Bastion standard vs bastion developer

Jakub Míka 20 Reputation points
2024-02-22T14:51:11.8833333+00:00

Hello, what is the difference in connection to the virtual server between Bastion Standard and Developer? My point is that if the virtual server doesn't have access to the public internet, Bastion Standard (I've tried connecting to a private server IP and public IP too) stops working. But Bastion Developer works even if the server does not have access to the public internet. What is the difference? I need to set up a VPN on the server where split tunneling is not possible. I can access the server via the serial console, and via Bastion Developer too, but not via Bastion Standard. I would have to move the whole server, virtual network and associated resources to another location to connect via Bastion Developer, but I want to avoid that. Is it somehow possible to connect to the virtual server via Bastion Standard/Basic even if it is running the aforementioned VPN, like the Developer option? Or can you think of a better solution? Thank you all very much for the advice.


Accepted answer
    GitaraniSharma-MSFT 47,591 Reputation points Microsoft Employee
    2024-02-23T11:38:35.06+00:00

    Hello @Jakub Míka,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know the difference between the connection to a virtual server using Bastion Standard and Developer.

    Azure Bastion requires that the virtual machine (VM) you're connecting to has internet access. Azure Bastion itself is a fully managed Platform as a Service (PaaS) that provides secure and seamless RDP and SSH connectivity to your VMs directly from the Azure portal over TLS. When you connect to a VM using Azure Bastion, the connection is established through the Azure Bastion service, which acts as a jump server. This means that the VM you're connecting to needs to have outbound internet access to communicate with Azure Bastion. If the VM doesn't have access to the internet, you won't be able to establish a connection to it via Azure Bastion.

    However, when you deploy Bastion using the Developer SKU, the deployment requirements are different from those of the other SKUs. Typically, when you create a bastion host, a host is deployed to the AzureBastionSubnet in your virtual network. The Bastion host is dedicated to your use. When using the Developer SKU, a bastion host isn't deployed to your virtual network, and you don't need an AzureBastionSubnet. The Developer SKU bastion host isn't a dedicated resource and is, instead, part of a shared pool. The traffic between the Bastion Developer resource and the user is sent via a Bastion agent and a Bastion pool. This may be the reason that Bastion Developer is able to access the server directly without Internet access (I have not tested this on my side though).

    Refer: https://learn.microsoft.com/en-us/azure/bastion/bastion-overview#architecture

    https://learn.microsoft.com/en-us/azure/bastion/quickstart-developer-sku#about-the-developer-sku

    All the SKU comparison can be found in the below doc:

    https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#skus

    Coming to your second question,

    I would have to move the whole server, virtual network and associated resources to another location to connect via bastion developer, but I want to avoid that. Is it somehow possible to connect to the virtual server via bastion standard/basic even if it is running the aforementioned VPN, like the developer option? Or can you think of a better solution?

    Like I mentioned above, Azure Bastion Standard/Basic requires that the virtual machine (VM) you're connecting to has internet access. You can deploy bastion hosts (also known as jump servers) at the public side of your perimeter network, and that host is deployed to the AzureBastionSubnet in your virtual network. The Bastion Standard/Basic SKUs are VNet-injected services.

    Also, you cannot use Azure Bastion Standard/Basic if you are advertising a default route (0.0.0.0/0) over ExpressRoute or VPN. Azure Bastion needs to be able to communicate with certain internal endpoints to successfully connect to target resources.

    Refer: https://learn.microsoft.com/en-us/azure/bastion/bastion-faq#forcedtunnel

    If you would like to use Azure Bastion Standard/Basic, you need to make sure that the VM server has Internet access.

    You may configure Network Security Groups (NSGs) on the Azure Bastion resource to restrict outbound internet access for your VMs while still allowing them to connect to Azure Bastion. This allows you to maintain a higher level of security for your VMs while still benefiting from the convenience and security features of Azure Bastion for remote connectivity.

    Refer: https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg

    So, there is no way to use Azure Bastion Standard/Basic if your server has no Internet access. Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

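The forced-tunneling condition the answer describes (a default route advertised over VPN or ExpressRoute, which is exactly what a VPN without split tunneling produces on the VM) can be checked from the VM's effective routes before deploying a Standard/Basic host. The check below is an added example, not part of the original thread or of Azure's tooling; it assumes route records shaped like `az network nic show-effective-route-table` output, and the sample records and the probe address are constructed.

```python
import ipaddress
import json

# Constructed sample shaped like `az network nic show-effective-route-table`
# output for the asker's VM NIC (not real output). The VPN gateway advertises
# 0.0.0.0/0, so the platform's default Internet route is overridden.
EFFECTIVE_ROUTES = json.loads("""[
 {"source": "Default", "state": "Active", "addressPrefix": ["10.0.0.0/16"],
  "nextHopType": "VnetLocal", "nextHopIpAddress": []},
 {"source": "Default", "state": "Invalid", "addressPrefix": ["0.0.0.0/0"],
  "nextHopType": "Internet", "nextHopIpAddress": []},
 {"source": "VirtualNetworkGateway", "state": "Active", "addressPrefix": ["0.0.0.0/0"],
  "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": ["10.0.255.4"]}
]""")


def effective_route(routes, destination):
    """Longest-prefix match over the Active routes, as the Azure data plane does.
    Returns (prefix, nextHopType), or None when no route covers the destination."""
    dest = ipaddress.ip_address(destination)
    best = None
    for r in routes:
        if r["state"] != "Active":
            continue
        for p in r["addressPrefix"]:
            net = ipaddress.ip_network(p)
            if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, r["nextHopType"])
    return best and (str(best[0]), best[1])


def bastion_standard_blocked(routes, probe="20.0.0.1"):
    """True when Internet-bound traffic from the VM is forced through a VPN or
    ExpressRoute gateway, an NVA, or a blackhole instead of the platform
    Internet next hop: the forced-tunneling case the Bastion FAQ says is not
    supported for Standard/Basic. `probe` is an arbitrary public address
    (constructed, not a real Bastion endpoint)."""
    match = effective_route(routes, probe)
    return match is None or match[1] in ("VirtualNetworkGateway", "VirtualAppliance", "None")


if __name__ == "__main__":
    print("VNet-local route:", effective_route(EFFECTIVE_ROUTES, "10.0.1.4"))
    print("Internet route:  ", effective_route(EFFECTIVE_ROUTES, "20.0.0.1"))
    print("Bastion Standard/Basic blocked:", bastion_standard_blocked(EFFECTIVE_ROUTES))
```

Run it against the real output of the CLI command to see whether the VM's subnet is in the unsupported forced-tunnel state; a `VnetLocal` or `Internet` next hop for the probe means the Standard/Basic path is not blocked by routing.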
