Microsoft.Network bastionHosts
Bicep resource definition
The bastionHosts resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/bastionHosts resource, add the following Bicep to your template.
```bicep
resource symbolicname 'Microsoft.Network/bastionHosts@2023-11-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  sku: {
    name: 'string'
  }
  properties: {
    disableCopyPaste: bool
    dnsName: 'string'
    enableFileCopy: bool
    enableIpConnect: bool
    enableKerberos: bool
    enableShareableLink: bool
    enableTunneling: bool
    ipConfigurations: [
      {
        id: 'string'
        name: 'string'
        properties: {
          privateIPAllocationMethod: 'string'
          publicIPAddress: {
            id: 'string'
          }
          subnet: {
            id: 'string'
          }
        }
      }
    ]
    networkAcls: {
      ipRules: [
        {
          addressPrefix: 'string'
        }
      ]
    }
    scaleUnits: int
    virtualNetwork: {
      id: 'string'
    }
  }
  zones: [
    'string'
  ]
}
```
Property values
bastionHosts
Name | Description | Value |
---|---|---|
name | The resource name | string (required). Character limit: 1-80. Valid characters: alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore. |
location | Resource location. | string |
tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
sku | The sku of this Bastion Host. | Sku |
properties | Represents the bastion host resource. | BastionHostPropertiesFormat |
zones | A list of availability zones denoting where the resource needs to come from. | string[] |
BastionHostPropertiesFormat
Name | Description | Value |
---|---|---|
disableCopyPaste | Enable/Disable Copy/Paste feature of the Bastion Host resource. | bool |
dnsName | FQDN for the endpoint on which bastion host is accessible. | string |
enableFileCopy | Enable/Disable File Copy feature of the Bastion Host resource. | bool |
enableIpConnect | Enable/Disable IP Connect feature of the Bastion Host resource. | bool |
enableKerberos | Enable/Disable Kerberos feature of the Bastion Host resource. | bool |
enableShareableLink | Enable/Disable Shareable Link of the Bastion Host resource. | bool |
enableTunneling | Enable/Disable Tunneling feature of the Bastion Host resource. | bool |
ipConfigurations | IP configuration of the Bastion Host resource. | BastionHostIPConfiguration[] |
networkAcls | | BastionHostPropertiesFormatNetworkAcls |
scaleUnits | The scale units for the Bastion Host resource. | int. Constraints: min value = 2, max value = 50 |
virtualNetwork | Reference to an existing virtual network required for Developer Bastion Host only. | SubResource |
BastionHostIPConfiguration
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | Name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
properties | Represents the ip configuration associated with the resource. | BastionHostIPConfigurationPropertiesFormat |
BastionHostIPConfigurationPropertiesFormat
Name | Description | Value |
---|---|---|
privateIPAllocationMethod | Private IP allocation method. | 'Dynamic' 'Static' |
publicIPAddress | Reference of the PublicIP resource. | SubResource (required) |
subnet | Reference of the subnet resource. | SubResource (required) |
SubResource
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
BastionHostPropertiesFormatNetworkAcls
Name | Description | Value |
---|---|---|
ipRules | Sets the IP ACL rules for Developer Bastion Host. | IPRule[] |
IPRule
Name | Description | Value |
---|---|---|
addressPrefix | Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. | string |
Sku
Name | Description | Value |
---|---|---|
name | The name of this Bastion Host. | 'Basic' 'Developer' 'Standard' |
Quickstart templates
The following quickstart templates deploy this resource type.
Template | Description |
---|---|
Deploy Darktrace Autoscaling vSensors | This template allows you to deploy an automatically autoscaling deployment of Darktrace vSensors |
SharePoint Subscription / 2019 / 2016 / 2013 all configured | This template creates a SharePoint Subscription / 2019 / 2016 / 2013 farm with an extensive configuration that would take ages to perform manually, including a federated authentication with ADFS, an OAuth trust, the User Profiles service and a web application with 2 zones that contains multiple path based and host-named site collections. On the SharePoint virtual machines, Chocolatey is used to install the latest version of Notepad++, Visual Studio Code, Azure Data Studio, Fiddler, ULS Viewer and 7-Zip. |
AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
Public Load Balancer chained to a Gateway Load Balancer | This template allows you to deploy a Public Standard Load Balancer chained to a Gateway Load Balancer. Traffic incoming from the internet is routed to the Gateway Load Balancer with Linux VMs (NVAs) in the backend pool. |
Example Parameterized Deployment With Linked Templates | This sample template will deploy multiple tiers of resources into an Azure Resource Group. Each tier has configurable elements, to show how you can expose parameterization to the end user. |
Create a Private AKS Cluster | This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine. |
Create a Private AKS Cluster with a Public DNS Zone | This sample shows how to deploy a private AKS cluster with a Public DNS Zone. |
Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
Azure Bastion as a Service | This template provisions Azure Bastion in a Virtual Network |
Azure Bastion as a Service with NSG | This template provisions Azure Bastion in a Virtual Network |
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering. |
Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
Deploy a Bastion host in a hub Virtual Network | This template creates two vNets with peerings, a Bastion host in the Hub vNet and a Linux VM in the spoke vNet |
Create a cross-region load balancer | This template creates a cross-region load balancer with a backend pool containing two regional load balancers. Cross-region load balancer is currently available in limited regions. The regional load balancers behind the cross-region load balancer can be in any region. |
Standard Load Balancer with Backend Pool by IP Addresses | This template is used to demonstrate how ARM Templates can be used to configure the Backend Pool of a Load Balancer by IP Address as outlined in the Backend Pool management document. |
Create a standard load-balancer | This template creates an Internet-facing load-balancer, load balancing rules, and three VMs for the backend pool with each VM in a redundant zone. |
ARM template resource definition
The bastionHosts resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/bastionHosts resource, add the following JSON to your template.
```json
{
  "type": "Microsoft.Network/bastionHosts",
  "apiVersion": "2023-11-01",
  "name": "string",
  "location": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "sku": {
    "name": "string"
  },
  "properties": {
    "disableCopyPaste": "bool",
    "dnsName": "string",
    "enableFileCopy": "bool",
    "enableIpConnect": "bool",
    "enableKerberos": "bool",
    "enableShareableLink": "bool",
    "enableTunneling": "bool",
    "ipConfigurations": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "privateIPAllocationMethod": "string",
          "publicIPAddress": {
            "id": "string"
          },
          "subnet": {
            "id": "string"
          }
        }
      }
    ],
    "networkAcls": {
      "ipRules": [
        {
          "addressPrefix": "string"
        }
      ]
    },
    "scaleUnits": "int",
    "virtualNetwork": {
      "id": "string"
    }
  },
  "zones": [ "string" ]
}
```
Property values
bastionHosts
Name | Description | Value |
---|---|---|
type | The resource type | 'Microsoft.Network/bastionHosts' |
apiVersion | The resource api version | '2023-11-01' |
name | The resource name | string (required). Character limit: 1-80. Valid characters: alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore. |
location | Resource location. | string |
tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
sku | The sku of this Bastion Host. | Sku |
properties | Represents the bastion host resource. | BastionHostPropertiesFormat |
zones | A list of availability zones denoting where the resource needs to come from. | string[] |
BastionHostPropertiesFormat
Name | Description | Value |
---|---|---|
disableCopyPaste | Enable/Disable Copy/Paste feature of the Bastion Host resource. | bool |
dnsName | FQDN for the endpoint on which bastion host is accessible. | string |
enableFileCopy | Enable/Disable File Copy feature of the Bastion Host resource. | bool |
enableIpConnect | Enable/Disable IP Connect feature of the Bastion Host resource. | bool |
enableKerberos | Enable/Disable Kerberos feature of the Bastion Host resource. | bool |
enableShareableLink | Enable/Disable Shareable Link of the Bastion Host resource. | bool |
enableTunneling | Enable/Disable Tunneling feature of the Bastion Host resource. | bool |
ipConfigurations | IP configuration of the Bastion Host resource. | BastionHostIPConfiguration[] |
networkAcls | | BastionHostPropertiesFormatNetworkAcls |
scaleUnits | The scale units for the Bastion Host resource. | int. Constraints: min value = 2, max value = 50 |
virtualNetwork | Reference to an existing virtual network required for Developer Bastion Host only. | SubResource |
BastionHostIPConfiguration
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | Name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
properties | Represents the ip configuration associated with the resource. | BastionHostIPConfigurationPropertiesFormat |
BastionHostIPConfigurationPropertiesFormat
Name | Description | Value |
---|---|---|
privateIPAllocationMethod | Private IP allocation method. | 'Dynamic' 'Static' |
publicIPAddress | Reference of the PublicIP resource. | SubResource (required) |
subnet | Reference of the subnet resource. | SubResource (required) |
SubResource
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
BastionHostPropertiesFormatNetworkAcls
Name | Description | Value |
---|---|---|
ipRules | Sets the IP ACL rules for Developer Bastion Host. | IPRule[] |
IPRule
Name | Description | Value |
---|---|---|
addressPrefix | Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. | string |
Sku
Name | Description | Value |
---|---|---|
name | The name of this Bastion Host. | 'Basic' 'Developer' 'Standard' |
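The constraints in the ARM property tables above, turned into a pre-deployment check over a template's `bastionHosts` resources. This is an added example, not Microsoft's code: `check_bastion`, `audit_template`, the `REVIEW_FLAGS` policy and the sample template are assumptions made for illustration, and values are assumed to be literals rather than template expressions.

```python
import ipaddress
import re

# Naming rule, SKU names and ranges come from the property tables on this page.
NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9_.-]{0,78}[A-Za-z0-9_])?")
SKUS = {"Basic", "Developer", "Standard"}
# Assumption: local policy wants these features confirmed whenever they are enabled.
REVIEW_FLAGS = ("enableShareableLink", "enableTunneling", "enableIpConnect", "enableFileCopy")


def check_bastion(resource):
    """Return findings for one Microsoft.Network/bastionHosts resource (literal values only)."""
    findings = []
    if not NAME_RE.fullmatch(resource.get("name", "")):
        findings.append("name: breaks the 1-80 character naming rule")
    sku = resource.get("sku", {}).get("name")
    if sku is not None and sku not in SKUS:
        findings.append(f"sku.name: {sku!r} is not Basic, Developer or Standard")
    props = resource.get("properties", {})
    units = props.get("scaleUnits")
    if units is not None and not (isinstance(units, int) and 2 <= units <= 50):
        findings.append(f"scaleUnits: {units!r} is outside 2-50")
    for i, cfg in enumerate(props.get("ipConfigurations", [])):
        for ref in ("publicIPAddress", "subnet"):
            if not cfg.get("properties", {}).get(ref, {}).get("id"):
                findings.append(f"ipConfigurations[{i}].{ref}: required reference is missing")
    for rule in props.get("networkAcls", {}).get("ipRules", []):
        try:
            ipaddress.IPv4Network(rule.get("addressPrefix", ""), strict=False)
        except ValueError:
            findings.append(f"ipRules: {rule.get('addressPrefix')!r} is not IPv4 or IPv4 CIDR")
    if sku == "Developer" and not props.get("virtualNetwork", {}).get("id"):
        findings.append("virtualNetwork: required for Developer Bastion Host")
    for key in ("networkAcls", "virtualNetwork"):
        if sku != "Developer" and key in props:
            findings.append(f"{key}: documented here for Developer Bastion Host")
    findings += [f"{flag}: enabled, confirm it is intended"
                 for flag in REVIEW_FLAGS if props.get(flag) is True]
    return findings


def audit_template(template):
    """Map resource name to findings for every bastionHosts resource in an ARM template."""
    return {r.get("name", "<unnamed>"): check_bastion(r)
            for r in template.get("resources", [])
            if r.get("type") == "Microsoft.Network/bastionHosts"}


# Constructed sample template; the resource IDs are placeholders.
SAMPLE = {"resources": [
    {"type": "Microsoft.Network/bastionHosts", "name": "bastion-hub", "sku": {"name": "Standard"},
     "properties": {"scaleUnits": 2, "enableShareableLink": False, "ipConfigurations": [
         {"name": "ipconf", "properties": {"publicIPAddress": {"id": "<public-ip-id>"},
                                           "subnet": {"id": "<subnet-id>"}}}]}},
    {"type": "Microsoft.Network/bastionHosts", "name": "-dev-bastion", "sku": {"name": "Developer"},
     "properties": {"scaleUnits": 1, "enableTunneling": True,
                    "networkAcls": {"ipRules": [{"addressPrefix": "2001:db8::/32"}]}}},
]}
```

`audit_template(SAMPLE)` returns no findings for `bastion-hub` and five for `-dev-bastion`: the name, the scale units, the IPv6 ACL rule, the missing virtual network reference and the enabled tunneling flag.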
Terraform (AzAPI provider) resource definition
The bastionHosts resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/bastionHosts resource, add the following Terraform to your template.
```hcl
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/bastionHosts@2023-11-01"
  name = "string"
  location = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  body = jsonencode({
    properties = {
      disableCopyPaste = bool
      dnsName = "string"
      enableFileCopy = bool
      enableIpConnect = bool
      enableKerberos = bool
      enableShareableLink = bool
      enableTunneling = bool
      ipConfigurations = [
        {
          id = "string"
          name = "string"
          properties = {
            privateIPAllocationMethod = "string"
            publicIPAddress = {
              id = "string"
            }
            subnet = {
              id = "string"
            }
          }
        }
      ]
      networkAcls = {
        ipRules = [
          {
            addressPrefix = "string"
          }
        ]
      }
      scaleUnits = int
      virtualNetwork = {
        id = "string"
      }
    }
    zones = [
      "string"
    ]
    sku = {
      name = "string"
    }
  })
}
```
Property values
bastionHosts
Name | Description | Value |
---|---|---|
type | The resource type | "Microsoft.Network/bastionHosts@2023-11-01" |
name | The resource name | string (required). Character limit: 1-80. Valid characters: alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore. |
location | Resource location. | string |
parent_id | To deploy to a resource group, use the ID of that resource group. | string (required) |
tags | Resource tags. | Dictionary of tag names and values. |
sku | The sku of this Bastion Host. | Sku |
properties | Represents the bastion host resource. | BastionHostPropertiesFormat |
zones | A list of availability zones denoting where the resource needs to come from. | string[] |
BastionHostPropertiesFormat
Name | Description | Value |
---|---|---|
disableCopyPaste | Enable/Disable Copy/Paste feature of the Bastion Host resource. | bool |
dnsName | FQDN for the endpoint on which bastion host is accessible. | string |
enableFileCopy | Enable/Disable File Copy feature of the Bastion Host resource. | bool |
enableIpConnect | Enable/Disable IP Connect feature of the Bastion Host resource. | bool |
enableKerberos | Enable/Disable Kerberos feature of the Bastion Host resource. | bool |
enableShareableLink | Enable/Disable Shareable Link of the Bastion Host resource. | bool |
enableTunneling | Enable/Disable Tunneling feature of the Bastion Host resource. | bool |
ipConfigurations | IP configuration of the Bastion Host resource. | BastionHostIPConfiguration[] |
networkAcls | | BastionHostPropertiesFormatNetworkAcls |
scaleUnits | The scale units for the Bastion Host resource. | int. Constraints: min value = 2, max value = 50 |
virtualNetwork | Reference to an existing virtual network required for Developer Bastion Host only. | SubResource |
BastionHostIPConfiguration
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
name | Name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
properties | Represents the ip configuration associated with the resource. | BastionHostIPConfigurationPropertiesFormat |
BastionHostIPConfigurationPropertiesFormat
Name | Description | Value |
---|---|---|
privateIPAllocationMethod | Private IP allocation method. | "Dynamic" "Static" |
publicIPAddress | Reference of the PublicIP resource. | SubResource (required) |
subnet | Reference of the subnet resource. | SubResource (required) |
SubResource
Name | Description | Value |
---|---|---|
id | Resource ID. | string |
BastionHostPropertiesFormatNetworkAcls
Name | Description | Value |
---|---|---|
ipRules | Sets the IP ACL rules for Developer Bastion Host. | IPRule[] |
IPRule
Name | Description | Value |
---|---|---|
addressPrefix | Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. | string |
Sku
Name | Description | Value |
---|---|---|
name | The name of this Bastion Host. | "Basic" "Developer" "Standard" |