Azure-bastion peer vnet

Question

I've just read the following sentence
When determining the number of Azure Bastion hosts to deploy, consider that you require one per virtual network (or peered virtual network)
and wonder if implementing an HUB-SPOKE topology, where several Vnets are peered to the HUB where the Bastion would be placed, I need more than one Bastion Host

If I do would I need to deploy them in the same AzureBastionSubnet or do I need also different subnets ?

I'm also planning to install a firewall in the HUB Vnet to manage Inter-Vnet traffic, is this a problem in regard of the Azure-Bastion ?

Accepted Answer

@Stefano Colombo Apologize for misunderstanding your question. I am glad you found the answer to it. Regarding concurrent session, here are the Azure Bastion Limits. Based on the workload type, the Bastion Host can either support upto 100,50 or 5 concurrent session. To increase this limitation, you can perform Host scaling.

As mentioned here in Host Scaling, Azure Bastion supports manual host scaling. You can configure the number of host instances (scale units) in order to manage the number of concurrent RDP/SSH connections that Azure Bastion can support. Increasing the number of host instances lets Azure Bastion manage more concurrent sessions. Decreasing the number of instances decreases the number of concurrent supported sessions. Azure Bastion supports up to 50 host instances. This feature is available for the Azure Bastion Standard SKU only.

Hope this helps. Please let us know if you have any further questions and we will be glad to assist further. Thank you!

Answer

@Stefano Colombo Thank you for reaching out to Azure Support. I understand that you want to know if you can deploy more than one Bastion Host in your Hub and Spoke setup and how to deploy the same.

Azure Bastion deployment is per virtual network, therefore, you will need to deploy the Bastion in a different Vnet such as the Spoke vnet in order to have multiple Bastions in this setup. By default, a user sees the Bastion host that is deployed in the same virtual network in which VM resides. However, in the Connect menu, a user can see multiple Bastion hosts detected across peered networks. They can select the Bastion host that they prefer to use to connect to the VM deployed in the virtual network.

Regarding Firewall in the Hub Vnet, you can setup a Firewall as well as the Bastion in the Hub together.

As seen from the above picture, you need to make sure that when deploying Azure Firewall, or a virtual appliance, you may end up associating your RouteTable, which was created while deploying Azure Firewall, to all subnets in your virtual network. You may even be including the AzureBastionSubnet subnet as well.

This applies a user-defined route to the AzureBastionSubnet subnet which directs all Azure Bastion traffic to Azure Firewall, thereby blocking traffic required for Azure Bastion. To avoid this, configuring Azure Bastion is very easy, but do not associate the RouteTable to AzureBastionSubnet subnet.

Please refer to this document for more details for setting up Azure Bastion and Azure Firewall in the Hub vnet. Hope this helps. Please do let us know if you have any other questions/concerns and we will be glad to assist you further. Thank you!

Answer

Hello @SaiKishor-MSFT
My question was a little different.
I was asking if a single bastion host can serve multiple SPOKE VNETs, and then I found the following picture that seems to confirm it

The second question is about the limits of a single bastion hosts in terms of concurrent connections.
If we have to provide more concurrent connections that a single bastion host can support how would we deploy the “array” of bastion hosts ?
Thanks

Share via

Azure-bastion peer vnet

2 additional answers

Your answer