{"id":488,"date":"2026-04-14T05:47:52","date_gmt":"2026-04-14T05:47:52","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/azure-bastion-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking\/"},"modified":"2026-04-14T05:47:52","modified_gmt":"2026-04-14T05:47:52","slug":"azure-bastion-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/azure-bastion-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking\/","title":{"rendered":"Azure Bastion Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Networking"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Networking<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

Azure Bastion is a managed Azure Networking service that lets you securely connect to Azure virtual machines (VMs) using RDP (Windows) or SSH (Linux) without giving those VMs public IP addresses and without opening inbound ports (like 3389\/22) to the internet.<\/p>\n\n\n\n

In simple terms: Azure Bastion is a secure \u201cjump box as a service.\u201d You connect to it from the Azure portal (and, with supported options, from native clients), and it proxies your RDP\/SSH session to a VM over a private IP inside your virtual network (VNet).<\/p>\n\n\n\n

Technically, you deploy an Azure Bastion resource into a dedicated subnet named AzureBastionSubnet<\/code> in your VNet. Azure manages the underlying hosts and patching. Users authenticate to Azure, and their sessions are brokered through Bastion over HTTPS (port 443) to the Bastion service, which then connects privately to target VMs in the VNet (and, depending on SKU\/features, potentially peered VNets). This reduces your public attack surface and simplifies secure administrative access.<\/p>\n\n\n\n

Azure Bastion solves a common problem in cloud networking and security: administrators need reliable interactive access to VMs for troubleshooting and operations, but exposing management ports to the internet (even with IP allowlists) increases risk and operational burden. Bastion provides controlled access while keeping VMs private.<\/p>\n\n\n\n

2. What is Azure Bastion?<\/h2>\n\n\n\n

Official purpose (in Azure terms):<\/strong> Azure Bastion provides secure and seamless RDP and SSH connectivity to your virtual machines directly from the Azure portal (and supported client options), over TLS, without exposing public IP addresses on the VMs.<\/p>\n\n\n\n

Core capabilities<\/h3>\n\n\n\n
    \n
  • RDP\/SSH to private VMs<\/strong> without public IPs<\/li>\n
  • TLS\/HTTPS-based access<\/strong> (commonly via Azure portal over 443)<\/li>\n
  • Managed bastion hosts<\/strong> maintained by Azure (no IaaS jump server to patch\/harden)<\/li>\n
  • Per-VNet deployment model<\/strong> (a Bastion resource is deployed into a specific VNet)<\/li>\n
  • Integration with Azure IAM (RBAC)<\/strong> and Azure monitoring\/diagnostics<\/li>\n<\/ul>\n\n\n\n

    Major components<\/h3>\n\n\n\n
      \n
    • Azure Bastion resource<\/strong>: The managed service instance you create in Azure.<\/li>\n
    • AzureBastionSubnet<\/code><\/strong>: A dedicated subnet in your VNet reserved for Bastion. Azure requires this exact subnet name.<\/li>\n
    • Public IP address for Bastion<\/strong>: Used as the entry point for the Bastion service (VMs do not need public IPs).<\/li>\n
    • Target VMs<\/strong>: Windows or Linux VMs reachable via private IP within the VNet.<\/li>\n
    • Azure control plane<\/strong>: Deployment and access control via Azure Resource Manager (ARM), RBAC, and policy.<\/li>\n<\/ul>\n\n\n\n

      Service type<\/h3>\n\n\n\n
        \n
      • PaaS-managed networking service<\/strong> (you manage configuration; Azure manages underlying hosts, scaling constructs, and updates within the service boundary).<\/li>\n<\/ul>\n\n\n\n

        Scope and locality<\/h3>\n\n\n\n
          \n
        • Regional<\/strong>: Azure Bastion is deployed into a VNet in a specific Azure region (VNets are regional resources). High availability characteristics and zonal capabilities may depend on region and SKU\u2014verify current options in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n

          How it fits into the Azure ecosystem<\/h3>\n\n\n\n

          Azure Bastion is commonly used alongside:\n– Azure Virtual Network (VNet)<\/strong>: the network boundary where Bastion lives.\n– Network Security Groups (NSGs)<\/strong>: to tightly control traffic to VM subnets (and to follow Bastion subnet rule requirements if you associate NSGs).\n– Azure Firewall<\/strong> \/ Network Virtual Appliances (NVAs)<\/strong>: for centralized egress control and segmentation.\n– Private endpoints \/ Private Link<\/strong>: to keep PaaS access private, complementing Bastion for VM access.\n– Azure Monitor \/ Log Analytics<\/strong>: for diagnostics and operational visibility.\n– Azure Policy<\/strong>: to enforce \u201cno public IP on VM NICs\u201d or other security standards.<\/p>\n\n\n\n

          3. Why use Azure Bastion?<\/h2>\n\n\n\n

          Business reasons<\/h3>\n\n\n\n
            \n
          • Reduce breach risk<\/strong> by eliminating public exposure of VM management ports.<\/li>\n
          • Lower operational overhead<\/strong> compared to running and maintaining jump box VMs.<\/li>\n
          • Improve audit posture<\/strong> by centralizing how administrators reach VMs (with Azure-native logging\/controls).<\/li>\n<\/ul>\n\n\n\n

            Technical reasons<\/h3>\n\n\n\n
              \n
            • No public IP required on VMs<\/strong>, helping keep workloads private by default.<\/li>\n
            • No inbound NSG rules from internet<\/strong> to VM subnets for RDP\/SSH.<\/li>\n
            • Simplified access patterns<\/strong> for admins and operators (browser-based access is a common baseline).<\/li>\n<\/ul>\n\n\n\n

              Operational reasons<\/h3>\n\n\n\n
                \n
              • Fewer moving parts<\/strong> than self-managed bastion\/jump hosts (no OS patching, antivirus, disk management, or VM resizing for the bastion itself).<\/li>\n
              • Consistent access method<\/strong> across many VMs within the VNet (and potentially across peered VNets depending on SKU\/feature support\u2014verify in docs).<\/li>\n
              • Works well for break-glass access<\/strong> when VPNs\/ExpressRoute are unavailable (subject to your org\u2019s security rules).<\/li>\n<\/ul>\n\n\n\n

                Security\/compliance reasons<\/h3>\n\n\n\n
                  \n
                • Shrinks attack surface<\/strong>: you can enforce \u201cno public IP on VM NIC\u201d policies and rely on Bastion for interactive access.<\/li>\n
                • Integrates with Azure RBAC<\/strong> so only authorized users can initiate connections.<\/li>\n
                • Supports segmentation<\/strong>: VM subnets can be locked down to accept RDP\/SSH only from the Bastion subnet.<\/li>\n<\/ul>\n\n\n\n

                  Scalability\/performance reasons<\/h3>\n\n\n\n
                    \n
                  • Service-managed scaling<\/strong> within the Bastion model (exact scaling behavior depends on SKU\u2014verify in official docs).<\/li>\n
                  • Avoids bottlenecks<\/strong> of a single small jump VM (though Bastion itself has service limits and concurrent session considerations).<\/li>\n<\/ul>\n\n\n\n

                    When teams should choose Azure Bastion<\/h3>\n\n\n\n

                    Choose Azure Bastion when you want:\n– Private VMs without public IPs\n– Centralized, controlled RDP\/SSH access\n– Reduced operational burden compared to jump box VMs\n– Fast setup for secure admin access in dev\/test and production\n– A standardized approach that security teams can approve<\/p>\n\n\n\n

                    When teams should not choose it<\/h3>\n\n\n\n

                    Consider alternatives when:\n– You need full network-level access<\/strong> from admin devices to private subnets (use VPN Gateway<\/strong> or ExpressRoute<\/strong>).\n– You require session recording<\/strong> as a built-in feature (Bastion is not primarily a session recording product; use OS-level logging, SIEM tooling, or specialized PAM tools\u2014verify current feature set).\n– Your environment requires strict private-only ingress<\/strong> with no public endpoint at all (evaluate designs using private connectivity, or confirm whether your requirements can be met with Bastion plus compensating controls; verify options in docs).\n– You already have mature PAM \/ zero-trust access tooling<\/strong> that meets requirements and is standardized across clouds.<\/p>\n\n\n\n

                    4. Where is Azure Bastion used?<\/h2>\n\n\n\n

                    Industries<\/h3>\n\n\n\n
                      \n
                    • Financial services, healthcare, and government: reduce exposed attack surface and support compliance controls.<\/li>\n
                    • SaaS and tech companies: secure operations access without maintaining jump servers.<\/li>\n
                    • Manufacturing\/retail: standardize access for distributed ops teams.<\/li>\n<\/ul>\n\n\n\n

                      Team types<\/h3>\n\n\n\n
                        \n
                      • Cloud platform teams standardizing landing zones<\/li>\n
                      • Security engineering teams enforcing \u201cno public IPs\u201d<\/li>\n
                      • SRE\/operations teams needing emergency access paths<\/li>\n
                      • DevOps teams managing ephemeral environments<\/li>\n
                      • Developers accessing test VMs safely<\/li>\n<\/ul>\n\n\n\n

                        Workloads<\/h3>\n\n\n\n
                          \n
                        • Line-of-business apps hosted on IaaS VMs<\/li>\n
                        • Legacy apps requiring VM admin access<\/li>\n
                        • Kubernetes worker nodes or supporting VMs (when direct node access is necessary and allowed)<\/li>\n
                        • Data processing VMs, build agents, and batch compute nodes<\/li>\n<\/ul>\n\n\n\n

                          Architectures<\/h3>\n\n\n\n
                            \n
                          • Hub-and-spoke networks where Bastion sits in a spoke VNet or hub VNet depending on access model<\/li>\n
                          • Segmented VNets with locked-down subnets<\/li>\n
                          • Environments where inbound internet is tightly controlled or eliminated for workloads<\/li>\n<\/ul>\n\n\n\n

                            Real-world deployment contexts<\/h3>\n\n\n\n
                              \n
                            • Production<\/strong>: Bastion as the standard path for RDP\/SSH to private VMs, combined with strict RBAC and logging.<\/li>\n
                            • Dev\/test<\/strong>: Quick access to sandbox VMs without needing a VPN client rollout.<\/li>\n<\/ul>\n\n\n\n

                              5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                              Below are practical scenarios where Azure Bastion is commonly used. Each example includes the problem, why Bastion fits, and a short scenario.<\/p>\n\n\n\n

                              1) Remove public IPs from admin-access VMs<\/h3>\n\n\n\n
                                \n
                              • Problem:<\/strong> VMs have public IPs solely for RDP\/SSH, increasing risk and scanning noise.<\/li>\n
                              • Why Azure Bastion fits:<\/strong> Provides RDP\/SSH without public IPs or inbound internet rules to VM subnets.<\/li>\n
                              • Example:<\/strong> A team removes public IPs from 200 Windows servers and mandates Bastion for all interactive access.<\/li>\n<\/ul>\n\n\n\n

                                2) Secure break-glass access for incident response<\/h3>\n\n\n\n
                                  \n
                                • Problem:<\/strong> During incidents, VPN\/ExpressRoute may be impaired or admins may be off-network.<\/li>\n
                                • Why Azure Bastion fits:<\/strong> Portal-based access over HTTPS (443) is often easier to allow through enterprise egress controls.<\/li>\n
                                • Example:<\/strong> An on-call engineer uses Bastion to access a private VM to restart services when the VPN concentrator is down.<\/li>\n<\/ul>\n\n\n\n

                                  3) Standardize VM access across teams<\/h3>\n\n\n\n
                                    \n
                                  • Problem:<\/strong> Different teams run different jump hosts, credentials, and firewall rules.<\/li>\n
                                  • Why Azure Bastion fits:<\/strong> Centralizes the VM access pattern at the VNet level and aligns with Azure RBAC.<\/li>\n
                                  • Example:<\/strong> A platform team publishes a standard \u201cVM access\u201d pattern: private VM + Bastion + RBAC + logging.<\/li>\n<\/ul>\n\n\n\n

                                    4) Restrict RDP\/SSH to a single trusted source in the VNet<\/h3>\n\n\n\n
                                      \n
                                    • Problem:<\/strong> Even inside the VNet, lateral movement risks increase if many subnets can reach management ports.<\/li>\n
                                    • Why Azure Bastion fits:<\/strong> You can lock down VM subnet NSGs to only allow RDP\/SSH from the Bastion subnet.<\/li>\n
                                    • Example:<\/strong> NSGs allow TCP\/22 and TCP\/3389 only from AzureBastionSubnet<\/code> CIDR; all other sources denied.<\/li>\n<\/ul>\n\n\n\n

                                      5) Contractor\/admin access without extending corporate network<\/h3>\n\n\n\n
                                        \n
                                      • Problem:<\/strong> Providing VPN access to contractors is high-risk and high-effort.<\/li>\n
                                      • Why Azure Bastion fits:<\/strong> Lets authorized users connect through Azure\u2019s access controls without full network extension.<\/li>\n
                                      • Example:<\/strong> A vendor is granted time-bound access via Azure RBAC to connect to a specific VM through Bastion.<\/li>\n<\/ul>\n\n\n\n

                                        6) Access to VMs in locked-down subnets (no inbound from internet)<\/h3>\n\n\n\n
                                          \n
                                        • Problem:<\/strong> Strict environments forbid inbound internet to workload subnets.<\/li>\n
                                        • Why Azure Bastion fits:<\/strong> Bastion is the only ingress path for interactive admin protocols, while workloads remain private.<\/li>\n
                                        • Example:<\/strong> A PCI environment uses Bastion for Windows patch verification without opening 3389 inbound.<\/li>\n<\/ul>\n\n\n\n

                                          7) Day-2 operations for legacy apps hosted on VMs<\/h3>\n\n\n\n
                                            \n
                                          • Problem:<\/strong> Legacy apps require frequent interactive troubleshooting, config edits, and patching windows.<\/li>\n
                                          • Why Azure Bastion fits:<\/strong> Provides convenient RDP\/SSH access while maintaining private networking.<\/li>\n
                                          • Example:<\/strong> Ops team uses Bastion weekly during maintenance without exposing the VM to the internet.<\/li>\n<\/ul>\n\n\n\n

                                            8) Reduce jump server sprawl and patching burden<\/h3>\n\n\n\n
                                              \n
                                            • Problem:<\/strong> Self-managed jump servers must be patched, monitored, and scaled.<\/li>\n
                                            • Why Azure Bastion fits:<\/strong> Managed service reduces operational overhead and standardizes access.<\/li>\n
                                            • Example:<\/strong> An org retires dozens of jump VMs and replaces them with Bastion in each environment VNet.<\/li>\n<\/ul>\n\n\n\n

                                              9) Support controlled access in hub-and-spoke topologies<\/h3>\n\n\n\n
                                                \n
                                              • Problem:<\/strong> Spoke VNets contain workloads; administrators need access without broad network exposure.<\/li>\n
                                              • Why Azure Bastion fits:<\/strong> Deploy Bastion strategically (hub or spoke) and route access privately (capabilities vary\u2014verify peering support by SKU).<\/li>\n
                                              • Example:<\/strong> Bastion deployed in a management VNet; admins connect to VM subnets via private peering.<\/li>\n<\/ul>\n\n\n\n

                                                10) Enable \u201cprivate by default\u201d landing zones<\/h3>\n\n\n\n
                                                  \n
                                                • Problem:<\/strong> Developers default to public IPs for convenience, creating governance drift.<\/li>\n
                                                • Why Azure Bastion fits:<\/strong> Paired with policy (\u201cdeny public IP on NIC\u201d), Bastion becomes the approved access method.<\/li>\n
                                                • Example:<\/strong> A landing zone blueprint includes Bastion and policies; dev teams can still SSH\/RDP without public IPs.<\/li>\n<\/ul>\n\n\n\n

                                                  6. Core Features<\/h2>\n\n\n\n

                                                  Azure Bastion\u2019s features vary by SKU and region. Always confirm the latest matrix in official docs before standardizing. The items below reflect commonly documented capabilities; where SKU specifics matter, it\u2019s called out.<\/p>\n\n\n\n

                                                  Browser-based RDP\/SSH over TLS (portal experience)<\/h3>\n\n\n\n
                                                    \n
                                                  • What it does:<\/strong> Lets users initiate RDP or SSH sessions from the Azure portal to a VM\u2019s private IP.<\/li>\n
                                                  • Why it matters:<\/strong> Users don\u2019t need direct network reachability to the VNet; the portal connection is typically over HTTPS (443).<\/li>\n
                                                  • Practical benefit:<\/strong> Quick access from managed desktops without installing RDP\/SSH clients (for portal-based connection).<\/li>\n
                                                  • Limitations\/caveats:<\/strong> Browser experience depends on portal availability and user environment restrictions (pop-up blockers, corporate proxies). Verify supported browsers and constraints in docs.<\/li>\n<\/ul>\n\n\n\n

                                                    No public IP required on target VMs<\/h3>\n\n\n\n
                                                      \n
                                                    • What it does:<\/strong> Eliminates the need for public IPs on VMs used for admin access.<\/li>\n
                                                    • Why it matters:<\/strong> Reduces attack surface and aligns with \u201cprivate workloads\u201d governance.<\/li>\n
                                                    • Practical benefit:<\/strong> Easier compliance story; less exposure to scanning and brute-force attempts.<\/li>\n
                                                    • Limitations\/caveats:<\/strong> You still need a network path from Bastion to the VM (routing, NSGs, and VM firewall rules must allow it).<\/li>\n<\/ul>\n\n\n\n

                                                      Dedicated AzureBastionSubnet<\/code> requirement<\/h3>\n\n\n\n
                                                        \n
                                                      • What it does:<\/strong> Forces Bastion to run in a dedicated subnet with a specific name.<\/li>\n
                                                      • Why it matters:<\/strong> Separates Bastion infrastructure from workloads and supports service-managed behavior.<\/li>\n
                                                      • Practical benefit:<\/strong> Clear segmentation boundary; easier to apply subnet-specific controls.<\/li>\n
                                                      • Limitations\/caveats:<\/strong> Subnet sizing is strict (commonly \/26<\/code> minimum). If you misname the subnet or size it too small, deployment fails.<\/li>\n<\/ul>\n\n\n\n

                                                        Azure RBAC-controlled access<\/h3>\n\n\n\n
                                                          \n
                                                        • What it does:<\/strong> Uses Azure identity and role assignments to control who can initiate Bastion connections and who can access the target VM resource.<\/li>\n
                                                        • Why it matters:<\/strong> Centralizes authorization and supports least privilege and JIT-style governance patterns (often combined with privileged identity processes).<\/li>\n
                                                        • Practical benefit:<\/strong> Avoids shared jump host credentials; aligns with enterprise access reviews.<\/li>\n
                                                        • Limitations\/caveats:<\/strong> Required permissions involve both the Bastion resource and the target VM. Exact required actions\/roles can change\u2014verify current RBAC requirements in official docs.<\/li>\n<\/ul>\n\n\n\n

                                                          SKU-based feature set (e.g., Basic vs Standard)<\/h3>\n\n\n\n
                                                            \n
                                                          • What it does:<\/strong> Azure Bastion is offered in multiple SKUs with different capabilities (for example, Standard commonly includes more features than Basic).<\/li>\n
                                                          • Why it matters:<\/strong> Your choice impacts cost, scalability, and supported scenarios (such as certain advanced connectivity options).<\/li>\n
                                                          • Practical benefit:<\/strong> You can start small in dev\/test and choose richer capabilities for production.<\/li>\n
                                                          • Limitations\/caveats:<\/strong> Feature availability differs by SKU and region; confirm the latest comparison in docs.<\/li>\n<\/ul>\n\n\n\n

                                                            Native client support \/ tunneling (SKU-dependent)<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does:<\/strong> Allows using native SSH\/RDP clients through Bastion by creating a tunnel (often driven via Azure CLI tooling).<\/li>\n
                                                            • Why it matters:<\/strong> Some workflows require native client features (SSH agent forwarding, certain RDP client capabilities, automation).<\/li>\n
                                                            • Practical benefit:<\/strong> Integrates with existing admin tooling and scripts.<\/li>\n
                                                            • Limitations\/caveats:<\/strong> This is commonly SKU-dependent and may require Azure CLI extension support; verify supported OS\/client requirements in docs.<\/li>\n<\/ul>\n\n\n\n

                                                              File transfer (SKU-dependent)<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does:<\/strong> Enables transferring files during Bastion sessions (commonly available in Standard SKU; verify current status).<\/li>\n
                                                              • Why it matters:<\/strong> Securely move logs, scripts, or patches without opening new inbound paths.<\/li>\n
                                                              • Practical benefit:<\/strong> Operational convenience for troubleshooting.<\/li>\n
                                                              • Limitations\/caveats:<\/strong> Govern carefully\u2014file transfer can become a data exfil path. Use RBAC, auditing, and endpoint controls.<\/li>\n<\/ul>\n\n\n\n

                                                                Session management and concurrent connections (service limits)<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does:<\/strong> Supports multiple user sessions; limits depend on SKU and service design.<\/li>\n
                                                                • Why it matters:<\/strong> Production ops teams may have many parallel sessions during incidents.<\/li>\n
                                                                • Practical benefit:<\/strong> Avoids \u201csingle jump box\u201d bottleneck.<\/li>\n
                                                                • Limitations\/caveats:<\/strong> Concurrency and scale characteristics are governed by SKU and service limits; verify official limits and plan accordingly.<\/li>\n<\/ul>\n\n\n\n

                                                                  Diagnostics and logging integration<\/h3>\n\n\n\n
                                                                    \n
                                                                  • What it does:<\/strong> Emits logs\/metrics via Azure Monitor diagnostic settings (where supported), enabling routing to Log Analytics, Event Hubs, or Storage.<\/li>\n
                                                                  • Why it matters:<\/strong> Access paths are security-sensitive and should be auditable.<\/li>\n
                                                                  • Practical benefit:<\/strong> Centralized observability and SIEM integration.<\/li>\n
                                                                  • Limitations\/caveats:<\/strong> Confirm which log categories are available and what they contain in official docs.<\/li>\n<\/ul>\n\n\n\n

                                                                    7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                    High-level architecture<\/h3>\n\n\n\n

                                                                    Azure Bastion is deployed into a VNet and acts as a managed access proxy for RDP\/SSH. Users authenticate to Azure and then initiate sessions via the Azure portal (or supported native client methods). Bastion connects to VMs using private IPs within the VNet.<\/p>\n\n\n\n

                                                                    Key points:\n– Bastion is inside<\/strong> your VNet but is managed<\/strong> by Azure.\n– Target VMs remain private (no public IP required).\n– The client-to-Bastion path is typically HTTPS (443)<\/strong>.\n– The Bastion-to-VM path is RDP\/SSH<\/strong> over private networking.<\/p>\n\n\n\n

                                                                    Request\/data\/control flow (conceptual)<\/h3>\n\n\n\n
                                                                      \n
                                                                    1. User<\/strong> signs into Azure and opens the Azure portal (or uses supported CLI-based connection).<\/li>\n
                                                                    2. The user selects a VM<\/strong> and chooses Connect via Bastion<\/strong>.<\/li>\n
                                                                    3. The browser establishes an encrypted session<\/strong> to the Bastion endpoint.<\/li>\n
                                                                    4. Bastion initiates a private RDP\/SSH connection<\/strong> to the VM\u2019s private IP.<\/li>\n
                                                                    5. The interactive session is proxied through Bastion; the VM never needs inbound internet exposure.<\/li>\n<\/ol>\n\n\n\n

                                                                      Integrations with related services<\/h3>\n\n\n\n
                                                                        \n
                                                                      • Azure Virtual Network<\/strong>: Bastion must be in the same VNet as targets (and\/or connected VNets depending on supported peering features and SKU\u2014verify).<\/li>\n
                                                                      • NSGs<\/strong>: Used to restrict VM subnets and optionally applied to Bastion subnet with required rules.<\/li>\n
                                                                      • Azure Firewall \/ NVAs<\/strong>: Often used for egress control from workloads; Bastion is separate but must be considered in routing design.<\/li>\n
                                                                      • Azure Monitor<\/strong>: Diagnostic settings for logs\/metrics.<\/li>\n
                                                                      • Azure Policy<\/strong>: Enforce \u201cno public IP,\u201d required tags, or approved SKUs.<\/li>\n<\/ul>\n\n\n\n

                                                                        Dependency services<\/h3>\n\n\n\n
                                                                          \n
                                                                        • Public IP (for Bastion endpoint)<\/li>\n
                                                                        • VNet + dedicated Bastion subnet<\/li>\n
                                                                        • Target VM reachable via private IP and allowed ports (22\/3389 or custom ports depending on features)<\/li>\n<\/ul>\n\n\n\n

                                                                          Security\/authentication model<\/h3>\n\n\n\n
                                                                            \n
                                                                          • Authentication to Azure<\/strong>: Users authenticate via Entra ID (Azure AD) to the portal\/CLI.<\/li>\n
                                                                          • Authorization<\/strong>: Azure RBAC governs ability to use Bastion and access VM resources.<\/li>\n
                                                                          • VM credentials<\/strong>: For OS-level login, you still need valid VM credentials (SSH key\/user or Windows credentials), unless using supported identity-based login methods on the VM OS (verify supported identity methods and prerequisites).<\/li>\n<\/ul>\n\n\n\n

                                                                            Networking model<\/h3>\n\n\n\n
                                                                              \n
                                                                            • Bastion resides in AzureBastionSubnet<\/code>.<\/li>\n
                                                                            • VMs are in workload subnets.<\/li>\n
                                                                            • Traffic from Bastion to VMs uses private IP routing.<\/li>\n
                                                                            • You can lock down VM NSGs to only permit management traffic from the Bastion subnet range.<\/li>\n<\/ul>\n\n\n\n

                                                                              Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                                \n
                                                                              • Enable Bastion diagnostic settings to centralize audit events (verify available categories).<\/li>\n
                                                                              • Track \u201cwho connected to what\u201d via Azure Activity Log (resource operations) and Bastion logs where available.<\/li>\n
                                                                              • Use tags on Bastion resources for cost allocation (environment, owner, cost center).<\/li>\n<\/ul>\n\n\n\n

                                                                                Simple architecture diagram (conceptual)<\/h3>\n\n\n\n
                                                                                flowchart LR\n  U[Admin User] -->|HTTPS 443 (Portal)| P[Azure Portal]\n  P -->|Session to Bastion| B[Azure Bastion\\nin AzureBastionSubnet]\n  B -->|RDP 3389 \/ SSH 22 (Private IP)| VM[Private VM\\n(no Public IP)]\n  subgraph VNet[Azure Virtual Network]\n    B\n    VM\n  end\n<\/code><\/pre>\n\n\n\n
                                                                                Production-style architecture diagram (hub\/spoke + governance)<\/h3>\n\n\n\n
                                                                                flowchart TB\n  subgraph Internet[User Network \/ Internet]\n    U1[Admin\/SRE Workstation]\n  end\n\n  U1 -->|HTTPS 443| A[Azure Portal \/ Azure Control Plane]\n\n  subgraph HubVNet[Hub VNet]\n    B[Azure Bastion\\nAzureBastionSubnet]\n    F[Azure Firewall (optional)]\n    LA[Log Analytics Workspace]\n  end\n\n  subgraph SpokeVNet1[Spoke VNet: App]\n    VM1[App VM (private)]\n    VM2[DB VM (private)]\n  end\n\n  subgraph Governance[Governance]\n    POL[Azure Policy\\n(no public IPs, tagging)]\n    RBAC[Azure RBAC \/ PIM (optional)]\n  end\n\n  A --> B\n  B -->|RDP\/SSH private| VM1\n  B -->|RDP\/SSH private| VM2\n\n  B -->|Diagnostics| LA\n  POL --> HubVNet\n  POL --> SpokeVNet1\n  RBAC --> A\n\n  HubVNet ---|VNet Peering \/ Routing| SpokeVNet1\n<\/code><\/pre>\n\n\n\n
                                                                                Notes:\n– Whether Bastion can connect across peering and under what conditions depends on SKU\/features and configuration\u2014verify in official docs<\/strong>.\n– Azure Firewall is optional and shown for broader network governance; Bastion does not replace firewalling.<\/p>\n\n\n\n
                                                                                8. Prerequisites<\/h2>\n\n\n\n
                                                                                Account\/subscription\/tenant requirements<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • An active Azure subscription<\/strong> with permission to create networking and compute resources.<\/li>\n
                                                                                • If your org uses centralized networking, ensure you\u2019re allowed to create:<\/li>\n
                                                                                • VNets and subnets<\/li>\n
                                                                                • Public IPs<\/li>\n
                                                                                • Azure Bastion resource<\/li>\n
                                                                                • VMs and NICs<\/li>\n<\/ul>\n\n\n\n
                                                                                  Permissions \/ IAM roles<\/h3>\n\n\n\n
                                                                                  At minimum, you typically need:\n– Permissions to create and manage Virtual Network<\/strong>, Subnets<\/strong>, Public IP<\/strong>, and Bastion<\/strong> resources.\n– Permissions to create\/manage VMs<\/strong>.\n– Permissions to connect<\/strong> using Bastion and to log into the VM OS.<\/p>\n\n\n\n
                                                                                  Exact RBAC actions required to initiate Bastion connections can be specific (for example, Bastion resource actions and VM read permissions). Verify the required RBAC roles and actions in official docs<\/strong>:\n– Azure Bastion documentation: https:\/\/learn.microsoft.com\/azure\/bastion\/<\/p>\n\n\n\n
                                                                                  Billing requirements<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • Azure Bastion is a paid service.<\/li>\n
                                                                                  • VMs, disks, public IPs, and logging destinations also incur costs.<\/li>\n<\/ul>\n\n\n\n
                                                                                    Tools needed<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • Azure portal access<\/li>\n
                                                                                    • Azure CLI (optional but recommended for repeatable labs): https:\/\/learn.microsoft.com\/cli\/azure\/install-azure-cli<\/li>\n
                                                                                    • SSH client (for Linux VM validation), or a browser-only approach via portal<\/li>\n<\/ul>\n\n\n\n
                                                                                      For CLI-based Bastion connectivity, you may need an Azure CLI extension depending on CLI version\u2014verify in official docs<\/strong>.<\/p>\n\n\n\n
                                                                                      Region availability<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • Azure Bastion is available in many Azure regions, but not all features\/SKUs are available everywhere.<\/li>\n
                                                                                      • Always confirm region support: https:\/\/learn.microsoft.com\/azure\/bastion\/<\/li>\n<\/ul>\n\n\n\n
                                                                                        Quotas\/limits<\/h3>\n\n\n\n
                                                                                        Common constraints to plan for (verify current limits):\n– AzureBastionSubnet<\/code> must meet minimum size requirements (often \/26<\/code>).\n– One Bastion resource is deployed per VNet (sharing models exist for connected networks depending on SKU\/features\u2014verify).\n– Concurrent session limits and scaling behavior depend on SKU.<\/p>\n\n\n\n
                                                                                        Prerequisite services<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • Azure Virtual Network<\/li>\n
                                                                                        • Dedicated AzureBastionSubnet<\/code><\/li>\n
                                                                                        • Azure Public IP (for the Bastion endpoint)<\/li>\n
                                                                                        • One or more target VMs without public IP (recommended)<\/li>\n<\/ul>\n\n\n\n
                                                                                          9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                          Azure Bastion pricing is usage-based<\/strong> and depends on:\n– SKU<\/strong> (commonly Basic vs Standard)\n– Hourly rate<\/strong> for the Bastion resource (often per deployment\/unit; exact model can vary)\n– Data transfer \/ outbound data processing<\/strong> (Bastion traffic can incur data-related charges)\n– Optional related costs: Log Analytics ingestion, Storage for logs, VM compute and disks, Public IP, and any egress through firewalls\/NAT<\/p>\n\n\n\n
                                                                                          Because Azure pricing is region-dependent<\/strong> and changes over time, do not rely on static numbers in articles. Use the official sources:\n– Official pricing page: https:\/\/azure.microsoft.com\/pricing\/details\/azure-bastion\/\n– Azure Pricing Calculator: https:\/\/azure.microsoft.com\/pricing\/calculator\/<\/p>\n\n\n\n
                                                                                          Pricing dimensions (what you pay for)<\/h3>\n\n\n\n
                                                                                          Expect the cost model to include:\n– Bastion host hours<\/strong>: running time of the Bastion deployment.\n– Data processed<\/strong>: traffic through Bastion (RDP\/SSH sessions) may be billed per GB (verify exact dimension on the pricing page).\n– SKU choice<\/strong>: Standard typically costs more than Basic due to additional features and scale characteristics.<\/p>\n\n\n\n
                                                                                          Free tier<\/h3>\n\n\n\n
                                                                                          Azure Bastion generally does not<\/strong> have a free tier for sustained usage. Promotions may exist occasionally\u2014verify on the pricing page<\/strong>.<\/p>\n\n\n\n
                                                                                          Primary cost drivers<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • Leaving Bastion running<\/strong> continuously in dev\/test subscriptions.<\/li>\n
                                                                                          • Choosing Standard SKU<\/strong> for environments that only need Basic capabilities.<\/li>\n
                                                                                          • High session usage<\/strong> and heavy data transfer (file copy, large terminal output, long RDP sessions).<\/li>\n
                                                                                          • Centralized logging<\/strong> (Log Analytics ingestion and retention can exceed Bastion costs in some environments).<\/li>\n<\/ul>\n\n\n\n
                                                                                            Hidden\/indirect costs to watch<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • Log Analytics<\/strong>: diagnostics and activity logs routed to Log Analytics incur ingestion and retention costs.<\/li>\n
                                                                                            • Public IP<\/strong>: typically small cost but still billable.<\/li>\n
                                                                                            • VM uptime<\/strong>: Bastion often makes it easier to keep \u201cjust in case\u201d VMs running; ensure you deallocate lab VMs when not used.<\/li>\n
                                                                                            • Firewall\/NVA routing<\/strong>: if your design forces Bastion or VM traffic through a firewall, you may add data processing charges there too (architecture-dependent).<\/li>\n<\/ul>\n\n\n\n
                                                                                              Network\/data transfer implications<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • Bastion sessions involve continuous interactive traffic; RDP can be data-heavy depending on resolution\/graphics.<\/li>\n
                                                                                              • If you use file transfer features (where supported), data volume increases.<\/li>\n
                                                                                              • Cross-region scenarios (if applicable) can trigger inter-region bandwidth costs\u2014avoid cross-region admin paths.<\/li>\n<\/ul>\n\n\n\n
                                                                                                How to optimize cost<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • Right-size SKU<\/strong>: Use Basic where it meets requirements; use Standard only where needed (features\/concurrency).<\/li>\n
                                                                                                • Use Bastion per environment<\/strong> (prod vs non-prod) and remove it from temporary sandboxes.<\/li>\n
                                                                                                • Control logging<\/strong>: send only necessary logs; set retention appropriately.<\/li>\n
                                                                                                • Use VM auto-shutdown<\/strong> in dev\/test; deallocate VMs when idle.<\/li>\n
                                                                                                • Consider whether a subset of environments can rely on VPN<\/strong> for admin access and reserve Bastion for high-security\/limited-access segments (depends on policy).<\/li>\n<\/ul>\n\n\n\n
                                                                                                  Example low-cost starter estimate (qualitative)<\/h3>\n\n\n\n
                                                                                                  A low-cost lab typically includes:\n– 1 small Linux VM (B-series)\n– 1 Bastion (Basic SKU if appropriate)\n– Minimal logging (or disabled in lab)\n– No VPN\/ExpressRoute<\/p>\n\n\n\n
                                                                                                  To estimate:\n1. Open the pricing calculator.\n2. Add Azure Bastion<\/strong> with your region and SKU.\n3. Add Virtual Machines<\/strong> (compute + OS disk).\n4. Add Public IP<\/strong> and Log Analytics<\/strong> only if enabled.\n5. Multiply by hours used (for example, a few hours for a lab vs 730 hours\/month for always-on).<\/p>\n\n\n\n
                                                                                                  Example production cost considerations (what to model)<\/h3>\n\n\n\n
                                                                                                  In production, model:\n– Bastion SKU needed (often Standard if advanced features are required)\n– Expected concurrent sessions (ops + vendors + on-call)\n– Data processed per month (RDP heavy vs SSH light)\n– Logging destination and retention (SIEM requirements)\n– Whether you need Bastion per VNet\/spoke vs shared pattern (verify supported designs)\n– Cost allocation via tags and chargeback<\/p>\n\n\n\n
                                                                                                  10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                                  Objective<\/h3>\n\n\n\n
                                                                                                  Deploy Azure Bastion in a new VNet, create a private Linux VM with no public IP<\/strong>, and connect to it via Azure Bastion using secure SSH.<\/p>\n\n\n\n
                                                                                                  Lab Overview<\/h3>\n\n\n\n
                                                                                                  You will:\n1. Create a resource group.\n2. Create a VNet with two subnets:\n   – workloads<\/code> subnet for the VM\n   – AzureBastionSubnet<\/code> dedicated subnet for Bastion\n3. Create a Linux VM without a public IP.\n4. Deploy Azure Bastion with a public IP.\n5. Connect to the VM through Bastion and validate private-only access.\n6. Clean up all resources.<\/p>\n\n\n\n
                                                                                                  This lab is designed to be beginner-friendly<\/strong> and low-risk<\/strong>, but Azure Bastion is a paid service\u2014remember to clean up.<\/p>\n\n\n\n
                                                                                                  \n\n\n\n
                                                                                                  Step 1: Create a resource group<\/h3>\n\n\n\n
                                                                                                  Option A: Azure CLI<\/strong><\/p>\n\n\n\n
                                                                                                    \n
                                                                                                  1. Sign in:<\/li>\n<\/ol>\n\n\n\n
                                                                                                    az login\n<\/code><\/pre>\n\n\n\n
                                                                                                      \n
                                                                                                    1. Set your subscription (if needed):<\/li>\n<\/ol>\n\n\n\n
                                                                                                      az account set --subscription \"<SUBSCRIPTION_ID_OR_NAME>\"\n<\/code><\/pre>\n\n\n\n
                                                                                                        \n
                                                                                                      1. Create a resource group:<\/li>\n<\/ol>\n\n\n\n
                                                                                                        az group create \\\n  --name rg-bastion-lab \\\n  --location eastus\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome:<\/strong> Resource group rg-bastion-lab<\/code> exists in your chosen region.<\/p>\n\n\n\n
                                                                                                        Verification:<\/strong><\/p>\n\n\n\n
                                                                                                        az group show --name rg-bastion-lab --output table\n<\/code><\/pre>\n\n\n\n
                                                                                                        \n\n\n\n
                                                                                                        Step 2: Create a VNet and subnets (including AzureBastionSubnet)<\/h3>\n\n\n\n
                                                                                                        Azure Bastion requires a dedicated subnet named exactly<\/strong> AzureBastionSubnet<\/code>. The subnet must be large enough (commonly \/26<\/code> minimum; verify current requirement).<\/p>\n\n\n\n
                                                                                                        Create the VNet and a workload subnet:<\/p>\n\n\n\n
                                                                                                        az network vnet create \\\n  --resource-group rg-bastion-lab \\\n  --location eastus \\\n  --name vnet-bastion-lab \\\n  --address-prefixes 10.10.0.0\/16 \\\n  --subnet-name workloads \\\n  --subnet-prefixes 10.10.1.0\/24\n<\/code><\/pre>\n\n\n\n
                                                                                                        Create the Bastion subnet:<\/p>\n\n\n\n
                                                                                                        az network vnet subnet create \\\n  --resource-group rg-bastion-lab \\\n  --vnet-name vnet-bastion-lab \\\n  --name AzureBastionSubnet \\\n  --address-prefixes 10.10.0.0\/26\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome:<\/strong>\n– VNet vnet-bastion-lab<\/code> exists\n– Subnet workloads<\/code> exists\n– Subnet AzureBastionSubnet<\/code> exists with a \/26<\/code><\/p>\n\n\n\n
                                                                                                        Verification:<\/strong><\/p>\n\n\n\n
                                                                                                        az network vnet subnet list \\\n  --resource-group rg-bastion-lab \\\n  --vnet-name vnet-bastion-lab \\\n  --output table\n<\/code><\/pre>\n\n\n\n
                                                                                                        \n\n\n\n
                                                                                                        Step 3: Create a private Linux VM (no public IP)<\/h3>\n\n\n\n
                                                                                                        Create (or reuse) an SSH key locally:<\/p>\n\n\n\n
                                                                                                        ssh-keygen -t ed25519 -f ~\/.ssh\/bastionlab_ed25519 -N \"\"\n<\/code><\/pre>\n\n\n\n
                                                                                                        Create the VM without a public IP:<\/p>\n\n\n\n
                                                                                                        az vm create \\\n  --resource-group rg-bastion-lab \\\n  --name vm-linux-private \\\n  --location eastus \\\n  --image Ubuntu2204 \\\n  --size Standard_B1s \\\n  --vnet-name vnet-bastion-lab \\\n  --subnet workloads \\\n  --public-ip-address \"\" \\\n  --admin-username azureuser \\\n  --ssh-key-values ~\/.ssh\/bastionlab_ed25519.pub\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome:<\/strong> A VM is created in the workloads<\/code> subnet and has no public IP<\/strong>.<\/p>\n\n\n\n
                                                                                                        Verification (confirm no public IP):<\/strong><\/p>\n\n\n\n
                                                                                                        az vm list-ip-addresses \\\n  --resource-group rg-bastion-lab \\\n  --name vm-linux-private \\\n  --output table\n<\/code><\/pre>\n\n\n\n
                                                                                                        You should see a private IP and an empty\/none public IP entry.<\/p>\n\n\n\n
                                                                                                        \n\n\n\n
                                                                                                        Step 4: Create a Public IP for Azure Bastion<\/h3>\n\n\n\n
                                                                                                        Azure Bastion typically requires a Standard<\/strong> Public IP SKU (verify current requirement in docs if you hit errors).<\/p>\n\n\n\n
                                                                                                        az network public-ip create \\\n  --resource-group rg-bastion-lab \\\n  --name pip-bastion-lab \\\n  --location eastus \\\n  --sku Standard \\\n  --allocation-method Static\n<\/code><\/pre>\n\n\n\n
                                                                                                        Expected outcome:<\/strong> Public IP resource pip-bastion-lab<\/code> exists.<\/p>\n\n\n\n
                                                                                                        Verification:<\/strong><\/p>\n\n\n\n
                                                                                                        az network public-ip show \\\n  --resource-group rg-bastion-lab \\\n  --name pip-bastion-lab \\\n  --query \"{ipAddress:ipAddress, sku:sku.name}\" \\\n  --output table\n<\/code><\/pre>\n\n\n\n
                                                                                                        \n\n\n\n
                                                                                                        Step 5: Deploy Azure Bastion into the VNet<\/h3>\n\n\n\n
                                                                                                        Create the Bastion resource:<\/p>\n\n\n\n
                                                                                                        az network bastion create \\\n  --resource-group rg-bastion-lab \\\n  --name bastion-lab \\\n  --location eastus \\\n  --vnet-name vnet-bastion-lab \\\n  --public-ip-address pip-bastion-lab\n<\/code><\/pre>\n\n\n\n
                                                                                                        If you need a specific SKU (Basic\/Standard), check az network bastion create --help<\/code> and the current docs; flags and defaults can vary by CLI version. Verify SKU parameters in official docs<\/strong>:\nhttps:\/\/learn.microsoft.com\/azure\/bastion\/<\/p>\n\n\n\n
                                                                                                        Expected outcome:<\/strong> Bastion is deployed successfully in AzureBastionSubnet<\/code>.<\/p>\n\n\n\n
                                                                                                        Verification:<\/strong><\/p>\n\n\n\n
                                                                                                        az network bastion show \\\n  --resource-group rg-bastion-lab \\\n  --name bastion-lab \\\n  --output table\n<\/code><\/pre>\n\n\n\n
                                                                                                        \n\n\n\n
                                                                                                        Step 6: Connect to the VM using Azure Bastion (Portal method)<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        1. Open the Azure portal: https:\/\/portal.azure.com<\/li>\n
                                                                                                        2. Navigate to Virtual machines<\/strong> \u2192 vm-linux-private<\/strong><\/li>\n
                                                                                                        3. Select Connect<\/strong> \u2192 Bastion<\/strong><\/li>\n
                                                                                                        4. Enter:\n   – Username: azureuser<\/code>\n   – Authentication: SSH private key (paste contents of ~\/.ssh\/bastionlab_ed25519<\/code>)<\/li>\n
                                                                                                        5. Click Connect<\/strong><\/li>\n<\/ol>\n\n\n\n
                                                                                                          Expected outcome:<\/strong> You get an interactive SSH terminal session in the browser, connected to the VM\u2019s private IP.<\/p>\n\n\n\n
                                                                                                          Verification inside the VM:<\/strong><\/p>\n\n\n\n
                                                                                                          ip a\nhostname\n<\/code><\/pre>\n\n\n\n
                                                                                                          You should see the VM\u2019s private IP in the 10.10.1.0\/24<\/code> range.<\/p>\n\n\n\n
                                                                                                          \n\n\n\n
                                                                                                          Step 7 (Optional): Connect using Azure CLI (native SSH via Bastion)<\/h3>\n\n\n\n
                                                                                                          Azure supports CLI-driven Bastion connectivity. Depending on your Azure CLI version, this may require an extension.<\/p>\n\n\n\n
                                                                                                            \n
                                                                                                          1. Check CLI version:<\/li>\n<\/ol>\n\n\n\n
                                                                                                            az version\n<\/code><\/pre>\n\n\n\n
                                                                                                              \n
                                                                                                            1. If documentation instructs, install the Bastion extension (only if required):<\/li>\n<\/ol>\n\n\n\n
                                                                                                              az extension add --name bastion\n<\/code><\/pre>\n\n\n\n
                                                                                                              If this fails, don\u2019t force it\u2014use the portal method and verify the current CLI requirements<\/strong> in official docs.<\/p>\n\n\n\n
                                                                                                                \n
                                                                                                              1. Get the VM resource ID:<\/li>\n<\/ol>\n\n\n\n
                                                                                                                VM_ID=$(az vm show -g rg-bastion-lab -n vm-linux-private --query id -o tsv)\necho \"$VM_ID\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                  \n
                                                                                                                1. Attempt SSH via Bastion (command shape may vary; verify in docs):<\/li>\n<\/ol>\n\n\n\n
                                                                                                                  az network bastion ssh \\\n  --name bastion-lab \\\n  --resource-group rg-bastion-lab \\\n  --target-resource-id \"$VM_ID\" \\\n  --auth-type ssh-key \\\n  --username azureuser \\\n  --ssh-key ~\/.ssh\/bastionlab_ed25519\n<\/code><\/pre>\n\n\n\n
                                                                                                                  Expected outcome:<\/strong> Your local terminal opens an SSH session to the VM through Bastion.<\/p>\n\n\n\n
                                                                                                                  \n\n\n\n
                                                                                                                  Validation<\/h3>\n\n\n\n
                                                                                                                  Confirm:\n1. VM has no public IP<\/strong>:<\/p>\n\n\n\n
                                                                                                                  az vm list-ip-addresses -g rg-bastion-lab -n vm-linux-private -o table\n<\/code><\/pre>\n\n\n\n
                                                                                                                    \n
                                                                                                                  1. Bastion exists and is running<\/strong>:<\/li>\n<\/ol>\n\n\n\n
                                                                                                                    az network bastion show -g rg-bastion-lab -n bastion-lab -o table\n<\/code><\/pre>\n\n\n\n
                                                                                                                      \n
                                                                                                                    1. \n
                                                                                                                      You can reach the VM via Bastion<\/strong>:\n– Portal SSH session opens successfully, or CLI-based SSH works.<\/p>\n<\/li>\n
                                                                                                                    2. \n
                                                                                                                      No inbound internet rules are needed on the VM subnet<\/strong> for SSH:\n– Your VM subnet NSG (if present) should not allow inbound from Internet<\/code> to port 22.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      Troubleshooting<\/h3>\n\n\n\n
                                                                                                                      Common issues and fixes:<\/p>\n\n\n\n
                                                                                                                        \n
                                                                                                                      1. \n
                                                                                                                        Bastion deployment fails due to subnet name<\/strong>\n– Symptom: Error mentions required subnet name.\n– Fix: Ensure the subnet is named exactly<\/strong> AzureBastionSubnet<\/code> (case-sensitive in practice\u2014follow docs).<\/p>\n<\/li>\n
                                                                                                                      2. \n
                                                                                                                        Bastion deployment fails due to subnet size<\/strong>\n– Symptom: Error indicates subnet too small.\n– Fix: Use at least \/26<\/code> for AzureBastionSubnet<\/code> (verify current requirement).<\/p>\n<\/li>\n
                                                                                                                      3. \n
                                                                                                                        Public IP SKU mismatch<\/strong>\n– Symptom: Error about Public IP SKU.\n– Fix: Recreate the Bastion public IP as Standard<\/strong> SKU and retry.<\/p>\n<\/li>\n
                                                                                                                      4. \n
                                                                                                                        Cannot connect to VM via Bastion<\/strong>\n– Check VM is running:<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                        az vm get-instance-view -g rg-bastion-lab -n vm-linux-private --query instanceView.statuses -o table\n<\/code><\/pre>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • Check NSGs: ensure the VM subnet NSG allows SSH from the Bastion subnet CIDR (or at least allows VNet traffic). If you tightened rules, explicitly allow inbound from 10.10.0.0\/26<\/code> to TCP\/22.<\/li>\n
                                                                                                                        • Check VM firewall (ufw\/iptables) allows SSH.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            \n
                                                                                                                          1. CLI Bastion commands not found<\/strong>\n– Symptom: az network bastion ssh<\/code> not recognized.\n– Fix: Update Azure CLI and verify whether an extension is required. Use portal method in the meantime. Official docs: https:\/\/learn.microsoft.com\/azure\/bastion\/<\/li>\n<\/ol>\n\n\n\n
                                                                                                                            \n\n\n\n
                                                                                                                            Cleanup<\/h3>\n\n\n\n
                                                                                                                            To avoid ongoing charges, delete the resource group (this removes Bastion, VM, public IPs, and VNet):<\/p>\n\n\n\n
                                                                                                                            az group delete --name rg-bastion-lab --yes --no-wait\n<\/code><\/pre>\n\n\n\n
                                                                                                                            Expected outcome:<\/strong> All lab resources are scheduled for deletion.<\/p>\n\n\n\n
                                                                                                                            Verify deletion:<\/p>\n\n\n\n
                                                                                                                            az group exists --name rg-bastion-lab\n<\/code><\/pre>\n\n\n\n
                                                                                                                            It should return false<\/code> after deletion completes.<\/p>\n\n\n\n
                                                                                                                            11. Best Practices<\/h2>\n\n\n\n
                                                                                                                            Architecture best practices<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Design for \u201cprivate by default\u201d<\/strong>: Put VMs on private subnets without public IPs; use Bastion for interactive access.<\/li>\n
                                                                                                                            • Use hub-and-spoke carefully<\/strong>: Decide whether Bastion is per-spoke or centralized. Validate peering and connectivity support for your chosen SKU and design.<\/li>\n
                                                                                                                            • Segment admin paths<\/strong>: Restrict VM management ports to only allow traffic from the Bastion subnet CIDR.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Least privilege via RBAC<\/strong>: Grant only the ability to connect to required VMs; avoid broad contributor rights.<\/li>\n
                                                                                                                              • Separate duties<\/strong>: Network team manages Bastion\/VNet; ops team gets connect rights; security team audits logs.<\/li>\n
                                                                                                                              • Use time-bound privileged access<\/strong> where your organization supports it (for example, privileged identity workflows). Exact implementation depends on your identity platform.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                Cost best practices<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Remove Bastion from short-lived sandboxes<\/strong> once testing is complete.<\/li>\n
                                                                                                                                • Choose SKU intentionally<\/strong>: Don\u2019t pay for Standard features you don\u2019t use.<\/li>\n
                                                                                                                                • Right-size logging<\/strong>: Route diagnostics to the right destination with appropriate retention.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  Performance best practices<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Prefer SSH<\/strong> for lightweight administration when possible (lower bandwidth than RDP).<\/li>\n
                                                                                                                                  • For RDP, keep resolution reasonable and avoid unnecessary graphical workloads through Bastion.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    Reliability best practices<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Consider how admins will access systems if the Azure portal is unavailable (document fallback processes).<\/li>\n
                                                                                                                                    • Maintain break-glass accounts<\/strong> and documented runbooks, consistent with your security policies.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      Operations best practices<\/h3>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • Enable diagnostic settings<\/strong> and centralize logs.<\/li>\n
                                                                                                                                      • Use naming standards<\/strong> (include env\/region): bas-<env>-<region>-01<\/code><\/li>\n
                                                                                                                                      • Use tagging: env<\/code>, owner<\/code>, costCenter<\/code>, dataClassification<\/code>.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Enforce \u201cno public IPs on NICs\u201d and \u201capproved SKUs only\u201d via Azure Policy (where feasible).<\/li>\n
                                                                                                                                        • Tag Bastion resources for chargeback; Bastion is a shared access cost that can otherwise be hard to allocate.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                                          Identity and access model<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Azure authentication<\/strong>: Access starts with Azure sign-in.<\/li>\n
                                                                                                                                          • Azure RBAC authorization<\/strong>: Controls who can initiate Bastion sessions and who can access VM resources.<\/li>\n
                                                                                                                                          • OS-level authentication<\/strong>: Users still authenticate to the VM (SSH keys, local accounts, or supported identity-based login where configured). Validate which identity-based login methods are supported for your OS and Bastion connection mode.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            Recommendations:\n– Use individual identities<\/strong>, not shared VM accounts.\n– Prefer SSH keys<\/strong> over passwords for Linux.\n– For Windows, prefer strong credential hygiene and consider identity-integrated login methods where supported (verify prerequisites).<\/p>\n\n\n\n
                                                                                                                                            Encryption<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Client-to-Bastion traffic is encrypted (TLS\/HTTPS).<\/li>\n
                                                                                                                                            • Bastion-to-VM traffic occurs over private networking; encryption depends on protocol (SSH is encrypted; RDP has encryption options).<\/li>\n
                                                                                                                                            • Disk encryption and VM-level encryption remain your responsibility (Azure Disk Encryption \/ server-side encryption options).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Network exposure<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • Target VMs can be fully private (no public IPs).<\/li>\n
                                                                                                                                              • Bastion itself uses a public IP endpoint (service-managed). Treat it as a controlled ingress point:<\/li>\n
                                                                                                                                              • Lock down who can use it via RBAC.<\/li>\n
                                                                                                                                              • Follow NSG requirements if you associate NSGs to Bastion subnet (misconfiguration can break service).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                Secrets handling<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • Avoid pasting private keys into shared machines.<\/li>\n
                                                                                                                                                • Prefer secure key storage and rotation processes (for example, enterprise key management).<\/li>\n
                                                                                                                                                • Don\u2019t store SSH private keys in source control or shared file shares.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  Audit\/logging<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • Use:<\/li>\n
                                                                                                                                                  • Azure Activity Log<\/strong> for control-plane events (creation\/updates of Bastion, role assignments).<\/li>\n
                                                                                                                                                  • Azure Monitor diagnostic logs<\/strong> for Bastion where supported.<\/li>\n
                                                                                                                                                  • Forward logs to SIEM (Microsoft Sentinel or third-party) if required.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    Compliance considerations<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Bastion helps reduce public exposure, supporting common compliance controls (minimize ingress, least privilege).<\/li>\n
                                                                                                                                                    • Compliance is not automatic: you still must implement RBAC, logging, secure VM baselines, patching, and vulnerability management.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Leaving public IPs<\/strong> on VMs \u201ctemporarily\u201d and never removing them.<\/li>\n
                                                                                                                                                      • Granting Owner\/Contributor<\/strong> widely so many users can connect everywhere.<\/li>\n
                                                                                                                                                      • Misconfiguring NSGs so Bastion connectivity fails, leading teams to re-add public IPs as a workaround.<\/li>\n
                                                                                                                                                      • Not logging or not reviewing access patterns.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Deploy Bastion as part of a standard landing zone<\/strong> pattern.<\/li>\n
                                                                                                                                                        • Enforce \u201cno public IP on VM NIC\u201d via policy where possible.<\/li>\n
                                                                                                                                                        • Restrict RDP\/SSH on VM subnets to only<\/strong> Bastion subnet CIDR.<\/li>\n
                                                                                                                                                        • Centralize logs and run regular access reviews.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                                          Always confirm the latest constraints in official docs, but plan for these common gotchas:<\/p>\n\n\n\n
                                                                                                                                                          Subnet requirements<\/h3>\n\n\n\n
                                                                                                                                                            \n
                                                                                                                                                          • AzureBastionSubnet<\/code> must be named exactly and meet minimum sizing (commonly \/26<\/code>).<\/li>\n
                                                                                                                                                          • Subnet IP exhaustion can occur if you undersize and later need scale\/features\u2014plan ahead.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                            NSG and route table pitfalls<\/h3>\n\n\n\n
                                                                                                                                                              \n
                                                                                                                                                            • Attaching an NSG to AzureBastionSubnet<\/code> without required rules can break Bastion.<\/li>\n
                                                                                                                                                            • User-defined routes (UDRs) can interfere with connectivity if they force traffic in unsupported ways. Test carefully in secured hub\/spoke networks.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                              SKU feature mismatches<\/h3>\n\n\n\n
                                                                                                                                                                \n
                                                                                                                                                              • Some advanced capabilities (native client support, file transfer, custom ports, peering scenarios) are often SKU-dependent.<\/li>\n
                                                                                                                                                              • Picking Basic for production and then needing Standard features later can cause rework.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                Public endpoint perception<\/h3>\n\n\n\n
                                                                                                                                                                  \n
                                                                                                                                                                • Even though VMs are private, Bastion uses a public IP. Some organizations require \u201cno public endpoints at all,\u201d which may require alternative designs or additional controls.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                  Operational behaviors<\/h3>\n\n\n\n
                                                                                                                                                                    \n
                                                                                                                                                                  • Browser-based sessions depend on portal availability and client network policies.<\/li>\n
                                                                                                                                                                  • Long-running sessions can be disrupted by network changes or corporate proxy behavior.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                    Compatibility issues<\/h3>\n\n\n\n
                                                                                                                                                                      \n
                                                                                                                                                                    • Custom SSH\/RDP ports and certain authentication modes may require specific SKUs or configuration (verify).<\/li>\n
                                                                                                                                                                    • Hardened VM firewall baselines can unintentionally block Bastion-to-VM traffic.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                      Pricing surprises<\/h3>\n\n\n\n
                                                                                                                                                                        \n
                                                                                                                                                                      • Leaving Bastion running in multiple dev\/test VNets can create steady monthly cost.<\/li>\n
                                                                                                                                                                      • Diagnostics routed to Log Analytics can generate ingestion cost if verbose.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                        Migration challenges<\/h3>\n\n\n\n
                                                                                                                                                                          \n
                                                                                                                                                                        • Migrating from jump box VMs often requires:<\/li>\n
                                                                                                                                                                        • Removing public IPs<\/li>\n
                                                                                                                                                                        • Adjusting NSGs<\/li>\n
                                                                                                                                                                        • Updating runbooks and access processes<\/li>\n
                                                                                                                                                                        • Training teams on the new access flow<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                          14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                                                          Azure Bastion is one option for secure administrative access. The best choice depends on whether you need interactive access, full network connectivity, or agent-based management.<\/p>\n\n\n\n
                                                                                                                                                                          Comparison table<\/h3>\n\n\n\n
                                                                                                                                                                          \n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                          Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                          Azure Bastion<\/strong><\/td>\nSecure RDP\/SSH to private VMs<\/td>\nNo public IPs on VMs; managed service; Azure RBAC integration; quick setup<\/td>\nOngoing cost; feature set varies by SKU; still a public endpoint for Bastion<\/td>\nYou need standardized, secure interactive VM access without VPN<\/td>\n<\/tr>\n
                                                                                                                                                                          Self-managed jump box VM<\/strong><\/td>\nCustom admin tooling and full control<\/td>\nFull OS control; can install tools; can be cheaper for very small scale (sometimes)<\/td>\nYou patch\/harden\/monitor it; often ends up with public exposure; single point of failure if not HA<\/td>\nYou need custom tooling on the jump host and accept operational overhead<\/td>\n<\/tr>\n
                                                                                                                                                                          Azure VPN Gateway<\/strong><\/td>\nFull private network access from admin devices<\/td>\nBroad access to private subnets; works for many protocols<\/td>\nRequires client VPN management; expands network trust boundary; still needs good endpoint hygiene<\/td>\nYou need network-level access to many resources beyond VM RDP\/SSH<\/td>\n<\/tr>\n
                                                                                                                                                                          ExpressRoute<\/strong><\/td>\nPrivate connectivity from corporate networks<\/td>\nHigh reliability; private circuit; enterprise standard<\/td>\nCost and lead time; still requires internal network governance<\/td>\nEnterprise connectivity needs and strict private routing requirements<\/td>\n<\/tr>\n
                                                                                                                                                                          Azure Virtual Desktop (AVD)<\/strong><\/td>\nSecure desktop\/app delivery<\/td>\nStrong user experience; centralized desktops; can integrate with identity controls<\/td>\nMore complex; different goal than VM admin access; cost<\/td>\nYou need user desktops or controlled admin workstations inside Azure<\/td>\n<\/tr>\n
                                                                                                                                                                          AWS Systems Manager Session Manager<\/strong> (other cloud)<\/td>\nAgent-based shell access without inbound ports<\/td>\nNo inbound network exposure; strong auditing<\/td>\nDifferent cloud; requires SSM agent and IAM; not RDP equivalent by default<\/td>\nMulti-cloud comparison: when you want agent-based access patterns<\/td>\n<\/tr>\n
                                                                                                                                                                          Google Cloud IAP TCP forwarding<\/strong> (other cloud)<\/td>\nIdentity-aware access to private resources<\/td>\nIdentity-aware proxying<\/td>\nDifferent cloud; requires IAP setup<\/td>\nMulti-cloud comparison for identity-aware access<\/td>\n<\/tr>\n
                                                                                                                                                                          Apache Guacamole \/ OSS bastion<\/strong><\/td>\nBrowser-based RDP\/SSH via self-managed gateway<\/td>\nFlexible; self-hosted; can integrate with many systems<\/td>\nYou manage it; HA and security are your responsibility<\/td>\nYou need custom workflows and accept managing the platform<\/td>\n<\/tr>\n
                                                                                                                                                                          Privileged Access Management (PAM) tools<\/strong><\/td>\nStrong governance, approvals, recording<\/td>\nMature controls: approvals, rotation, auditing<\/td>\nCost and complexity; integration work<\/td>\nRegulated environments requiring approvals\/recording\/rotation<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                          15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                                          Enterprise example: regulated hub-and-spoke network<\/h3>\n\n\n\n
                                                                                                                                                                          Problem<\/strong>\nA financial services company hosts hundreds of Windows and Linux VMs across multiple spokes. Security policy forbids inbound internet access to workload subnets and mandates removal of VM public IPs. Operations teams still need RDP\/SSH for patching and incident response.<\/p>\n\n\n\n
                                                                                                                                                                          Proposed architecture<\/strong>\n– Hub-and-spoke VNets with centralized network governance\n– Azure Bastion deployed per environment (or centrally if supported\/approved by SKU and design)\n– VM subnets with NSGs allowing RDP\/SSH only from AzureBastionSubnet<\/code> CIDR\n– Azure Policy enforcing:\n  – No public IP on VM NICs\n  – Required tags and approved regions\/SKUs\n– Azure Monitor diagnostics forwarded to Log Analytics and SIEM<\/p>\n\n\n\n
                                                                                                                                                                          Why Azure Bastion was chosen<\/strong>\n– Eliminates VM public IPs and inbound 3389\/22 exposure\n– Simplifies admin access without rolling out VPN to every third-party operator\n– Aligns with RBAC and centralized auditing<\/p>\n\n\n\n
                                                                                                                                                                          Expected outcomes<\/strong>\n– Reduced attack surface and scanning noise\n– More consistent operational access method\n– Better audit trail of access tooling (control-plane and diagnostic logs)<\/p>\n\n\n\n
                                                                                                                                                                          Startup\/small-team example: secure access without a VPN rollout<\/h3>\n\n\n\n
                                                                                                                                                                          Problem<\/strong>\nA startup runs a few Linux VMs for a legacy workload. They want to keep servers private and avoid maintaining a jump box VM or managing a VPN client for every engineer.<\/p>\n\n\n\n
                                                                                                                                                                          Proposed architecture<\/strong>\n– Single VNet with private VM subnet\n– Azure Bastion in AzureBastionSubnet<\/code>\n– No public IP on VMs\n– Minimal NSG rules and basic logging\n– Tags for cost tracking<\/p>\n\n\n\n
                                                                                                                                                                          Why Azure Bastion was chosen<\/strong>\n– Fast to deploy\n– Avoids maintaining a jump VM\n– Engineers can access VMs securely from the portal when needed<\/p>\n\n\n\n
                                                                                                                                                                          Expected outcomes<\/strong>\n– Private VMs with secure SSH access\n– Less ops burden\n– Clear path to scale into stronger governance later (policy, logging, approvals)<\/p>\n\n\n\n
                                                                                                                                                                          16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                                          1) Do my VMs need public IP addresses to use Azure Bastion?<\/strong>\nNo. A primary benefit of Azure Bastion is enabling RDP\/SSH to VMs over private IPs without public IPs on the VMs.<\/p>\n\n\n\n
                                                                                                                                                                          2) Does Azure Bastion replace a VPN?<\/strong>\nNot exactly. Bastion is primarily for interactive RDP\/SSH access to VMs. A VPN provides broader network-level access to private subnets for many protocols.<\/p>\n\n\n\n
                                                                                                                                                                          3) What subnet does Azure Bastion require?<\/strong>\nA dedicated subnet named AzureBastionSubnet<\/code>. It must meet minimum size requirements (commonly \/26<\/code>). Verify current sizing in official docs.<\/p>\n\n\n\n
                                                                                                                                                                          4) Can I apply an NSG to AzureBastionSubnet?<\/strong>\nSometimes, but you must follow Azure\u2019s required inbound\/outbound rules for Bastion. Misconfigured NSGs commonly break connectivity. Verify required rules in official docs.<\/p>\n\n\n\n
                                                                                                                                                                          5) What ports do I need to open to the internet for my VMs?<\/strong>\nTypically none for RDP\/SSH when using Bastion (VMs remain private). Bastion itself is accessed over HTTPS (commonly 443).<\/p>\n\n\n\n
                                                                                                                                                                          6) Can Bastion connect to VMs in peered VNets?<\/strong>\nThis depends on SKU\/features and configuration. Verify current support and requirements in official docs before designing around it.<\/p>\n\n\n\n
                                                                                                                                                                          7) Does Azure Bastion support Linux and Windows?<\/strong>\nYes\u2014SSH for Linux and RDP for Windows are the core use cases.<\/p>\n\n\n\n
                                                                                                                                                                          8) How do users authenticate?<\/strong>\nUsers authenticate to Azure (Entra ID\/Azure AD). They still authenticate to the VM OS using SSH keys\/credentials or supported identity-based login methods on the VM (verify supported scenarios).<\/p>\n\n\n\n
                                                                                                                                                                          9) Is Azure Bastion highly available by default?<\/strong>\nAzure manages the service, but availability characteristics depend on region and SKU. Verify official SLA\/architecture guidance.<\/p>\n\n\n\n
                                                                                                                                                                          10) Can I use my native SSH or RDP client instead of the portal?<\/strong>\nIn many cases, yes via supported native client options\/tunneling (often SKU-dependent and CLI-assisted). Verify current requirements and supported clients.<\/p>\n\n\n\n
                                                                                                                                                                          11) Does Bastion support custom SSH\/RDP ports?<\/strong>\nThis is commonly an advanced feature and may require specific SKU. Verify current support and limitations.<\/p>\n\n\n\n
                                                                                                                                                                          12) Can I transfer files through Bastion?<\/strong>\nFile transfer is SKU\/feature-dependent. Verify current support and consider data loss prevention and auditing requirements.<\/p>\n\n\n\n
                                                                                                                                                                          13) What should I log for compliance?<\/strong>\nAt minimum: Azure Activity Log (resource operations) and Bastion diagnostic logs\/metrics where available, forwarded to a central workspace or SIEM. Also log OS-level authentication and command\/activity on the VM.<\/p>\n\n\n\n
                                                                                                                                                                          14) How do I prevent teams from adding public IPs again?<\/strong>\nUse Azure Policy to deny public IP creation\/association on VM NICs, combined with Bastion as the approved access method.<\/p>\n\n\n\n
                                                                                                                                                                          15) What\u2019s the simplest safe pattern for dev\/test?<\/strong>\nOne VNet, private VM subnet, AzureBastionSubnet<\/code>, Bastion Basic SKU (if it meets needs), minimal logging, and strict cleanup of resources after use.<\/p>\n\n\n\n
                                                                                                                                                                          16) Does Azure Bastion inspect traffic or replace a firewall?<\/strong>\nNo. Bastion is an access proxy for RDP\/SSH. You still need NSGs\/firewalls for network security and segmentation.<\/p>\n\n\n\n
                                                                                                                                                                          17) Can I use Bastion for automated configuration management (Ansible\/SSH automation)?<\/strong>\nBastion is designed for interactive access. Some native client\/tunneling options can support certain workflows, but for automation at scale, prefer agent-based tools or private network connectivity (VPN\/ExpressRoute) depending on your design. Verify supported automation patterns.<\/p>\n\n\n\n
                                                                                                                                                                          17. Top Online Resources to Learn Azure Bastion<\/h2>\n\n\n\n
                                                                                                                                                                          \n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                          Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                          Official documentation<\/td>\nAzure Bastion documentation \u2013 https:\/\/learn.microsoft.com\/azure\/bastion\/<\/td>\nAuthoritative setup, architecture, and feature\/SKU guidance<\/td>\n<\/tr>\n
                                                                                                                                                                          Official pricing<\/td>\nAzure Bastion pricing \u2013 https:\/\/azure.microsoft.com\/pricing\/details\/azure-bastion\/<\/td>\nCurrent pricing dimensions by region\/SKU<\/td>\n<\/tr>\n
                                                                                                                                                                          Pricing tool<\/td>\nAzure Pricing Calculator \u2013 https:\/\/azure.microsoft.com\/pricing\/calculator\/<\/td>\nBuild estimates including Bastion + VM + logging<\/td>\n<\/tr>\n
                                                                                                                                                                          Quickstarts\/Tutorials<\/td>\nSearch \u201cAzure Bastion quickstart\u201d within Microsoft Learn \u2013 https:\/\/learn.microsoft.com\/azure\/bastion\/<\/td>\nStep-by-step deployment and connectivity walkthroughs<\/td>\n<\/tr>\n
                                                                                                                                                                          Architecture guidance<\/td>\nAzure Architecture Center \u2013 https:\/\/learn.microsoft.com\/azure\/architecture\/<\/td>\nBroader networking and secure access patterns (hub\/spoke, landing zones)<\/td>\n<\/tr>\n
                                                                                                                                                                          Security baseline<\/td>\nMicrosoft cloud security documentation \u2013 https:\/\/learn.microsoft.com\/security\/<\/td>\nHelps align Bastion usage with security controls and governance<\/td>\n<\/tr>\n
                                                                                                                                                                          Azure CLI reference<\/td>\nAzure CLI docs \u2013 https:\/\/learn.microsoft.com\/cli\/azure\/<\/td>\nCommands for repeatable networking\/VM setups<\/td>\n<\/tr>\n
                                                                                                                                                                          Azure Policy docs<\/td>\nAzure Policy documentation \u2013 https:\/\/learn.microsoft.com\/azure\/governance\/policy\/<\/td>\nEnforce no-public-IP, tagging, allowed SKUs, and standards<\/td>\n<\/tr>\n
                                                                                                                                                                          Video learning<\/td>\nMicrosoft Learn \/ Azure YouTube channel \u2013 https:\/\/www.youtube.com\/@MicrosoftAzure<\/td>\nVisual walkthroughs and conceptual explanations (search Bastion)<\/td>\n<\/tr>\n
                                                                                                                                                                          Community (trusted)<\/td>\nMicrosoft Tech Community (Azure Networking discussions) \u2013 https:\/\/techcommunity.microsoft.com\/<\/td>\nReal-world troubleshooting patterns; validate against official docs<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                          18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                                            \n
                                                                                                                                                                          1. \n
                                                                                                                                                                            DevOpsSchool.com<\/strong>\n   – Suitable audience: DevOps engineers, SREs, cloud engineers, platform teams\n   – Likely learning focus: Azure operations, DevOps practices, cloud networking fundamentals (verify specific Bastion coverage on site)\n   – Mode: check website\n   – Website: https:\/\/www.devopsschool.com\/<\/p>\n<\/li>\n
                                                                                                                                                                          2. \n
                                                                                                                                                                            ScmGalaxy.com<\/strong>\n   – Suitable audience: DevOps beginners to intermediate practitioners\n   – Likely learning focus: SCM, CI\/CD, DevOps foundations, cloud basics (verify Azure Networking topics on site)\n   – Mode: check website\n   – Website: https:\/\/www.scmgalaxy.com\/<\/p>\n<\/li>\n
                                                                                                                                                                          3. \n
                                                                                                                                                                            CLoudOpsNow.in<\/strong>\n   – Suitable audience: Cloud operations and platform teams\n   – Likely learning focus: CloudOps, operational tooling, monitoring, governance (verify Azure course catalog)\n   – Mode: check website\n   – Website: https:\/\/www.cloudopsnow.in\/<\/p>\n<\/li>\n
                                                                                                                                                                          4. \n
                                                                                                                                                                            SreSchool.com<\/strong>\n   – Suitable audience: SREs, reliability engineers, operations teams\n   – Likely learning focus: SRE practices, incident response, reliability patterns (verify Azure-specific offerings)\n   – Mode: check website\n   – Website: https:\/\/www.sreschool.com\/<\/p>\n<\/li>\n
                                                                                                                                                                          5. \n
                                                                                                                                                                            AiOpsSchool.com<\/strong>\n   – Suitable audience: Ops teams adopting AIOps practices\n   – Likely learning focus: Observability, automation, AIOps concepts (verify Azure integration content)\n   – Mode: check website\n   – Website: https:\/\/www.aiopsschool.com\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                            19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                                              \n
                                                                                                                                                                            1. \n
                                                                                                                                                                              RajeshKumar.xyz<\/strong>\n   – Likely specialization: DevOps \/ cloud training content (verify current offerings)\n   – Suitable audience: Engineers seeking practical training and guidance\n   – Website: https:\/\/rajeshkumar.xyz\/<\/p>\n<\/li>\n
                                                                                                                                                                            2. \n
                                                                                                                                                                              devopstrainer.in<\/strong>\n   – Likely specialization: DevOps tooling and CI\/CD training (verify Azure modules)\n   – Suitable audience: Beginners to intermediate DevOps practitioners\n   – Website: https:\/\/www.devopstrainer.in\/<\/p>\n<\/li>\n
                                                                                                                                                                            3. \n
                                                                                                                                                                              devopsfreelancer.com<\/strong>\n   – Likely specialization: DevOps consulting\/training resources (verify services)\n   – Suitable audience: Teams seeking hands-on guidance or project-based help\n   – Website: https:\/\/www.devopsfreelancer.com\/<\/p>\n<\/li>\n
                                                                                                                                                                            4. \n
                                                                                                                                                                              devopssupport.in<\/strong>\n   – Likely specialization: DevOps support and training resources (verify scope)\n   – Suitable audience: Ops\/DevOps teams needing practical support\n   – Website: https:\/\/www.devopssupport.in\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                              20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                                                \n
                                                                                                                                                                              1. \n
                                                                                                                                                                                cotocus.com<\/strong>\n   – Likely service area: Cloud\/DevOps consulting (verify current service catalog)\n   – Where they may help: Architecture reviews, implementations, operational readiness\n   – Consulting use case examples: Secure VM access patterns, landing zone governance, network segmentation planning\n   – Website: https:\/\/cotocus.com\/<\/p>\n<\/li>\n
                                                                                                                                                                              2. \n
                                                                                                                                                                                DevOpsSchool.com<\/strong>\n   – Likely service area: DevOps and cloud consulting\/training (verify consulting offerings)\n   – Where they may help: DevOps transformation, cloud migrations, platform engineering enablement\n   – Consulting use case examples: Standardizing Azure Networking patterns, implementing Bastion-based access controls, building runbooks and governance\n   – Website: https:\/\/www.devopsschool.com\/<\/p>\n<\/li>\n
                                                                                                                                                                              3. \n
                                                                                                                                                                                DEVOPSCONSULTING.IN<\/strong>\n   – Likely service area: DevOps consulting services (verify current offerings)\n   – Where they may help: CI\/CD, infrastructure automation, cloud operations\n   – Consulting use case examples: Infrastructure-as-Code rollout for network and Bastion deployments, operational monitoring integration, access governance processes\n   – Website: https:\/\/www.devopsconsulting.in\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                                21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                                                What to learn before Azure Bastion<\/h3>\n\n\n\n
                                                                                                                                                                                  \n
                                                                                                                                                                                • Azure fundamentals<\/strong>: subscriptions, resource groups, IAM\/RBAC<\/li>\n
                                                                                                                                                                                • Azure Networking basics<\/strong>:<\/li>\n
                                                                                                                                                                                • VNets, subnets, IP addressing<\/li>\n
                                                                                                                                                                                • NSGs, service tags (conceptually), routing<\/li>\n
                                                                                                                                                                                • Public IP vs private IP<\/li>\n
                                                                                                                                                                                • VM fundamentals<\/strong>: Windows RDP, Linux SSH, authentication basics<\/li>\n
                                                                                                                                                                                • Security basics<\/strong>: least privilege, audit logging, secure admin access patterns<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                  What to learn after Azure Bastion<\/h3>\n\n\n\n
                                                                                                                                                                                    \n
                                                                                                                                                                                  • Hub-and-spoke networking<\/strong> and secure landing zones<\/li>\n
                                                                                                                                                                                  • Azure Firewall<\/strong> and advanced segmentation<\/li>\n
                                                                                                                                                                                  • VPN Gateway \/ ExpressRoute<\/strong> for private connectivity<\/li>\n
                                                                                                                                                                                  • Azure Monitor<\/strong> and SIEM integration (Microsoft Sentinel)<\/li>\n
                                                                                                                                                                                  • Azure Policy<\/strong> for governance at scale<\/li>\n
                                                                                                                                                                                  • Privileged Identity Management processes<\/strong> (tooling depends on org)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                    Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                                                                      \n
                                                                                                                                                                                    • Cloud engineer \/ cloud administrator<\/li>\n
                                                                                                                                                                                    • Network engineer (cloud networking)<\/li>\n
                                                                                                                                                                                    • Platform engineer<\/li>\n
                                                                                                                                                                                    • SRE \/ operations engineer<\/li>\n
                                                                                                                                                                                    • Security engineer (cloud security posture and access controls)<\/li>\n
                                                                                                                                                                                    • DevOps engineer (infrastructure and operational access patterns)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                      Certification path (Azure)<\/h3>\n\n\n\n
                                                                                                                                                                                      Azure certifications change frequently; verify the latest role-based certifications on Microsoft Learn. Commonly relevant tracks include:\n– Azure Fundamentals\n– Azure Administrator\n– Azure Network Engineer\n– Azure Security Engineer<\/p>\n\n\n\n
                                                                                                                                                                                      Start here and confirm current certification lineup:\nhttps:\/\/learn.microsoft.com\/credentials\/certifications\/<\/p>\n\n\n\n
                                                                                                                                                                                      Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                                                        \n
                                                                                                                                                                                      • Build a \u201cprivate VM access\u201d reference environment:<\/li>\n
                                                                                                                                                                                      • VNet + Bastion + private VMs + policy to deny public IPs<\/li>\n
                                                                                                                                                                                      • Implement subnet segmentation:<\/li>\n
                                                                                                                                                                                      • Allow SSH\/RDP only from Bastion subnet to VM subnet<\/li>\n
                                                                                                                                                                                      • Add monitoring:<\/li>\n
                                                                                                                                                                                      • Route Bastion diagnostics to Log Analytics and build alerts for unusual access patterns<\/li>\n
                                                                                                                                                                                      • Automate with IaC:<\/li>\n
                                                                                                                                                                                      • Recreate the lab with Bicep or Terraform (verify official examples and best practices)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                        22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                                                          \n
                                                                                                                                                                                        • Azure Bastion<\/strong>: Managed service providing secure RDP\/SSH to VMs without public IPs.<\/li>\n
                                                                                                                                                                                        • VNet (Virtual Network)<\/strong>: Private network boundary in Azure.<\/li>\n
                                                                                                                                                                                        • Subnet<\/strong>: Segment of a VNet\u2019s address space used to isolate resources.<\/li>\n
                                                                                                                                                                                        • AzureBastionSubnet<\/code><\/strong>: Required dedicated subnet name where Azure Bastion is deployed.<\/li>\n
                                                                                                                                                                                        • RDP (Remote Desktop Protocol)<\/strong>: Protocol used to access Windows machines interactively.<\/li>\n
                                                                                                                                                                                        • SSH (Secure Shell)<\/strong>: Encrypted protocol for remote shell access, common on Linux.<\/li>\n
                                                                                                                                                                                        • NSG (Network Security Group)<\/strong>: Stateful L3\/L4 firewall rules for subnets and NICs in Azure.<\/li>\n
                                                                                                                                                                                        • Public IP<\/strong>: Internet-routable IP address resource in Azure.<\/li>\n
                                                                                                                                                                                        • Private IP<\/strong>: IP address reachable only within private networks (VNet\/peering\/VPN\/ER).<\/li>\n
                                                                                                                                                                                        • RBAC (Role-Based Access Control)<\/strong>: Azure authorization system for resource access.<\/li>\n
                                                                                                                                                                                        • Diagnostic settings<\/strong>: Azure Monitor configuration to send logs\/metrics to destinations like Log Analytics.<\/li>\n
                                                                                                                                                                                        • Log Analytics Workspace<\/strong>: Azure Monitor log store used for query and analysis.<\/li>\n
                                                                                                                                                                                        • Hub-and-spoke<\/strong>: Network topology with a central hub VNet connected to spoke VNets.<\/li>\n
                                                                                                                                                                                        • Jump box \/ jump host<\/strong>: A server used as an intermediate hop for administrative access.<\/li>\n
                                                                                                                                                                                        • Attack surface<\/strong>: The set of entry points an attacker can target.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                          23. Summary<\/h2>\n\n\n\n
                                                                                                                                                                                          Azure Bastion is an Azure Networking service that provides secure RDP\/SSH access to Azure VMs over encrypted connections without requiring public IP addresses on those VMs. It matters because it reduces public exposure of management ports, simplifies secure operations access, and integrates with Azure RBAC and monitoring.<\/p>\n\n\n\n
                                                                                                                                                                                          Architecturally, Bastion sits in a dedicated AzureBastionSubnet<\/code> inside a VNet and proxies admin sessions to private VM IPs. Cost-wise, it\u2019s a paid service with SKU-based pricing and usage dimensions (hourly plus data-related charges); the biggest cost pitfalls are leaving it running everywhere and over-logging.<\/p>\n\n\n\n
                                                                                                                                                                                          Security-wise, Bastion is strongest when paired with least-privilege RBAC, policies that prevent VM public IPs, subnet segmentation that only allows RDP\/SSH from the Bastion subnet, and centralized logging.<\/p>\n\n\n\n
                                                                                                                                                                                          Use Azure Bastion when you want a standardized, managed, secure admin access path to private VMs without deploying and maintaining jump box VMs. Next, deepen your skills by learning hub-and-spoke network design, Azure Policy governance, and Azure Monitor\/SIEM integration\u2014and validate all SKU-specific capabilities against the latest official docs: https:\/\/learn.microsoft.com\/azure\/bastion\/<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                                                          Networking<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[40,50,10],"tags":[],"class_list":["post-488","post","type-post","status-publish","format-standard","hentry","category-azure","category-networking","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/488","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=488"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/488\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=488"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=488"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}