Hello @John Hanley ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
Azure Gateway Manager is an internal architectural component responsible for management traffic for deployments dedicated to Azure VPN/ExpressRoute Gateway, Application Gateway and Azure Bastion. It is configured as a service tag in NSGs to allow the required traffic from the control plane. If you apply an NSG on AzureBastionSubnet, you must enable port 443 inbound from the GatewayManager service tag, which allows ingress traffic from the Azure Bastion control plane, i.e. the Gateway Manager, to be able to talk to Azure Bastion for the required backend connectivity.
Since this is an internal component managed by Microsoft Azure, it is not exposed to customers and there is no publicly available document explaining this component in detail.
However, you can refer to the below docs where it is mentioned:
https://video2.skills-academy.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags
https://video2.skills-academy.com/en-us/security/benchmark/azure/baselines/bastion-security-baseline?toc=/azure/bastion/TOC.json#ns-1-implement-security-for-internal-traffic
https://video2.skills-academy.com/en-us/azure/bastion/bastion-nsg#apply
The service tag document is not updated to include Azure Bastion service and I will discuss this with the backend team to get it updated soon.
Kindly let us know if the above helps or you need further assistance on this issue.
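The NSG requirement described in the answer above (port 443 inbound from the GatewayManager service tag on AzureBastionSubnet) can be checked offline against an exported rule set. The following is an added example, not part of the original answer or Microsoft's code: it assumes the flattened `securityRules` field names of `az network nsg show` output, assumes the traffic is TCP, uses constructed sample NSGs, and the function names are hypothetical.

```python
import json

# Constructed samples shaped like the "securityRules" list of `az network nsg show`
# output (flattened field names are an assumption of this example).
GOOD_NSG = json.loads("""{"securityRules": [
 {"name": "AllowGatewayManager", "priority": 130, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "GatewayManager", "destinationPortRange": "443"}
]}""")
SHADOWED_NSG = json.loads("""{"securityRules": [
 {"name": "DenyAllInbound", "priority": 100, "direction": "Inbound", "access": "Deny",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
 {"name": "AllowGatewayManager", "priority": 130, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "GatewayManager", "destinationPortRange": "443"}
]}""")

def _values(rule, single, plural):
    """Merge the singular and plural forms of a rule field into one list."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers_port(rule, port):
    """True if any destination port entry ("*", "443", "400-500") includes port."""
    for rng in _values(rule, "destinationPortRange", "destinationPortRanges"):
        if rng == "*":
            return True
        lo, _, hi = str(rng).partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _matches(rule, tag, port):
    # Only the exact tag and "*" are treated as matching sources; other
    # service tags or CIDR prefixes are not resolved in this sketch.
    sources = [s.lower() for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")]
    return (rule.get("direction", "").lower() == "inbound"
            and rule.get("protocol", "").lower() in ("tcp", "*")  # TCP is assumed
            and (tag.lower() in sources or "*" in sources)
            and _covers_port(rule, port))

def gateway_manager_verdict(nsg, tag="GatewayManager", port=443):
    """Return (allowed, deciding_rule_name); the lowest priority number wins."""
    for rule in sorted(nsg.get("securityRules", []), key=lambda r: r["priority"]):
        if _matches(rule, tag, port):
            return rule["access"].lower() == "allow", rule["name"]
    return False, None  # no custom rule matches: not explicitly allowed
```

The second sample shows the failure mode worth auditing for: the allow rule exists, but a broader deny with a lower priority number is evaluated first.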