What is Azure Bastion?
Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH connectivity to your virtual machines directly through the Azure portal — without exposing public IP addresses. By eliminating the need for jump boxes, VPN gateways, or public IPs on VMs, Bastion significantly reduces the attack surface while providing native browser-based access through TLS on port 443.
How Azure Bastion Works
Bastion is deployed within a dedicated subnet (AzureBastionSubnet, minimum /26) in your virtual network. When you connect to a VM, the Azure portal establishes an HTML5-based RDP or SSH session through the Bastion host over TLS. Traffic flows from your browser to Azure Bastion, then from Bastion to the target VM’s private IP address — the VM never needs a public IP or NSG rules allowing inbound RDP/SSH from the internet.
SKU Tiers
Basic SKU
Supports manual RDP/SSH connections via the Azure portal for up to 25 concurrent sessions. Suitable for small environments and development/test scenarios.
Standard SKU
Adds host scaling (2-50 instances), native client support (az network bastion tunnel), shareable links, file upload/download, and IP-based connections to non-Azure VMs reachable through peered networks. Standard SKU supports up to 50 concurrent sessions per instance.
Premium SKU
Includes all Standard features plus session recording for compliance auditing and private-only Bastion deployment (no public IP on the Bastion host itself).
Key Security Benefits
- No public IP exposure: VMs remain fully private with no inbound internet access required.
- Protection against port scanning: Since RDP/SSH ports are not exposed, automated attack tools cannot discover targets.
- Hardened gateway: Bastion is regularly patched and updated by Microsoft, eliminating jump box maintenance overhead.
- Azure AD integration: Azure AD authentication and conditional access policies can be enforced for Bastion connections.
- Audit logging: All connection events are logged in Azure Monitor for compliance and forensic analysis.
Deployment Best Practices
- Use a dedicated /26 or larger subnet named AzureBastionSubnet
- Enable Standard SKU for production environments requiring native client access
- Configure NSG on the AzureBastionSubnet to allow only required traffic
- Use Azure Private Link with Premium SKU for zero-public-IP architectures
- Monitor connection logs via Azure Monitor Diagnostic Settings
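The connection logs mentioned above are only useful if someone reviews them. The following is an added example (not Microsoft code) that reads an export of Bastion audit records and flags sessions started outside the business-hours window or from a source IP outside an assumed corporate range; the records, the corporate range and the column names (taken from the BastionAuditLogs table) are assumptions you would adjust to your export.

```python
"""Review Azure Bastion connection logs exported from Azure Monitor (added example).
Records are constructed and use BastionAuditLogs column names (TimeGenerated, UserName,
ClientIpAddress, TargetVMIPAddress, Protocol, Message); adjust keys if your export differs."""
import ipaddress
import json
from collections import Counter
from datetime import datetime

# Constructed sample export: three established sessions and one failed attempt.
SAMPLE_LOGS = """[
 {"TimeGenerated": "2024-03-05T09:12:44Z", "UserName": "alice@contoso.example", "Protocol": "ssh",
  "ClientIpAddress": "203.0.113.10", "TargetVMIPAddress": "10.1.2.4", "Message": "Successfully Connected"},
 {"TimeGenerated": "2024-03-05T02:30:01Z", "UserName": "bob@contoso.example", "Protocol": "rdp",
  "ClientIpAddress": "203.0.113.22", "TargetVMIPAddress": "10.1.2.5", "Message": "Successfully Connected"},
 {"TimeGenerated": "2024-03-05T10:05:17Z", "UserName": "carol@contoso.example", "Protocol": "ssh",
  "ClientIpAddress": "198.51.100.7", "TargetVMIPAddress": "10.1.2.4", "Message": "Successfully Connected"},
 {"TimeGenerated": "2024-03-05T10:06:40Z", "UserName": "carol@contoso.example", "Protocol": "rdp",
  "ClientIpAddress": "198.51.100.7", "TargetVMIPAddress": "10.1.2.6", "Message": "Connection Failed"}
]"""

# Assumed corporate egress range and the page's 8 AM to 6 PM business-hours window (UTC).
CORP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = range(8, 18)

def review_sessions(log_json, corp_ranges=CORP_RANGES, hours=BUSINESS_HOURS):
    """Return (findings, sessions_per_user); a finding is (user, reason, detail)."""
    findings, per_user = [], Counter()
    for rec in json.loads(log_json):
        if rec.get("Message") != "Successfully Connected":
            continue  # failed attempts are not sessions; review those separately
        user = rec["UserName"]
        per_user[user] += 1
        started = datetime.fromisoformat(rec["TimeGenerated"].replace("Z", "+00:00"))
        if started.hour not in hours:
            findings.append((user, "off-hours", started.isoformat()))
        source = ipaddress.ip_address(rec["ClientIpAddress"])
        if not any(source in net for net in corp_ranges):
            findings.append((user, "unknown-source-ip", str(source)))
    return findings, per_user

if __name__ == "__main__":
    found, counts = review_sessions(SAMPLE_LOGS)
    for user, reason, detail in found:
        print(f"{reason:18} {user} ({detail})")
    print("sessions per user:", dict(counts))
```

In production the same logic belongs in a scheduled Log Analytics or Sentinel query; this script is for reviewing an exported result set offline.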
Pricing
Azure Bastion is billed per hour of deployment plus data transfer. Basic starts at approximately $0.19/hour, Standard at $0.35/hour per instance. For organizations with predictable usage, keeping Bastion deployed continuously is more practical than creating and deleting instances.
FAQ
Can I use Bastion with native RDP/SSH clients?
Yes, Standard and Premium SKUs support native client connections through the Azure CLI tunnel command (az network bastion tunnel), enabling tools like mstsc.exe, PuTTY, and SSH clients.
Does Bastion work across peered VNets?
Yes. Bastion can connect to VMs in peered virtual networks without additional Bastion deployments, reducing costs in hub-spoke topologies.
Advanced Azure Bastion Configurations
Beyond basic portal-based connectivity, Azure Bastion Standard and Premium SKUs unlock powerful enterprise scenarios. The native client feature allows using familiar tools like mstsc.exe for RDP, PuTTY for SSH, and Azure CLI tunnels (az network bastion tunnel) for arbitrary TCP port forwarding. This enables database management tools, custom administrative applications, and file transfer utilities to connect through Bastion without browser limitations.
Shareable Links
Standard SKU introduces shareable links — time-limited URLs that grant Bastion access to specific VMs without requiring the recipient to have Azure portal access or even an Azure account. This is invaluable for vendor support scenarios, temporary contractor access, and cross-team troubleshooting where creating Azure RBAC assignments would be excessive. Links can be configured with expiration times from 1 hour to 7 days.
Session Recording
Premium SKU adds complete session recording for compliance and forensic purposes. Every RDP and SSH session is captured and stored in a designated Azure Storage account. Financial institutions, healthcare providers, and government agencies use session recordings to satisfy SOC 2, HIPAA, and FedRAMP audit requirements. Recordings can be reviewed through Azure portal or integrated with SIEM solutions for automated analysis.
Network Architecture Patterns
Hub-Spoke Topology
In hub-spoke virtual network designs, deploy Azure Bastion once in the hub VNet. Through VNet peering, Bastion reaches VMs in all spoke VNets without additional deployments. This reduces cost by 60-80% compared to deploying Bastion in every spoke. Ensure peering connections allow gateway transit and configure NSGs to permit Bastion traffic between hub and spoke subnets.
Private-Only Deployment
Premium SKU supports removing the public IP from the Bastion host itself, creating a fully private architecture. Access flows through Azure Private Link, ExpressRoute, or VPN Gateway — critical for organizations with zero-public-IP mandates. This configuration requires Standard Load Balancer and specific NSG rules for the AzureBastionSubnet.
Cost Optimization Strategies
Azure Bastion billing is continuous while deployed. For development and testing environments used only during business hours, consider automation: deploy Bastion at 8 AM and delete at 6 PM using Azure Automation runbooks or Logic Apps. This reduces costs by ~58% compared to 24/7 deployment. For production, the convenience and security benefits typically justify continuous deployment.
Scaling Considerations
Standard SKU supports 2-50 scale units, each handling approximately 20 concurrent RDP sessions or 40 SSH sessions. Monitor connection metrics through Azure Monitor to right-size scale units. Over-provisioning wastes budget; under-provisioning creates connection queues during incident response when multiple engineers need simultaneous VM access.
Comparison with Alternatives
| Feature | Azure Bastion | Jump Box VM | VPN Gateway |
|---|---|---|---|
| Management | Fully managed | Self-managed | Fully managed |
| Public IP on targets | Not required | Not required | Not required |
| Client software | Browser or native | RDP/SSH client | VPN client |
| Session recording | Yes (Premium) | Manual setup | No |
| Starting cost | ~$140/month | ~$30/month | ~$140/month |
Security Hardening Checklist
- Deploy in a dedicated /26 subnet named exactly AzureBastionSubnet
- Enable Azure DDoS Protection on the Bastion VNet
- Configure Diagnostic Settings to send logs to Log Analytics and Azure Sentinel
- Enforce Azure AD MFA through Conditional Access policies for Bastion users
- Restrict management plane access using Azure RBAC (Reader role sufficient for connection)
- Set NSG rules: allow inbound 443 from Internet to AzureBastionSubnet, allow outbound to VirtualNetwork for 3389/22
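The two NSG rules in the last item are the data-plane ones; Bastion also needs Allow rules for the Azure control plane, load balancer probes, host-to-host communication and outbound platform access, and a subnet NSG missing any of them breaks deployments. The following added example (not Microsoft code) checks an NSG rule export against the full required set; it assumes the camelCase field names of `az network nsg rule list -o json` output, and the sample rule set is constructed to contain only the two rules named in the checklist.

```python
"""Check an AzureBastionSubnet NSG for the Allow rules Azure Bastion needs (added example).
Input is assumed to have the camelCase keys of `az network nsg rule list -o json`; the sample
rule set below is constructed and contains only the two rules the checklist names."""
import json

# Rules Bastion requires on the AzureBastionSubnet: (direction, service tag, destination ports).
REQUIRED_RULES = [
    ("Inbound", "Internet", {"443"}),                  # user sessions over TLS
    ("Inbound", "GatewayManager", {"443"}),            # Azure control plane
    ("Inbound", "AzureLoadBalancer", {"443"}),         # health probes
    ("Inbound", "VirtualNetwork", {"8080", "5701"}),   # Bastion host-to-host
    ("Outbound", "VirtualNetwork", {"22", "3389"}),    # SSH/RDP to target VMs
    ("Outbound", "VirtualNetwork", {"8080", "5701"}),  # Bastion host-to-host
    ("Outbound", "AzureCloud", {"443"}),               # Azure platform endpoints
    ("Outbound", "Internet", {"80"}),                  # session and certificate validation
]

def rule_ports(rule):
    """Destination ports of a rule; az emits a single range or a list of ranges."""
    ports = {rule["destinationPortRange"]} if rule.get("destinationPortRange") else set()
    return ports | set(rule.get("destinationPortRanges") or [])

def rule_covers(rule, direction, tag, ports):
    """True if this Allow rule permits the given direction, peer tag and ports."""
    if rule.get("access") != "Allow" or rule.get("direction") != direction:
        return False
    peer = "sourceAddressPrefix" if direction == "Inbound" else "destinationAddressPrefix"
    if rule.get(peer) not in (tag, "*"):
        return False
    have = rule_ports(rule)
    return "*" in have or ports <= have

def missing_bastion_rules(rules):
    """Required (direction, tag, ports) entries that no rule in the NSG covers."""
    return [req for req in REQUIRED_RULES if not any(rule_covers(r, *req) for r in rules)]

SAMPLE_NSG_RULES = json.loads("""[
 {"name": "AllowHttpsInbound", "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
  "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "*", "destinationPortRange": "443", "priority": 120},
 {"name": "AllowSshRdpOutbound", "direction": "Outbound", "access": "Allow", "protocol": "*",
  "sourceAddressPrefix": "*", "destinationAddressPrefix": "VirtualNetwork", "destinationPortRanges": ["22", "3389"], "priority": 100}
]""")

if __name__ == "__main__":
    for direction, tag, ports in missing_bastion_rules(SAMPLE_NSG_RULES):
        print(f"missing: {direction} Allow {tag} tcp/{','.join(sorted(ports))}")
```

Run against the sample it reports the six rules the checklist item omits; a rule with a "*" source or port counts as covering the requirement, so review such wildcards separately rather than treating a clean report as proof of least privilege.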