Tutorial: Configure Bastion and connect to a Windows VM

This tutorial shows you how to connect to a virtual machine through your browser using Azure Bastion and the Azure portal. In this tutorial, using the Azure portal, you deploy Bastion to your virtual network. Once the service is provisioned, the RDP/SSH experience is available to all of the virtual machines in the same virtual network. When you use Bastion to connect, the VM does not need a public IP address or special software. After deploying Bastion, you can remove the public IP address from your VM if it is not needed for anything else. Next, you connect to a VM via its private IP address using the Azure portal. For more information about Azure Bastion, see What is Azure Bastion?.

In this tutorial, you'll learn how to:

  • Create a bastion host for your VNet.
  • Remove the public IP address from a virtual machine.
  • Connect to a Windows virtual machine.

If you don’t have an Azure subscription, create a free account before you begin.

Prerequisites

  • A virtual network.

  • A Windows virtual machine in the virtual network. If you don't have a VM, create one using Quickstart: Create a VM.

  • The following required roles for your resources:

    • Required VM roles:
      • Reader role on the virtual machine.
      • Reader role on the NIC with private IP of the virtual machine.
  • Ports: To connect to the Windows VM, you must have the following ports open on your Windows VM:

    • Inbound ports: RDP (3389)

Note

The use of Azure Bastion with Azure Private DNS Zones is not supported at this time. Before you begin, please make sure that the virtual network where you plan to deploy your Bastion resource is not linked to a private DNS zone.

Example values

You can use the following example values when creating this configuration, or you can substitute your own.

Basic VNet and VM values:

Name Value
Virtual machine TestVM
Resource group TestRG1
Region East US
Virtual network VNet1
Address space 10.1.0.0/16
Subnets FrontEnd: 10.1.0.0/24

Azure Bastion values:

Name Value
Name VNet1-bastion
+ Subnet Name AzureBastionSubnet
AzureBastionSubnet addresses A subnet within your VNet address space with a subnet mask /27 or larger.
For example, 10.1.1.0/26.
Tier/SKU Standard
Instance count (host scaling) 3 or greater
Public IP address Create new
Public IP address name VNet1-ip
Public IP address SKU Standard
Assignment Static

Create a bastion host

This section helps you create the bastion object in your VNet. This is required in order to create a secure connection to a VM in the VNet.

  1. Sign in to the Azure portal.

  2. Type Bastion into the search.

  3. Under services, click Bastions.

  4. On the Bastions page, click + Create to open the Create a Bastion page.

  5. On the Create a Bastion page, configure a new Bastion resource.

    Screenshot of Create a Bastion portal page.

Project details

  • Subscription: The Azure subscription you want to use.

  • Resource Group: The Azure resource group in which the new Bastion resource will be created. If you don't have an existing resource group, you can create a new one.

Instance details

  • Name: The name of the new Bastion resource.

  • Region: The Azure public region in which the resource will be created. Choose the region in which your virtual network resides.

  • Tier: The tier is also known as the SKU. For this tutorial, we select the Standard SKU from the dropdown. Selecting the Standard SKU lets you configure the instance count for host scaling. The Basic SKU doesn't support host scaling. For more information, see Configuration settings - SKU. The Standard SKU is in Preview.

  • Instance count: This is the setting for host scaling and configured in scale unit increments. Use the slider to configure the instance count. If you specified the Basic tier SKU, you cannot configure this setting. For more information, see Configuration settings - host scaling. In this tutorial, you can select the instance count you'd prefer, keeping in mind any scale unit pricing considerations.

Configure virtual networks

  • Virtual network: The virtual network in which the Bastion resource will be created. You can create a new virtual network in the portal during this process, or use an existing virtual network. If you are using an existing virtual network, make sure the existing virtual network has enough free address space to accommodate the Bastion subnet requirements. If you don't see your virtual network from the dropdown, make sure you have selected the correct Resource Group.

  • Subnet: Once you create or select a virtual network, the subnet field appears on the page. This is the subnet in which your Bastion instances will be deployed. The name must be AzureBastionSubnet. See the following steps to add the subnet.

Manage subnet configuration

In most cases, you will not already have an AzureBastionSubnet configured. To configure the bastion subnet:

  1. Select Manage subnet configuration. This takes you to the Subnets page.

    Screenshot of Manage subnet configuration.

  2. On the Subnets page, select +Subnet to open the Add subnet page.

  3. Create a subnet using the following guidelines:

    • The subnet must be named AzureBastionSubnet.
    • The subnet must be at least /27 or larger. For the Standard SKU, we recommend /26 or larger to accommodate future additional host scaling instances.

    Screenshot of the AzureBastionSubnet subnet.

  4. You don't need to fill out additional fields on this page. Select Save at the bottom of the page to save the settings and close the Add subnet page.

  5. At the top of the Subnets page, select Create a Bastion to return to the Bastion configuration page.

    Screenshot of Create a Bastion.

Public IP address

The public IP address of the Bastion resource on which RDP/SSH will be accessed (over port 443). Create a new public IP address. The public IP address must be in the same region as the Bastion resource you are creating. This IP address does not have anything to do with any of the VMs that you want to connect to. It's the public IP address for the Bastion host resource.

  • Public IP address name: The name of the public IP address resource. For this tutorial, you can leave the default.
  • Public IP address SKU: This setting is prepopulated by default to Standard. Azure Bastion uses/supports only the Standard public IP SKU.
  • Assignment: This setting is prepopulated by default to Static.

Review and create

  1. When you finish specifying the settings, select Review + Create. This validates the values. Once validation passes, you can create the Bastion resource.
  2. Review your settings.
  3. At the bottom of the page, select Create.
  4. You will see a message letting you know that your deployment is underway. Status will display on this page as the resources are created. It takes about 5 minutes for the Bastion resource to be created and deployed.

Remove VM public IP address

When you connect to a VM using Azure Bastion, you do not need a public IP address for your VM. If you aren't using the public IP address for anything else, you can disassociate it from your VM. To disassociate a public IP address from your VM, use the following steps:

  1. Navigate to your virtual machine and select Networking. Select the NIC Public IP to open the public IP address page.

    Screenshot of networking page.

  2. On the Public IP address page for the VM, select Disassociate.

    Screenshot of public IP address for the VM.

  3. Select Yes to disassociated the IP address from the network interface.

    Screenshot of Disassociate public IP address.

  4. After you disassociate the IP address, you can delete the public IP address resource. To delete the public IP address resource, navigate to the resource group and locate the IP address resource you want to delete. Then, select Delete to delete the resource.

    Screenshot of delete the public IP address resource.

Connect to a VM

  1. In the Azure portal, navigate to the virtual machine that you want to connect to. On the Overview page, select Connect, then select Bastion from the dropdown.

    Screenshot of Connect.

  2. After you select Bastion from the dropdown, a side bar appears that has three tabs: RDP, SSH, and Bastion. Because Bastion was provisioned for the virtual network, the Bastion tab is active by default. Select Use Bastion.

    Screenshot of Select Use Bastion.

  3. On the Connect using Azure Bastion page, enter the username and password for your virtual machine, then select Connect.

    Screenshot of Connect button.

  4. The RDP connection to this virtual machine via Bastion will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service.

    • When you connect, the desktop of the VM may look different than the example screenshot.
    • Using keyboard shortcut keys while connected to a VM may not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.

    Screenshot of Connect using port 443.

Clean up resources

If you're not going to continue to use this application, delete your resources using the following steps:

  1. Enter the name of your resource group in the Search box at the top of the portal. When you see your resource group in the search results, select it.
  2. Select Delete resource group.
  3. Enter the name of your resource group for TYPE THE RESOURCE GROUP NAME: and select Delete.

Next steps

In this tutorial, you created a Bastion host and associated it to a virtual network. You then removed the public IP address from a VM and connected to it. You may choose to use Network Security Groups with your Azure Bastion subnet. To do so, see: