Quickstart: Deploy Azure Bastion with default settings
In this quickstart, you'll learn how to deploy Azure Bastion with default settings to your virtual network using the Azure portal. After Bastion is deployed, you can connect (SSH/RDP) to virtual machines in the virtual network via Bastion using the private IP address of the VM. When you connect to a VM, it doesn't need a public IP address, client software, agent, or a special configuration. Azure Bastion is a PaaS service that's maintained for you, not a bastion host that you install on one of your VMs and maintain yourself. For more information about Azure Bastion, see What is Azure Bastion?
The following steps walk you through how to deploy Bastion from your VM resource using the Azure portal. When you deploy using default settings, the settings are based on the virtual network to which Bastion will be deployed. After deploying Bastion, you'll then connect to your VM using RDP/SSH connectivity and the VM's private IP address. If your VM has a public IP address that you don't need for anything else, you can remove it. While the steps in this quickstart help you deploy Bastion from your VM resource, you can deploy Bastion from a virtual network resource instead. The steps are similar, except you start from the virtual network resource instead of the VM resource.
An Azure account with an active subscription. If you don't have one, create one for free.
A VM in a VNet.
When you deploy Bastion using default values, the values are pulled from the VNet in which your VM resides. This VM doesn't become a part of the Bastion deployment itself, but you do connect to it later in the exercise.
- If you don't already have a VM in a VNet, create one using Quickstart: Create a Windows VM, or Quickstart: Create a Linux VM.
- If you need example values, see the Example values section.
- If you already have a virtual network, make sure it's selected on the Networking tab when you create your VM.
- If you don't have a virtual network, you can create one at the same time you create your VM.
Required VM roles:
- Reader role on the virtual machine.
- Reader role on the NIC with private IP of the virtual machine.
Required inbound ports on the VM:
- 3389 for Windows VMs
- 22 for Linux VMs
The use of Azure Bastion with Azure Private DNS Zones is not supported at this time. Before you begin, please make sure that the virtual network where you plan to deploy your Bastion resource is not linked to a private DNS zone.
You can use the following example values when creating this configuration, or you can substitute your own.
Basic VNet and VM values:
When you deploy from VM settings, Bastion is automatically configured with default values from the VNet.

| Name | Value |
|---|---|
| AzureBastionSubnet | This subnet is created within the VNet as a /26 |
| Name | Based on the virtual network name |
| Public IP address name | Based on the virtual network name |
When you create Azure Bastion using default settings, the settings are configured for you. You can't modify or specify additional values for a default deployment. After deployment completes, you can always go to the bastion host Configuration page to select additional settings and features. For example, the default SKU is the Basic SKU. You can later upgrade to the Standard SKU to support more features. For more information, see About configuration settings.
Sign in to the Azure portal.
In the portal, go to the VM to which you want to connect. The values from the virtual network in which this VM resides will be used to create the Bastion deployment.
On the page for your VM, in the Operations section on the left menu, select Bastion. When the Bastion page opens, it checks to see if you have enough available address space to create the AzureBastionSubnet. If you don't, you'll see settings to allow you to add more address space to your VNet to meet this requirement.
On the Bastion page, you can view some of the values that will be used when creating the bastion host for your virtual network. Select Deploy Bastion to deploy bastion using default settings.
Bastion begins deploying. This can take around 10 minutes to complete.
Connect to a VM
When the Bastion deployment is complete, the screen changes to the Connect page.
Type your authentication credentials. Then, select Connect.
The connection to this virtual machine via Bastion will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service. Select Allow when asked for permissions to the clipboard. This lets you use the remote clipboard arrows on the left of the screen.
When you connect, the desktop of the VM may look different than the example screenshot.
Using keyboard shortcut keys while connected to a VM may not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.
To enable audio output
You can enable remote audio output for your VM. Some VMs automatically enable this setting, others require you to enable audio settings manually. The settings are changed on the VM itself. Your Bastion deployment doesn't need any special configuration settings to enable remote audio output.
Audio output takes up bandwidth on your internet connection.
To enable remote audio output on a Windows VM:
- After you're connected to the VM, you'll see an audio button in the bottom right corner of the toolbar.
- Right-click the audio button and select "Sounds".
- A pop-up appears asking if you would like to enable the Windows Audio Service. Select "Yes". You can configure more audio options in Sound preferences.
- To verify sound output, hover your mouse over the audio button on the toolbar.
Remove VM public IP address
When you connect to a VM using Azure Bastion, you don't need a public IP address for your VM. If you aren't using the public IP address for anything else, you can dissociate it from your VM. To dissociate a public IP address from your VM, use the following steps:
Go to your virtual machine and select Networking. Click the NIC Public IP to open the Public IP address page.
On the Public IP address page, you can see the VM network interface listed under Associated to on the lower right of the page. Click Dissociate at the top of the page.
Click Yes to dissociate the IP address from the network interface. Once the public IP address is dissociated from the VM network interface, you can see that it's no longer listed under Associated to.
After you dissociate the IP address, you can delete the public IP address resource. On the Public IP address page for the VM, select Delete.
Click Yes to delete the public IP address.
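The two portal procedures above (deploying Bastion with default settings, then dissociating and deleting the VM's public IP) expressed as an Azure CLI script. This is an added example, not code from the quickstart; the resource group, VNet, VM, location and subnet CIDR are placeholder assumptions, the NIC is assumed to live in the same resource group as the VM, and the `publicIpAddress` property name used in the dissociate step is assumed to match the CLI's JSON output.

```shell
#!/bin/sh
# Added example (not from the quickstart): the portal's default Bastion
# deployment and VM public-IP removal done with the Azure CLI.
# RG, VNET, VM, LOCATION and BASTION_CIDR are assumed placeholder values.
RG="${RG:-TestRG1}"; VNET="${VNET:-VNet1}"; VM="${VM:-VM1}"
LOCATION="${LOCATION:-eastus}"

# AzureBastionSubnet must carry exactly that name and be /26 or larger,
# i.e. a prefix length of 26 or less; the portal's address-space check
# enforces the same rule before it lets you deploy.
bastion_subnet_ok() {
  case "$1" in */*) ;; *) return 1 ;; esac
  len="${1##*/}"
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 26 ]
}

# Subnet, Standard-SKU static public IP (required by Bastion), Basic-SKU host.
deploy_bastion() {
  bastion_subnet_ok "$1" || { echo "AzureBastionSubnet must be /26 or larger" >&2; return 1; }
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" \
    -n AzureBastionSubnet --address-prefixes "$1"
  az network public-ip create -g "$RG" -n "$VNET-ip" -l "$LOCATION" \
    --sku Standard --allocation-method Static
  az network bastion create -g "$RG" -n "$VNET-bastion" -l "$LOCATION" \
    --vnet-name "$VNET" --public-ip-address "$VNET-ip" --sku Basic
}

# With Bastion in place, dissociate and delete the VM's own public IP so the
# VM is no longer directly reachable from the internet (NIC assumed in $RG).
remove_vm_public_ip() {
  nic_id=$(az vm show -g "$RG" -n "$VM" \
    --query 'networkProfile.networkInterfaces[0].id' -o tsv)
  nic_name="${nic_id##*/}"
  ipcfg=$(az network nic show -g "$RG" -n "$nic_name" \
    --query 'ipConfigurations[0].name' -o tsv)
  pip=$(az network nic show -g "$RG" -n "$nic_name" \
    --query 'ipConfigurations[0].publicIpAddress.id' -o tsv)
  [ -n "$pip" ] || { echo "no public IP attached to $VM" >&2; return 0; }
  # property name publicIpAddress assumed to match the CLI's JSON output
  az network nic ip-config update -g "$RG" --nic-name "$nic_name" \
    -n "$ipcfg" --remove publicIpAddress
  az network public-ip delete --ids "$pip"
}

# Nothing touches Azure unless RUN_DEPLOY=1 is set.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then
  deploy_bastion "${BASTION_CIDR:-10.1.1.0/26}"
  remove_vm_public_ip
fi
```

Run with `RUN_DEPLOY=1 RG=<your-rg> VNET=<your-vnet> VM=<your-vm> sh deploy-bastion.sh` after `az login`; without `RUN_DEPLOY=1` the script only defines the functions.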
Clean up resources
When you're done using the virtual network and the virtual machines, delete the resource group and all of the resources it contains:
Enter the name of your resource group in the Search box at the top of the portal and select it from the search results.
Select Delete resource group.
Enter your resource group for TYPE THE RESOURCE GROUP NAME and select Delete.
In this quickstart, you deployed Bastion to your virtual network, and then connected to a virtual machine securely via Bastion. Next, you can configure more features and work with VM connections.