How to Start with Microsoft #Azure #Bastion Service, Secure VM Access #AzureBastion #jumpserver #PaaS #WAC

In case you may missed this Azure has released a new service called Bastion. So what is the fuzz about this new service and why should you use this ?

Bastion can Manage RDP/SSH to VMs over SSL using private IP on the VM.

Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH access to your virtual machines directly through the Azure Portal. Azure Bastion is provisioned directly in your Virtual Network (VNet) and supports all VMs in your Virtual Network (VNet) using SSL without any exposure through public IP addresses.

Azure Bastion Service
Azure Bastion Service

So basically it is the old Jump server that you already used to get into the Azure VM’s if needed. It can access all virtual machines within a virtual network through a single hardened access point. Exposing the bastion host as primary exposed public access helps lockdown of public Internet exposure and limit threats such as port scanning and other types of malware targeting your VMs.

A jump server as PaaS services.

Customer’s virtual network

This seems nice but as always is it free or is it costly ? Well in the Azure Calculator you can see the Costs.

Azure Bastion Service

Ho do we start with Bastion.

First we need to register the new resource in Azure this is always needed to get to work with the new Azure components.

Keep in mind this can take some time to register

Get-AzProviderFeature -ProviderNamespace Microsoft.Network


With the Powershell command below we are registering the Bastion service into our subscription and network.

Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network


Now that we triggered to register the Bastion services we need to wait

Check if it is done


Then register the network again. with your subscription and the Microsoft.Network provider namespace

Register-AzResourceProvider -ProviderNamespace Microsoft.Network


Now that this is done we can start with the Configuration, and there a multiple ways on how to get there. by the market place or directly in the VM

Connect to virtual machine

In the VM almost all the items are pre defined and ready to go if you want to go with the defaults.

Azure Bastion Service

In the marketplace you need to find the bastion and select the new resource.

Get started
Bastion preview

Select and create the resource. Configure this accordantly and select the proper network.

Create a bastion

The starting point is almost the same the first one is already in the VM network and the one from the market place is just a blank one , where you need to select your network.

In this LAB I’ll go for connection directly from the VM.

Lets start in the VM go to connect and select bastion and use Bastion

Connec to virtual machine

As I want to move forward quickly I already see some red lines. I need a /27 Subnet.  This is currently not in my network so I need to create a new subnet in the used Azure network.

Azure Bastion Service

As shown below the extra subnet is created to connect to the AzureBastion

Azure Bastion Service

The subnet inside your virtual network to which Bastion resource will be deployed. The subnet must be created with the name AzureBastionSubnet. This lets Azure know which subnet to deploy the Bastion resource to. This is different than a Gateway subnet. Click Manage subnet configuration to create the Azure Bastion Subnet. We highly recommend that you use at least a /27 or larger subnet (/27, /26, etc.). Create the AzureBastionSubnet without any Network Security Groups, route tables, or delegations. Click Create to create the subnet, then proceed with the next settings.

Add subset

Now that the Subnet is added we can creating the Bastion service.


The validation started a it is created.

Creating a new bastion

Now that it is created we can connect to the VM with HTML5 the connection is similar with WVD RDP connection to the VM.


You can see the created subnet.


Connecting With chrome or with Microsoft Edge is no problem you do need to configure the popup blocker


Web based RDP connection keep in mind the background is filtered out.

For connection with the browser you will need to allow the popup showing

Pop-ups blocked

now that the portal has access the connection will proceed. Unless your VM is in the Wrong region


Currently only the following regions are supported :

  • West US
  • East US
  • West Europe
  • South Central US
  • Australia East
  • Japan East

This is a nice feature but if you running already a hybrid site why not using the Windows admin center here you can also connect with the HTML5 browser to the Azure VM. the only thing here is you will need to connect to an external IP with proper NSG or to the internal IP with a S2S VPN connection.

Azure Bastion Service

About the Author:

Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile


Smit, R. (2019). How to start with Microsoft #Azure #Bastion Service, secure VM access #AzureBastion #jumpserver #PaaS #WAC. Available at: [Accessed: 2nd January 2020].

Share this on...

Rate this Post: