Create Azure Bastion Host
Share this post:

An Azure Bastion host provides secure RDP and SSH connections to your Azure VMs. You connect to your VMs directly in the Azure portal over TLS. You do not have to assign public IP addresses to your VMs. In this post, you will learn how to create an Azure Bastion host and connect to your Azure VMs through the Azure portal.

Key Features

  • Azure Bastion hosts are deployed per virtual network
  • Once deployed, an Azure Bastion host provides secure access to all VMs in the same virtual network
  • No Public IPs required for your Azure VMs
  • Azure Bastion is a fully managed PaaS, hardened internally
  • NSGs for virtual subnets can be configured to only allow connections from Azure Bastion


An Azure Bastion requires a dedicated subnet in the virtual network you are deploying the Bastion host to. The subnet must be named AzureBastionSubnet and be at least /27 or larger. You can create this subnet ahead of time or create it during the Bastion host deployment.

Create a Bastion Host using the Azure Portal

  1. Log in to the Azure portal
  2. From the Azure portal menu, choose Create a resource
Create a new resource in the Azure portal
  1. Search the Marketplace for bastion and click Enter
Search for bastion in the Azure Marketplace
  1. In the search results, select Bastion published by Microsoft
Select Azure Bastion published by Microsoft
  1. Click Create
Begin the process of creating an Azure Bastion
  1. Specify the configuration settings for your Bastion resource
Provide the configuration setting for a new Azure Bastion host
  • Subscription: Select your Azure subscription that you are creating the Bastion resource in.
  • Resource Group: Select an existing resource group or create a new resource group to create the Bastion resource in.
  • Name: Enter a name for the Bastion resource.
  • Region: Select the region to create the Bastion resource in.
  • Virtual Network: Select and existing or create a new virtual network to create the Bastion resource. An existing network will require address space for the Azure Bastion subnet.
  • Subnet: Select or create the subnet for the Bastion resource. It must be named AzureBastionSubnet and be at least /27 or larger.
  • Public IP address: Create a new or select an existing public IP address that will be used to connect to the Bastion resource. The public IP address must be in the same region as the Bastion resource.
  • Public IP address name: Enter a name for the public IP address.
  • Public IP address SKU: Only Standard is available for a Bastion resource.
  • Assignment: Only Static is available for a Bastion resource.
  1. Click Review + Create
  1. Once validation succeeds, select Create
Validation of configuration settings

Create a Network Security Group

The Azure Bastion is a fully managed PaaS service from Azure. It is hardened internally to provide you secure RDP/SSH connectivity. You do not need to apply any NSGs on Azure Bastion subnet. For the subnets that the Azure Bastion will connect to, configure NSGs to allow RDP/SSH connections from the Azure Bastion subnet only.

You can create a new NSG for your VM subnets, or you can modify an existing NSG. Create an inbound security rule that specifies the source as the Azure Bastion subnet IP range and the destination ports 3389/22 for RDP/SSH, respectively.

Create a new inbound security rule in a network security group

Update the VM subnet to use the new or updated NSG.

Assigning a network security group to a virtual subnet

Connect to an Azure VM using Azure Bastion

Now that you have created an Azure Bastion host and configured the NSG to allow RDP from the Azure Bastion host, you can connect to any VM in the virtual network.

  1. In the Azure portal, navigate to the VM you want to connect to
  2. Click Connect and choose Bastion
Connecting to an Azure VM from the Azure portal using the Azure Bastion
  1. Provide credentials to connect to the VM
  2. Click Connect
Providing credentials for the Azure VM

By default, the RDP session opens in a new window. You will need to allow popups.

Allowing popups from Azure for the RDP connection

Once connected, you can choose to allow text and imaged to be copied to the clipboard.

Allowing clipboard access to the connection

Alternatively, clear the checkmark to open the session in a new window…

Changing connection to open in the Azure portal window

and open the session directly in the Azure portal.

Connecting directly from the Azure portal


Azure Bastion is a great way to provide secure access to your Azure VMs. It deploys in about 5 minutes and provides VM connectivity directly from the Azure portal. It removes the need for public IP addresses on your Azure VMs, which provides extra security and simplifies NSG management.

Make sure to check out more great articles at ITProTV

Share this post:


Comments are closed