This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 91%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
We have a hub and spoke architecture with Bastion deployed in the hub. On the spoke side we're forcing all traffic to an NVA in the hub with a UDR. When I detach the UDR from the subnet that the destination spoke VM is in, I'm able to connect in with Bastion with no problem. Re-attaching the UDR breaks it again.
Can't seem to find info from MS about this. Thinking something has to be added to the UDR. I don't see any service tags for Bastion and I tried using the Bastion subnet as the prefix destination but not sure what the next hop would be. Has anyone got this work?
Thanks.
Hi @CS10NET ,
Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are using UDR on subnets in spoke VNet(s) to force default traffic to an NVA in Hub and you would like to access the VMs in these Spoke subnet(s) using Bastion.
You are halfway there.
The trick is to set the nextHop as "VirtualNetwork" for the address range of the Bastion subnet in the spoke subnet(s).
Refer : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
If the Bastion resource is in the same subnet as the spoke Vnet, no additional configuration is required.
However, should the Bastion resource be in a peered Vnet, you must make sure you have enabled "Traffic to remote virtual network" in the peering.
Refer : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-manage-peering
I hope this helps.
Please let us know should you have additional queries on the same.
Thanks,
Kapil
----------------------------------------------------------------------------------------------------------------
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
This is exactly what I tried but when I look under Effective routes it shows the next hop as "None" and not "Virtual network".
So the UDR is attached to the subnet in the spoke that contains the VM I'm trying to access. The destination is Bastion subnet (which is in the hub) and next hop is set to Virtual network. When you click on the UDR, the Overview shows the hop as Virtual network and when you click on the Routes section, it displays it as VnetLocal.
It just seems off that the effective route is is not showing Virtual network to prove that the UDR is working. I have power cycled the VM too.
Hi @CS10NET ,
You are right.
Apologies for the previous comment.
I checked this internally and I see the "VirtualNetwork" nextHop type in UDR does not include the address range of Peered Virtual Networks.
Refer : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-networks-udr-overview
The other way I can think of is to subnet the address prefix.
i.e,
However, if you do not have a requirement for traffic between Spoke and Hub to flow via the NVA, you can simply use a 0.0.0.0/0 -------> NVA route in the UDR.
This way, the Hub (including Bastion) routes would take the default route of Vnet Peering
Refer: https://azure.microsoft.com/en-in/blog/accessing-virtual-machines-behind-azure-firewall-with-azure-bastion/
I hope this provides some clarity.
Thanks,
Kapil
Thanks, we were able to solve this by just using an entirely different address space for bastion in its own vnet and subnet. So there are no routes in any UDR for this network so it will use vnet peering.
Thanks for your help with this.
We were able to solve this by just using an entirely different address space for bastion in its own vnet and subnet. So there are no routes in any UDR for this network so it will use vnet peering.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 24%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Hi @CS10NET
Based on the following document, I am not sure if the scenario you described if supported currently.
Ref : https://learn.microsoft.com/en-us/azure/bastion/bastion-faq#udr
If the response helped, please don't forget to accept answer and up-vote - Sai
Hi @CS10NET ,
based on the information of the link above UDRs aren't supported in the Bastion subnet.
In a similar environment we are using a "jump host VM" in the same vNet with the Bastion subnet. Connecting to the "jump host VM" via Bastion is possible and from the jump host we are able to connect to any other VM in all the hub and spoke vents/subnets.
Maybe using a "jump host VM" is an option for you as well.
----------
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
Regards
Andreas Baumgarten