Azure Bastion provides secure, browser-based RDP and SSH connectivity to virtual machines (VMs) directly from the Azure portal. It removes the need to assign public IP addresses to VMs by brokering connections over TLS (port 443) from a Bastion host that lives inside a dedicated subnet of your virtual network.
Key benefits:
  • No public IPs on target VMs — reduces attack surface.
  • RDP (Windows) and SSH (Linux) from the portal — no additional client required.
  • Connections are encrypted over TLS and use the VM private IP addresses.
How it works:
  • The user signs in to the Azure portal over TLS (443).
  • A Bastion host is deployed in a dedicated subnet named exactly AzureBastionSubnet.
  • Bastion brokers RDP or SSH connections to target VMs using their private IPs.
[Figure: Network diagram of Azure Bastion. A user connects through the Azure portal; the Bastion host in the AzureBastionSubnet brokers RDP/SSH connections (ports 3389/22) to target VMs over their private IPs, inside the virtual network boundary.]
Important: The Bastion subnet must be named exactly AzureBastionSubnet and must meet the minimum size requirement (a /27 or larger address range). This subnet must be dedicated to Azure Bastion. If the subnet name is different or the prefix is too small, the Bastion resource cannot be deployed. For full requirements, see the Azure Bastion documentation: https://learn.microsoft.com/azure/bastion/

Deploy Azure Bastion from the Azure portal

Prerequisites:
  • A virtual network that contains the VMs you want to access.
  • A dedicated subnet named AzureBastionSubnet with at least a /27 prefix.
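A pre-deployment check for the subnet requirements above (exact name, /27 or larger, dedicated), as an added example that is not part of the original page or of any Microsoft tooling. It also checks that the range lies inside the VNet address space and overlaps no other subnet; the layout dictionary, its field names (including `attached`) and the sample addresses are constructed for illustration.

```python
import ipaddress

BASTION_SUBNET = "AzureBastionSubnet"  # exact name the page requires
MAX_PREFIXLEN = 27                     # "/27 or larger" means prefix length <= 27

def check_bastion_subnet(vnet):
    """Return the problems found in a planned VNet layout (empty list = OK)."""
    subnets = {s["name"]: s for s in vnet["subnets"]}
    bastion = subnets.get(BASTION_SUBNET)  # exact, case-sensitive match
    if bastion is None:
        return [f"no subnet named exactly {BASTION_SUBNET}"]
    problems = []
    net = ipaddress.ip_network(bastion["prefix"])
    if net.prefixlen > MAX_PREFIXLEN:
        problems.append(f"{net} is smaller than /{MAX_PREFIXLEN}")
    space = [ipaddress.ip_network(p) for p in vnet["address_space"]]
    if not any(net.version == s.version and net.subnet_of(s) for s in space):
        problems.append(f"{net} is outside the VNet address space")
    for name, s in subnets.items():
        other = ipaddress.ip_network(s["prefix"])
        if name != BASTION_SUBNET and net.overlaps(other):
            problems.append(f"{net} overlaps subnet {name} ({other})")
    if bastion.get("attached"):  # hypothetical field: NICs already in the subnet
        problems.append("subnet is not dedicated: " + ", ".join(bastion["attached"]))
    return problems

def plan(bastion_name, bastion_prefix, attached=()):
    """Constructed sample layout; only the Bastion subnet varies."""
    return {
        "address_space": ["10.0.0.0/16"],
        "subnets": [
            {"name": "workload", "prefix": "10.0.1.0/24",
             "attached": ["vm-linux-bastion-nic"]},
            {"name": bastion_name, "prefix": bastion_prefix,
             "attached": list(attached)},
        ],
    }

if __name__ == "__main__":
    cases = [
        plan("AzureBastionSubnet", "10.0.2.0/26"),  # valid
        plan("AzureBastionSubnet", "10.0.2.0/28"),  # too small
        plan("BastionSubnet", "10.0.2.0/27"),       # wrong name
        plan("AzureBastionSubnet", "10.0.1.0/27"),  # overlaps workload
    ]
    for case in cases:
        print(check_bastion_subnet(case) or "OK")
```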
Steps to create Bastion:
  1. In the Azure portal, search for and open Azure Bastion, then click Create.
  2. Select the subscription and resource group, set the Bastion name (for example, Bastion-US2), and choose the virtual network containing your VMs.
  3. Choose a SKU. For quick testing you can select the Developer SKU, but production scenarios typically use Standard or Premium for higher concurrency and advanced features.
  4. On the Advanced tab, review optional features (copy & paste, IP-based connection, Kerberos authentication, native client support, shareable link, session recording).
  5. Complete the deployment: Tags -> Review + Create -> Create.
[Figure: The "Create a Bastion" page (Advanced tab) in the Azure portal, with checkboxes for Copy and paste, IP-based connection, Kerberos authentication, Native client support, Shareable Link, and Session recording.]
After the deployment completes, open the Bastion resource to view its overview page (DNS name, virtual network, provisioning state, and other essentials).
[Figure: Azure portal overview page for a Bastion host named "bastion-eus2", showing the essentials: resource group, location, subscription, virtual network, and provisioning state.]

Connect to a VM using Bastion

To open an RDP or SSH session through Bastion:
  1. In the Azure portal, go to Virtual Machines and select the VM you want to connect to.
  2. Click Connect and choose Bastion.
  3. Enter the VM credentials (username and password, or appropriate auth method) and click Connect. A new browser tab will open with the session.
Watch for browser pop-up blockers: allow pop-ups for the Azure portal if the session tab is blocked.
[Figure: Azure portal Virtual Machines page with the Bastion connection pane for "vm-linux-bastion": a username filled in, a masked VM password, and a "Connecting..." button.]
If your browser blocks the new window/tab, you may not see the Bastion session. Allow pop-ups for the Azure portal and retry the connection. Some corporate browsers or extensions may require additional configuration.
Example: SSH session output from an Ubuntu VM accessed via Azure Bastion
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 6.8.0-1031-azure x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:    https://landscape.canonical.com
 * Support:       https://ubuntu.com/pro

System information as of Tue Aug 26 19:58:13 UTC 2025

 System load:                0.03             Processes:             108
 Usage of /:                 5.4% of 28.89GB  Users logged in:       0
 Memory usage:               29%              IPv4 address for eth0: 10.0.1.5
 Swap usage:                 0%

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

kodekloud@vm-linux-bastion:~$

Bastion SKUs and concurrency (quick reference)

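| SKU       | Use case                       | Typical features / concurrency                                              |
|-----------|--------------------------------|-----------------------------------------------------------------------------|
| Developer | Testing or lab environments    | Single concurrent session; limited features                                 |
| Standard  | Production workloads           | Multiple concurrent sessions; copy/paste; native client support             |
| Premium   | High-scale / advanced security | Higher concurrency; session recording; Kerberos integration; shareable links |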
For full SKU capabilities, quotas, and pricing, see: https://learn.microsoft.com/azure/bastion/bastion-pricing

Additional resources

That covers deploying Azure Bastion and connecting to Linux and Windows VMs securely from the Azure portal.