Quickstart: Configure Azure Bastion from VM settings

This quickstart article shows you how to configure Azure Bastion based on your VM settings, and then connect to the VM via private IP address using the Azure portal. Once the Bastion service is provisioned, the RDP/SSH experience is available to all of the virtual machines in the same virtual network.

When connecting via Azure Bastion, your VM doesn't need a public IP address, client software, agent, or a special configuration. Additionally, if you don't need the public IP address on your VM for anything else, you can remove it and connect to your VM through the portal using the private IP address. For more information about Azure Bastion, see What is Azure Bastion?


  • An Azure account with an active subscription. If you don't have one, create one for free. To be able to connect to a VM through your browser using Bastion, you must be able to sign in to the Azure portal.

  • A Windows virtual machine in a virtual network. If you don't have a VM, create one using Quickstart: Create a VM.

    • If you need example values, see the provided Example values.
    • If you already have a virtual network, make sure to select it on the Networking tab when you create your VM.
    • If you don't already have a virtual network, you can create one at the same time you create your VM.
    • You do not need to have a public IP address for this VM in order to connect via Azure Bastion.
  • Required VM roles:

    • Reader role on the virtual machine.
    • Reader role on the NIC with private IP of the virtual machine.
  • Required VM ports:

    • Inbound ports: RDP (3389)


For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work, but we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of host scaling in the future.


The use of Azure Bastion with Azure Private DNS Zones is not supported at this time. Before you begin, please make sure that the virtual network where you plan to deploy your Bastion resource is not linked to a private DNS zone.

Example values

You can use the following example values when creating this configuration, or you can substitute your own.

Basic VNet and VM values:

Name Value
Virtual machine TestVM
Resource group TestRG1
Region East US
Virtual network VNet1
Address space
Subnets FrontEnd:

Azure Bastion values:

Name Value
Name VNet1-bastion
+ Subnet Name AzureBastionSubnet
AzureBastionSubnet addresses A subnet within your VNet address space with a subnet mask /26 or larger.
For example,
Tier/SKU Standard
Public IP address Create new
Public IP address name VNet1-ip
Public IP address SKU Standard
Assignment Static

Create a bastion host

There are a few different ways to configure a bastion host. In the following steps, you'll create a bastion host in the Azure portal directly from your VM. When you create a host from a VM, various settings will automatically populate corresponding to your virtual machine and/or virtual network.

  1. Sign in to the Azure portal.

  2. Navigate to the VM that you want to connect to, then select Connect.

    Screenshot of virtual machine settings.

  3. From the dropdown, select Bastion.

    Screenshot of Bastion dropdown.

  4. On the TestVM | Connect page, select Use Bastion.

    Screenshot of Use Bastion.

  5. On the Connect using Azure Bastion page, Step 1, the values are pre-populated because you are creating the bastion host directly from your VM.

    Screenshot of step 1 prepopulated settings.

  6. On the Connect using Azure Bastion page, Step 2, configure the subnet values. The AzureBastionSubnet address space is pre-populated with a suggested address space. The AzureBastionSubnet must have an address space of /26 or larger (/25, /24, etc.). We recommend using a /26 so that host scaling is not limited. When you finish configuring this setting, click Create Subnet to create the AzureBastionSubnet.

    Screenshot of create the Bastion subnet.

  7. After the subnet is created, the page advances automatically to Step 3. For Step 3, use the following values:

    • Name: Name the bastion host.
    • Tier: The tier is the SKU. For this exercise, select Standard from the dropdown. Selecting the Standard SKU lets you configure the instance count for host scaling. The Basic SKU doesn't support host scaling. For more information, see Configuration settings - SKU.
    • Instance count: This is the setting for host scaling. Use the slider to configure. If you specify the Basic tier SKU, you are limited to 2 instances and cannot configure this setting. For more information, see Configuration settings - host scaling. Instance count relies on the Standard SKU. In this quickstart, you can select the instance count you'd prefer, keeping in mind any scale unit pricing considerations.
    • Public IP address: Select Create new.
    • Public IP address name: The name of the Public IP address resource.
    • Public IP address SKU: Pre-configured as Standard.
    • Assignment: Pre-configured to Static. You can't use a Dynamic assignment for Azure Bastion.
    • Resource group: The same resource group as the VM.

    Screenshot of Step 3.

  8. After completing the values, select Create Azure Bastion using defaults. Azure validates your settings, then creates the host. The host and its resources take about 5 minutes to create and deploy.
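The subnet rules from Step 2 can be checked before you open the portal. The following is an added example, not part of the original quickstart: it tests a proposed AzureBastionSubnet for the required name, the /26 minimum size, containment in the VNet address space, and overlap with existing subnets. The function name and all address ranges are constructed for illustration.

```python
import ipaddress

BASTION_SUBNET_NAME = "AzureBastionSubnet"
MAX_PREFIX_LEN = 26  # "/26 or larger" (/25, /24, ...) means prefix length <= 26

# Constructed sample values; substitute your own VNet address space and subnets.
SAMPLE_VNET_SPACE = ["10.1.0.0/16"]
SAMPLE_SUBNETS = {"FrontEnd": "10.1.0.0/24"}


def check_bastion_subnet(name, prefix, vnet_address_space, existing_subnets):
    """Return a list of problems with a proposed Bastion subnet (empty list = OK)."""
    problems = []
    if name != BASTION_SUBNET_NAME:
        problems.append(f"subnet name must be {BASTION_SUBNET_NAME!r}, got {name!r}")
    try:
        # strict=True rejects prefixes with host bits set, e.g. 10.1.1.5/26
        subnet = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return problems + [f"invalid prefix {prefix!r}: {exc}"]
    if subnet.prefixlen > MAX_PREFIX_LEN:
        problems.append(f"/{subnet.prefixlen} is smaller than the /26 minimum")
    spaces = [ipaddress.ip_network(s) for s in vnet_address_space]
    if not any(subnet.version == s.version and subnet.subnet_of(s) for s in spaces):
        problems.append(f"{subnet} is outside the VNet address space")
    for other_name, other_prefix in existing_subnets.items():
        other = ipaddress.ip_network(other_prefix)
        if other.version == subnet.version and subnet.overlaps(other):
            problems.append(f"{subnet} overlaps subnet {other_name} ({other})")
    return problems


if __name__ == "__main__":
    for candidate in ("10.1.1.0/26", "10.1.1.0/27", "10.1.0.64/26", "10.2.0.0/26"):
        result = check_bastion_subnet(
            BASTION_SUBNET_NAME, candidate, SAMPLE_VNET_SPACE, SAMPLE_SUBNETS
        )
        print(candidate, "->", result or "OK")
```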

Remove VM public IP address

When you connect to a VM using Azure Bastion, you do not need a public IP address for your VM. If you aren't using the public IP address for anything else, you can disassociate it from your VM. To disassociate a public IP address from your VM, use the following steps:

  1. Navigate to your virtual machine and select Networking. Select the NIC Public IP to open the public IP address page.

    Screenshot of networking page.

  2. On the Public IP address page for the VM, select Disassociate.

    Screenshot of public IP address for the VM.

  3. Select Yes to disassociate the IP address from the network interface.

    Screenshot of Disassociate public IP address.

  4. After you disassociate the IP address, you can delete the public IP address resource. To delete the public IP address resource, navigate to the resource group and locate the IP address resource you want to delete. Then, select Delete to delete the resource.

    Screenshot of delete the public IP address resource.

Connect to a VM

After Bastion has been deployed to the virtual network, the screen changes to the connect page.

  1. Type the username and password for your virtual machine. Then, select Connect.

    Screenshot shows the Connect using Azure Bastion dialog.

  2. The RDP connection to this virtual machine via Bastion will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service. Click Allow when asked for permissions to the clipboard. This lets you use the remote clipboard arrows on the left of the screen.

    • When you connect, the desktop of the VM may look different than the example screenshot.
    • Using keyboard shortcut keys while connected to a VM may not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.

    RDP connect

Clean up resources

When you're done using the virtual network and the virtual machines, delete the resource group and all of the resources it contains:

  1. Enter the name of your resource group in the Search box at the top of the portal and select it from the search results.

  2. Select Delete resource group.

  3. Enter your resource group for TYPE THE RESOURCE GROUP NAME and select Delete.

Next steps

In this quickstart, you created a bastion host for your virtual network, and then connected to a virtual machine securely via Bastion. Next, you can continue with the following step if you want to connect to a virtual machine scale set.