What is a Bastion Server? Understanding Azure Bastion

Azure Bastion is a fully managed Platform-as-a-Service (PaaS) offering that you deploy into your Azure virtual network to provide secure access to your virtual machines (VMs) over their private IP addresses. It delivers Remote Desktop Protocol (RDP) and Secure Shell (SSH) connectivity to your VMs over Transport Layer Security (TLS), either from the Azure portal or from the native SSH or RDP client already installed on your local computer. Because the connection terminates on the Bastion host and not on the VM, your VMs need no public IP address, no agent, and no special client software.

A bastion host, in general, is a hardened host at the edge of a network that is the only permitted entry point for administrative access. Azure Bastion applies that pattern to every VM in the virtual network where it is provisioned (and, from the Basic SKU up, to peered virtual networks): RDP/SSH ports are never exposed to the internet, while administrators still get RDP/SSH access through a controlled, audited path.

Key Benefits of Using a Bastion Server

Direct RDP and SSH access via the Azure portal: Azure Bastion lets you open an RDP or SSH session to a VM directly from the Azure portal in a single click.

Remote sessions over TLS with firewall traversal: Azure Bastion serves an HTML5 web client to your browser, and the RDP/SSH session is carried inside TLS on port 443. Since the client side only ever uses 443, the traffic passes through corporate firewalls and proxies that block ports 3389 and 22. Azure Bastion requires TLS 1.2; older TLS versions are not supported.

No public IP address on the Azure VM: Azure Bastion opens the RDP/SSH connection to the VM's private IP address, so the VM needs no public IP and is removed from the internet-facing attack surface.

Simpler Network Security Group (NSG) management: Because Azure Bastion reaches VMs over private IP, the NSG on the workload subnet or NIC needs only one inbound rule allowing TCP 22/3389 from the address range of the Azure Bastion subnet (AzureBastionSubnet). You no longer adjust rules each time someone needs access to a VM. For details on NSGs, refer to the Network Security Groups documentation.

No separate bastion host VM to manage: Azure Bastion is a fully managed PaaS offering; Azure hardens, patches and operates it, so you do not run and maintain a dedicated jump-box VM.

Protection against port scanning: Since VMs are not exposed to the internet, internet-wide port scanners cannot discover their RDP/SSH ports. Hosts inside the virtual network can still reach those ports, which is why the NSG rule above should restrict the source to the Bastion subnet rather than to the whole virtual network.

Hardening in one place: Azure Bastion sits at the perimeter of the virtual network as the single entry point for RDP/SSH, so perimeter hardening concentrates on one managed component instead of on an internet-facing management port on every VM.

Protection against zero-day exploits: Azure keeps the Bastion hosts hardened, patched and up to date, so a zero-day in the bastion service itself is handled by the platform. This does not patch the guest operating systems of your VMs; those remain your responsibility.
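As an added example (not code from the Azure documentation or any Microsoft tool), the following Python script audits NSG rules for the configuration the NSG benefit above describes: inbound TCP 22/3389 allowed only from the Azure Bastion subnet. The rule dictionaries use the property names an Azure NSG security rule carries in its JSON representation (name, priority, direction, access, protocol, sourceAddressPrefix/sourceAddressPrefixes, destinationPortRange/destinationPortRanges); the sample rules and the Bastion subnet range 10.0.1.0/26 are constructed for the example.

```python
"""Flag NSG rules that allow RDP/SSH from anywhere other than the Azure Bastion subnet.

Added example for this page, not Azure tooling. Rules use the property names of an
Azure NSG security rule as returned in JSON; the sample rules and the subnet range
are constructed for the example.
"""
import ipaddress

# Assumed address range of the AzureBastionSubnet in the workload virtual network.
BASTION_SUBNET = ipaddress.ip_network("10.0.1.0/26")
MGMT_PORTS = {22, 3389}  # SSH and RDP


def _mgmt_ports_hit(rule):
    """Return the management ports (22/3389) covered by the rule's destination ports."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    hit = set()
    for r in ranges:
        if r == "*":
            return set(MGMT_PORTS)  # wildcard covers every port
        lo, _, hi = r.partition("-")  # "22" or "3000-4000"
        lo, hi = int(lo), int(hi or lo)
        hit.update(p for p in MGMT_PORTS if lo <= p <= hi)
    return hit


def _sources(rule):
    return rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]


def _is_bastion_only(prefix):
    """True only if the prefix is an IP range contained in the Bastion subnet.

    Service tags ("Internet", "VirtualNetwork"), "*" and any range wider than the
    Bastion subnet are not Bastion-only and therefore count as offending sources.
    """
    try:
        return ipaddress.ip_network(prefix, strict=False).subnet_of(BASTION_SUBNET)
    except (ValueError, TypeError):
        return False


def audit(rules):
    """Return (rule name, ports, offending sources) for every inbound Allow rule that
    opens 22 or 3389 to something other than the Bastion subnet, in priority order."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if rule.get("protocol", "*") not in ("Tcp", "*"):
            continue  # RDP and SSH are TCP; a UDP-only rule does not expose them
        ports = _mgmt_ports_hit(rule)
        if not ports:
            continue
        offending = [s for s in _sources(rule) if not _is_bastion_only(s)]
        if offending:
            findings.append((rule["name"], sorted(ports), offending))
    return findings


# Constructed sample, shaped like `az network nsg rule list -o json` trimmed to the fields used.
SAMPLE_RULES = [
    {"name": "AllowSSHFromBastion", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/26", "destinationPortRange": "22"},
    {"name": "AllowRDPFromBastion", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/26", "destinationPortRange": "3389"},
    {"name": "AllowRDPFromInternet", "priority": 120, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "AllowMgmtFromVnet", "priority": 130, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "VirtualNetwork",
     "destinationPortRanges": ["22", "3000-4000"]},
    {"name": "AllowHTTPS", "priority": 140, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "DenyAllInbound", "priority": 4096, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for name, ports, sources in audit(SAMPLE_RULES):
        print(f"{name}: ports {ports} reachable from {sources}")
```

On the sample the audit flags AllowRDPFromInternet and AllowMgmtFromVnet (the second because the 3000-4000 range silently includes 3389 and because VirtualNetwork is wider than the Bastion subnet), while the two Bastion-sourced rules pass. The check is deliberately conservative: it does not model a lower-numbered Deny rule shadowing a later Allow, so every Allow that opens a management port to a non-Bastion source is reported. To run it against a real NSG, feed it the output of `az network nsg rule list --resource-group <rg> --nsg-name <nsg> -o json`.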

Azure Bastion SKUs: Choosing the Right Tier

Azure Bastion offers different Stock Keeping Units (SKUs) to cater to varying needs and feature requirements. The table below outlines the features available in each SKU. For in-depth SKU details, consult the Configuration settings documentation.

Feature                                                Developer  Basic  Standard  Premium
Connect to target VMs in same virtual network          Yes        Yes    Yes       Yes
Connect to target VMs in peered virtual networks       No         Yes    Yes       Yes
Support for concurrent connections                     No         Yes    Yes       Yes
Access Linux VM private keys in Azure Key Vault (AKV)  Yes        Yes    Yes       Yes
Connect to Linux VM using SSH                          Yes        Yes    Yes       Yes
Connect to Windows VM using RDP                        Yes        Yes    Yes       Yes
Connect to Linux VM using RDP                          No         No     Yes       Yes
Connect to Windows VM using SSH                        No         No     Yes       Yes
Specify custom inbound port                            No         No     Yes       Yes
Connect to VMs using Azure CLI                         No         No     Yes       Yes
Host scaling                                           No         No     Yes       Yes
Upload or download files                               No         No     Yes       Yes
Kerberos authentication                                No         Yes    Yes       Yes
Shareable link                                         No         No     Yes       Yes
Connect to VMs via IP address                          No         No     Yes       Yes
VM audio output                                        Yes        Yes    Yes       Yes
Disable copy/paste (web-based clients)                 No         No     Yes       Yes
Session recording                                      No         No     No        Yes
Private-only deployment                                No         No     No        Yes

Azure Bastion Architecture: Secure Access Pathways

Azure Bastion’s architecture is adaptable based on the chosen SKU and configuration options. Generally, for most SKUs, Bastion is deployed within a virtual network and extends support across peered virtual networks. It effectively manages RDP/SSH connections to VMs residing in both the local and peered virtual networks.

RDP and SSH are the fundamental protocols for accessing and managing workloads in Azure. Exposing their listening ports directly to the internet is a significant threat surface, because the services become reachable by anyone who finds them and are exposed to any vulnerability in the protocol implementations. A bastion host (also known as a jump server) is the established mitigation: it is placed on the public side of the perimeter network, is designed and configured to withstand attack, and is the only host that can reach RDP/SSH on the workloads behind it and deeper inside the network.

The SKU selection during Azure Bastion deployment dictates the underlying architecture and feature availability. While upgrading to a higher SKU is possible to unlock more features, downgrading is not supported post-deployment. Certain architectures, like Private-only and Developer SKU, require configuration at the time of initial deployment. For detailed architectural insights, refer to Bastion design and architecture.

The original article shows one diagram for each of the available deployment architectures:

  • Basic SKU and higher
  • Developer SKU
  • Private-only deployment

Availability Zones for Azure Bastion

In some regions Azure Bastion can be deployed into a single availability zone, or into several zones for zone redundancy. To deploy zonally, create Bastion with manually specified settings rather than the automatic defaults, and specify the desired availability zones at that time: zonal placement cannot be changed after Bastion is deployed.

Availability Zones support is currently in preview in the following regions:

  • East US
  • Australia East
  • East US 2
  • Central US
  • Qatar Central
  • South Africa North
  • West Europe
  • West US 2
  • North Europe
  • Sweden Central
  • UK South
  • Canada Central

Host Scaling for Azure Bastion

Azure Bastion supports manual host scaling, allowing you to adjust the number of host instances (scale units) to accommodate varying concurrent RDP/SSH connection demands. Increasing host instances enhances Azure Bastion’s capacity to handle more simultaneous sessions, while decreasing instances reduces concurrent session support. Azure Bastion scales up to a maximum of 50 host instances. This feature is available for Standard SKU and higher.

For comprehensive details, see the Configuration settings documentation.

Azure Bastion Pricing

Azure Bastion pricing is structured around an hourly rate based on the chosen SKU and number of instances (scale units), in addition to data transfer charges. Hourly billing commences immediately upon Bastion deployment, irrespective of outbound data usage. For the most current pricing information, consult the Azure Bastion pricing page.

Stay Updated with Azure Bastion

Keep abreast of the latest Azure Bastion feature updates by subscribing to the RSS feed and visiting the Azure Updates page.

Azure Bastion Frequently Asked Questions

For common queries and answers, refer to the Bastion FAQ.
