Connect to a Windows virtual machine using Azure Bastion

Using Azure Bastion, you can securely and seamlessly connect to your virtual machines over SSL directly in the Azure portal. When you use Azure Bastion, your VMs don't require a client, agent, or additional software. This article shows you how to connect to your Windows VMs. For information about connecting to a Linux VM, see Connect to a Linux VM.

Azure Bastion provides secure connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH. For more information, see the What is Azure Bastion?.


Before you begin, verify that you have met the following criteria:

  • A VNet with the Bastion host already installed.

    Make sure that you have set up an Azure Bastion host for the virtual network in which the VM is located. Once the Bastion service is provisioned and deployed in your virtual network, you can use it to connect to any VM in the virtual network. To set up an Azure Bastion host, see Create a bastion host.

  • A Windows virtual machine in the virtual network.

  • The following required roles:

    • Reader role on the virtual machine.
    • Reader role on the NIC with private IP of the virtual machine.
    • Reader role on the Azure Bastion resource.
  • Ports: To connect to the Windows VM, you must have the following ports open on your Windows VM:

    • Inbound ports: RDP (3389)


  1. Open the Azure portal. Navigate to the virtual machine that you want to connect to, then select Connect. Select Bastion from the dropdown.

    Select Bastion

  2. After you select Bastion from the dropdown, a side bar appears that has three tabs: RDP, SSH, and Bastion. Because Bastion was provisioned for the virtual network, the Bastion tab is active by default. Select Use Bastion.

    Select Use Bastion

  3. On the Connect using Azure Bastion page, enter the username and password for your virtual machine, then select Connect.


  4. The RDP connection to this virtual machine via Bastion will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service.

    Connect using port 443

Next steps

Read the Bastion FAQ.