az network bastion
Note
This reference is part of the bastion extension for the Azure CLI (version 2.62.0 or higher). The extension will automatically install the first time you run an az network bastion command. Learn more about extensions.
Manage Azure Bastion host machines.
Commands
Name | Description | Type | Status |
---|---|---|---|
az network bastion create | Create the specified Bastion Host. | Extension | GA |
az network bastion delete | Delete the specified Bastion Host. | Extension | GA |
az network bastion list | List all Bastion Hosts in a resource group. | Extension | GA |
az network bastion rdp | RDP to target Virtual Machine using Tunneling from Azure Bastion. | Extension | GA |
az network bastion show | Get the specified Bastion Host. | Extension | GA |
az network bastion ssh | SSH to a virtual machine using Tunneling from Azure Bastion. | Extension | GA |
az network bastion tunnel | Open a tunnel through Azure Bastion to a target virtual machine. | Extension | GA |
az network bastion update | Update the specified Bastion Host. | Extension | GA |
az network bastion wait | Place the CLI in a waiting state until a condition is met. | Extension | GA |
az network bastion create
Create the specified Bastion Host.
az network bastion create --name
--public-ip-address
--resource-group
--vnet-name
[--disable-copy-paste {0, 1, f, false, n, no, t, true, y, yes}]
[--enable-ip-connect {0, 1, f, false, n, no, t, true, y, yes}]
[--enable-tunneling {0, 1, f, false, n, no, t, true, y, yes}]
[--file-copy {0, 1, f, false, n, no, t, true, y, yes}]
[--kerberos {0, 1, f, false, n, no, t, true, y, yes}]
[--location]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--scale-units]
[--session-recording {0, 1, f, false, n, no, t, true, y, yes}]
[--shareable-link {0, 1, f, false, n, no, t, true, y, yes}]
[--sku {Basic, Premium, Standard}]
[--tags]
[--zones]
Examples
Create an Azure Bastion host machine.
az network bastion create --location westus2 --name MyBastionHost --public-ip-address MyPublicIpAddress --resource-group MyResourceGroup --vnet-name MyVnet
Create an Azure Bastion host machine with zones.
az network bastion create --location westus2 --name MyBastionHost --public-ip-address MyPublicIpAddress --resource-group MyResourceGroup --vnet-name MyVnet --zones 1 2 3
Required Parameters
--name: The name of the Bastion Host.
--public-ip-address: Name or ID of Azure Public IP. The SKU of the public IP must be Standard.
--resource-group: Resource group name of the Bastion Host.
--vnet-name: Name of the virtual network. It must have a subnet called AzureBastionSubnet.
Optional Parameters
--disable-copy-paste: Enable/Disable Copy/Paste feature of the Bastion Host resource.
--enable-ip-connect: Enable/Disable IP Connect feature of the Bastion Host resource.
--enable-tunneling: Enable/Disable Tunneling feature of the Bastion Host resource.
--file-copy: Enable/Disable File Copy feature of the Bastion Host resource.
--kerberos: Enable/Disable Kerberos feature of the Bastion Host resource.
--location: Resource location.
--no-wait: Do not wait for the long-running operation to finish.
--scale-units: The scale units for the Bastion Host resource.
--session-recording: Enable/Disable Session Recording feature of the Bastion Host resource.
--shareable-link: Enable/Disable Shareable Link of the Bastion Host resource.
--sku: Sku of this Bastion Host.
--tags: Resource tags. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
--zones: A list of availability zones denoting where the resource needs to come from. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
Global Parameters
--debug: Increase logging verbosity to show all debug logs.
--help: Show this help message and exit.
--only-show-errors: Only show errors, suppressing warnings.
--output: Output format.
--query: JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose: Increase logging verbosity. Use --debug for full debug logs.
az network bastion delete
Delete the specified Bastion Host.
az network bastion delete [--ids]
[--name]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--resource-group]
[--subscription]
[--yes]
Examples
Delete an Azure Bastion host machine.
az network bastion delete --name MyBastionHost --resource-group MyResourceGroup
Optional Parameters
--ids: One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--name: The name of the Bastion Host.
--no-wait: Do not wait for the long-running operation to finish.
--resource-group: Resource group name of the Bastion Host.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--yes: Do not prompt for confirmation.
az network bastion list
List all Bastion Hosts in a resource group.
az network bastion list [--max-items]
[--next-token]
[--resource-group]
Examples
List all Azure Bastion host machines in a resource group.
az network bastion list -g MyResourceGroup
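Added example (not part of the original reference or the Azure CLI project): a Python check that reads the JSON from `az network bastion list` and reports which hosts have the optional access features documented on this page turned on, together with the `az network bastion update` flags that turn them off. The sample JSON is constructed, its camelCase field names and the defaults for absent fields are assumptions to confirm against real output, and the all-features-off baseline is a hypothetical policy.

```python
import json

# Constructed sample of `az network bastion list -g MyResourceGroup -o json`.
# Field names are assumed to be the camelCase form of the CLI flags.
SAMPLE_LIST_OUTPUT = """
[
  {"name": "MyBastionHost", "resourceGroup": "MyResourceGroup",
   "sku": {"name": "Standard"}, "enableTunneling": true,
   "enableIpConnect": true, "enableShareableLink": true,
   "enableFileCopy": false, "disableCopyPaste": false},
  {"name": "LockedDownBastion", "resourceGroup": "MyResourceGroup",
   "sku": {"name": "Premium"}, "enableTunneling": false,
   "enableIpConnect": false, "enableShareableLink": false,
   "enableFileCopy": false, "disableCopyPaste": true},
  {"name": "BasicBastion", "resourceGroup": "MyResourceGroup",
   "sku": {"name": "Basic"}}
]
"""

# (field, value that deviates from the baseline, assumed default, fix flag)
CHECKS = [
    ("enableShareableLink", True, False, "--shareable-link false"),
    ("enableIpConnect", True, False, "--enable-ip-connect false"),
    ("enableTunneling", True, False, "--enable-tunneling false"),
    ("enableFileCopy", True, False, "--file-copy false"),
    ("disableCopyPaste", False, False, "--disable-copy-paste true"),
]


def audit(hosts, checks=CHECKS):
    """Return {host name: [update flags that restore the baseline]}."""
    report = {}
    for host in hosts:
        fixes = []
        for field, deviating, default, fix in checks:
            value = host.get(field)
            if value is None:  # absent or null: fall back to the assumed default
                value = default
            if value == deviating:
                fixes.append(fix)
        if fixes:
            report[host["name"]] = fixes
    return report


def update_command(host, fixes):
    """Build one update command applying every fix for a host."""
    return "az network bastion update --name {} --resource-group {} {}".format(
        host["name"], host["resourceGroup"], " ".join(fixes))


if __name__ == "__main__":
    hosts = json.loads(SAMPLE_LIST_OUTPUT)
    report = audit(hosts)
    for host in hosts:
        if host["name"] in report:
            print(update_command(host, report[host["name"]]))
```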
Optional Parameters
--max-items: Total number of items to return in the command's output. If the total number of items available is more than the value specified, a token is provided in the command's output. To resume pagination, provide the token value in --next-token argument of a subsequent command.
--next-token: Token to specify where to start paginating. This is the token value from a previously truncated response.
--resource-group: Resource group name of the Bastion Host.
az network bastion rdp
RDP to target Virtual Machine using Tunneling from Azure Bastion.
az network bastion rdp [--auth-type]
[--configure]
[--disable-gateway {false, true}]
[--enable-mfa {false, true}]
[--ids]
[--name]
[--resource-group]
[--resource-port]
[--subscription]
[--target-ip-address]
[--target-resource-id]
Examples
RDP to virtual machine using Azure Bastion.
az network bastion rdp --name MyBastionHost --resource-group MyResourceGroup --target-resource-id vmResourceId
RDP to machine using reachable IP address.
az network bastion rdp --name MyBastionHost --resource-group MyResourceGroup --target-ip-address 10.0.0.1
Optional Parameters
--auth-type: Auth type to use for RDP connections.
--configure: Flag to configure RDP session.
--disable-gateway: Flag to disable access through RD gateway.
--enable-mfa: Login to AAD enabled Windows machines using new protocol that authenticates using MFA if supported by target machine. Available on Windows 10 20H2+, Windows 11 21H2+, WS 2022.
--ids: One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--name: Name of the bastion host.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--resource-port: Resource port of the target VM to which the bastion will connect.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--target-ip-address: IP address of target Virtual Machine.
--target-resource-id: ResourceId of the target Virtual Machine.
az network bastion show
Get the specified Bastion Host.
az network bastion show [--ids]
[--name]
[--resource-group]
[--subscription]
Examples
Show an Azure Bastion host machine.
az network bastion show --name MyBastionHost --resource-group MyResourceGroup
Optional Parameters
--ids: One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--name: The name of the Bastion Host.
--resource-group: Resource group name of the Bastion Host.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
az network bastion ssh
SSH to a virtual machine using Tunneling from Azure Bastion.
az network bastion ssh --auth-type
[--ids]
[--name]
[--resource-group]
[--resource-port]
[--ssh-key]
[--subscription]
[--target-ip-address]
[--target-resource-id]
[--username]
[<SSH_ARGS>]
Examples
SSH to virtual machine using Azure Bastion using password.
az network bastion ssh --name MyBastionHost --resource-group MyResourceGroup --target-resource-id vmResourceId --auth-type password --username xyz
SSH to virtual machine using Azure Bastion using ssh key file.
az network bastion ssh --name MyBastionHost --resource-group MyResourceGroup --target-resource-id vmResourceId --auth-type ssh-key --username xyz --ssh-key C:/filepath/sshkey.pem
SSH to virtual machine using Azure Bastion using AAD.
az network bastion ssh --name MyBastionHost --resource-group MyResourceGroup --target-resource-id vmResourceId --auth-type AAD
SSH to virtual machine using Azure Bastion using AAD, while supplying additional SSH arguments.
az network bastion ssh --name MyBastionHost --resource-group MyResourceGroup --target-resource-id vmResourceId --auth-type AAD -- -L 8080:127.0.0.1:8080
Required Parameters
--auth-type: Auth type to use for SSH connections.
Optional Parameters
--ids: One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--name: Name of the bastion host.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--resource-port: Resource port of the target VM to which the bastion will connect.
--ssh-key: SSH key file location for SSH connections.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--target-ip-address: IP address of target Virtual Machine.
--target-resource-id: ResourceId of the target Virtual Machine.
--username: User name for SSH connections.
<SSH_ARGS>: Additional arguments passed to OpenSSH.
az network bastion tunnel
Open a tunnel through Azure Bastion to a target virtual machine.
az network bastion tunnel --port
--resource-port
[--ids]
[--name]
[--resource-group]
[--subscription]
[--target-ip-address]
[--target-resource-id]
[--timeout]
Examples
Open a tunnel through Azure Bastion to a target virtual machine using resourceId.
az network bastion tunnel --name MyBastionHost --resource-group MyResourceGroup --target-resource-id vmResourceId --resource-port 22 --port 50022
Open a tunnel through Azure Bastion to a target virtual machine using its IP address.
az network bastion tunnel --name MyBastionHost --resource-group MyResourceGroup --target-ip-address 10.0.0.1 --resource-port 22 --port 50022
Required Parameters
--port: Local port to use for the tunneling.
--resource-port: Resource port of the target VM to which the bastion will connect.
Optional Parameters
--ids: One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--name: Name of the bastion host.
--resource-group: Name of resource group. You can configure the default group using az configure --defaults group=<name>.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--target-ip-address: IP address of target Virtual Machine.
--target-resource-id: ResourceId of the target Virtual Machine.
--timeout: Timeout for connection to bastion host tunnel.
az network bastion update
Update the specified Bastion Host.
az network bastion update [--add]
[--bastion-host-name]
[--disable-copy-paste {0, 1, f, false, n, no, t, true, y, yes}]
[--dns-name]
[--enable-ip-connect {0, 1, f, false, n, no, t, true, y, yes}]
[--enable-tunneling {0, 1, f, false, n, no, t, true, y, yes}]
[--file-copy {0, 1, f, false, n, no, t, true, y, yes}]
[--force-string {0, 1, f, false, n, no, t, true, y, yes}]
[--ids]
[--ip-configurations]
[--kerberos {0, 1, f, false, n, no, t, true, y, yes}]
[--location]
[--network-acls]
[--no-wait {0, 1, f, false, n, no, t, true, y, yes}]
[--remove]
[--resource-group]
[--scale-units]
[--session-recording {0, 1, f, false, n, no, t, true, y, yes}]
[--set]
[--shareable-link {0, 1, f, false, n, no, t, true, y, yes}]
[--sku]
[--subscription]
[--tags]
[--virtual-network]
[--zones]
Examples
Update an Azure Bastion host machine to enable native client support.
az network bastion update --name MyBastionHost --resource-group MyResourceGroup --enable-tunneling
Optional Parameters
--add: Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
--bastion-host-name: The name of the Bastion Host.
--disable-copy-paste: Enable/Disable Copy/Paste feature of the Bastion Host resource.
--dns-name: FQDN for the endpoint on which bastion host is accessible.
--enable-ip-connect: Enable/Disable IP Connect feature of the Bastion Host resource.
--enable-tunneling: Enable/Disable Tunneling feature of the Bastion Host resource.
--file-copy: Enable/Disable File Copy feature of the Bastion Host resource.
--force-string: When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
--ids: One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--ip-configurations: IP configuration of the Bastion Host resource. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
--kerberos: Enable/Disable Kerberos feature of the Bastion Host resource.
--location: Resource location.
--network-acls: ACL rules for Developer Bastion Host. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
--no-wait: Do not wait for the long-running operation to finish.
--remove: Remove a property or an element from a list. Example: --remove property.list <indexToRemove> OR --remove propertyToRemove.
--resource-group: Resource group name of the Bastion Host.
--scale-units: The scale units for the Bastion Host resource.
--session-recording: Enable/Disable Session Recording feature of the Bastion Host resource.
--set: Update an object by specifying a property path and value to set. Example: --set property1.property2=<value>.
--shareable-link: Enable/Disable Shareable Link of the Bastion Host resource.
--sku: The sku of this Bastion Host. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--tags: Resource tags. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
--virtual-network: Reference to an existing virtual network required for Developer Bastion Host only. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
--zones: A list of availability zones denoting where the resource needs to come from. Support shorthand-syntax, json-file and yaml-file. Try "??" to show more.
az network bastion wait
Place the CLI in a waiting state until a condition is met.
az network bastion wait [--bastion-host-name]
[--created]
[--custom]
[--deleted]
[--exists]
[--ids]
[--interval]
[--resource-group]
[--subscription]
[--timeout]
[--updated]
Optional Parameters
--bastion-host-name: The name of the Bastion Host.
--created: Wait until created with 'provisioningState' at 'Succeeded'.
--custom: Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].
--deleted: Wait until deleted.
--exists: Wait until the resource exists.
--ids: One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
--interval: Polling interval in seconds.
--resource-group: Resource group name of the Bastion Host.
--subscription: Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--timeout: Maximum wait in seconds.
--updated: Wait until updated with provisioningState at 'Succeeded'.