Create an RDP connection to a Windows VM using Azure Bastion

This article shows you how to securely and seamlessly create an RDP connection to your Windows VMs located in an Azure virtual network directly through the Azure portal. When you use Azure Bastion, your VMs don't require a client, agent, or additional software. You can also connect to a Windows VM using SSH. For information, see Create an SSH connection to a Windows VM.

Azure Bastion provides secure connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH. For more information, see the What is Azure Bastion?.

Prerequisites

Before you begin, verify that you have met the following criteria:

  • A VNet with the Bastion host already installed.

    • Make sure that you have set up an Azure Bastion host for the virtual network in which the VM is located. Once the Bastion service is provisioned and deployed in your virtual network, you can use it to connect to any VM in the virtual network.
    • To set up an Azure Bastion host, see Create a bastion host. If you plan to configure custom port values, be sure to select the Standard SKU when configuring Bastion.
  • A Windows virtual machine in the virtual network.

Required roles

  • Reader role on the virtual machine.
  • Reader role on the NIC with private IP of the virtual machine.
  • Reader role on the Azure Bastion resource.

Ports

To connect to the Windows VM, you must have the following ports open on your Windows VM:

  • Inbound port: RDP (3389) or
  • Inbound port: Custom value (you will then need to specify this custom port when you connect to the VM via Azure Bastion)

Note

If you want to specify a custom port value, Azure Bastion must be configured using the Standard SKU. The Basic SKU does not allow you to specify custom ports.

Connect

  1. In the Azure portal, navigate to the virtual machine that you want to connect to. On the Overview page, select Connect, then select Bastion from the dropdown.

    Screenshot of Connect.

  2. After you select Bastion from the dropdown, a side bar appears that has three tabs: RDP, SSH, and Bastion. Because Bastion was provisioned for the virtual network, the Bastion tab is active by default. Select Use Bastion.

    Screenshot of Select Use Bastion.

  3. On the Connect using Azure Bastion page, enter the username and password for your virtual machine, then select Connect.

    Screenshot of Connect button.

  4. The RDP connection to this virtual machine via Bastion will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service.

    • When you connect, the desktop of the VM may look different than the example screenshot.
    • Using keyboard shortcut keys while connected to a VM may not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.

    Screenshot of Connect using port 443.

Next steps

Read the Bastion FAQ.