unable to connect to bastion

dave 20 Reputation points
2025-04-25T19:02:41.2433333+00:00

We have a prod SQL Server VM behind a bastion.
Got some alarms for higher than normal CPU usage.
Trying to connect via bastion I get 'The network connection to the Bastion Host appears unstable'.
I've restarted the VM,
but I'm still unable to connect.


2 answers

  1. Praveen Bandaru 5,520 Reputation points Microsoft External Staff Moderator
    2025-04-25T19:37:32.7266667+00:00

    Hello dave

    I understand that you are trying to connect to the VM using Bastion, but unfortunately, it is not working for you.

    • Could you please try one more time to restart the target VM and see the result, because this suggestion has worked for other users.
    • Also, as documented here, can you please check that there is no NSG associated with the BastionSubnet? You can troubleshoot your connectivity issues by navigating to the Connection Troubleshoot tab (in the Monitoring section) of your Azure Bastion resource in the Azure portal. Network Watcher Connection Troubleshoot provides the capability to check a direct TCP connection from a virtual machine (VM) to a VM, fully qualified domain name (FQDN), URI, or IPv4 address.
    • Check that there are no UDRs associated with the virtual network.
    • Please let me know if you can RDP using another VM with a private IP in the same subnet. Additionally, is the bastion working for other VMs in the subnet/VNET?

    Hope the above answer helps! Please let us know if you have any further queries.

    Please consider “up-voting” wherever the information provided helps you; this can be beneficial to other community members.


  2. Jose Benjamin Solis Nolasco 3,511 Reputation points
    2025-04-25T19:50:53.05+00:00

    @dave I hope you are doing well,

    Please follow this troubleshooting guide I made for you:

    1. Verify VM State and Health:
      • Confirm VM is Running: Ensure the SQL Server VM is in a "Running" state in the Azure portal. A stopped or failed VM cannot be accessed via Bastion.
      • Check CPU Usage: High CPU usage may cause the VM to respond slowly or become unreachable. Use Azure Monitor to check metrics:
        • Navigate to the VM in the Azure portal > Monitoring > Metrics > Select "CPU Percentage."
        • If CPU usage is consistently above 80-90%, identify resource-intensive processes (e.g., SQL Server queries) using tools like SQL Server Management Studio (SSMS) or Azure Diagnostics once connected.
      • Action: If CPU usage is high, consider scaling up the VM (e.g., increasing vCPUs or memory) or optimizing SQL Server workloads (e.g., indexing, query tuning). Restarting the VM, as you’ve done, may not resolve persistent CPU issues.
    2. Validate Network Configuration:
      • Check Network Security Groups (NSGs):
        • Ensure the NSG on the VM’s subnet or NIC allows inbound RDP traffic (port 3389) from the AzureBastionSubnet.
        • Verify no NSG is applied to the AzureBastionSubnet itself, or if present, that it allows:
          • Inbound: Port 443 (HTTPS) from the internet and GatewayManager service tag.
          • Outbound: Ports 3389 (RDP) and 22 (SSH) to the VM’s subnet.
        • Action: Update NSG rules to allow RDP traffic from the Bastion subnet’s IP range. Use the Azure portal’s Effective Security Rules to confirm.
      • Verify Subnet Configuration:
        • Confirm the AzureBastionSubnet is correctly configured with a minimum size of /26 and is in the same VNet as the VM or a peered VNet.
        • Action: If the VM is in a peered VNet, ensure VNet peering is bidirectional and not blocking traffic.
      • Check Firewall Rules:
        • If a firewall (e.g., Azure Firewall or third-party NVA) is deployed, confirm it allows traffic between Bastion and the VM on port 3389.
        • Action: Temporarily allow all traffic from the Bastion subnet to the VM to test connectivity.
    3. Test Bastion Connectivity:
      • Use Connection Troubleshoot:
        • Navigate to the Bastion resource in the Azure portal > Help or Monitoring > Connection Troubleshoot.
        • Test TCP connectivity from the Bastion to the VM’s private IP on port 3389.
        • Action: Review results for blocks (e.g., NSG, firewall, or VM issues).

    Validate Network Configuration

    • Check NSG Rules (Azure PowerShell): Verify NSG rules allow Bastion-to-VM RDP traffic (port 3389).
    # Azure PowerShell (Az.Network): inbound rules that could govern RDP (TCP/3389), lowest priority number first.
    # Add -DefaultRules to Get-AzNetworkSecurityRuleConfig to also see the built-in AllowVnetInBound/DenyAllInBound rules.
    $nsgName = "<YourNSGName>"
    $resourceGroup = "<YourResourceGroupName>"
    Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup |
        Get-AzNetworkSecurityRuleConfig |
        Where-Object { $_.Direction -eq "Inbound" -and ($_.DestinationPortRange -contains "3389" -or $_.DestinationPortRange -contains "*") } |
        Sort-Object Priority | Select-Object Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange


    😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!
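The NSG checks in both answers (no NSG blocking the Bastion subnet, an inbound RDP allow from AzureBastionSubnet on the VM side, confirmed via "Effective Security Rules") come down to how NSGs are evaluated: rules are tried in ascending priority number and the first match decides, so an Allow from the Bastion subnet does nothing if a broader Deny sits above it. The Python below is an added example, not code from either answer; it reproduces that evaluation offline on a constructed rule set. The VNet space, the AzureBastionSubnet prefix, the VM private IP and the rule names are assumptions, and the VirtualNetwork service tag is approximated as the VNet address space only.

```python
import ipaddress
# Assumed, constructed addressing (not from the thread): VNet space, AzureBastionSubnet, SQL VM private IP.
VNET_SPACE, BASTION_SUBNET, VM_PRIVATE_IP = "10.0.0.0/16", "10.0.1.0/26", "10.0.2.10"

# Constructed inbound rules of the NSG on the VM subnet, reduced to the fields the NSG engine evaluates.
# The Deny at priority 100 shadows the Bastion Allow at 200: the misconfiguration this check surfaces.
SAMPLE_RULES = [
    {"name": "DenyRdpFromAnywhere", "priority": 100, "access": "Deny", "protocol": "Tcp",
     "source": "*", "destination": "*", "destPorts": ["3389"]},
    {"name": "AllowRdpFromBastion", "priority": 200, "access": "Allow", "protocol": "Tcp",
     "source": BASTION_SUBNET, "destination": "*", "destPorts": ["3389"]},
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "source": "VirtualNetwork", "destination": "VirtualNetwork", "destPorts": ["*"]},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "source": "*", "destination": "*", "destPorts": ["*"]},
]

def _addr_match(prefix, ip):
    """'*' matches all; VirtualNetwork is approximated as the VNet space (assumption); otherwise CIDR."""
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in ipaddress.ip_network(VNET_SPACE)
    return addr in ipaddress.ip_network(prefix, strict=False)

def _port_match(ranges, port):
    """Match '*', a single port, or a 'lo-hi' range."""
    for r in ranges:
        lo, _, hi = r.partition("-")
        if r == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """First matching rule in priority order decides, as in the NSG engine; no match means Deny."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["protocol"] in ("*", protocol) and _addr_match(rule["source"], src_ip) \
                and _addr_match(rule["destination"], dst_ip) and _port_match(rule["destPorts"], dst_port):
            return rule["access"], rule["name"]
    return "Deny", "<implicit>"

def bastion_rdp_verdict(rules, vm_ip=VM_PRIVATE_IP):
    """Would RDP from a Bastion host (first usable IP of AzureBastionSubnet) reach the VM?"""
    src = str(next(ipaddress.ip_network(BASTION_SUBNET).hosts()))
    return evaluate(rules, src, vm_ip, 3389)

if __name__ == "__main__":
    print(bastion_rdp_verdict(SAMPLE_RULES))  # ('Deny', 'DenyRdpFromAnywhere')
    print(bastion_rdp_verdict([r for r in SAMPLE_RULES if r["priority"] != 100]))  # ('Allow', 'AllowRdpFromBastion')
```

To run it against a real NSG, replace SAMPLE_RULES with the rules exported from the PowerShell query above, default rules included.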
