Create an Azure Bastion host using Azure CLI

This article shows you how to create an Azure Bastion host using Azure CLI. Once you provision the Azure Bastion service in your virtual network, the seamless RDP/SSH experience is available to all of the VMs in the same virtual network. Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine.

Optionally, you can create an Azure Bastion host by using the following methods:


There are two available Bastion SKUs: Basic and Standard. The Standard SKU is currently in Preview. During Preview, you can only configure the Standard SKU using the Azure portal. For more information about Bastion SKUs and the features that are supported by each SKU, see Configuration settings - Bastion SKUs.


Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.

This article uses the Azure CLI. To run commands, you can use Azure Cloud Shell. The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

To open the Cloud Shell, just select Try it from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to and toggle the dropdown in the left corner to reflect Bash or PowerShell. Select Copy to copy the blocks of code, paste it into the Cloud Shell, and press enter to run it.


The use of Azure Bastion with Azure Private DNS Zones is not supported at this time. Before you begin, please make sure that the virtual network where you plan to deploy your Bastion resource is not linked to a private DNS zone.

Create a bastion host

This section helps you create a new Azure Bastion resource using Azure CLI.


As shown in the examples, use the --location parameter with --resource-group for every command to ensure that the resources are deployed together.

  1. Create a virtual network and an Azure Bastion subnet. You must create the Azure Bastion subnet using the name value AzureBastionSubnet. This value lets Azure know which subnet to deploy the Bastion resources to. This is different than a VPN gateway subnet.

    • The smallest subnet AzureBastionSubnet size you can create is /27. However, we recommend that you create a /26 or larger size to accommodate host scaling.
    • Create the AzureBastionSubnet without any route tables or delegations.
    • If you use Network Security Groups on the AzureBastionSubnet, refer to the Work with NSGs article.
    az network vnet create --resource-group MyResourceGroup --name MyVnet --address-prefix --subnet-name AzureBastionSubnet --subnet-prefix --location northeurope
  2. Create a public IP address for Azure Bastion. The public IP is the public IP address the Bastion resource on which RDP/SSH will be accessed (over port 443). The public IP address must be in the same region as the Bastion resource you are creating.

    az network public-ip create --resource-group MyResourceGroup --name MyIp --sku Standard --location northeurope
  3. Create a new Azure Bastion resource in the AzureBastionSubnet of your virtual network. It takes about 5 minutes for the Bastion resource to create and deploy.

    az network bastion create --name MyBastion --public-ip-address MyIp --resource-group MyResourceGroup --vnet-name MyVnet --location northeurope

Next steps

  • Read the Bastion FAQ for additional information.
  • To use Network Security Groups with the Azure Bastion subnet, see Work with NSGs.