I have updated my answer with the following references:
https://video2.skills-academy.com/en-us/troubleshoot/azure/virtual-machines/serial-console-errors
https://video2.skills-academy.com/en-us/azure/bastion/troubleshoot
Some possible reasons, according to the references:
Azure Serial Console requires boot diagnostics to be enabled. Ensure that the VM or virtual machine scale set has boot diagnostics enabled.
Make sure the VM or virtual machine scale set instance is in a started state.
If you receive a "Forbidden" response, it could be due to enabling a storage account firewall on the custom boot diagnostics account.
The storage account used for boot diagnostics on the VM could not be found. Verify that boot diagnostics is enabled for this VM, the storage account has not been deleted, and you have access to this storage account.
If you're encountering a 'Bad Request' error, it could be due to an incorrect boot diagnostics URI. For example, "http://" was used instead of "https://". This can be fixed with the command:
az vm boot-diagnostics enable --name vmName --resource-group rgName --storage https://<storageAccountUri>.blob.core.windows.net/
Ensure you have at least VM Contributor permissions. Serial console access requires contributor level access on the boot diagnostics storage account.
If you're unable to determine the resource group for the boot diagnostics storage account, verify that boot diagnostics is enabled for this VM and you have access to this storage account.
If the VM has not fully deployed, you may experience issues. Please ensure the VM is fully deployed and retry the serial console connection.
If your VM's boot diagnostics storage account is created using Azure Data Lake Storage Gen2, this could be the issue, as Serial console does not work with a storage account using Azure Data Lake Storage Gen2 with hierarchical namespaces.
You may encounter a 'Forbidden' (SubscriptionNotEnabled) error if the subscription that a user has created their Cloud Shell storage account in has been disabled.
If you receive an error stating that the serial console was unable to connect to the VM because the service did not respond in a timely manner, reapplying the virtual machine state in the Azure portal may resolve this issue.
Azure Bastion related errors:
If you're trying to create an NSG on the Azure Bastion subnet, make sure you have added the required rules to the NSG.
If you're using SSH, make sure that you browse a key file that is RSA, DSA, or OPENSSH private key for SSH, with a public key provisioned on the target VM.
If you're unable to connect to your Windows domain-joined virtual machine, Azure Bastion supports domain-joined VM sign-in for username-password based domain sign-in only.
You can troubleshoot your connectivity issues by navigating to the Connection Troubleshoot tab (in the Monitoring section) of your Azure Bastion resource in the Azure portal.
File transfer is not supported at this time with Azure Bastion.
If you get a black screen in the Azure portal, this happens when there is either a network connectivity issue between your web browser and Azure Bastion, or between the Azure Bastion and your target VM.
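
Added example, not part of the original answer: a preflight check that turns the serial console causes listed above into findings, run over JSON shaped like the output of `az vm get-instance-view` and `az storage account show`. The sample documents are constructed, and the function name and the JSON field names it reads are assumptions about that output.

```python
import json

# Constructed sample input; the field names are assumed to match the JSON
# printed by `az vm get-instance-view` and `az storage account show`.
SAMPLE_VM = json.loads("""{
  "diagnosticsProfile": {"bootDiagnostics": {"enabled": true,
    "storageUri": "http://examplediag.blob.core.windows.net/"}},
  "instanceView": {"statuses": [
    {"code": "ProvisioningState/succeeded"},
    {"code": "PowerState/deallocated"}]}
}""")
SAMPLE_STORAGE = json.loads("""{
  "isHnsEnabled": true,
  "networkRuleSet": {"defaultAction": "Deny"}
}""")


def serial_console_preflight(vm, storage=None):
    """Return findings that correspond to the causes listed in the answer."""
    findings = []
    boot = (vm.get("diagnosticsProfile") or {}).get("bootDiagnostics") or {}
    if not boot.get("enabled"):
        findings.append("boot diagnostics is not enabled")
    uri = boot.get("storageUri")
    if uri and not uri.lower().startswith("https://"):
        findings.append("boot diagnostics URI is not https (Bad Request)")
    statuses = (vm.get("instanceView") or {}).get("statuses") or []
    codes = {s.get("code", "").lower() for s in statuses}
    if "powerstate/running" not in codes:
        findings.append("VM is not in a started state")
    if "provisioningstate/succeeded" not in codes:
        findings.append("VM has not fully deployed")
    if storage is not None:  # skipped when no storage account JSON is supplied
        if storage.get("isHnsEnabled"):
            findings.append("storage account uses hierarchical namespaces (ADLS Gen2)")
        rules = storage.get("networkRuleSet") or {}
        if rules.get("defaultAction", "Allow").lower() == "deny":
            findings.append("storage account firewall is enabled (possible Forbidden)")
    return findings


if __name__ == "__main__":
    for finding in serial_console_preflight(SAMPLE_VM, SAMPLE_STORAGE):
        print("-", finding)
```

An empty list means none of these configuration causes were detected; permission problems such as missing contributor access are not visible in this JSON and still need to be checked separately.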