Quickstart: Deploy Azure Bastion with default settings

In this quickstart, you'll learn how to deploy Azure Bastion with default settings to your virtual network using the Azure portal. After Bastion is deployed, you can connect (SSH/RDP) to virtual machines in the virtual network via Bastion using the private IP address of the VM. When you connect to a VM, it doesn't need a public IP address, client software, agent, or a special configuration.

In this quickstart, you deploy Bastion from your VM resource using the Azure portal. Bastion is deployed using default settings that are based on the virtual network in which your VM is located. You then connect to your VM using RDP/SSH connectivity and the VM's private IP address. If your VM has a public IP address that you don't need for anything else, you can remove it.

Azure Bastion is a PaaS service that's maintained for you, not a bastion host that you install on one of your VMs and maintain yourself. For more information about Azure Bastion, see What is Azure Bastion?

Prerequisites

  • An Azure account with an active subscription. If you don't have one, create one for free.

  • A VM in a VNet.

    When you deploy Bastion using default values, the values are pulled from the VNet in which your VM resides. This VM doesn't become a part of the Bastion deployment itself, but you do connect to it later in the exercise.

    • If you don't already have a VM in a VNet, create one using Quickstart: Create a Windows VM, or Quickstart: Create a Linux VM.
    • If you need example values, see the Example values section.
    • If you already have a virtual network, make sure it's selected on the Networking tab when you create your VM.
    • If you don't have a virtual network, you can create one at the same time you create your VM.
  • Required VM roles:

    • Reader role on the virtual machine.
    • Reader role on the NIC with private IP of the virtual machine.
  • Required VM ports inbound ports:

    • 3389 for Windows VMs
    • 22 for Linux VMs

Note

The use of Azure Bastion with Azure Private DNS Zones is not supported at this time. Before you begin, please make sure that the virtual network where you plan to deploy your Bastion resource is not linked to a private DNS zone.

Example values

You can use the following example values when creating this configuration, or you can substitute your own.

Basic VNet and VM values:

Name Value
Virtual machine TestVM
Resource group TestRG1
Region East US
Virtual network VNet1
Address space 10.1.0.0/16
Subnets FrontEnd: 10.1.0.0/24

Bastion values:

When you deploy from VM settings, Bastion is automatically configured with default values.

Name Default value
AzureBastionSubnet This subnet is created within the VNet as a /26
SKU Basic
Name Based on the virtual network name
Public IP address name Based on the virtual network name

Deploy Bastion

When you create Azure Bastion using default settings, the settings are configured for you. You can't modify or specify additional values for a default deployment. After deployment completes, you can always go to the bastion host Configuration page to select additional settings and features. For example, the default SKU is the Basic SKU. You can later upgrade to the Standard SKU to support more features. For more information, see About configuration settings.

  1. Sign in to the Azure portal.

  2. In the portal, go to the VM to which you want to connect. The values from the virtual network in which this VM resides will be used to create the Bastion deployment.

  3. On the page for your VM, in the Operations section on the left menu, select Bastion. When the Bastion page opens, it checks to see if you have enough available address space to create the AzureBastionSubnet. If you don't, you'll see settings to allow you to add more address space to your VNet to meet this requirement.

  4. On the Bastion page, you can view some of the values that will be used when creating the bastion host for your virtual network. Select Create Azure Bastion using defaults to deploy bastion using default settings.

    Screenshot of Deploy Bastion.

  5. Bastion begins deploying. This can take around 10 minutes to complete.

Connect to a VM

When the Bastion deployment is complete, the screen changes to the Connect page.

  1. Type your authentication credentials. Then, select Connect.

    Screenshot shows the Connect using Azure Bastion dialog.

  2. The connection to this virtual machine via Bastion will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service. Select Allow when asked for permissions to the clipboard. This lets you use the remote clipboard arrows on the left of the screen.

    • When you connect, the desktop of the VM may look different than the example screenshot.

    • Using keyboard shortcut keys while connected to a VM may not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.

      Screenshot of RDP connection.

To enable audio output

You can enable remote audio output for your VM. Some VMs automatically enable this setting, others require you to enable audio settings manually. The settings are changed on the VM itself. Your Bastion deployment doesn't need any special configuration settings to enable remote audio output.

Note

Audio output takes up bandwidth on your internet connection.

To enable remote audio output on a Windows VM:

  1. After you are connected to the VM, on the right-hand bottom corner of the toolbar, you'll see an audio button.
  2. Right-click the audio button and select "Sounds".
  3. A pop-up appears asking if you would like to enable the Windows Audio Service. Select "Yes". You can configure more audio options in Sound preferences.
  4. To verify sound output, hover your mouse over the audio button on the toolbar.

Remove VM public IP address

When you connect to a VM using Azure Bastion, you don't need a public IP address for your VM. If you aren't using the public IP address for anything else, you can disassociate it from your VM. To disassociate a public IP address from your VM, use the following steps:

  1. Go to your virtual machine and select Networking. Select the NIC Public IP to open the public IP address page.

    Screenshot of networking page.

  2. On the Public IP address page for the VM, select Disassociate.

    Screenshot of public IP address for the VM.

  3. Select Yes to disassociate the IP address from the network interface.

    Screenshot of Disassociate public IP address.

  4. After you disassociate the IP address, you can delete the public IP address resource. On the Public IP address page for the VM, select Delete.

    Screenshot of delete the public IP address resource.

  5. Select Yes to delete the IP address resource.

    Screenshot of Delete public IP address resource confirmation.

Clean up resources

When you're done using the virtual network and the virtual machines, delete the resource group and all of the resources it contains:

  1. Enter the name of your resource group in the Search box at the top of the portal and select it from the search results.

  2. Select Delete resource group.

  3. Enter your resource group for TYPE THE RESOURCE GROUP NAME and select Delete.

Next steps

In this quickstart, you deployed Bastion to your virtual network, and then connected to a virtual machine securely via Bastion. Next, you can configure more features and work with VM connections.