About Bastion configuration settings

The sections in this article discuss the resources and settings for Azure Bastion.

SKUs

A SKU is also known as a Tier. Azure Bastion supports two SKU types: Basic and Standard. The SKU is configured in the Azure portal during the workflow when you configure Bastion. You can upgrade a Basic SKU to a Standard SKU.

  • The Basic SKU provides base functionality, enabling Azure Bastion to manage RDP/SSH connectivity to virtual machines (VMs) without exposing public IP addresses on the target application VMs.
  • The Standard SKU enables premium features.

The following table shows the availability of features per corresponding SKU.

Feature Basic SKU Standard SKU
Connect to target VMs in peered virtual networks Yes Yes
Access Linux VM Private Keys in Azure Key Vault (AKV) Yes Yes
Connect to Linux VM using SSH Yes Yes
Connect to Windows VM using RDP Yes Yes
Kerberos authentication Yes Yes
VM audio output Yes Yes
Shareable link No Yes
Connect to VMs using a native client No Yes
Connect to VMs via IP address No Yes
Host scaling No Yes
Specify custom inbound port No Yes
Connect to Linux VM using RDP No Yes
Connect to Windows VM using SSH No Yes
Upload or download files No Yes
Disable copy/paste (web-based clients) No Yes

Specify SKU

Currently, you must use the Azure portal if you want to specify the Standard SKU. If you use the Azure CLI or Azure PowerShell to configure Bastion, the SKU can't be specified and defaults to the Basic SKU.

Method SKU Value Links
Azure portal Tier - Basic or Standard Tutorial
Azure portal Tier - Basic Quickstart
Azure PowerShell Basic How-to
Azure CLI Basic How-to

Upgrade a SKU

Azure Bastion supports upgrading from a Basic to a Standard SKU.

Note

Downgrading from a Standard SKU to a Basic SKU is not supported. To downgrade, you must delete and recreate Azure Bastion.

You can configure this setting using the following method:

Method Value Links
Azure portal Tier How-to

Azure Bastion subnet

Important

For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work, but we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of host scaling in the future.

Azure Bastion requires a dedicated subnet: AzureBastionSubnet. You must create this subnet in the same virtual network that you want to deploy Azure Bastion to. The subnet must have the following configuration:

  • Subnet name must be AzureBastionSubnet.
  • Subnet size must be /26 or larger (/25, /24 etc.).
  • For host scaling, a /26 or larger subnet is recommended. Using a smaller subnet space limits the number of scale units. For more information, see the Host scaling section of this article.
  • The subnet must be in the same VNet and resource group as the bastion host.
  • The subnet cannot contain additional resources.

You can configure this setting using the following methods:

Method Value Links
Azure portal Subnet Quickstart
Tutorial
Azure PowerShell -subnetName cmdlet
Azure CLI --subnet-name command

Public IP address

Azure Bastion requires a Public IP address. The Public IP must have the following configuration:

  • The Public IP address SKU must be Standard.
  • The Public IP address assignment/allocation method must be Static.
  • The Public IP address name is the resource name by which you want to refer to this public IP address.
  • You can choose to use a public IP address that you already created, as long as it meets the criteria required by Azure Bastion and is not already in use.

You can configure this setting using the following methods:

Method Value Links Requires Standard SKU
Azure portal Public IP address Azure portal Yes
Azure PowerShell -PublicIpAddress cmdlet Yes
Azure CLI --public-ip create command Yes

Instances and host scaling

An instance is an optimized Azure VM that is created when you configure Azure Bastion. It's fully managed by Azure and runs all of the processes needed for Azure Bastion. An instance is also referred to as a scale unit. You connect to client VMs via an Azure Bastion instance. When you configure Azure Bastion using the Basic SKU, two instances are created. If you use the Standard SKU, you can specify the number of instances. This is called host scaling.

Each instance can support 20 concurrent RDP connections and 40 concurrent SSH connections for medium workloads (see Azure subscription limits and quotas for more information). The number of connections per instances depends on what actions you are taking when connected to the client VM. For example, if you are doing something data intensive, it creates a larger load for the instance to process. Once the concurrent sessions are exceeded, an additional scale unit (instance) is required.

Instances are created in the AzureBastionSubnet. To allow for host scaling, the AzureBastionSubnet should be /26 or larger. Using a smaller subnet limits the number of instances you can create. For more information about the AzureBastionSubnet, see the subnets section in this article.

You can configure this setting using the following methods:

Method Value Links Requires Standard SKU
Azure portal Instance count How-to Yes
Azure PowerShell ScaleUnit How-to Yes

Custom ports

You can specify the port that you want to use to connect to your VMs. By default, the inbound ports used to connect are 3389 for RDP and 22 for SSH. If you configure a custom port value, specify that value when you connect to the VM.

Custom port values are supported for the Standard SKU only.

The Bastion Shareable Link feature lets users connect to a target resource using Azure Bastion without accessing the Azure portal.

When a user without Azure credentials clicks a shareable link, a webpage will open that prompts the user to sign in to the target resource via RDP or SSH. Users authenticate using username and password or private key, depending on what you have configured in the Azure portal for that target resource. Users can connect to the same resources that you can currently connect to with Azure Bastion: VMs or virtual machine scale set.

Method Value Links Requires Standard SKU
Azure portal Shareable Link Configure Yes

Next steps

For frequently asked questions, see the Azure Bastion FAQ.