Microsoft on 18 June 2019 announced a new service called AzureBastion [Preview], this is a service where the users can connect remotely to Azure VM without the danger of exposing RDP or SSH ports. This way critical VM deployments that need to be isolated from the internet are secured.


There are a lot of features available come with the Azure Bastion service

  • No need for Public IP
  • Connect using RDP or SSH via the Azure Portal
  • Compatible with the most known Internet Browsers (Edge, IE, Chrome, Firefox, etc.)
  • No need for maintenance from the user side like updates for vulnerabilities, because the Azure Bastion service is managed by Microsoft.
  • No need for P2S VPN to RDP or SSH a Jumpbox VM

Try Azure Bastion

Currently, the service Bastion is in Public Preview and to try it we must meet certain conditions.

Available Regions

The service is not yet available to all Regions but only in specific, which are :

West Europe
West US
East US
South Central US
Australia  East
Japan East


Register The Azure Bastion Provider

First, we must register the Azure Bastion Provider and this can be achieved by running the following PowerShell scripts.

Step 1. Register the feature AllowBastionHost

Register-AzureRmProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network

Step 2. Re-register Microsoft.Network provider

Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network

Step 3. Verify that the feature is registered

Get-AzureRmProviderFeature -ProviderNamespace Microsoft.Network

Create Azure Bastion Host

The following steps will guide us to create an Azure Bastion Host.

Step 1. Log in to the Azure Portal – Preview

At the first step, we have to log in to the Azure Portal – Preview  .

Step 2. Select To Create Azure Bastion Host

Click on the left blade, select All services, type [Bastions] in the search field and press Enter.

Step 3.  Add a Bastion Host

Select +Add to create an Azure Bastion Host.

Step 4. Create a Bastion Host – Basic Tab

In the Basics Tab, we have to fill in few fields and then click Next to move to the other Tab.

SubscriptionCreate a New or Select a valid subscription
 Resource GroupSelect an existing or Create a New Resource Group
NameType a Name for the Bastion Host Service
RegionSelect a region for the Bastion Host
Virtual networkCreate a New or Select an existing VNet *
SubnetCreate a New Subnet with name “AzureBastionSubnet” or Select an existing with this name
Public IP addressCreate a new Public IP address or Select an existing
Public IP address nameType a Name for Public IP address
Public IP address SKU


Step 5. Review + create

Before we create the Azure Bastion service we can review the configuration. If the validation is successful we have to select Create to proceed with the deployment.

* At the image below we can see how to configure the VNet and more specifically the subnet where the Azure Bastion feature enabled. The name of the subnet MUST be AzureBastionSubnet.

When the deployment completed. Into the resource group, we have 3 services, like the image below shows.

Use Azure Bastion Host

To use the Azure Bastion Host service we must deploy an Azure VM in the VNet where the Bastion Host feature is enabled.

After a few minutes, the VM deployment is complete and as we can see the Public IP address is dissociated.

To connect to the VM over the web using the BASTION, we click Connect and from the pop-up window in the right of the menu select BASTION, type Username, and Password and click Connect.

A few seconds later, we are connected to the VM using an Internet Browser.


Azure Bastion is a new service which can offer more security to users when they connect to an Azure VM. By using this service there is no need to enable RDP or SSH ports on the VM.

See Also


Share This