Deploy Bastion using Azure CLI

This article shows you how to deploy Azure Bastion using CLI. Azure Bastion is a PaaS service that's maintained for you, not a bastion host that you install on your VM and maintain yourself. An Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine. For more information about Azure Bastion, see What is Azure Bastion?

Once you deploy Bastion to your virtual network, you can connect to your VMs via private IP address. This seamless RDP/SSH experience is available to all the VMs in the same virtual network. If your VM has a public IP address that you don't need for anything else, you can remove it.

You can also deploy Bastion by using the following other methods:


Azure subscription

Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.

Azure CLI

This article uses the Azure CLI. To run commands, you can use Azure Cloud Shell. The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

To open the Cloud Shell, just select Try it from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to and toggle the dropdown in the left corner to reflect Bash or PowerShell. Select Copy to copy the blocks of code, paste it into the Cloud Shell, and press enter to run it.


The use of Azure Bastion with Azure Private DNS Zones is not supported at this time. Before you begin, please make sure that the virtual network where you plan to deploy your Bastion resource is not linked to a private DNS zone.

Deploy Bastion

This section helps you deploy Azure Bastion using Azure CLI.


As shown in the examples, use the --location parameter with --resource-group for every command to ensure that the resources are deployed together.

  1. Create a virtual network and an Azure Bastion subnet. You must create the Azure Bastion subnet using the name value AzureBastionSubnet. This value lets Azure know which subnet to deploy the Bastion resources to. This is different than a VPN gateway subnet.


    For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work, but we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of host scaling in the future.

    • The smallest subnet AzureBastionSubnet size you can create is /26. We recommend that you create a /26 or larger size to accommodate host scaling.
    • Create the AzureBastionSubnet without any route tables or delegations.
    • If you use Network Security Groups on the AzureBastionSubnet, refer to the Work with NSGs article.
    az network vnet create --resource-group MyResourceGroup --name MyVnet --address-prefix --subnet-name AzureBastionSubnet --subnet-prefix --location northeurope
  2. Create a public IP address for Azure Bastion. The public IP is the public IP address the Bastion resource on which RDP/SSH will be accessed (over port 443). The public IP address must be in the same region as the Bastion resource you're creating.

    The following example uses the Standard SKU. The Standard SKU lets you configure more Bastion features and connect to VMs using more connection types. For more information, see Bastion SKUs.

    az network public-ip create --resource-group MyResourceGroup --name MyIp --sku Standard --location northeurope
  3. Create a new Azure Bastion resource in the AzureBastionSubnet of your virtual network. It takes about 10 minutes for the Bastion resource to create and deploy.

    az network bastion create --name MyBastion --public-ip-address MyIp --resource-group MyResourceGroup --vnet-name MyVnet --location northeurope

Connect to a VM

You can use the Connection steps in the section below to connect to your VM. You can also use any of the following articles to connect to a VM. Some connection types require the Bastion Standard SKU.

Connection steps

  1. In the Azure portal, go to the virtual machine to which you want to connect.

  2. At the top of the page, select Connect->Bastion to go to the Bastion page. You can also go to the Bastion page using the left menu.

  3. The options available on the Bastion page are dependant on the Bastion SKU tier. If you're using the Basic SKU, you connect to a Windows computer using RDP and port 3389, and to a Linux computer using SSH and port 22. You don't have options to change the port number or the protocol. However, you can change the keyboard language for RDP by expanding Connection Settings.

    Screenshot of Bastion connection page.

    If you're using the Standard SKU, you have more connection protocol and port options available. Expand Connection Settings to see the options. Typically, unless you have configured different settings for your VM, you connect to a Windows computer using RDP and port 3389, and to a Linux computer using SSH and port 22.

    Screenshot of connection settings expanded.

  4. Select the Authentication Type from the dropdown. The protocol determines the available authentication types. Complete the required authentication values.

    Screenshot showing authentication type dropdown.

  5. To open the VM session in a new browser tab, leave Open in a new browser tab selected.

  6. Click Connect to connect to the VM.

  7. The connection to this virtual machine, via Bastion, will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service.

    • When you connect, the desktop of the VM will look different than the example screenshot.
    • Using keyboard shortcut keys while connected to a VM may not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.

    Screenshot of Connect using port 443.

To enable audio output

You can enable remote audio output for your VM. Some VMs automatically enable this setting, others require you to enable audio settings manually. The settings are changed on the VM itself. Your Bastion deployment doesn't need any special configuration settings to enable remote audio output.


Audio output takes up bandwidth on your internet connection.

To enable remote audio output on a Windows VM:

  1. After you're connected to the VM, on the right-hand bottom corner of the toolbar, you'll see an audio button.
  2. Right-click the audio button and select "Sounds".
  3. A pop-up appears asking if you would like to enable the Windows Audio Service. Select "Yes". You can configure more audio options in Sound preferences.
  4. To verify sound output, hover your mouse over the audio button on the toolbar.

Remove VM public IP address

Azure Bastion doesn't use the public IP address to connect to the client VM. If you don't need the public IP address for your VM, you can disassociate the public IP address. See Dissociate a public IP address from an Azure VM.

Next steps