Tutorial: Deploy Bastion using specified settings

This tutorial helps you deploy Azure Bastion from the Azure portal using your own specified manual settings. When you use manual settings, you can specify configuration values such as instance counts and the SKU at the time of deployment. After Bastion is deployed, you can connect (SSH/RDP) to virtual machines in the virtual network via Bastion using the private IP address of the VM. When you connect to a VM, it doesn't need a public IP address, client software, agent, or a special configuration.

Diagram showing Azure Bastion architecture.

In this tutorial, you deploy Bastion using the Standard SKU tier and adjust host scaling (instance count). After the deployment is complete, you connect to your VM via private IP address. If your VM has a public IP address that you don't need for anything else, you can remove it.

Azure Bastion is a PaaS service that's maintained for you, not a bastion host that you install on one of your VMs and maintain yourself. For more information about Azure Bastion, see What is Azure Bastion?

In this tutorial, you'll learn how to:

  • Deploy Bastion to your VNet.
  • Connect to a virtual machine.
  • Remove the public IP address from a virtual machine.


  • If you don’t have an Azure subscription, create a free account before you begin.

  • A virtual network. This will be the VNet to which you deploy Bastion.

  • A virtual machine in the virtual network. This VM isn't a part of the Bastion configuration and doesn't become a bastion host. You connect to this VM later in this tutorial via Bastion. If you don't have a VM, create one using Quickstart: Create a VM.

  • Required VM roles:

    • Reader role on the virtual machine.
    • Reader role on the NIC with private IP of the virtual machine.
  • Required inbound ports:

    • For Windows VMs - RDP (3389)
    • For Linux VMs - SSH (22)


The use of Azure Bastion with Azure Private DNS Zones is not supported at this time. Please make sure that the virtual network where you plan to deploy your Bastion resource is not linked to a private DNS zone.

Example values

You can use the following example values when creating this configuration, or you can substitute your own.

Basic VNet and VM values:

Name Value
Virtual machine TestVM
Resource group TestRG1
Region East US
Virtual network VNet1
Address space
Subnets FrontEnd:

Azure Bastion values:

Name Value
Name VNet1-bastion
+ Subnet Name AzureBastionSubnet
AzureBastionSubnet addresses A subnet within your VNet address space with a subnet mask /26 or larger.
For example,
Tier/SKU Standard
Instance count (host scaling) 3 or greater
Public IP address Create new
Public IP address name VNet1-ip
Public IP address SKU Standard
Assignment Static

Deploy Bastion

This section helps you deploy Bastion to your VNet. Once Bastion is deployed, you can connect securely to any VM in the VNet using its private IP address.


Hourly pricing starts from the moment Bastion is deployed, regardless of outbound data usage. For more information, see Pricing and SKUs. If you're deploying Bastion as part of a tutorial or test, we recommend that you delete this resource once you've finished using it.

  1. Sign in to the Azure portal.

  2. Go to your virtual network.

  3. On the page for your virtual network, in the left pane, select Bastion to open the Bastion page.

  4. On the Bastion page, select Configure manually. This lets you configure specific additional settings when deploying Bastion to your VNet.

    Screenshot of Bastion page showing configure bastion on my own.

  5. On the Create a Bastion page, configure the settings for your bastion host. Project details are populated from your virtual network values. Configure the Instance details values.

    • Name: Type the name that you want to use for your bastion resource.

    • Region: The Azure public region in which the resource will be created. Choose the region in which your virtual network resides.

    • Tier: The tier is also known as the SKU. For this tutorial, select Standard. The Standard SKU lets you configure the instance count for host scaling and other features. For more information about features that require the Standard SKU, see Configuration settings - SKU.

    • Instance count: This is the setting for host scaling. It's configured in scale unit increments. Use the slider or type a number to configure the instance count that you want. For this tutorial, you can select the instance count you'd prefer. For more information, see Host scaling and Pricing.

    Screenshot of Bastion page instance values.

  6. Configure the virtual networks settings. Select your VNet from the dropdown. If you don't see your VNet in the dropdown list, make sure you selected the correct Region in the previous settings on this page.

  7. To configure the AzureBastionSubnet, select Manage subnet configuration.

    Screenshot of configure virtual networks section.

  8. On the Subnets page, select +Subnet to open the Add subnet page.

  9. On the Add subnet page, create the 'AzureBastionSubnet' subnet using the following values. Leave the other values as default.

    • The subnet name must be AzureBastionSubnet.
    • The subnet must be at least /26 or larger (/26, /25, /24 etc.) to accommodate features available with the Standard SKU.

    Select Save at the bottom of the page to save your values.

  10. At the top of the Subnets page, select Create a Bastion to return to the Bastion configuration page.

    Screenshot of Create a Bastion.

  11. The Public IP address section is where you configure the public IP address of the Bastion host resource on which RDP/SSH will be accessed (over port 443). The public IP address must be in the same region as the Bastion resource you're creating. Create a new IP address. You can leave the default naming suggestion.

  12. When you finish specifying the settings, select Review + Create. This validates the values.

  13. Once validation passes, you can deploy Bastion. Select Create. You'll see a message letting you know that your deployment is in process. Status displays on this page as the resources are created. It takes about 10 minutes for the Bastion resource to be created and deployed.

Connect to a VM

You can use any of the following detailed articles to connect to a VM. Some connection types require the Bastion Standard SKU.

You can also use the basic Connection steps in the section below to connect to your VM.

Connection steps

  1. In the Azure portal, go to the virtual machine to which you want to connect.

  2. At the top of the page, select Connect->Bastion to go to the Bastion page. You can also go to the Bastion page using the left menu.

  3. The options available on the Bastion page are dependant on the Bastion SKU tier. If you're using the Basic SKU, you connect to a Windows computer using RDP and port 3389, and to a Linux computer using SSH and port 22. You don't have options to change the port number or the protocol. However, you can change the keyboard language for RDP by expanding Connection Settings.

    Screenshot of Bastion connection page.

    If you're using the Standard SKU, you have more connection protocol and port options available. Expand Connection Settings to see the options. Typically, unless you have configured different settings for your VM, you connect to a Windows computer using RDP and port 3389, and to a Linux computer using SSH and port 22.

    Screenshot of connection settings expanded.

  4. Select the Authentication Type from the dropdown. The protocol determines the available authentication types. Complete the required authentication values.

    Screenshot showing authentication type dropdown.

  5. To open the VM session in a new browser tab, leave Open in a new browser tab selected.

  6. Click Connect to connect to the VM.

  7. The connection to this virtual machine, via Bastion, will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service.

    • When you connect, the desktop of the VM will look different than the example screenshot.
    • Using keyboard shortcut keys while connected to a VM may not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.

    Screenshot of Connect using port 443.

To enable audio output

You can enable remote audio output for your VM. Some VMs automatically enable this setting, others require you to enable audio settings manually. The settings are changed on the VM itself. Your Bastion deployment doesn't need any special configuration settings to enable remote audio output.


Audio output takes up bandwidth on your internet connection.

To enable remote audio output on a Windows VM:

  1. After you're connected to the VM, on the right-hand bottom corner of the toolbar, you'll see an audio button.
  2. Right-click the audio button and select "Sounds".
  3. A pop-up appears asking if you would like to enable the Windows Audio Service. Select "Yes". You can configure more audio options in Sound preferences.
  4. To verify sound output, hover your mouse over the audio button on the toolbar.

Remove VM public IP address

When you connect to a VM using Azure Bastion, you don't need a public IP address for your VM. If you aren't using the public IP address for anything else, you can dissociate it from your VM. To dissociate a public IP address from your VM, use the following steps:

  1. Go to your virtual machine and select Networking. Click the NIC Public IP to open the Public IP address page.

    Screenshot of networking page.

  2. On the Public IP address page, you can see the VM network interface listed under Associated to on the lower right of the page. Click Dissociate at the top of the page.

    Screenshot of public IP address for the VM.

  3. Click Yes to dissociate the IP address from the network interface. Once the public IP address is dissociated from the VM network interface, you can see that it's no longer listed under Associated to.

  4. After you dissociate the IP address, you can delete the public IP address resource. On the Public IP address page for the VM, select Delete.

    Screenshot of delete the public IP address resource.

  5. Click Yes to delete the public IP address.

Clean up resources

If you're not going to continue to use this application, delete your resources using the following steps:

  1. Enter the name of your resource group in the Search box at the top of the portal. When you see your resource group in the search results, select it.
  2. Select Delete resource group.
  3. Enter the name of your resource group for TYPE THE RESOURCE GROUP NAME: and select Delete.

Next steps

In this tutorial, you deployed Bastion to a virtual network and connected to a VM. You then removed the public IP address from the VM. Next, learn about and configure additional Bastion features.