Tutorial: Deploy Azure Bastion by using specified settings
This tutorial helps you deploy Azure Bastion from the Azure portal by using your own manual settings and a SKU (product tier) that you specify. The SKU determines the features and connections that are available for your deployment. For more information about SKUs, see Configuration settings - SKUs.
In the Azure portal, when you use the Configure manually option to deploy Bastion, you can specify configuration values such as instance counts and SKUs at the time of deployment. After Bastion is deployed, you can use SSH or RDP to connect to virtual machines (VMs) in the virtual network via Bastion using the private IP addresses of the VMs. When you connect to a VM, it doesn't need a public IP address, client software, an agent, or a special configuration.
The following diagram shows the architecture of Bastion.
In this tutorial, you deploy Bastion by using the Standard SKU. You adjust host scaling (instance count), which the Standard SKU supports. If you use a lower SKU for the deployment, you can't adjust host scaling. You can also select an availability zone, depending on the region to which you want to deploy.
After the deployment is complete, you connect to your VM via private IP address. If your VM has a public IP address that you don't need for anything else, you can remove it.
In this tutorial, you learn how to:
- Deploy Bastion to your virtual network.
- Connect to a virtual machine.
- Remove the public IP address from a virtual machine.
To complete this tutorial, you need these resources:
An Azure subscription. If you don't have one, create a free account before you begin.
A virtual network where you'll deploy Bastion.
A virtual machine in the virtual network. This VM isn't a part of the Bastion configuration and doesn't become a bastion host. You connect to this VM later in this tutorial via Bastion. If you don't have a VM, create one by using Quickstart: Create a Windows VM or Quickstart: Create a Linux VM.
Required VM roles:
- Reader role on the virtual machine
- Reader role on the network adapter (NIC) with the private IP of the virtual machine
Required inbound ports:
- For Windows VMs: RDP (3389)
- For Linux VMs: SSH (22)
Note
The use of Azure Bastion with Azure Private DNS zones is supported. However, there are restrictions. For more information, see the Azure Bastion FAQ.
You can use the following example values when creating this configuration, or you can substitute your own.
Name | Value |
---|---|
Virtual machine | TestVM |
Resource group | TestRG1 |
Region | East US |
Virtual network | VNet1 |
Address space | 10.1.0.0/16 |
Subnets | FrontEnd: 10.1.0.0/24 |
Name | Value |
---|---|
Name | VNet1-bastion |
+ Subnet Name | AzureBastionSubnet |
AzureBastionSubnet addresses | A subnet within your virtual network address space with a subnet mask of /26 or larger; for example, 10.1.1.0/26 |
Availability zone | Select value(s) from the dropdown list, if desired. |
Tier/SKU | Standard |
Instance count (host scaling) | 3 or greater |
Public IP address | Create new |
Public IP address name | VNet1-ip |
Public IP address SKU | Standard |
Assignment | Static |
This section helps you deploy Bastion to your virtual network. After Bastion is deployed, you can connect securely to any VM in the virtual network using its private IP address.
Important
Hourly pricing starts from the moment that Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs. If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource after you finish using it.
Sign in to the Azure portal.
Go to your virtual network.
On the page for your virtual network, on the left pane, select Bastion.
On the Bastion pane, expand Dedicated Deployment Options.
Select Configure manually. This option lets you configure specific additional settings (such as the SKU) when you're deploying Bastion to your virtual network.
On the Create a Bastion pane, configure the settings for your bastion host. Project details are populated from your virtual network values. Under Instance details, configure these values:
Name: The name that you want to use for your Bastion resource.
Region: The Azure public region in which the resource will be created. Choose the region where your virtual network resides.
Availability zone: Select the zone(s) from the dropdown, if desired. Only certain regions are supported. For more information, see the What are availability zones? article.
Tier: The SKU. For this tutorial, select Standard. For information about the features available for each SKU, see Configuration settings - SKU.
Instance count: The setting for host scaling, which is available for the Standard SKU. You configure host scaling in scale unit increments. Use the slider or enter a number to configure the instance count that you want. For more information, see Instances and host scaling and Azure Bastion pricing.
Configure the Virtual networks settings. Select your virtual network from the dropdown list. If your virtual network isn't in the dropdown list, make sure that you selected the correct Region value in the previous step.
To configure AzureBastionSubnet, select Manage subnet configuration.
On the Subnets pane, select +Subnet.
On the Add subnet pane, create the AzureBastionSubnet subnet by using the following values. Leave the other values as default.
- The subnet name must be AzureBastionSubnet.
- The subnet must be /26 or larger (for example, /26, /25, or /24) to accommodate features available with the Standard SKU.
Select Save at the bottom of the pane to save your values.
At the top of the Subnets pane, select Create a Bastion to return to the Bastion configuration pane.
The Public IP address section is where you configure the public IP address of the bastion host resource on which RDP/SSH will be accessed (over port 443). The public IP address must be in the same region as the Bastion resource that you're creating.
Create a new IP address. You can leave the default naming suggestion.
When you finish specifying the settings, select Review + Create. This step validates the values.
After the values pass validation, you can deploy Bastion. Select Create.
A message says that your deployment is in process. The status appears on this page as the resources are created. It takes about 10 minutes for the Bastion resource to be created and deployed.
You can use any of the following detailed articles to connect to a VM. Some connection types require the Bastion Standard SKU.
- Connect to a Windows VM
- Connect to a Linux VM
- Connect to a scale set
- Connect via IP address
- Connect from a native client
You can also use these basic connection steps to connect to your VM:
In the Azure portal, go to the virtual machine that you want to connect to.
At the top of the pane, select Connect > Bastion to go to the Bastion pane. You can also go to the Bastion pane by using the left menu.
The options available on the Bastion pane depend on the Bastion SKU. If you're using the Basic SKU, you connect to a Windows computer by using RDP and port 3389. Also for the Basic SKU, you connect to a Linux computer by using SSH and port 22. You don't have options to change the port number or the protocol. However, you can change the keyboard language for RDP by expanding Connection Settings.
If you're using the Standard SKU, you have more connection protocol and port options available. Expand Connection Settings to see the options. Typically, unless you configure different settings for your VM, you connect to a Windows computer by using RDP and port 3389. You connect to a Linux computer by using SSH and port 22.
For Authentication Type, select from the dropdown list. The protocol determines the available authentication types. Complete the required authentication values.
To open the VM session in a new browser tab, leave Open in new browser tab selected.
Select Connect to connect to the VM.
Confirm that the connection to the virtual machine opens directly in the Azure portal (over HTML5) by using port 443 and the Bastion service.
Note
When you connect, the desktop of the VM will look different from the example screenshot.
Using keyboard shortcut keys while you're connected to a VM might not result in the same behavior as shortcut keys on a local computer. For example, when you're connected to a Windows VM from a Windows client, Ctrl+Alt+End is the keyboard shortcut for Ctrl+Alt+Delete on a local computer. To do this from a Mac while you're connected to a Windows VM, the keyboard shortcut is fn+control+option+delete.
You can enable remote audio output for your VM. Some VMs automatically enable this setting, whereas others require you to enable audio settings manually. The settings are changed on the VM itself. Your Bastion deployment doesn't need any special configuration settings to enable remote audio output.
Note
Audio output uses bandwidth on your internet connection.
To enable remote audio output on a Windows VM:
- After you're connected to the VM, an audio button appears on the lower-right corner of the toolbar. Right-click the audio button, and then select Sounds.
- A pop-up message asks if you want to enable the Windows Audio Service. Select Yes. You can configure more audio options in Sound preferences.
- To verify sound output, hover over the audio button on the toolbar.
When you connect to a VM by using Azure Bastion, you don't need a public IP address for your VM. If you aren't using the public IP address for anything else, you can dissociate it from your VM:
Go to your virtual machine. On the Overview page, click the Public IP address to open the Public IP address page.
On the Public IP address page, go to Overview. You can view the resource that this IP address is Associated to. Select Dissociate at the top of the pane.
Select Yes to dissociate the IP address from the VM network interface. After you dissociate the public IP address from the network interface, verify that it's no longer listed under Associated to.
After you dissociate the IP address, you can delete the public IP address resource. On the Public IP address pane for the VM, select Delete.
Select Yes to delete the public IP address.
When you finish using this application, delete your resources:
- Enter the name of your resource group in the Search box at the top of the portal. When your resource group appears in the search results, select it.
- Select Delete resource group.
- Enter the name of your resource group for TYPE THE RESOURCE GROUP NAME, and then select Delete.
In this tutorial, you deployed Bastion to a virtual network and connected to a VM. You then removed the public IP address from the VM. Next, learn about and configure additional Bastion features.