How to start with Microsoft #Azure #Bastion Service, secure VM access #AzureBastion #jumpserver #PaaS #WAC

In case you may missed this Azure has released a new service called Bastion. So what is the fuzz about this new service and why should you use this ?

Bastion can Manage RDP/SSH to VMs over SSL using private IP on the VM.

Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH access to your virtual machines directly through the Azure Portal. Azure Bastion is provisioned directly in your Virtual Network (VNet) and supports all VMs in your Virtual Network (VNet) using SSL without any exposure through public IP addresses.



So basically it is the old Jump server that you already used to get into the Azure VM’s if needed. It can access all virtual machines within a virtual network through a single hardened access point. Exposing the bastion host as primary exposed public access helps lockdown of public Internet exposure and limit threats such as port scanning and other types of malware targeting your VMs.

A jump server as PaaS services.


This seems nice but as always is it free or is it costly ? Well in the Azure Calculator you can see the Costs.



Ho do we start with Bastion.


First we need to register the new resource in Azure this is always needed to get to work with the new Azure components.

Keep in mind this can take some time to register

Get-AzProviderFeature -ProviderNamespace Microsoft.Network


With the Powershell command below we are registering the Bastion service into our subscription and network.

Register-AzProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network


Now that we triggered to register the Bastion services we need to wait

Check if it is done




Then register the network again. with your subscription and the Microsoft.Network provider namespace

Register-AzResourceProvider -ProviderNamespace Microsoft.Network



Now that this is done we can start with the Configuration, and there a multiple ways on how to get there. by the market place or directly in the VM


In the VM almost all the items are pre defined and ready to go if you want to go with the defaults.



In the marketplace you need to find the bastion and select the new resource.


Select and create the resource. Configure this accordantly and select the proper network.


The starting point is almost the same the first one is already in the VM network and the one from the market place is just a blank one , where you need to select your network.

In this LAB I’ll go for connection directly from the VM.

Lets start in the VM go to connect and select bastion and use Bastion


As I want to move forward quickly I already see some red lines. I need a /27 Subnet.  This is currently not in my network so I need to create a new subnet in the used Azure network.


As shown below the extra subnet is created to connect to the AzureBastion



The subnet inside your virtual network to which Bastion resource will be deployed. The subnet must be created with the name AzureBastionSubnet. This lets Azure know which subnet to deploy the Bastion resource to. This is different than a Gateway subnet. Click Manage subnet configuration to create the Azure Bastion Subnet. We highly recommend that you use at least a /27 or larger subnet (/27, /26, etc.). Create the AzureBastionSubnet without any Network Security Groups, route tables, or delegations. Click Create to create the subnet, then proceed with the next settings.



Now that the Subnet is added we can creating the Bastion service.


The validation started a it is created.


Now that it is created we can connect to the VM with HTML5 the connection is similar with WVD RDP connection to the VM.


You can see the created subnet.


Connecting With chrome or with Microsoft Edge is no problem you do need to configure the popup blocker



Web based RDP connection keep in mind the background is filtered out.

For connection with the browser you will need to allow the popup showing


image image image

now that the portal has access the connection will proceed. Unless your VM is in the Wrong region


Currently only the following regions are supported :

  • West US
  • East US
  • West Europe
  • South Central US
  • Australia East
  • Japan East

This is a nice feature but if you running already a hybrid site why not using the Windows admin center here you can also connect with the HTML5 browser to the Azure VM. the only thing here is you will need to connect to an external IP with proper NSG or to the internal IP with a S2S VPN connection.



Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Author: Robert Smit [MVP]

Robert Smit is Senior Technical Evangelist and is a current Microsoft MVP in Clustering as of 2009. Robert has over 20 years experience in IT with experience in the educational, health-care and finance industries. Robert’s past IT experience in the trenches of IT gives him the knowledge and insight that allows him to communicate effectively with IT professionals who are trying to address real concerns around business continuity, disaster recovery and regulatory compliance issues. Robert holds the following certifications: MCT - Microsoft Certified Trainer, MCTS - Windows Server Virtualization, MCSE, MCSA and MCPS. He is an active participant in the Microsoft newsgroup community and is currently focused on Hyper-V, Failover Clustering, SQL Server, Azure and all things related to Cloud Computing and Infrastructure Optimalization. Follow Robert on Twitter @ClusterMVP Or follow his blog Linkedin Profile Http:// Robert is also capable of transferring his knowledge to others which is a rare feature in the field of IT. He makes a point of not only solving issues but also of giving on the job training of his colleagues. A customer says " Robert has been a big influence on our technical staff and I have to come to know him as a brilliant specialist concerning Microsoft Products. He was Capable with his in-depth knowledge of Microsoft products to troubleshoot problems and develop our infrastructure to a higher level. I would certainly hire him again in the future. " Details of the Recommendation: "I have been coordinating with Robert implementing a very complex system. Although he was primarily a Microsoft infrastructure specialist; he was able to understand and debug .Net based complext Windows applications and websites. His input to improve performance of applications proved very helpful for the success of our project

3 thoughts on “How to start with Microsoft #Azure #Bastion Service, secure VM access #AzureBastion #jumpserver #PaaS #WAC”

  1. Hey, Thanks for writing this article to get a quick start of azure bastion also azure bastion is a fully managed service that provides more secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to virtual machines (VMs) without any exposure through public IP addresses. Provision of the service directly in your local or peered virtual network to get
    support for all the VMs within it and please visit us:

  2. Thank you for this post very complete cons I have reproduced the different steps in my azure environment and when I want to connect to my windows server from my jumpbox linux I have an error. What needs to be installed on the linux jumpbox to establish a remote RDP connection?

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: