Do I need bastion?

Question

Do I need bastion?

Sunshine Admin 0

We are a non profit and have a subscription and at some point last year I was setting up a VM, got it all working but I am realizing microsoft told me to setup bastion, i had no idea it costs more then the VM.
So I have questions,
do i need it for the RDP and Terminal Server to function?
There is zero session history

How can I stop it without deleting it in case there is an issue after deletion?

I am confused as to why the only option is deletion, why cant i stop it and test or download it or get a backup in case there is an issue after deletion?

Also, why can't I just open a ticket, what is this posting nonsense?

Am I missing something?

Praveen Bandaru 3,250 Reputation points Microsoft External Staff Moderator

2025-04-22T18:57:38+00:00

Hello Sunshine Admin

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to "Accept Answer" or “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

2 answers

Your answer

Praveen Bandaru 3,250 Reputation points Microsoft External Staff Moderator

2025-04-22T18:57:38+00:00

Hello Sunshine Admin

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to "Accept Answer" or “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Answer 1

TP 119K Moderator

Hi,

If you are using Azure Bastion to connect, you would typically be aware since users would navigate to the VM in Azure portal -- Connect -- Azure Bastion when they want to connect. Are you or any of your users doing that? Or are they using Remote Desktop Connection (mstsc) to connect to your RD Session Host (aka Terminal Server)?

How can I stop it without deleting it in case there is an issue after deletion?

A: There is no option to stop Azure Bastion. The only option to eliminate hourly charges for it is to delete it, as you already mentioned. Charges accrue for Azure Bastion Basic/Standard/Premium simply by it existing, regardless of whether or not you use it.

Excerpt from Azure Bastion pricing page:

Azure Bastion is billed hourly from the moment the resource is deployed until the resource is deleted, regardless of outbound data usage. The hourly pricing will be based on the SKU selected, number of scale units configured, and data transfer rates.

An option for testing whether or not you are using Azure Bastion would be to set Network Security Group rule on AzureBastionSubnet that blocks RDP traffic to your server. If people attempted to use Bastion it would no longer work and you could quickly delete the NSG rule to unblock.

If you are still unsure whether or not you are using Azure Bastion to connect to your server, please describe in detail how users are connecting. From what you have written so far my sense is you have not been using it.

In regards to opening a ticket, they recently changed it so that if you have Developer level support you ask your question here on Q & A. With Standard or higher level support you create ticket via the Azure portal.

Priority community support (PCS) for Azure developer support plan customers

https://learn.microsoft.com/en-us/azure/azure-portal/supportability/priority-community-support

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Sunshine Admin 0 Reputation points

2025-04-21T23:09:02.8266667+00:00

Only use rdp, no one logs in online to the virtual server

the issue is your tech guy told me I needed it and the end user is a non-profit and now I realize they were paying more for bastion every month then they do for the Terminal Server I deployed. It's crazy

Anyway can you just confirm I can delete it without blocking all rdp access?

tks
TP 119K Reputation points Moderator

2025-04-21T23:28:00.5966667+00:00

Only use rdp, no one logs in online to the virtual server the issue is your tech guy told me I needed it and the end user is a non-profit and now I realize they were paying more for bastion every month then they do for the Terminal Server I deployed. It's crazy Anyway can you just confirm I can delete it without blocking all rdp access?

I don't work for Microsoft. Generally, Microsoft (via messages in portal and otherwise) recommends a lot of different services that may or may not make sense for a specific use case. I can't speak to what their tech guy told you since I wasn't involved in that conversation.

Often these recommendations are standard "best practices", but without all the detailed explanations of precisely which circumstances they make sense for (or not), what the pricing will be each month, pros/cons, etc.

If you don't like the "block RDP from AzureBastionSubnet" method of double-checking whether Bastion is being used, another method would be to enable logging and check the logs for use over time. If no usage you know for sure you can delete.

Article below describes how to do that. You want to add diagnostic setting for BastionAuditLogs so that you can query and see usage.

Monitor Azure Bastion

https://learn.microsoft.com/en-us/azure/bastion/monitor-bastion

As I mentioned above, it doesn't seem like they are using Bastion. If no one in their organization knows how to go in the portal and connect using Bastion, then it doesn't make sense that they are using it.

If you have any questions please let me know.

Thanks.
Sunshine Admin 0 Reputation points

2025-04-22T20:52:17.0833333+00:00

So I am going to delete the bastion on Friday, so I can test over the weekend.
Will let you know how i make out

tks
TP 119K Reputation points Moderator

2025-04-25T16:25:11.6233333+00:00

So I am going to delete the bastion on Friday, so I can test over the weekend. Will let you know how i make out

@Sunshine Admin I'm around this weekend so if you run into any issues let me know. Depending on what I'm doing it may take me few hours or so to respond, but I'll get back to you in case you need help.

Answer 2

Hello Sunshine Admin

I understand that you need clarification on Azure Bastion In addition to TP response,

do i need it for the RDP and Terminal Server to function?

Azure Bastion is not mandatory for RDP (Remote Desktop Protocol) or Terminal Server access to your VM. It provides secure and seamless RDP and SSH connectivity to your VMs directly in the Azure portal without exposing them to the public internet. If you prefer direct RDP connection, ensure your VM has a public IP address and that the necessary ports (such as 3389 for RDP) are open in the network security group (NSG).

Please check the Azure Bastion document for more understanding.

How can I stop it without deleting it in case there is an issue after deletion? I am confused as to why the only option is deletion, why cant i stop it and test or download it or get a backup in case there is an issue after deletion

Unfortunately, Azure Bastion does not have a "stop" option like VMs. The only way to reduce costs related to Azure Bastion is to delete it.

For Azure Bastion, the design is such that it is meant to be a managed service that is always available when needed. The lack of a "stop" option is likely due to the nature of how the service is architected to provide continuous availability and security.

If you would like, you can upvote the feedback in the forum below requesting this feature. All feedback shared in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.

Feedback link: https://feedback.azure.com/d365community

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Share via

Do I need bastion?

2 answers

Your answer