Microsoft.Network bastionHosts 2023-11-01
The bastionHosts resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
To create a Microsoft.Network/bastionHosts resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Network/bastionHosts@2023-11-01' = {
  location: 'string'
  name: 'string'
  properties: {
    disableCopyPaste: bool
    dnsName: 'string'
    enableFileCopy: bool
    enableIpConnect: bool
    enableKerberos: bool
    enableShareableLink: bool
    enableTunneling: bool
    ipConfigurations: [
      {
        id: 'string'
        name: 'string'
        properties: {
          privateIPAllocationMethod: 'string'
          publicIPAddress: {
            id: 'string'
          }
          subnet: {
            id: 'string'
          }
        }
      }
    ]
    networkAcls: {
      ipRules: [
        {
          addressPrefix: 'string'
        }
      ]
    }
    scaleUnits: int
    virtualNetwork: {
      id: 'string'
    }
  }
  sku: {
    name: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
  zones: [
    'string'
  ]
}
BastionHostIPConfiguration
Name | Description | Value |
id | Resource ID. | string |
name | Name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
properties | Represents the ip configuration associated with the resource. | BastionHostIPConfigurationPropertiesFormat |

BastionHostIPConfigurationPropertiesFormat
Name | Description | Value |
privateIPAllocationMethod | Private IP allocation method. | 'Dynamic' 'Static' |
publicIPAddress | Reference of the PublicIP resource. | SubResource (required) |
subnet | Reference of the subnet resource. | SubResource (required) |

BastionHostPropertiesFormat
Name | Description | Value |
disableCopyPaste | Enable/Disable Copy/Paste feature of the Bastion Host resource. | bool |
dnsName | FQDN for the endpoint on which bastion host is accessible. | string |
enableFileCopy | Enable/Disable File Copy feature of the Bastion Host resource. | bool |
enableIpConnect | Enable/Disable IP Connect feature of the Bastion Host resource. | bool |
enableKerberos | Enable/Disable Kerberos feature of the Bastion Host resource. | bool |
enableShareableLink | Enable/Disable Shareable Link of the Bastion Host resource. | bool |
enableTunneling | Enable/Disable Tunneling feature of the Bastion Host resource. | bool |
ipConfigurations | IP configuration of the Bastion Host resource. | BastionHostIPConfiguration[] |
networkAcls | | BastionHostPropertiesFormatNetworkAcls |
scaleUnits | The scale units for the Bastion Host resource. | int Constraints: Min value = 2 Max value = 50 |
virtualNetwork | Reference to an existing virtual network required for Developer Bastion Host only. | SubResource |

BastionHostPropertiesFormatNetworkAcls
Name | Description | Value |
ipRules | Sets the IP ACL rules for Developer Bastion Host. | IPRule[] |

IPRule
Name | Description | Value |
addressPrefix | Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. | string |

Microsoft.Network/bastionHosts
Name | Description | Value |
location | Resource location. | string |
name | The resource name | string (required) |
properties | Represents the bastion host resource. | BastionHostPropertiesFormat |
sku | The sku of this Bastion Host. | Sku |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
zones | A list of availability zones denoting where the resource needs to come from. | string[] |

Sku
Name | Description | Value |
name | The name of this Bastion Host. | 'Basic' 'Developer' 'Standard' |

SubResource
Name | Description | Value |
id | Resource ID. | string |
The following Azure Verified Modules can be used to deploy this resource type.
Module | Description |
Bastion Host | AVM Resource Module for Bastion Host |
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
Bicep File | Description |
AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
Azure Bastion as a Service | This template provisions Azure Bastion in a Virtual Network |
Azure Bastion as a Service with NSG | This template provisions Azure Bastion in a Virtual Network |
Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
Create a cross-region load balancer | This template creates a cross-region load balancer with a backend pool containing two regional load balancers. Cross-region load balancer is currently available in limited regions. The regional load balancers behind the cross-region load balancer can be in any region. |
Create a Private AKS Cluster | This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine. |
Create a standard internal load balancer | This template creates a standard internal Azure Load Balancer with a rule load-balancing port 80 |
Create a standard load-balancer | This template creates an Internet-facing load-balancer, load balancing rules, and three VMs for the backend pool with each VM in a redundant zone. |
Deploy a Bastion host in a hub Virtual Network | This template creates two vNets with peerings, a Bastion host in the Hub vNet and a Linux VM in the spoke vNet |
Deploy Secure Azure AI Studio with a managed virtual network | This template creates a secure Azure AI Studio environment with robust network and identity security restrictions. |
Public Load Balancer chained to a Gateway Load Balancer | This template allows you to deploy a Public Standard Load Balancer chained to a Gateway Load Balancer. The traffic incoming from the internet is routed to the Gateway Load Balancer with Linux VMs (NVAs) in the backend pool. |
SharePoint Subscription / 2019 / 2016 fully configured | Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc. The latest version of key software (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc.). |
Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering. |
The bastionHosts resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
To create a Microsoft.Network/bastionHosts resource, add the following JSON to your template.
{
  "type": "Microsoft.Network/bastionHosts",
  "apiVersion": "2023-11-01",
  "name": "string",
  "location": "string",
  "properties": {
    "disableCopyPaste": "bool",
    "dnsName": "string",
    "enableFileCopy": "bool",
    "enableIpConnect": "bool",
    "enableKerberos": "bool",
    "enableShareableLink": "bool",
    "enableTunneling": "bool",
    "ipConfigurations": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "privateIPAllocationMethod": "string",
          "publicIPAddress": {
            "id": "string"
          },
          "subnet": {
            "id": "string"
          }
        }
      }
    ],
    "networkAcls": {
      "ipRules": [
        {
          "addressPrefix": "string"
        }
      ]
    },
    "scaleUnits": "int",
    "virtualNetwork": {
      "id": "string"
    }
  },
  "sku": {
    "name": "string"
  },
  "tags": {
    "{customized property}": "string"
  },
  "zones": [ "string" ]
}
BastionHostIPConfiguration
Name | Description | Value |
id | Resource ID. | string |
name | Name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
properties | Represents the ip configuration associated with the resource. | BastionHostIPConfigurationPropertiesFormat |

BastionHostIPConfigurationPropertiesFormat
Name | Description | Value |
privateIPAllocationMethod | Private IP allocation method. | 'Dynamic' 'Static' |
publicIPAddress | Reference of the PublicIP resource. | SubResource (required) |
subnet | Reference of the subnet resource. | SubResource (required) |

BastionHostPropertiesFormat
Name | Description | Value |
disableCopyPaste | Enable/Disable Copy/Paste feature of the Bastion Host resource. | bool |
dnsName | FQDN for the endpoint on which bastion host is accessible. | string |
enableFileCopy | Enable/Disable File Copy feature of the Bastion Host resource. | bool |
enableIpConnect | Enable/Disable IP Connect feature of the Bastion Host resource. | bool |
enableKerberos | Enable/Disable Kerberos feature of the Bastion Host resource. | bool |
enableShareableLink | Enable/Disable Shareable Link of the Bastion Host resource. | bool |
enableTunneling | Enable/Disable Tunneling feature of the Bastion Host resource. | bool |
ipConfigurations | IP configuration of the Bastion Host resource. | BastionHostIPConfiguration[] |
networkAcls | | BastionHostPropertiesFormatNetworkAcls |
scaleUnits | The scale units for the Bastion Host resource. | int Constraints: Min value = 2 Max value = 50 |
virtualNetwork | Reference to an existing virtual network required for Developer Bastion Host only. | SubResource |

BastionHostPropertiesFormatNetworkAcls
Name | Description | Value |
ipRules | Sets the IP ACL rules for Developer Bastion Host. | IPRule[] |

IPRule
Name | Description | Value |
addressPrefix | Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. | string |

Microsoft.Network/bastionHosts
Name | Description | Value |
apiVersion | The api version | '2023-11-01' |
location | Resource location. | string |
name | The resource name | string (required) |
properties | Represents the bastion host resource. | BastionHostPropertiesFormat |
sku | The sku of this Bastion Host. | Sku |
tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
type | The resource type | 'Microsoft.Network/bastionHosts' |
zones | A list of availability zones denoting where the resource needs to come from. | string[] |

Sku
Name | Description | Value |
name | The name of this Bastion Host. | 'Basic' 'Developer' 'Standard' |

SubResource
Name | Description | Value |
id | Resource ID. | string |
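
The property tables above translate directly into a pre-deployment check. The following Python is an added example, not part of the original reference or Microsoft's own tooling: it audits the bastionHosts resources in an ARM template for the constraints stated on this page (SKU names, the scaleUnits range, required `publicIPAddress`/`subnet` references, IPv4-only `addressPrefix`, Developer-only properties). The function names, finding strings, the sample template, and the review policy that flags enabled feature toggles and a non-disabled copy/paste are assumptions made for illustration.

```python
import ipaddress

# SKU names and the scaleUnits range are copied from the tables on this page.
SKUS = {"Basic", "Developer", "Standard"}
# Assumed review policy (not from the page): toggles to justify when enabled.
REVIEW_IF_TRUE = ("enableShareableLink", "enableTunneling",
                  "enableIpConnect", "enableFileCopy")


def audit_bastion(resource):
    """Return sorted findings for one Microsoft.Network/bastionHosts resource."""
    props = resource.get("properties", {})
    sku = resource.get("sku", {}).get("name")
    out = []
    if sku is not None and sku not in SKUS:
        out.append(f"sku:invalid:{sku}")
    units = props.get("scaleUnits")
    if isinstance(units, int) and not 2 <= units <= 50:
        out.append(f"scaleUnits:out-of-range:{units}")
    for cfg in props.get("ipConfigurations", []):
        cfg_props = cfg.get("properties", {})
        for ref in ("publicIPAddress", "subnet"):  # both marked required
            if not cfg_props.get(ref, {}).get("id"):
                out.append(f"ipConfigurations:{cfg.get('name')}:missing:{ref}")
    for rule in props.get("networkAcls", {}).get("ipRules", []):
        prefix = str(rule.get("addressPrefix", ""))
        try:  # the page allows only an IPv4 address or IPv4 CIDR range
            net = ipaddress.IPv4Network(prefix, strict=False)
        except ValueError:
            out.append(f"ipRules:not-ipv4-cidr:{prefix}")
            continue
        if net.prefixlen == 0:  # ACL that admits every source address
            out.append(f"ipRules:allows-any-source:{prefix}")
    if sku != "Developer":  # both properties are described as Developer-only
        out += [f"{k}:developer-sku-only"
                for k in ("networkAcls", "virtualNetwork") if k in props]
    out += [f"review:{k}=true" for k in REVIEW_IF_TRUE if props.get(k) is True]
    if props.get("disableCopyPaste") is not True:  # assumed policy
        out.append("review:disableCopyPaste!=true")
    return sorted(out)


def audit_template(template):
    """Audit every bastionHosts resource in an ARM template dict, keyed by name."""
    return {r.get("name"): audit_bastion(r)
            for r in template.get("resources", [])
            if r.get("type") == "Microsoft.Network/bastionHosts"}


# Constructed sample template, not taken from a real deployment.
SAMPLE = {"resources": [{
    "type": "Microsoft.Network/bastionHosts", "apiVersion": "2023-11-01",
    "name": "bastion-example", "sku": {"name": "Standard"},
    "properties": {
        "enableShareableLink": True, "scaleUnits": 1,
        "networkAcls": {"ipRules": [{"addressPrefix": "0.0.0.0/0"},
                                     {"addressPrefix": "2001:db8::/32"}]},
        "ipConfigurations": [{"name": "ipconf", "properties": {
            "subnet": {"id": "<subnet-resource-id>"}}}]}}]}
```

Calling `audit_template(SAMPLE)` returns the findings per resource name; template expressions such as `[parameters('x')]` in boolean or integer fields are not evaluated, so resolve parameters before auditing.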
The following Azure Quickstart templates deploy this resource type.
Template | Description |
AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
Azure Bastion as a Service | This template provisions Azure Bastion in a Virtual Network |
Azure Bastion as a Service with NSG | This template provisions Azure Bastion in a Virtual Network |
Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
Create a cross-region load balancer | This template creates a cross-region load balancer with a backend pool containing two regional load balancers. Cross-region load balancer is currently available in limited regions. The regional load balancers behind the cross-region load balancer can be in any region. |
Create a Private AKS Cluster | This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine. |
Create a Private AKS Cluster with a Public DNS Zone | This sample shows how to deploy a private AKS cluster with a Public DNS Zone. |
Create a standard internal load balancer | This template creates a standard internal Azure Load Balancer with a rule load-balancing port 80 |
Create a standard load-balancer | This template creates an Internet-facing load-balancer, load balancing rules, and three VMs for the backend pool with each VM in a redundant zone. |
Deploy a Bastion host in a hub Virtual Network | This template creates two vNets with peerings, a Bastion host in the Hub vNet and a Linux VM in the spoke vNet |
Deploy Darktrace Autoscaling vSensors | This template allows you to deploy an automatically autoscaling deployment of Darktrace vSensors |
Deploy Secure Azure AI Studio with a managed virtual network | This template creates a secure Azure AI Studio environment with robust network and identity security restrictions. |
Example Parameterized Deployment With Linked Templates | This sample template will deploy multiple tiers of resources into an Azure Resource Group. Each tier has configurable elements, to show how you can expose parameterization to the end user. |
Public Load Balancer chained to a Gateway Load Balancer | This template allows you to deploy a Public Standard Load Balancer chained to a Gateway Load Balancer. The traffic incoming from the internet is routed to the Gateway Load Balancer with Linux VMs (NVAs) in the backend pool. |
SharePoint Subscription / 2019 / 2016 fully configured | Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc. The latest version of key software (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc.). |
Standard Load Balancer with Backend Pool by IP Addresses | This template is used to demonstrate how ARM Templates can be used to configure the Backend Pool of a Load Balancer by IP Address as outlined in the Backend Pool management document. |
Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering. |
The bastionHosts resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
To create a Microsoft.Network/bastionHosts resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/bastionHosts@2023-11-01"
  name = "string"
  location = "string"
  sku = {
    name = "string"
  }
  tags = {
    {customized property} = "string"
  }
  zones = [
    "string"
  ]
  body = jsonencode({
    properties = {
      disableCopyPaste = bool
      dnsName = "string"
      enableFileCopy = bool
      enableIpConnect = bool
      enableKerberos = bool
      enableShareableLink = bool
      enableTunneling = bool
      ipConfigurations = [
        {
          id = "string"
          name = "string"
          properties = {
            privateIPAllocationMethod = "string"
            publicIPAddress = {
              id = "string"
            }
            subnet = {
              id = "string"
            }
          }
        }
      ]
      networkAcls = {
        ipRules = [
          {
            addressPrefix = "string"
          }
        ]
      }
      scaleUnits = int
      virtualNetwork = {
        id = "string"
      }
    }
  })
}
BastionHostIPConfiguration
Name | Description | Value |
id | Resource ID. | string |
name | Name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
properties | Represents the ip configuration associated with the resource. | BastionHostIPConfigurationPropertiesFormat |

BastionHostIPConfigurationPropertiesFormat
Name | Description | Value |
privateIPAllocationMethod | Private IP allocation method. | 'Dynamic' 'Static' |
publicIPAddress | Reference of the PublicIP resource. | SubResource (required) |
subnet | Reference of the subnet resource. | SubResource (required) |

BastionHostPropertiesFormat
Name | Description | Value |
disableCopyPaste | Enable/Disable Copy/Paste feature of the Bastion Host resource. | bool |
dnsName | FQDN for the endpoint on which bastion host is accessible. | string |
enableFileCopy | Enable/Disable File Copy feature of the Bastion Host resource. | bool |
enableIpConnect | Enable/Disable IP Connect feature of the Bastion Host resource. | bool |
enableKerberos | Enable/Disable Kerberos feature of the Bastion Host resource. | bool |
enableShareableLink | Enable/Disable Shareable Link of the Bastion Host resource. | bool |
enableTunneling | Enable/Disable Tunneling feature of the Bastion Host resource. | bool |
ipConfigurations | IP configuration of the Bastion Host resource. | BastionHostIPConfiguration[] |
networkAcls | | BastionHostPropertiesFormatNetworkAcls |
scaleUnits | The scale units for the Bastion Host resource. | int Constraints: Min value = 2 Max value = 50 |
virtualNetwork | Reference to an existing virtual network required for Developer Bastion Host only. | SubResource |

BastionHostPropertiesFormatNetworkAcls
Name | Description | Value |
ipRules | Sets the IP ACL rules for Developer Bastion Host. | IPRule[] |

IPRule
Name | Description | Value |
addressPrefix | Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. | string |

Microsoft.Network/bastionHosts
Name | Description | Value |
location | Resource location. | string |
name | The resource name | string (required) |
properties | Represents the bastion host resource. | BastionHostPropertiesFormat |
sku | The sku of this Bastion Host. | Sku |
tags | Resource tags | Dictionary of tag names and values. |
type | The resource type | "Microsoft.Network/bastionHosts@2023-11-01" |
zones | A list of availability zones denoting where the resource needs to come from. | string[] |

Sku
Name | Description | Value |
name | The name of this Bastion Host. | 'Basic' 'Developer' 'Standard' |

SubResource
Name | Description | Value |
id | Resource ID. | string |
The following Azure Verified Modules can be used to deploy this resource type.
Module | Description |
Bastion Host | AVM Resource Module for Bastion Host |