VNet peering and Azure Bastion (Preview)
Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional Bastion host. For more information about VNet peering, see About virtual network peering.
Azure Bastion works with the following types of peering:
- Virtual network peering: Connect virtual networks within the same Azure region.
- Global virtual network peering: Connect virtual networks across Azure regions.
When VNet peering is configured, Azure Bastion can be deployed in hub-and-spoke or full-mesh topologies. Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine.
Once you provision the Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same VNet, as well as in peered VNets. This means you can consolidate the Bastion deployment into a single VNet and still reach VMs deployed in a peered VNet, centralizing the overall deployment.
This figure shows the architecture of an Azure Bastion deployment in a hub-and-spoke model. In this diagram you can see the following configuration:
- The Bastion host is deployed in the centralized Hub virtual network.
- Centralized Network Security Group (NSG) is deployed.
- A public IP is not required on the Azure VM.
1. Connect to the Azure portal using any HTML5 browser.
2. Select the virtual machine to connect to.
3. Azure Bastion is seamlessly detected across the peered VNet.
4. With a single click, the RDP/SSH session opens in the browser. For RDP and SSH concurrent session limits, see RDP and SSH sessions.
For more information about connecting to a VM via Azure Bastion, see:
Can I still deploy multiple Bastion hosts across peered virtual networks?
Yes. By default, a user sees the Bastion host that is deployed in the same virtual network in which the VM resides. However, in the Connect menu, a user can see multiple Bastion hosts detected across peered networks. They can select the Bastion host that they prefer to use to connect to the VM deployed in the virtual network.
If my peered VNets are deployed in different subscriptions, will connectivity via Bastion work?
Yes, connectivity via Bastion continues to work for peered VNets across different subscriptions within a single tenant. Subscriptions in two different tenants are not supported. To see Bastion in the Connect drop-down menu, the user must select the subscriptions they have access to under Subscription > global subscription.
I have access to the peered VNet, but I can't see the VM deployed there.
Make sure the user has read access to both the VM and the peered VNet. Additionally, check under IAM that the user has read access to the following resources:
- Reader role on the virtual machine.
- Reader role on the NIC with the private IP of the virtual machine.
- Reader role on the Azure Bastion resource.
- Reader role on the virtual network (not needed if there is no peered virtual network).
| Operation | Description | Type |
| --- | --- | --- |
| Microsoft.Network/bastionHosts/read | Gets a Bastion Host | Action |
| Microsoft.Network/virtualNetworks/BastionHosts/action | Gets Bastion Host references in a Virtual Network. | Action |
| Microsoft.Network/virtualNetworks/bastionHosts/default/action | Gets Bastion Host references in a Virtual Network. | Action |
| Microsoft.Network/networkInterfaces/read | Gets a network interface definition. | Action |
| Microsoft.Network/networkInterfaces/ipconfigurations/read | Gets a network interface IP configuration definition. | Action |
| Microsoft.Network/virtualNetworks/read | Gets the virtual network definition. | Action |
| Microsoft.Network/virtualNetworks/subnets/virtualMachines/read | Gets references to all the virtual machines in a virtual network subnet. | Action |
| Microsoft.Network/virtualNetworks/virtualMachines/read | Gets references to all the virtual machines in a virtual network. | Action |
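When a user cannot see a VM in a peered VNet, the quickest check is whether the role they hold actually grants every operation in the table above. The following script is an added example, not part of this page or of any Azure tooling: it takes a role definition in the ARM JSON shape, applies Azure RBAC's matching rules (`*` wildcards, case-insensitive names, `notActions` subtracting from `actions`) and reports which required operations are missing. The two role definitions in it are constructed for illustration and are not Azure built-in roles.

```python
import re

# Operations the page's permissions table lists as needed for a user to see and
# connect to a VM in a peered VNet through the hub's Bastion host.
REQUIRED_OPERATIONS = [
    "Microsoft.Network/bastionHosts/read",
    "Microsoft.Network/virtualNetworks/BastionHosts/action",
    "Microsoft.Network/virtualNetworks/bastionHosts/default/action",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkInterfaces/ipconfigurations/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
    "Microsoft.Network/virtualNetworks/virtualMachines/read",
]


def matches(pattern, operation):
    """Azure RBAC action matching: '*' spans any characters (including '/'),
    and operation names compare case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def permitted(operation, actions, not_actions):
    """Allowed when an Actions entry matches and no NotActions entry matches
    (NotActions subtract from Actions; they are not an explicit deny)."""
    return any(matches(a, operation) for a in actions) and not any(
        matches(n, operation) for n in not_actions)


def missing_operations(role, required=REQUIRED_OPERATIONS):
    """Required operations that a role definition (ARM JSON shape) does not grant."""
    actions, not_actions = [], []
    for perm in role["properties"]["permissions"]:
        actions += perm.get("actions", [])
        not_actions += perm.get("notActions", [])
    return [op for op in required if not permitted(op, actions, not_actions)]


# Constructed role definitions for illustration; neither is an Azure built-in role.
BASTION_PEER_VIEWER = {"properties": {"roleName": "Bastion Peer Viewer (example)",
    "permissions": [{"actions": list(REQUIRED_OPERATIONS), "notActions": []}]}}
NETWORK_WITHOUT_BASTION = {"properties": {"roleName": "Network minus Bastion (example)",
    "permissions": [{"actions": ["Microsoft.Network/*"],
                     "notActions": ["Microsoft.Network/*bastion*"]}]}}

if __name__ == "__main__":
    for role in (BASTION_PEER_VIEWER, NETWORK_WITHOUT_BASTION):
        gaps = missing_operations(role)
        print(role["properties"]["roleName"], "->", "OK" if not gaps else gaps)
```

Feed it the output of a role-definition export for the role the user holds; any operation it lists is one the portal's Bastion detection across the peering can legitimately fail on.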
Read the Bastion FAQ.