Microsoft.Network bastionHosts

Bicep resource definition

The bastionHosts resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/bastionHosts resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/bastionHosts@2023-11-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  sku: {
    name: 'string'
  }
  properties: {
    disableCopyPaste: bool
    dnsName: 'string'
    enableFileCopy: bool
    enableIpConnect: bool
    enableKerberos: bool
    enableShareableLink: bool
    enableTunneling: bool
    ipConfigurations: [
      {
        id: 'string'
        name: 'string'
        properties: {
          privateIPAllocationMethod: 'string'
          publicIPAddress: {
            id: 'string'
          }
          subnet: {
            id: 'string'
          }
        }
      }
    ]
    networkAcls: {
      ipRules: [
        {
          addressPrefix: 'string'
        }
      ]
    }
    scaleUnits: int
    virtualNetwork: {
      id: 'string'
    }
  }
  zones: [
    'string'
  ]
}

Property values

bastionHosts

| Name | Description | Value |
| --- | --- | --- |
| name | The resource name | string (required). Character limit: 1-80. Valid characters: alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End alphanumeric or underscore. |
| location | Resource location. | string |
| tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
| sku | The sku of this Bastion Host. | Sku |
| properties | Represents the bastion host resource. | BastionHostPropertiesFormat |
| zones | A list of availability zones denoting where the resource needs to come from. | string[] |

BastionHostPropertiesFormat

| Name | Description | Value |
| --- | --- | --- |
| disableCopyPaste | Enable/Disable Copy/Paste feature of the Bastion Host resource. | bool |
| dnsName | FQDN for the endpoint on which bastion host is accessible. | string |
| enableFileCopy | Enable/Disable File Copy feature of the Bastion Host resource. | bool |
| enableIpConnect | Enable/Disable IP Connect feature of the Bastion Host resource. | bool |
| enableKerberos | Enable/Disable Kerberos feature of the Bastion Host resource. | bool |
| enableShareableLink | Enable/Disable Shareable Link of the Bastion Host resource. | bool |
| enableTunneling | Enable/Disable Tunneling feature of the Bastion Host resource. | bool |
| ipConfigurations | IP configuration of the Bastion Host resource. | BastionHostIPConfiguration[] |
| networkAcls | | BastionHostPropertiesFormatNetworkAcls |
| scaleUnits | The scale units for the Bastion Host resource. | int. Constraints: Min value = 2, Max value = 50 |
| virtualNetwork | Reference to an existing virtual network required for Developer Bastion Host only. | SubResource |

BastionHostIPConfiguration

| Name | Description | Value |
| --- | --- | --- |
| id | Resource ID. | string |
| name | Name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Represents the ip configuration associated with the resource. | BastionHostIPConfigurationPropertiesFormat |

BastionHostIPConfigurationPropertiesFormat

| Name | Description | Value |
| --- | --- | --- |
| privateIPAllocationMethod | Private IP allocation method. | 'Dynamic', 'Static' |
| publicIPAddress | Reference of the PublicIP resource. | SubResource (required) |
| subnet | Reference of the subnet resource. | SubResource (required) |

SubResource

| Name | Description | Value |
| --- | --- | --- |
| id | Resource ID. | string |

BastionHostPropertiesFormatNetworkAcls

| Name | Description | Value |
| --- | --- | --- |
| ipRules | Sets the IP ACL rules for Developer Bastion Host. | IPRule[] |

IPRule

| Name | Description | Value |
| --- | --- | --- |
| addressPrefix | Specifies the IP address or IP range in CIDR format. Only IPv4 addresses are allowed. | string |

Sku

| Name | Description | Value |
| --- | --- | --- |
| name | The name of this Bastion Host. | 'Basic', 'Developer', 'Standard' |

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Deploy Darktrace Autoscaling vSensors | This template allows you to deploy an automatically autoscaling deployment of Darktrace vSensors |
| SharePoint Subscription / 2019 / 2016 / 2013 all configured | This template creates a SharePoint Subscription / 2019 / 2016 / 2013 farm with an extensive configuration that would take ages to perform manually, including a federated authentication with ADFS, an OAuth trust, the User Profiles service and a web application with 2 zones that contains multiple path based and host-named site collections. On the SharePoint virtual machines, Chocolatey is used to install the latest version of Notepad++, Visual Studio Code, Azure Data Studio, Fiddler, ULS Viewer and 7-Zip. |
| AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
| Public Load Balancer chained to a Gateway Load Balancer | This template allows you to deploy a Public Standard Load Balancer chained to a Gateway Load Balancer. The traffic incoming from the internet is routed to the Gateway Load Balancer with Linux VMs (NVAs) in the backend pool. |
| Example Parameterized Deployment With Linked Templates | This sample template will deploy multiple tiers of resources into an Azure Resource Group. Each tier has configurable elements, to show how you can expose parameterization to the end user. |
| Create a Private AKS Cluster | This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine. |
| Create a Private AKS Cluster with a Public DNS Zone | This sample shows how to deploy a private AKS cluster with a Public DNS Zone. |
| Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure setup. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
| Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure setup. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
| AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
| Azure Bastion as a Service | This template provisions Azure Bastion in a Virtual Network |
| Azure Bastion as a Service with NSG | This template provisions Azure Bastion in a Virtual Network |
| Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering. |
| Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
| Deploy a Bastion host in a hub Virtual Network | This template creates two vNets with peerings, a Bastion host in the Hub vNet and a Linux VM in the spoke vNet |
| Create a cross-region load balancer | This template creates a cross-region load balancer with a backend pool containing two regional load balancers. Cross-region load balancer is currently available in limited regions. The regional load balancers behind the cross-region load balancer can be in any region. |
| Standard Load Balancer with Backend Pool by IP Addresses | This template is used to demonstrate how ARM Templates can be used to configure the Backend Pool of a Load Balancer by IP Address as outlined in the Backend Pool management document. |
| Create a standard load-balancer | This template creates an Internet-facing load-balancer, load balancing rules, and three VMs for the backend pool with each VM in a redundant zone. |

ARM template resource definition

The bastionHosts resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/bastionHosts resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/bastionHosts",
  "apiVersion": "2023-11-01",
  "name": "string",
  "location": "string",
  "tags": {
    "tagName1": "tagValue1",
    "tagName2": "tagValue2"
  },
  "sku": {
    "name": "string"
  },
  "properties": {
    "disableCopyPaste": "bool",
    "dnsName": "string",
    "enableFileCopy": "bool",
    "enableIpConnect": "bool",
    "enableKerberos": "bool",
    "enableShareableLink": "bool",
    "enableTunneling": "bool",
    "ipConfigurations": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "privateIPAllocationMethod": "string",
          "publicIPAddress": {
            "id": "string"
          },
          "subnet": {
            "id": "string"
          }
        }
      }
    ],
    "networkAcls": {
      "ipRules": [
        {
          "addressPrefix": "string"
        }
      ]
    },
    "scaleUnits": "int",
    "virtualNetwork": {
      "id": "string"
    }
  },
  "zones": [ "string" ]
}

Property values

bastionHosts

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type | 'Microsoft.Network/bastionHosts' |
| apiVersion | The resource api version | '2023-11-01' |
| name | The resource name | string (required). Character limit: 1-80. Valid characters: alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End alphanumeric or underscore. |
| location | Resource location. | string |
| tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
| sku | The sku of this Bastion Host. | Sku |
| properties | Represents the bastion host resource. | BastionHostPropertiesFormat |
| zones | A list of availability zones denoting where the resource needs to come from. | string[] |

BastionHostPropertiesFormat

| Name | Description | Value |
| --- | --- | --- |
| disableCopyPaste | Enable/Disable Copy/Paste feature of the Bastion Host resource. | bool |
| dnsName | FQDN for the endpoint on which bastion host is accessible. | string |
| enableFileCopy | Enable/Disable File Copy feature of the Bastion Host resource. | bool |
| enableIpConnect | Enable/Disable IP Connect feature of the Bastion Host resource. | bool |
| enableKerberos | Enable/Disable Kerberos feature of the Bastion Host resource. | bool |
| enableShareableLink | Enable/Disable Shareable Link of the Bastion Host resource. | bool |
| enableTunneling | Enable/Disable Tunneling feature of the Bastion Host resource. | bool |
| ipConfigurations | IP configuration of the Bastion Host resource. | BastionHostIPConfiguration[] |
| networkAcls | | BastionHostPropertiesFormatNetworkAcls |
| scaleUnits | The scale units for the Bastion Host resource. | int. Constraints: Min value = 2, Max value = 50 |
| virtualNetwork | Reference to an existing virtual network required for Developer Bastion Host only. | SubResource |

BastionHostIPConfiguration

| Name | Description | Value |
| --- | --- | --- |
| id | Resource ID. | string |
| name | Name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Represents the ip configuration associated with the resource. | BastionHostIPConfigurationPropertiesFormat |

BastionHostIPConfigurationPropertiesFormat

| Name | Description | Value |
| --- | --- | --- |
| privateIPAllocationMethod | Private IP allocation method. | 'Dynamic', 'Static' |
| publicIPAddress | Reference of the PublicIP resource. | SubResource (required) |
| subnet | Reference of the subnet resource. | SubResource (required) |

SubResource

| Name | Description | Value |
| --- | --- | --- |
| id | Resource ID. | string |

BastionHostPropertiesFormatNetworkAcls

| Name | Description | Value |
| --- | --- | --- |
| ipRules | Sets the IP ACL rules for Developer Bastion Host. | IPRule[] |

IPRule

| Name | Description | Value |
| --- | --- | --- |
| addressPrefix | Specifies the IP address or IP range in CIDR format. Only IPv4 addresses are allowed. | string |

Sku

| Name | Description | Value |
| --- | --- | --- |
| name | The name of this Bastion Host. | 'Basic', 'Developer', 'Standard' |
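
The constraints in the property tables above (naming rule, scaleUnits range, SKU and allocation-method values, required IP configuration references, IPv4-only ACL prefixes, virtualNetwork for Developer) can be checked before a template is deployed. The following Python linter is an added example, not part of the original reference: the function names are hypothetical, it assumes literal values (template expressions are not evaluated), and its "review" list reflects an assumed policy of flagging session features for sign-off.

```python
import ipaddress
import re

# Naming rule from the page: 1-80 chars, alphanumeric first, alphanumeric or '_' last.
NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9_.-]{0,78}[A-Za-z0-9_])?")
SKUS = ("Basic", "Developer", "Standard")
# Assumed review policy (not from the page): switches that widen what a session can do.
REVIEW_IF_TRUE = ("enableShareableLink", "enableTunneling", "enableFileCopy", "enableIpConnect")

def check_bastion(res):
    """Return (errors, review) for one bastionHosts resource holding literal values."""
    errors, review = [], []
    props = res.get("properties", {})
    sku = res.get("sku", {}).get("name")
    if not NAME_RE.fullmatch(str(res.get("name", ""))):
        errors.append("name violates the naming rule")
    if sku is not None and sku not in SKUS:
        errors.append(f"sku.name {sku!r} is not one of {SKUS}")
    units = props.get("scaleUnits")
    if units is not None and not (type(units) is int and 2 <= units <= 50):
        errors.append("scaleUnits must be an int from 2 to 50")
    for i, cfg in enumerate(props.get("ipConfigurations", [])):
        p = cfg.get("properties", {})
        for ref in ("publicIPAddress", "subnet"):
            if not p.get(ref, {}).get("id"):
                errors.append(f"ipConfigurations[{i}].{ref}.id is required")
        if p.get("privateIPAllocationMethod", "Dynamic") not in ("Dynamic", "Static"):
            errors.append(f"ipConfigurations[{i}].privateIPAllocationMethod is invalid")
    rules = props.get("networkAcls", {}).get("ipRules", [])
    for i, rule in enumerate(rules):
        try:
            net = ipaddress.IPv4Network(rule.get("addressPrefix", ""), strict=False)
            if net.prefixlen == 0:
                review.append(f"ipRules[{i}] admits every IPv4 source")
        except ValueError:
            errors.append(f"ipRules[{i}].addressPrefix is not an IPv4 address or CIDR range")
    if sku == "Developer" and not props.get("virtualNetwork", {}).get("id"):
        errors.append("virtualNetwork.id is required for the Developer SKU")
    if rules and sku != "Developer":
        review.append("networkAcls.ipRules is documented for the Developer SKU")
    review += [f"{flag} is true" for flag in REVIEW_IF_TRUE if props.get(flag) is True]
    if props.get("disableCopyPaste") is not True:
        review.append("disableCopyPaste is not true")
    return errors, review

def audit_template(template):
    """Map each bastionHosts resource name in an ARM template to its findings."""
    return {r.get("name"): check_bastion(r) for r in template.get("resources", [])
            if r.get("type", "").lower() == "microsoft.network/bastionhosts"}

# Constructed sample: placeholder IDs and documentation-range addresses.
SAMPLE = {"resources": [
    {"type": "Microsoft.Network/bastionHosts", "name": "bastion-dev-",
     "sku": {"name": "Developer"}, "properties": {
         "enableShareableLink": True, "networkAcls": {"ipRules": [
             {"addressPrefix": "203.0.113.0/24"}, {"addressPrefix": "2001:db8::/32"},
             {"addressPrefix": "0.0.0.0/0"}]}}},
    {"type": "Microsoft.Network/bastionHosts", "name": "bastion-hub",
     "sku": {"name": "Standard"}, "properties": {
         "disableCopyPaste": True, "scaleUnits": 2, "ipConfigurations": [{"properties": {
             "publicIPAddress": {"id": "<public-ip-id>"}, "subnet": {"id": "<subnet-id>"}}}]}},
]}
if __name__ == "__main__":
    print(audit_template(SAMPLE))
```

Entries in the errors list contradict the constraints stated on this page; entries in the review list are valid settings that the assumed policy wants a person to approve.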

Terraform (AzAPI provider) resource definition

The bastionHosts resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/bastionHosts resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/bastionHosts@2023-11-01"
  name = "string"
  location = "string"
  parent_id = "string"
  tags = {
    tagName1 = "tagValue1"
    tagName2 = "tagValue2"
  }
  body = jsonencode({
    properties = {
      disableCopyPaste = bool
      dnsName = "string"
      enableFileCopy = bool
      enableIpConnect = bool
      enableKerberos = bool
      enableShareableLink = bool
      enableTunneling = bool
      ipConfigurations = [
        {
          id = "string"
          name = "string"
          properties = {
            privateIPAllocationMethod = "string"
            publicIPAddress = {
              id = "string"
            }
            subnet = {
              id = "string"
            }
          }
        }
      ]
      networkAcls = {
        ipRules = [
          {
            addressPrefix = "string"
          }
        ]
      }
      scaleUnits = int
      virtualNetwork = {
        id = "string"
      }
    }
    zones = [
      "string"
    ]
    sku = {
      name = "string"
    }
  })
}

Property values

bastionHosts

| Name | Description | Value |
| --- | --- | --- |
| type | The resource type | "Microsoft.Network/bastionHosts@2023-11-01" |
| name | The resource name | string (required). Character limit: 1-80. Valid characters: alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End alphanumeric or underscore. |
| location | Resource location. | string |
| parent_id | To deploy to a resource group, use the ID of that resource group. | string (required) |
| tags | Resource tags. | Dictionary of tag names and values. |
| sku | The sku of this Bastion Host. | Sku |
| properties | Represents the bastion host resource. | BastionHostPropertiesFormat |
| zones | A list of availability zones denoting where the resource needs to come from. | string[] |

BastionHostPropertiesFormat

| Name | Description | Value |
| --- | --- | --- |
| disableCopyPaste | Enable/Disable Copy/Paste feature of the Bastion Host resource. | bool |
| dnsName | FQDN for the endpoint on which bastion host is accessible. | string |
| enableFileCopy | Enable/Disable File Copy feature of the Bastion Host resource. | bool |
| enableIpConnect | Enable/Disable IP Connect feature of the Bastion Host resource. | bool |
| enableKerberos | Enable/Disable Kerberos feature of the Bastion Host resource. | bool |
| enableShareableLink | Enable/Disable Shareable Link of the Bastion Host resource. | bool |
| enableTunneling | Enable/Disable Tunneling feature of the Bastion Host resource. | bool |
| ipConfigurations | IP configuration of the Bastion Host resource. | BastionHostIPConfiguration[] |
| networkAcls | | BastionHostPropertiesFormatNetworkAcls |
| scaleUnits | The scale units for the Bastion Host resource. | int. Constraints: Min value = 2, Max value = 50 |
| virtualNetwork | Reference to an existing virtual network required for Developer Bastion Host only. | SubResource |

BastionHostIPConfiguration

| Name | Description | Value |
| --- | --- | --- |
| id | Resource ID. | string |
| name | Name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Represents the ip configuration associated with the resource. | BastionHostIPConfigurationPropertiesFormat |

BastionHostIPConfigurationPropertiesFormat

| Name | Description | Value |
| --- | --- | --- |
| privateIPAllocationMethod | Private IP allocation method. | "Dynamic", "Static" |
| publicIPAddress | Reference of the PublicIP resource. | SubResource (required) |
| subnet | Reference of the subnet resource. | SubResource (required) |

SubResource

| Name | Description | Value |
| --- | --- | --- |
| id | Resource ID. | string |

BastionHostPropertiesFormatNetworkAcls

| Name | Description | Value |
| --- | --- | --- |
| ipRules | Sets the IP ACL rules for Developer Bastion Host. | IPRule[] |

IPRule

| Name | Description | Value |
| --- | --- | --- |
| addressPrefix | Specifies the IP address or IP range in CIDR format. Only IPv4 addresses are allowed. | string |

Sku

| Name | Description | Value |
| --- | --- | --- |
| name | The name of this Bastion Host. | "Basic", "Developer", "Standard" |