Tutorial: Configure Bastion and connect to a Windows VM
This tutorial shows you how to connect to a virtual machine through your browser using Azure Bastion and the Azure portal. In this tutorial, using the Azure portal, you deploy Bastion to your virtual network. Once the service is provisioned, the RDP/SSH experience is available to all of the virtual machines in the same virtual network. When you use Bastion to connect, the VM does not need a public IP address or special software. After deploying Bastion, you can remove the public IP address from your VM if it is not needed for anything else. Next, you connect to a VM via its private IP address using the Azure portal. For more information about Azure Bastion, see What is Azure Bastion?.
In this tutorial, you'll learn how to:
- Create a bastion host for your VNet.
- Remove the public IP address from a virtual machine.
- Connect to a Windows virtual machine.
If you don’t have an Azure subscription, create a free account before you begin.
Prerequisites
A Windows virtual machine in the virtual network. If you don't have a VM, create one using Quickstart: Create a VM.
The following required roles for your resources:
- Required VM roles:
  - Reader role on the virtual machine.
  - Reader role on the NIC with private IP of the virtual machine.
Ports: To connect to the Windows VM, you must have the following ports open on your Windows VM:
- Inbound ports: RDP (3389)
Important
For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work, but we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of host scaling in the future.
Note
The use of Azure Bastion with Azure Private DNS Zones is not supported at this time. Before you begin, please make sure that the virtual network where you plan to deploy your Bastion resource is not linked to a private DNS zone.
Example values
You can use the following example values when creating this configuration, or you can substitute your own.
Basic VNet and VM values:
| Name | Value |
|---|---|
| Virtual machine | TestVM |
| Resource group | TestRG1 |
| Region | East US |
| Virtual network | VNet1 |
| Address space | 10.1.0.0/16 |
| Subnets | FrontEnd: 10.1.0.0/24 |
Azure Bastion values:
| Name | Value |
|---|---|
| Name | VNet1-bastion |
| Subnet Name | AzureBastionSubnet |
| AzureBastionSubnet addresses | A subnet within your VNet address space with a subnet mask /26 or larger. For example, 10.1.1.0/26. |
| Tier/SKU | Standard |
| Instance count (host scaling) | 3 or greater |
| Public IP address | Create new |
| Public IP address name | VNet1-ip |
| Public IP address SKU | Standard |
| Assignment | Static |
Create a bastion host
This section helps you create the bastion object in your VNet. This is required in order to create a secure connection to a VM in the VNet.
Sign in to the Azure portal.
Type Bastion into the search.
Under services, click Bastions.
On the Bastions page, click + Create to open the Create a Bastion page.
On the Create a Bastion page, configure a new Bastion resource.
Project details
Subscription: The Azure subscription you want to use.
Resource Group: The Azure resource group in which the new Bastion resource will be created. If you don't have an existing resource group, you can create a new one.
Instance details
Name: The name of the new Bastion resource.
Region: The Azure public region in which the resource will be created. Choose the region in which your virtual network resides.
Tier: The tier is also known as the SKU. For this tutorial, we select the Standard SKU from the dropdown. Selecting the Standard SKU lets you configure the instance count for host scaling. The Basic SKU doesn't support host scaling. For more information, see Configuration settings - SKU.
Instance count: This is the setting for host scaling and configured in scale unit increments. Use the slider to configure the instance count. If you specified the Basic tier SKU, you cannot configure this setting. For more information, see Configuration settings - host scaling. In this tutorial, you can select the instance count you'd prefer, keeping in mind any scale unit pricing considerations.
Configure virtual networks
Virtual network: The virtual network in which the Bastion resource will be created. You can create a new virtual network in the portal during this process, or use an existing virtual network. If you are using an existing virtual network, make sure the existing virtual network has enough free address space to accommodate the Bastion subnet requirements. If you don't see your virtual network from the dropdown, make sure you have selected the correct Resource Group.
Subnet: Once you create or select a virtual network, the subnet field appears on the page. This is the subnet in which your Bastion instances will be deployed. The name must be AzureBastionSubnet. See the following steps to add the subnet.
Manage subnet configuration
In most cases, you will not already have an AzureBastionSubnet configured. To configure the bastion subnet:
Select Manage subnet configuration. This takes you to the Subnets page.
On the Subnets page, select +Subnet to open the Add subnet page.
Create a subnet using the following guidelines:
- The subnet must be named AzureBastionSubnet.
- The subnet must be /26 or larger. For the Standard SKU, we recommend /26 or larger to accommodate future additional host scaling instances.
You don't need to fill out additional fields on this page. Select Save at the bottom of the page to save the settings and close the Add subnet page.
At the top of the Subnets page, select Create a Bastion to return to the Bastion configuration page.
Public IP address
The public IP address of the Bastion resource on which RDP/SSH will be accessed (over port 443). Create a new public IP address. The public IP address must be in the same region as the Bastion resource you are creating. This IP address does not have anything to do with any of the VMs that you want to connect to. It's the public IP address for the Bastion host resource.
- Public IP address name: The name of the public IP address resource. For this tutorial, you can leave the default.
- Public IP address SKU: This setting is prepopulated by default to Standard. Azure Bastion uses/supports only the Standard public IP SKU.
- Assignment: This setting is prepopulated by default to Static.
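A preflight check for the subnet rules above (name, /26 or larger, inside the VNet, no overlap with existing subnets) and for the public IP settings (Standard SKU, Static assignment), as an added example that is not part of Microsoft's tutorial or tooling. The VNet space, the FrontEnd subnet and the candidate prefixes are the constructed values from the example tables in this tutorial; the function names are assumptions.

```python
import ipaddress

# Constructed sample values, taken from the "Example values" tables above.
VNET_SPACE = "10.1.0.0/16"
EXISTING_SUBNETS = {"FrontEnd": "10.1.0.0/24"}


def check_bastion_subnet(name, prefix, vnet_space=VNET_SPACE, existing=EXISTING_SUBNETS):
    """Return a list of problems; an empty list means the subnet meets the Bastion rules."""
    problems = []
    if name != "AzureBastionSubnet":
        problems.append(f"subnet must be named AzureBastionSubnet, got {name!r}")
    try:
        # strict=True rejects a prefix with host bits set (e.g. 10.1.1.1/26).
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return problems + [f"invalid prefix {prefix!r}: {exc}"]
    vnet = ipaddress.ip_network(vnet_space)
    if net.version != vnet.version:
        return problems + [f"{prefix} and {vnet_space} are not the same IP version"]
    # "/26 or larger" means a prefix length of 26 or less (/25, /24, ...).
    if net.prefixlen > 26:
        problems.append(f"{prefix} is smaller than /26; Bastion requires /26 or larger")
    if not net.subnet_of(vnet):
        problems.append(f"{prefix} is not inside the VNet address space {vnet_space}")
    for other_name, other in existing.items():
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{prefix} overlaps existing subnet {other_name} ({other})")
    return problems


def check_bastion_public_ip(sku, assignment):
    """Bastion supports only the Standard public IP SKU with Static assignment."""
    problems = []
    if sku != "Standard":
        problems.append(f"public IP SKU must be Standard, got {sku!r}")
    if assignment != "Static":
        problems.append(f"public IP assignment must be Static, got {assignment!r}")
    return problems


if __name__ == "__main__":
    for candidate in ("10.1.1.0/26", "10.1.1.0/27", "10.1.0.0/26", "10.2.0.0/26"):
        print(candidate, check_bastion_subnet("AzureBastionSubnet", candidate) or "ok")
    print(check_bastion_public_ip("Standard", "Static") or "public IP ok")
```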
Review and create
- When you finish specifying the settings, select Review + Create. This validates the values. Once validation passes, you can create the Bastion resource.
- Review your settings.
- At the bottom of the page, select Create.
- You will see a message letting you know that your deployment is underway. Status will display on this page as the resources are created. It takes about 5 minutes for the Bastion resource to be created and deployed.
Remove VM public IP address
When you connect to a VM using Azure Bastion, you do not need a public IP address for your VM. If you aren't using the public IP address for anything else, you can disassociate it from your VM. To disassociate a public IP address from your VM, use the following steps:
Navigate to your virtual machine and select Networking. Select the NIC Public IP to open the public IP address page.
On the Public IP address page for the VM, select Disassociate.
Select Yes to disassociate the IP address from the network interface.
After you disassociate the IP address, you can delete the public IP address resource. To delete the public IP address resource, navigate to the resource group and locate the IP address resource you want to delete. Then, select Delete to delete the resource.
Connect to a VM
In the Azure portal, navigate to the virtual machine that you want to connect to. On the Overview page, select Connect, then select Bastion from the dropdown.
After you select Bastion from the dropdown, a side bar appears that has three tabs: RDP, SSH, and Bastion. Because Bastion was provisioned for the virtual network, the Bastion tab is active by default. Select Use Bastion.
On the Connect using Azure Bastion page, enter the username and password for your virtual machine, then select Connect.
The RDP connection to this virtual machine via Bastion will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service.
- When you connect, the desktop of the VM may look different than the example screenshot.
- Using keyboard shortcut keys while connected to a VM may not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.
Clean up resources
If you're not going to continue to use this application, delete your resources using the following steps:
- Enter the name of your resource group in the Search box at the top of the portal. When you see your resource group in the search results, select it.
- Select Delete resource group.
- Enter the name of your resource group for TYPE THE RESOURCE GROUP NAME: and select Delete.
Next steps
In this tutorial, you created a Bastion host and associated it to a virtual network. You then removed the public IP address from a VM and connected to it. You may choose to use Network Security Groups with your Azure Bastion subnet. To do so, see: