures that RDP and SSH access stays inside your virtual network perimeter while still allowing convenient portal-based access. The next section covers Azure Firewall.

Watch Video