Configure secure access to virtual networks
📘Microsoft Certified: Azure Administrator Associate (AZ-104)
1. What Is Azure Bastion?
Azure Bastion is a fully managed Azure service that allows you to connect securely to your virtual machines (VMs) in Azure without exposing them to the public internet.
It provides secure RDP and SSH access directly through the Azure Portal, using your web browser.
This means:
- No need for public IPs on your VMs
- No need to open RDP (3389) or SSH (22) ports
- Reduced attack surface
- Centralized and encrypted access
Azure Bastion is often used in IT environments where administrators require secure management access to virtual machines without exposing them to external attacks.
2. Why Azure Bastion Is Important for AZ-104 Exam
The AZ-104 exam focuses heavily on securing network access, and Azure Bastion is a key tool for secure VM access. You must understand:
- How Azure Bastion works
- Deployment requirements
- Configuration steps
- Integration with NSGs
- Access methods
- Pricing considerations
3. Key Features of Azure Bastion
Azure Bastion provides:
✔ Browser-based RDP and SSH
You connect to your VMs directly from Azure Portal—no remote desktop client needed.
✔ No Public IP Required
VMs can have private IP addresses only, increasing security.
✔ Built-in Protection
Because the VM’s RDP/SSH ports never open to the internet, attacks like port scanning and brute force attempts are prevented.
✔ Fully Managed
Microsoft manages patching, security updates, scaling, and availability.
✔ Works with Windows and Linux VMs
You can use RDP for Windows and SSH for Linux.
✔ Supports Tunneling (For Native Clients)
You can use an Azure Bastion tunnel to connect with local tools (e.g., SSH client, SQL Management Studio).
✔ Session Recording (Premium)
Records admin sessions for auditing (used in IT security/regulatory environments).
4. Azure Bastion Deployment Requirements
Before deploying Azure Bastion, ensure the following:
☑ Virtual Network Requirement
- Must exist in a virtual network (VNet)
- Azure Bastion is deployed per VNet, not per VM
☑ Dedicated Subnet Required
A specific subnet MUST be created:
Subnet name: AzureBastionSubnet
Minimum size: /26 or larger
Azure Bastion will not work with any other subnet name.
☑ Public IP for Bastion Host
Bastion itself requires one Standard Public IP, but the VMs do not.
☑ NSG Considerations
NSGs should not be applied to the AzureBastionSubnet.
If an NSG is unavoidable, Microsoft recommends a very limited rule set, but the exam expects:
Do NOT attach NSGs to AzureBastionSubnet.
5. Steps to Deploy Azure Bastion (AZ-104 Exam Focus)
Step 1: Create/Use an Existing Virtual Network
- Ensure correct IP address space (e.g., 10.0.0.0/16)
Step 2: Create the AzureBastionSubnet
- Go to VNet → Subnets → Add subnet
- Name must be AzureBastionSubnet
- Use prefix /26 or larger (e.g., 10.0.1.0/26)
Step 3: Create Azure Bastion Host
- Go to Portal → “Bastion” → Create
- Select:
- Resource group
- VNet
- AzureBastionSubnet
- Public IP (Standard SKU)
Step 4: Connect to a VM
- Open VM in portal
- Click “Connect” → “Bastion”
- Enter credentials
- Browser session opens (RDP/SSH)
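The same deployment (Steps 1 to 3) scripted with the Azure CLI, as an added example that is not part of the original guide; the resource group, VNet, subnet, public IP and Bastion names, plus the eastus region, are assumed placeholders:

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): deploy Azure Bastion with the
# Azure CLI. All resource names and the region below are assumptions.
RG="rg-bastion-demo"; LOCATION="eastus"
VNET="vnet-hub"; VNET_PREFIX="10.0.0.0/16"
BASTION_SUBNET="AzureBastionSubnet"; BASTION_PREFIX="10.0.1.0/26"
PIP="pip-bastion-hub"; BASTION="bastion-hub"

# Bastion only accepts a subnet literally named AzureBastionSubnet whose
# prefix is /26 or larger (a prefix length of 26 or less).
# Returns 0 when both requirements hold, 1 otherwise.
check_bastion_subnet() {
  name="$1"; prefix="$2"
  [ "$name" = "AzureBastionSubnet" ] || return 1
  bits="${prefix##*/}"
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac   # prefix length must be numeric
  [ "$bits" -le 26 ]
}

deploy_bastion() {
  set -e
  check_bastion_subnet "$BASTION_SUBNET" "$BASTION_PREFIX"
  az group create --name "$RG" --location "$LOCATION"

  # Step 1: virtual network with the address space used in the guide.
  az network vnet create --resource-group "$RG" --location "$LOCATION" \
    --name "$VNET" --address-prefixes "$VNET_PREFIX"

  # Step 2: the dedicated Bastion subnet; no NSG is attached to it.
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name "$BASTION_SUBNET" --address-prefixes "$BASTION_PREFIX"

  # Step 3a: the single Standard SKU public IP the Bastion host itself needs
  # (the VMs behind it stay on private IPs only).
  az network public-ip create --resource-group "$RG" --location "$LOCATION" \
    --name "$PIP" --sku Standard --allocation-method Static

  # Step 3b: the Bastion host; Standard SKU is what enables native-client tunneling.
  az network bastion create --resource-group "$RG" --location "$LOCATION" \
    --name "$BASTION" --vnet-name "$VNET" --public-ip-address "$PIP" \
    --sku Standard --enable-tunneling true
}

# Deploy only when explicitly requested, so sourcing the file just defines functions.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then deploy_bastion; fi
```

Run with `RUN_DEPLOY=1 ./deploy-bastion.sh` after `az login`; the subnet check fails fast on a wrong name or a prefix smaller than /26 before any resource is created.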
6. How Azure Bastion Works Internally
- User authenticates in Azure Portal (requires RBAC permissions: VM Reader + VM Login or full VM Contributor)
- Azure Bastion sits inside your VNet
- Traffic flows over private IP, encrypted using TLS
- VM never exposes public ports like RDP/SSH externally
- Session is isolated and protected in Azure Portal
7. Azure Bastion Access Methods
Azure Bastion supports multiple access mechanisms:
➡ Web-based RDP/SSH (most common)
Used directly from Azure Portal.
➡ SSH/RDP Client Tunneling (Bastion Native Client support)
You can use commands like:
az network bastion tunnel ...
Useful for IT administrators needing tools such as:
- SQL Server Management Studio
- PuTTY
- VS Code Remote SSH
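A complete tunnel invocation for native clients, as an added example that is not part of the original guide; it assumes a Standard (or higher) SKU Bastion with tunneling enabled, and the resource group, Bastion, VM and user names are placeholders:

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): forward a local port to a VM's
# SSH or RDP port through Azure Bastion so local tools can connect.
# Resource names and the admin username are assumptions.
RG="rg-bastion-demo"; BASTION="bastion-hub"; VM="vm-app01"; ADMIN="azureuser"

# Builds the ARM resource id of the VM that --target-resource-id expects.
vm_resource_id() {   # args: subscription-id resource-group vm-name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s' \
    "$1" "$2" "$3"
}

# Opens a tunnel from local port $1 to port $2 on the VM and keeps it running
# in the foreground; the VM needs no public IP and no inbound NSG rule.
open_tunnel() {
  sub=$(az account show --query id -o tsv)
  az network bastion tunnel --resource-group "$RG" --name "$BASTION" \
    --target-resource-id "$(vm_resource_id "$sub" "$RG" "$VM")" \
    --resource-port "$2" --port "$1"
}

# Usage (run the tunnel in the background, then connect over localhost):
#   open_tunnel 2222 22 &    # Linux VM: then  ssh -p 2222 "$ADMIN@127.0.0.1"
#   open_tunnel 3390 3389 &  # Windows VM: then point the RDP client at 127.0.0.1:3390
```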
➡ Bastion Shareable Links
Generate a temporary secure link to allow controlled access to a VM without giving portal access.
8. Azure Bastion SKU Types
1. Basic SKU
- Standard browser-based RDP/SSH
- Single instance
- No autoscaling
2. Standard SKU
- Autoscaling
- Tunneling support
- Shareable links
3. Premium SKU
- Session recording
- Advanced audit controls
- More enterprise features
Exam Tip:
If the question mentions session recording, compliance, or auditing, the answer is:
Azure Bastion Premium SKU
9. Security Benefits of Using Azure Bastion
Azure Bastion improves security in several ways:
✔ Eliminates Public IPs on VMs
VMs can remain completely private.
✔ No Need for Inbound NSG Rules
RDP/SSH ports stay closed.
✔ Prevents Brute-Force Attacks
Attackers cannot scan or reach RDP/SSH endpoints.
✔ Integrated with Azure AD Authentication (For Linux SSH)
Supports tighter access policies using Azure AD.
✔ Managed & Updated by Microsoft
Security patches applied automatically.
10. Common Use Cases in IT Environments
Azure Bastion is used when:
- Administrators need secure access to production VMs
- Organizations want to avoid maintaining jump servers
- Companies follow zero-trust security models
- Security teams require that no public IPs exist on workloads
- Teams need temporary access to VMs through secure links
- Developers need remote access to test VMs without leaking credentials
11. Permissions Required to Use Bastion
To connect to a VM using Azure Bastion, a user needs:
Required Azure RBAC Permissions
- Reader (to see the VM)
- Virtual Machine User Login or Virtual Machine Administrator Login
Or
- Contributor on the VM or resource group
This is exam-relevant.
12. Azure Bastion Pricing (Conceptual)
You should know pricing includes:
- Hourly cost for the Bastion host
- Data transfer cost
- Standard and Premium SKUs cost more
Exam Tip:
Azure Bastion is charged even when not used, as long as it is deployed.
13. Azure Bastion vs. Jump Box (Exam Comparison)
| Feature | Azure Bastion | Jump Box VM |
|---|---|---|
| Public IP required | No | Yes (usually) |
| Management | Fully managed | You manage OS, updates |
| Security | High | Lower, depends on admin |
| Scaling | Automatic (Standard SKU) | Manual |
| Portal access | Yes | No, requires RDP/SSH client |
Exam questions often test when to choose Bastion vs. Jump box → Bastion is more secure and easier.
14. Azure Bastion Best Practices
- Use private IP VMs only
- Deploy Bastion per VNet (hub VNet recommended in large networks)
- Use Standard or Premium SKU for enterprise workloads
- Ensure subnet prefix is /26 or larger
- Do not attach NSGs to AzureBastionSubnet
- Enable session recording for compliance environments (Premium SKU)
- Monitor usage with Azure Monitor logs
15. AZ-104 Exam Tips for Azure Bastion
Expect exam questions like:
- “How to securely access a VM without exposing public IP?”
  Answer: Deploy Azure Bastion
- “What is the required subnet name?”
  Answer: AzureBastionSubnet
- “What size must the subnet be?”
  Answer: At least /26
- “What ports does Bastion require on VMs?”
  Answer: None—no inbound ports
- “Which SKU supports session recording?”
  Answer: Premium
- “What permissions are needed to log in?”
  Answer: Virtual Machine User Login / Admin Login RBAC roles
Final Summary
Azure Bastion is a secure, managed service used to access Azure VMs privately through the Azure portal using RDP or SSH. It removes the need for public IPs, protects VMs from internet threats, simplifies administration, and is essential knowledge for the AZ-104 exam.
If you study and understand everything in this guide, you will be fully prepared to answer any Azure Bastion–related questions on the AZ-104 exam.
