Tutorial: Configure Bastion and connect to a Windows VM through a browser

This tutorial shows you how to connect to a virtual machine through your browser using Azure Bastion and the Azure portal. In the Azure portal, you deploy Bastion to your virtual network. After deploying Bastion, you connect to a VM via its private IP address using the Azure portal. Your VM does not need a public IP address or special software. Once the service is provisioned, the RDP/SSH experience is available to all of the virtual machines in the same virtual network. For more information about Azure Bastion, see What is Azure Bastion?.

In this tutorial, you'll learn how to:

  • Create a bastion host for your VNet.
  • Remove the public IP address from a virtual machine.
  • Connect to a Windows virtual machine.

If you don’t have an Azure subscription, create a free account before you begin.


  • A virtual network.

  • A Windows virtual machine in the virtual network.

  • The following required roles:

    • Reader role on the virtual machine.
    • Reader role on the NIC with private IP of the virtual machine.
    • Reader role on the Azure Bastion resource.
  • Ports: To connect to the Windows VM, you must have the following ports open on your Windows VM:

    • Inbound ports: RDP (3389)


The use of Azure Bastion with Azure Private DNS Zones is not supported at this time. Before you begin, please make sure that the virtual network where you plan to deploy your Bastion resource is not linked to a private DNS zone.

Sign in to the Azure portal

Sign in to the Azure portal.

Create a bastion host

This section helps you create the bastion object in your VNet. This is required in order to create a secure connection to a VM in the VNet.

  1. From the Home page, select + Create a resource.

  2. On the New page, in the Search box, type Bastion, then select Enter to get to the search results. On the result for Bastion, verify that the publisher is Microsoft.

  3. Select Create.

  4. On the Create a Bastion page, configure a new Bastion resource.

    Screenshot of Create a Bastion portal page.

    • Subscription: The Azure subscription you want to use to create a new Bastion resource.

    • Resource Group: The Azure resource group in which the new Bastion resource will be created. If you don't have an existing resource group, you can create a new one.

    • Name: The name of the new Bastion resource.

    • Region: The Azure public region that the resource will be created in.

    • Virtual network: The virtual network in which the Bastion resource will be created. You can create a new virtual network in the portal during this process, or use an existing virtual network. If you are using an existing virtual network, make sure the existing virtual network has enough free address space to accommodate the Bastion subnet requirements. If you don't see your virtual network from the dropdown, make sure you have selected the correct Resource Group.

    • Subnet: Once you create or select a virtual network, the subnet field will appear. The subnet in your virtual network where the new Bastion host will be deployed. The subnet will be dedicated to the Bastion host. Select Manage subnet configuration and create the Azure Bastion subnet. Select +Subnet and create a subnet using the following guidelines:

      • The subnet must be named AzureBastionSubnet.
      • The subnet must be at least /27 or larger.

      You don't need to fill out additional fields. Select OK and then, at the top of the page, select Create a Bastion to return to the Bastion configuration page.

    • Public IP address: The public IP address of the Bastion resource on which RDP/SSH will be accessed (over port 443). Create a new public IP address. The public IP address must be in the same region as the Bastion resource you are creating. This IP address does not have anything to do with any of the VMs that you want to connect to. It's the public IP address for the Bastion host resource.

    • Public IP address name: The name of the public IP address resource. For this tutorial, you can leave the default.

    • Public IP address SKU: This setting is prepopulated by default to Standard. Azure Bastion uses/supports only the Standard public IP SKU.

    • Assignment: This setting is prepopulated by default to Static.

  5. When you have finished specifying the settings, select Review + Create. This validates the values. Once validation passes, you can create the Bastion resource.

    Screenshot of validation page.

  6. Review your settings. Next, at the bottom of the page, select Create.

  7. You will see a message letting you know that your deployment is underway. Status will display on this page as the resources are created. It takes about 5 minutes for the Bastion resource to be created and deployed.

Remove a VM public IP address

When you connect to a VM using Azure Bastion, you do not need a public IP address for your VM. To disassociate a public IP address for your VM, use the following steps:

  1. Navigate to your virtual machine and select Networking. Select the NIC Public IP to open the public IP address page.

    Screenshot of networking page.

  2. On the Public IP address page for the VM, select Disassociate.

    Screenshot of public IP address for the VM.

  3. Select Yes to disassociated the IP address from the network interface.

    Screenshot of Disassociate public IP address.

  4. After you disassociate the IP address, you can delete the public IP address resource. To delete the public IP address resource, navigate to the resource group and locate the IP address resource you want to delete. Then, select Delete to delete the resource.

    Screenshot of delete the public IP address resource.

Connect to a VM

  1. Open the Azure portal. Navigate to the virtual machine that you want to connect to, then select Connect. Select Bastion from the dropdown.

    Select Bastion

  2. After you select Bastion from the dropdown, a side bar appears that has three tabs: RDP, SSH, and Bastion. Because Bastion was provisioned for the virtual network, the Bastion tab is active by default. Select Use Bastion.

    Select Use Bastion

  3. On the Connect using Azure Bastion page, enter the username and password for your virtual machine, then select Connect.


  4. The RDP connection to this virtual machine via Bastion will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service.

    Connect using port 443

Clean up resources

If you're not going to continue to use this application, delete your resources using the following steps:

  1. Enter the name of your resource group in the Search box at the top of the portal. When you see your resource group in the search results, select it.
  2. Select Delete resource group.
  3. Enter the name of your resource group for TYPE THE RESOURCE GROUP NAME: and select Delete.

Next steps

In this tutorial, you created a Bastion host and associated it to a virtual network. You then removed the public IP address from a VM and connected to it. You may choose to use Network Security Groups with your Azure Bastion subnet. To do so, see: