Azure Bastion FAQ

Bastion FAQs

Which browsers are supported?

The browser must support HTML 5. Use the Microsoft Edge browser or Google Chrome on Windows. For Apple Mac, use Google Chrome browser. Microsoft Edge Chromium is also supported on both Windows and Mac, respectively.

How does pricing work?

Azure Bastion pricing is a combination of hourly pricing based on SKU and instances (scale units), plus data transfer rates. Hourly pricing starts from the moment Bastion is deployed, regardless of outbound data usage. For the latest pricing information, see the Azure Bastion pricing page.

Is IPv6 supported?

At this time, IPv6 isn't supported. Azure Bastion supports IPv4 only. This means that you can only assign an IPv4 public IP address to your Bastion resource, and that you can use your Bastion to connect to IPv4 target VMs. You can also use your Bastion to connect to dual-stack target VMs, but you'll only be able to send and receive IPv4 traffic via Azure Bastion.

Where does Azure Bastion store customer data?

Azure Bastion doesn't move or store customer data out of the region it's deployed in.

Does Azure Bastion support Virtual WAN?

Yes, you can use Azure Bastion for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub isn't supported. You can deploy Azure Bastion in a spoke VNet and use the IP-based connection feature to connect to virtual machines deployed across a different VNet via the Virtual WAN hub. For more information, see Set up routing configuration for a virtual network connection.

Can I use Azure Bastion with Azure Private DNS Zones?

Azure Bastion needs to be able to communicate with certain internal endpoints to successfully connect to target resources. Therefore, you can use Azure Bastion with Azure Private DNS Zones as long as the zone name you select doesn't overlap with the naming of these internal endpoints. Before you deploy your Azure Bastion resource, make sure that the host virtual network isn't linked to a private DNS zone with the following exact names:

  • management.azure.com
  • blob.core.windows.net
  • core.windows.net
  • vaultcore.windows.net
  • vault.azure.com
  • azure.com

You may use a private DNS zone ending with one of the names listed above (ex: privatelink.blob.core.windows.net).

Azure Bastion isn't supported with Azure Private DNS Zones in national clouds.

Does Azure Bastion support Private Link?"

No, Azure Bastion doesn't currently support private link.

Can I have an Azure Bastion subnet of size /27 or smaller (/28, /29, etc.)?

For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work. However, we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of host scaling in the future.

Can I deploy multiple Azure resources in my Azure Bastion subnet?

No. The Azure Bastion subnet (AzureBastionSubnet) is reserved only for the deployment of your Azure Bastion resource.

Is user-defined routing (UDR) supported on an Azure Bastion subnet?

No. UDR isn't supported on an Azure Bastion subnet.

For scenarios that include both Azure Bastion and Azure Firewall/Network Virtual Appliance (NVA) in the same virtual network, you don’t need to force traffic from an Azure Bastion subnet to Azure Firewall because the communication between Azure Bastion and your VMs is private. For more information, see Accessing VMs behind Azure Firewall with Bastion.

Can I upgrade from a Basic SKU to a Standard SKU?

Yes. For steps, see Upgrade a SKU. For more information about SKUs, see the Configuration settings article.

Can I downgrade from a Standard SKU to a Basic SKU?

No. Downgrading from a Standard SKU to a Basic SKU isn't supported. For more information about SKUs, see the Configuration settings article.

Does Bastion support connectivity to Azure Virtual Desktop?

No, Bastion connectivity to Azure Virtual Desktop isn't supported.

Why do I get "Your session has expired" error message before the Bastion session starts?

A session should be initiated only from the Azure portal. Sign in to the Azure portal and begin your session again. If you go to the URL directly from another browser session or tab, this error is expected. It helps ensure that your session is more secure and that the session can be accessed only through the Azure portal.

How do I handle deployment failures?

Review any error messages and raise a support request in the Azure portal as needed. Deployment failures may result from Azure subscription limits, quotas, and constraints. Specifically, customers may encounter a limit on the number of public IP addresses allowed per subscription that causes the Azure Bastion deployment to fail.

How do I incorporate Azure Bastion in my Disaster Recovery plan?

Azure Bastion is deployed within VNets or peered VNets, and is associated to an Azure region. You're responsible for deploying Azure Bastion to a Disaster Recovery (DR) site VNet. In the event of an Azure region failure, perform a failover operation for your VMs to the DR region. Then, use the Azure Bastion host that's deployed in the DR region to connect to the VMs that are now deployed there.

Does Bastion support zone redundancies?

Currently, by default, new Bastion deployments don't support zone redundancies. Previously deployed bastions may or may not be zone-redundant. The exceptions are Bastion deployments in Korea Central and Southeast Asia, which do support zone redundancies.

Does Bastion support Azure AD guest accounts?

Yes, Azure AD guest accounts can be granted access to Bastion and can connect to virtual machines.

VM features and connection FAQs

Are any roles required to access a virtual machine?

In order to make a connection, the following roles are required:

  • Reader role on the virtual machine.
  • Reader role on the NIC with private IP of the virtual machine.
  • Reader role on the Azure Bastion resource.
  • Reader Role on the virtual network of the target virtual machine (if the Bastion deployment is in a peered virtual network).

Do I need a public IP on my virtual machine to connect via Azure Bastion?

No. When you connect to a VM using Azure Bastion, you don't need a public IP on the Azure virtual machine that you're connecting to. The Bastion service will open the RDP/SSH session/connection to your virtual machine over the private IP of your virtual machine, within your virtual network.

Do I need an RDP or SSH client?

No. You can access your virtual machine from the Azure portal using your browser. For available connections and methods, see About VM connections and features.

Can I connect to my VM using a native client?

Yes. You can connect to a VM from your local computer using a native client. See Connect to a VM using a native client.

Do I need an agent running in the Azure virtual machine?

No. You don't need to install an agent or any software on your browser or your Azure virtual machine. The Bastion service is agentless and doesn't require any additional software for RDP/SSH.

What features are supported for VM sessions?

See About VM connections and features for supported features.

Is remote audio available for VMs?

Yes. See About VM connections and features.

Does Azure Bastion support file transfer?

Azure Bastion offers support for file transfer between your target VM and local computer using Bastion and a native RDP or SSH client. At this time, you can’t upload or download files using PowerShell or via the Azure portal. For more information, see Upload and download files using the native client.

Does Bastion hardening work with AADJ VM extension-joined VMs?

This feature doesn't work with AADJ VM extension-joined machines using Azure AD users. For more information, see Log in to a Windows virtual machine in Azure by using Azure AD.

Does Azure Bastion require an RDS CAL for administrative purposes on Azure-hosted VMs?

No, access to Windows Server VMs by Azure Bastion doesn't require an RDS CAL when used solely for administrative purposes.

Which keyboard layouts are supported during the Bastion remote session?

Azure Bastion currently supports the following keyboard layouts inside the VM:

  • en-us-qwerty
  • en-gb-qwerty
  • de-ch-qwertz
  • de-de-qwertz
  • fr-be-azerty
  • fr-fr-azerty
  • fr-ch-qwertz
  • hu-hu-qwertz
  • it-it-qwerty
  • ja-jp-qwerty
  • pt-br-qwerty
  • es-es-qwerty
  • es-latam-qwerty
  • sv-se-qwerty
  • tr-tr-qwerty

To establish the correct key mappings for your target language, you must set the keyboard layout on your local computer to your target language and the keyboard layout inside the target VM to your target language. Both keyboards must be set to your target language to establish the correct key mappings inside the target VM.

To set your target language as your keyboard layout on a Windows workstation, navigate to Settings > Time & Language > Language & Region. Under "Preferred languages," select "Add a language" and add your target language. You'll then be able to see your keyboard layouts on your toolbar. To set English (United States) as your keyboard layout, select "ENG" on your toolbar or click Windows + Spacebar to open keyboard layouts.

What is the maximum screen resolution supported via Bastion?

Currently, 1920x1080 (1080p) is the maximum supported resolution.

Does Azure Bastion support timezone configuration or timezone redirection for target VMs?

Azure Bastion currently doesn't support timezone redirection and isn't timezone configurable.

Will an existing session disconnect during maintenance on the Bastion host?

Yes, existing sessions on the target Bastion resource will disconnect during maintenance on the Bastion resource.

VNet peering FAQs

Can I still deploy multiple Bastion hosts across peered virtual networks?

Yes. By default, a user sees the Bastion host that is deployed in the same virtual network in which VM resides. However, in the Connect menu, a user can see multiple Bastion hosts detected across peered networks. They can select the Bastion host that they prefer to use to connect to the VM deployed in the virtual network.

If my peered VNets are deployed in different subscriptions, will connectivity via Bastion work?

Yes, connectivity via Bastion will continue to work for peered VNets across different subscription for a single Tenant. Subscriptions across two different Tenants aren't supported. To see Bastion in the Connect drop down menu, the user must select the subs they have access to in Subscription > global subscription.

Global subscriptions filter.

I have access to the peered VNet, but I can't see the VM deployed there.

Make sure the user has read access to both the VM, and the peered VNet. Additionally, check under IAM that the user has read access to following resources:

  • Reader role on the virtual machine.
  • Reader role on the NIC with private IP of the virtual machine.
  • Reader role on the Azure Bastion resource.
  • Reader Role on the virtual network (Not needed if there isn't a peered virtual network).
Permissions Description Permission type
Microsoft.Network/bastionHosts/read Gets a Bastion Host Action
Microsoft.Network/virtualNetworks/BastionHosts/action Gets Bastion Host references in a virtual network. Action
Microsoft.Network/virtualNetworks/bastionHosts/default/action Gets Bastion Host references in a virtual network. Action
Microsoft.Network/networkInterfaces/read Gets a network interface definition. Action
Microsoft.Network/networkInterfaces/ipconfigurations/read Gets a network interface IP configuration definition. Action
Microsoft.Network/virtualNetworks/read Get the virtual network definition Action
Microsoft.Network/virtualNetworks/subnets/virtualMachines/read Gets references to all the virtual machines in a virtual network subnet Action
Microsoft.Network/virtualNetworks/virtualMachines/read Gets references to all the virtual machines in a virtual network Action

Next steps

For more information, see What is Azure Bastion.