Using Azure Bastion

IntermediateTopic20 min4 min readAzure

AZ-104 notes: Using Azure Bastion. Covers key concepts for the Azure Administrator Associate exam.

#azure #az-104 #bastion

This lesson explains how to securely connect to private Azure VMs using:

Azure Bastion

Azure Bastion is a fully managed PaaS jump host service that allows you to connect to VMs via:

SSH (Linux)
RDP (Windows)
Directly from the Azure Portal browser, without exposing VMs to the public internet.

1️⃣ Why Azure Bastion Exists

The Problem

You have:

Virtual Network
Subnet
Private VMs (no public IP)
You need secure administrative access.

Traditional method:

Deploy jump box in DMZ
Assign public IP
Harden OS
Patch it
Manage security

That increases:

Attack surface
Operational overhead
Maintenance effort

2️⃣ What Azure Bastion Does

Azure Bastion:

Deploys into a special subnet
Uses a public IP
Provides browser-based SSH/RDP
Uses HTTPS (TLS encrypted)
Does NOT require VM public IP

Connection flow:

Admin Browser → Azure Portal → Bastion (HTTPS) → Private VM (RDP/SSH)
VM stays private.

3️⃣ Key Architecture Requirements

A. Dedicated Subnet (Mandatory)

Must be named:

AzureBastionSubnet

It must:

Be /26 or larger
Support scaling (host scaling)
Exist inside the same VNet

Example:

172.16.0.64/26
If subnet is smaller than /26 → Deployment fails.

B. Public IP for Bastion

Bastion requires a public IP

VM does NOT need public IP

C. Same Region Requirement

Bastion must:

Be deployed in same region as VNet

4️⃣ Bastion Tiers

Standard tier is production-ready.

Supports:

Copy & Paste
IP-based connection
Kerberos authentication
Native client support
Shareable links
Basic tier has limited features.

5️⃣ How Connection Works

From VM:

Portal → VM → Connect → Bastion

Choose:

SSH (Linux)
RDP (Windows)
Custom port if needed

Authentication method:

Password
SSH key (local file)
Key Vault integration
Session opens in new browser tab.
Encrypted via HTTPS.

6️⃣ What Makes Bastion Secure

✔ No VM public IP required ✔ No inbound NSG rules for SSH/RDP needed ✔ TLS encryption (HTTPS tunnel) ✔ Managed & hardened infrastructure ✔ Autoscaling backend

Reduces attack surface significantly.

7️⃣ Comparison: Jump Box vs Bastion

8️⃣ Session Monitoring

Inside Bastion resource:

You can view:

Active sessions
Username
Protocol
Target VM
Session state
Useful for auditing.

9️⃣ Common Exam Scenarios

🚩 Question: Securely access VMs without public IP? Answer: Azure Bastion.
🚩 Question: Reduce management overhead of jump server? Answer: Bastion.
🚩 Question: Connect via browser over HTTPS? Answer: Bastion.
🚩 Question: Subnet name requirement? Answer: AzureBastionSubnet.
🚩 Minimum subnet size? Answer: /26.

🔟 When NOT to Use Bastion

If you need:

Automated scripting at scale
Direct SSH from CLI without portal
Complex jump workflows

Alternative:

VPN
ExpressRoute
Azure AD login
Just-in-time VM access

11️⃣ Bastion vs Other Remote Access Methods

12️⃣ Security Best Practices

✔ Remove public IPs from VMs ✔ Use Bastion instead of jump servers ✔ Use SSH keys instead of passwords ✔ Use Azure AD authentication (if supported) ✔ Enable session logging