Blogpost: Azure Bastion news

Azure Bastion news

Main content

In that short Blogpost, I’m describing the different SKUs of Azure Bastion and also the different functionalities. I also describe the new features for the “standard” SKU like

  • IP based connection
  • Native client support

!Important! booth features are in preview.

Azure Bastion

Azure bastion is the most important service when we speak about remote connections without the ability to use a VPN connection or something else. Azure Bastion works as a reverse proxy and is fully implemented into the Azure Portal. You can connect to VMs (Port 3389 or 22) hosted in Azure and connected in the same vNet directly or connected over vNet peering.

I love that feature and often implement it into my customer environments because it’s

  • Fast
  • Secure
  • Easy

But there is also a bad thing too, Azure bastion is not the cheapest service, for the basic SKU you have to pay around 140€/Month excluding the egress traffic. But from the other perspective, it’s a fully managed service and you pay for a service with the criteria above.

Okay, let’s cover the new preview features. Before we start, we have to think about the different SKUs which are available. Azure bastion came with two different SKUs the

  • Basic
  • Standard

Here is a short overview of the difference between booth SKUs.

Basic SKU
Standard SKU
Connect to target VMs in peered virtual networksAvailableAvailable
Access Linux VM Private Keys in Azure Key Vault (AKV)AvailableAvailable
Host scalingN/AAvailable
Specify custom inbound portN/AAvailable
Connect to Linux VM using RDPN/AAvailable
Connect to Windows VM using SSHN/AAvailable

Today we want to have a look at the new two preview features present above. Those features are in preview and available for the “Standard SKU” Okay so let’s start with the first one.

IP based connection

A cool new feature. In the past and with the “basic” SKU you only can connect to VMs hosted in Azure and connected into the same or peered vNet. With the new SKU and the new preview feature, you are now able to connect to VMs that are reachable by the Azure Bastion Host. Huge investment and for my point of view, the perfect way to bring the Azure Bastion host into a hybrid cloud scenario. The next preview feature is also very interesting.

Native client support

Okay, so let’s start with the past. In the past and with the “basic” SKU you only can connect to VMs in Azure over an HTML compatible browser, which all current browsers are. But with the “standard” SKU you are now able to connect over the native Windows client (MSTSC) to the VM over the private IP.

Private IP, how should that work without a VPN?.

It will trust me. But before we can do this, we have to enable that feature during the installation or on existing “standard” SKU environments. You can find the setting when you open the “Configuration” section of Azure Bastion.

Enable the native client support
Install the latest Azure CLI

Then we have to install the latest Azure CLI version. You can find it here.

When everything is installed and configured, we use the Azure CLI to the VM over the private IP. To do this open the command line and execute the following command first

az login
az account list
az account set --subscription "<subscription ID>"

The command above logs you in into Azure AD, get all subscriptions and select the right subscription where the Azure Bastion service is installed. With the following command, you can connect to a Linux us Windows VM over their private IP.

Connect to Linux VM:

az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>" --auth-type  "AAD"

Connect to Windows VM:

az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>"

There are some other requirements. To connect to a VM you need one of the following RBAC permissions.

  • Reader role on the virtual machine.
  • Reader role on the NIC with private IP of the virtual machine.
  • Reader role on the Azure Bastion resource.
  • Virtual Machine Administrator Login or Virtual Machine User Login role, if you are using the Azure AD login method.


As mentioned above, I love the Azure Bastion service, and now there are different SKUs available. For the foundation, the basic SKU is for my point of view enough, but for enterprise environments, you have to think about the “standard” SKU because you have much more features and auto-scaling options in place.

Get more information’s on my channels

Feel free to write me an E-Mail or ping me on the social channels listed below.

Similar Posts