IP-based connection lets you connect to your on-premises, non-Azure, and Azure virtual machines via Azure Bastion over ExpressRoute or a VPN site-to-site connection using a specified private IP address. The steps in this article show you how to configure your Bastion deployment, and then connect to an on-premises resource using IP-based connection. For more information about Azure Bastion, see the Overview.
Note
This configuration requires the Standard SKU tier for Azure Bastion. To upgrade, see Upgrade a SKU.
Limitations
IP-based connection won’t work with force tunneling over VPN, or when a default route is advertised over an ExpressRoute circuit. Azure Bastion requires access to the Internet and force tunneling, or the default route advertisem*nt will result in traffic blackholing.
Microsoft Entra authentication isn't supported for RDP connections. Microsoft Entra authentication is supported for SSH connections via native client.
Custom ports and protocols aren't currently supported when connecting to a VM via native client.
UDR isn't supported on Bastion subnet, including with IP-based connection.
Prerequisites
Before you begin these steps, verify that you have the following environment set up:
A VNet with Bastion already deployed.
Make sure that you have deployed Bastion to the virtual network. Once the Bastion service is provisioned and deployed in your virtual network, you can use it to connect to any VM deployed in any of the virtual networks that is reachable from Bastion.
In the Azure portal, go to your Bastion deployment.
IP based connection requires the Standard SKU tier. On the Configuration page, for Tier, verify the tier is set to the Standard SKU. If the tier is set to the Basic SKU, select Standard from the dropdown.
To enable IP based connection, select IP based connection.
Select Apply to apply the changes. It takes a few minutes for the Bastion configuration to complete.
Connect to VM - Azure portal
To connect to a VM using a specified private IP address, you make the connection from Bastion to the VM, not directly from the VM page. On your Bastion page, select Connect to open the Connect page.
On the Bastion Connect page, for IP address, enter the private IP address of the target VM.
Adjust your connection settings to the desired Protocol and Port.
Enter your credentials in Username and Password.
Select Connect to connect to your virtual machine.
Connect to VM - native client
You can connect to VMs using a specified IP address with native client via SSH, RDP, or tunneling. To learn more about configuring native client support, see Configure Bastion native client support.
Note
This feature does not currently support Microsoft Entra authentication or custom port and protocol.
Use the following commands as examples:
RDP:
az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-address "<VMIPAddress>
To connect to a VM using a specified private IP address, you make the connection from Bastion to the VM, not directly from the VM page. On your Bastion page, select Connect to open the Connect page. On the Bastion Connect page, for IP address, enter the private IP address of the target VM.
In the Azure portal, go to the virtual machine that you want to connect to. On the Overview page, select Connect, then select Bastion from the dropdown to open the Bastion page. You can also select Bastion from the left pane. On the Bastion page, enter the required authentication credentials, then click Connect.
There isn't a requirement for a separate public IP on the virtual machine when connecting via Azure Bastion. Traffic is first routed to the public IP of Bastion. Bastion then routes RDP or SSH connections to the private IP address associated with the virtual machine.
Azure Bastion deployments require a Public IP address, except Developer SKU deployments. The Public IP must have the following configuration: The Public IP address SKU must be Standard. The Public IP address assignment/allocation method must be Static.
Connect to the virtual machine via VNC or SPICE. To do so, in VMmanager go to Virtual machines → click on the VM name → VNC (SPICE). Right click on the network connection → Properties. Check that IPv6 (TCP/IPv6) is enabled.
Azure Bastion is deployed within virtual networks or peered virtual networks, and is associated to an Azure region. You're responsible for deploying Azure Bastion to a Disaster Recovery (DR) site virtual network.
So I initiate a bastion session from the Azure portal: from my VM page I click on connect > bastion, I fill in my credentials (I use a password from an Azure Key Vault), and click on connect.
Azure Bastion is a fully managed service that provides more secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to virtual machines (VMs) without any exposure through public IP addresses.
The primary difference between bastion hosts and VPNs is that a bastion host, by necessity, creates a single point of entry or failure, whereas a VPN creates separate encrypted private tunnels for each connection.
Each correct answer presents a complete solution. Here's the best way to solve it. You can deploy the Azure Bastion service using either the Azure portal or Azure PowerShell.
For example, for "medium" workload each instance can support 20 concurrent RDP and 40 concurrent SSH sessions. For Azure Bastion Basic SKU, you are limited to 2 instances, whereas with Standard SKU you can have up to 50 instances.
A virtual network in Azure can have private and public IP addresses. Private IP addresses are only accessible from within the virtual network and public IP addresses can be accessed from the internet as well. You can access private IP addresses from a VPN Gateway or an ExpressRoute connection.
Azure Virtual Machines is the main compute service in Azure. Customers can create Linux or Windows virtual machines. A public IP address can be assigned to a virtual machine for inbound connections to the virtual machine. A virtual machine doesn't require a public IP address for its configuration.
Like Azure Bastion, using a VPN connection to remotely connect to a virtual machine, a VPN connection does not require your virtual machine to have a public IP address assigned to it, which simplifies NSG management and reduce the cost associated with the virtual machine.
Address: Apt. 203 613 Huels Gateway, Ralphtown, LA 40204
Phone: +2135150832870
Job: Regional Design Producer
Hobby: Nordic skating, Lacemaking, Mountain biking, Rowing, Gardening, Water sports, role-playing games
Introduction: My name is Fredrick Kertzmann, I am a gleaming, encouraging, inexpensive, thankful, tender, quaint, precious person who loves writing and wants to share my knowledge and understanding with you.
We notice you're using an ad blocker
Without advertising income, we can't keep making this site awesome for you.
