Quickstart: Deploy Azure Bastion with default settings

In this quickstart, you'll learn how to deploy Azure Bastion with default settings to your virtual network using the Azure portal. After Bastion is deployed, you can connect (SSH/RDP) to virtual machines (VM) in the virtual network via Bastion using the private IP address of the VM. The VMs you connect to don't need a public IP address, client software, agent, or a special configuration. For more information about Azure Bastion, see What is Azure Bastion?

Diagram showing Azure Bastion architecture.

The steps in this article help you do the following:

  • Deploy Bastion with default settings from your VM resource using the Azure portal. When you deploy using default settings, the settings are based on the virtual network to which Bastion will be deployed.
  • After you deploy Bastion, you'll then connect to your VM via the portal using RDP/SSH connectivity and the VM's private IP address.
  • If your VM has a public IP address that you don't need for anything else, you can remove it.


Hourly pricing starts from the moment Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs. If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource once you've finished using it.


  • Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.

  • A VM in a VNet.

    When you deploy Bastion using default values, the values are pulled from the VNet in which your VM resides. This VM doesn't become a part of the Bastion deployment itself, but you do connect to it later in the exercise.

    • If you don't already have a VM in a VNet, create one using Quickstart: Create a Windows VM, or Quickstart: Create a Linux VM.
    • If you need example values, see the Example values section.
    • If you already have a virtual network, make sure it's selected on the Networking tab when you create your VM.
    • If you don't have a virtual network, you can create one at the same time you create your VM.
  • Required VM roles:

    • Reader role on the virtual machine.
    • Reader role on the NIC with private IP of the virtual machine.
  • Required VM ports inbound ports:

    • 3389 for Windows VMs
    • 22 for Linux VMs


The use of Azure Bastion with Azure Private DNS Zones is supported. However, there are certain restrictions. See the Bastion FAQ for more information.

Example values

You can use the following example values when creating this configuration, or you can substitute your own.

Basic VNet and VM values:

Name Value
Virtual machine TestVM
Resource group TestRG1
Region East US
Virtual network VNet1
Address space
Subnets FrontEnd:

Bastion values:

When you deploy from VM settings, Bastion is automatically configured with default values from the VNet

Name Default value
AzureBastionSubnet This subnet is created within the VNet as a /26
SKU Basic
Name Based on the virtual network name
Public IP address name Based on the virtual network name

Deploy Bastion

When you create Azure Bastion using default settings, the settings are configured for you. You can't modify or specify additional values for a default deployment. After deployment completes, you can always go to the bastion host Configuration page to select additional settings and features. For example, the default SKU is the Basic SKU. You can later upgrade to the Standard SKU to support more features. For more information, see About configuration settings.

  1. Sign in to the Azure portal.

  2. In the portal, go to the VM to which you want to connect. The values from the virtual network in which this VM resides will be used to create the Bastion deployment.

  3. On the page for your VM, in the Operations section on the left menu, select Bastion. When the Bastion page opens, it checks to see if you have enough available address space to create the AzureBastionSubnet. If you don't, you'll see settings to allow you to add more address space to your VNet to meet this requirement.

  4. On the Bastion page, you can view some of the values that will be used when creating the bastion host for your virtual network. Select Deploy Bastion to deploy bastion using default settings.

    Screenshot of Deploy Bastion.

  5. Bastion begins deploying. This can take around 10 minutes to complete.

Connect to a VM

When the Bastion deployment is complete, the screen changes to the Connect page.

  1. Type your authentication credentials. Then, select Connect.

    Screenshot shows the Connect using Azure Bastion dialog.

  2. The connection to this virtual machine via Bastion will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service. Select Allow when asked for permissions to the clipboard. This lets you use the remote clipboard arrows on the left of the screen.

    • When you connect, the desktop of the VM may look different than the example screenshot.

    • Using keyboard shortcut keys while connected to a VM may not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.

      Screenshot of RDP connection.

To enable audio output

You can enable remote audio output for your VM. Some VMs automatically enable this setting, others require you to enable audio settings manually. The settings are changed on the VM itself. Your Bastion deployment doesn't need any special configuration settings to enable remote audio output.


Audio output takes up bandwidth on your internet connection.

To enable remote audio output on a Windows VM:

  1. After you're connected to the VM, on the right-hand bottom corner of the toolbar, you'll see an audio button.
  2. Right-click the audio button and select "Sounds".
  3. A pop-up appears asking if you would like to enable the Windows Audio Service. Select "Yes". You can configure more audio options in Sound preferences.
  4. To verify sound output, hover your mouse over the audio button on the toolbar.

Remove VM public IP address

When you connect to a VM using Azure Bastion, you don't need a public IP address for your VM. If you aren't using the public IP address for anything else, you can dissociate it from your VM. To dissociate a public IP address from your VM, use the following steps:

  1. Go to your virtual machine and select Networking. Click the NIC Public IP to open the Public IP address page.

    Screenshot of networking page.

  2. On the Public IP address page, you can see the VM network interface listed under Associated to on the lower right of the page. Click Dissociate at the top of the page.

    Screenshot of public IP address for the VM.

  3. Click Yes to dissociate the IP address from the network interface. Once the public IP address is dissociated from the VM network interface, you can see that it's no longer listed under Associated to.

  4. After you dissociate the IP address, you can delete the public IP address resource. On the Public IP address page for the VM, select Delete.

    Screenshot of delete the public IP address resource.

  5. Click Yes to delete the public IP address.

Clean up resources

When you're done using the virtual network and the virtual machines, delete the resource group and all of the resources it contains:

  1. Enter the name of your resource group in the Search box at the top of the portal and select it from the search results.

  2. Select Delete resource group.

  3. Enter your resource group for TYPE THE RESOURCE GROUP NAME and select Delete.

Next steps

In this quickstart, you deployed Bastion to your virtual network, and then connected to a virtual machine securely via Bastion. Next, you can configure more features and work with VM connections.