About Azure Bastion configuration settings (2024)

The sections in this article discuss the resources and settings for Azure Bastion.

SKUs

A SKU is also known as a Tier. Azure Bastion supports multiple SKU tiers. When you configure Bastion, you select the SKU tier. You decide the SKU tier based on the features that you want to use. The following table shows the availability of features per corresponding SKU.

Feature                                                | Developer SKU | Basic SKU | Standard SKU | Premium SKU
-------------------------------------------------------|---------------|-----------|--------------|------------
Connect to target VMs in same virtual network          | Yes           | Yes       | Yes          | Yes
Connect to target VMs in peered virtual networks       | No            | Yes       | Yes          | Yes
Support for concurrent connections                     | No            | Yes       | Yes          | Yes
Access Linux VM Private Keys in Azure Key Vault (AKV)  | No            | Yes       | Yes          | Yes
Connect to Linux VM using SSH                          | Yes           | Yes       | Yes          | Yes
Connect to Windows VM using RDP                        | Yes           | Yes       | Yes          | Yes
Connect to Linux VM using RDP                          | No            | No        | Yes          | Yes
Connect to Windows VM using SSH                        | No            | No        | Yes          | Yes
Specify custom inbound port                            | No            | No        | Yes          | Yes
Connect to VMs using Azure CLI                         | No            | No        | Yes          | Yes
Host scaling                                           | No            | No        | Yes          | Yes
Upload or download files                               | No            | No        | Yes          | Yes
Kerberos authentication                                | No            | Yes       | Yes          | Yes
Shareable link                                         | No            | No        | Yes          | Yes
Connect to VMs via IP address                          | No            | No        | Yes          | Yes
VM audio output                                        | Yes           | Yes       | Yes          | Yes
Disable copy/paste (web-based clients)                 | No            | No        | Yes          | Yes
Session recording                                      | No            | No        | No           | Yes
Private-only deployment                                | No            | No        | No           | Yes

Developer SKU

The Bastion Developer SKU is a free, lightweight SKU. This SKU is ideal for Dev/Test users who want to securely connect to their VMs, but don't need additional Bastion features or host scaling. With the Developer SKU, you can connect to one Azure VM at a time directly through the virtual machine connect page.

When you deploy Bastion using the Developer SKU, the deployment requirements are different than when you deploy using other SKUs. Typically when you create a bastion host, a host is deployed to the AzureBastionSubnet in your virtual network. The Bastion host is dedicated for your use. When you use the Developer SKU, a bastion host isn't deployed to your virtual network and you don't need an AzureBastionSubnet. However, the Developer SKU bastion host isn't a dedicated resource. Instead, it's part of a shared pool.

Because the Developer SKU bastion resource isn't dedicated, the features for the Developer SKU are limited. See the Bastion configuration settings SKU section for features listed by SKU. You can always upgrade the Developer SKU to a higher SKU if you need to support more features. See Upgrade a SKU.

The Developer SKU is currently available in the following regions:

  • Central US EUAP
  • East US 2 EUAP
  • West Central US
  • North Central US
  • West US
  • North Europe

Premium SKU (Preview)

The Premium SKU is a new SKU that supports Bastion features such as Session Recording and Private-Only Bastion. When you deploy Bastion, select the Premium SKU only if you need the features that it supports.

Specify SKU

Method           | SKU Value              | Links
-----------------|------------------------|-----------
Azure portal     | Tier - Developer       | Quickstart
Azure portal     | Tier - Basic           | Quickstart
Azure portal     | Tier - Basic or higher | Tutorial
Azure PowerShell | Tier - Basic or higher | How-to
Azure CLI        | Tier - Basic or higher | How-to

Upgrade a SKU

You can always upgrade a SKU to add more features. For more information, see Upgrade a SKU.

Note

Downgrading a SKU is not supported. To downgrade, you must delete and recreate Azure Bastion.

Azure Bastion subnet

Important

For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work, but we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of host scaling in the future.

When you deploy Azure Bastion using any SKU except the Developer SKU, Bastion requires a dedicated subnet named AzureBastionSubnet. You must create this subnet in the same virtual network that you want to deploy Azure Bastion to. The subnet must have the following configuration:

  • Subnet name must be AzureBastionSubnet.
  • Subnet size must be /26 or larger (/25, /24, etc.).
  • For host scaling, a /26 or larger subnet is recommended. Using a smaller subnet space limits the number of scale units. For more information, see the Host scaling section of this article.
  • The subnet must be in the same virtual network and resource group as the bastion host.
  • The subnet can't contain other resources.

You can configure this setting using the following methods:

Method           | Value         | Links
-----------------|---------------|---------------------
Azure portal     | Subnet        | Quickstart, Tutorial
Azure PowerShell | -subnetName   | cmdlet
Azure CLI        | --subnet-name | command

Public IP address

Azure Bastion deployments, except Developer SKU and Private-only, require a Public IP address. The Public IP must have the following configuration:

  • The Public IP address SKU must be Standard.
  • The Public IP address assignment/allocation method must be Static.
  • The Public IP address name is the resource name by which you want to refer to this public IP address.
  • You can choose to use a public IP address that you already created, as long as it meets the criteria required by Azure Bastion and isn't already in use.

You can configure this setting using the following methods:

Method           | Value              | Links
-----------------|--------------------|-------------
Azure portal     | Public IP address  | Azure portal
Azure PowerShell | -PublicIpAddress   | cmdlet
Azure CLI        | --public-ip create | command

Instances and host scaling

An instance is an optimized Azure VM that is created when you configure Azure Bastion. It's fully managed by Azure and runs all of the processes needed for Azure Bastion. An instance is also referred to as a scale unit. You connect to client VMs via an Azure Bastion instance. When you configure Azure Bastion using the Basic SKU, two instances are created. If you use the Standard SKU or higher, you can specify the number of instances (with a minimum of two instances). This is called host scaling.

Each instance can support 20 concurrent RDP connections and 40 concurrent SSH connections for medium workloads (see Azure subscription limits and quotas for more information). The number of connections per instance depends on what actions you're taking when connected to the client VM. For example, if you're doing something data intensive, it creates a larger load for the instance to process. Once the concurrent session limit is exceeded, another scale unit (instance) is required.

Instances are created in the AzureBastionSubnet. To allow for host scaling, the AzureBastionSubnet should be /26 or larger. Using a smaller subnet limits the number of instances you can create. For more information about the AzureBastionSubnet, see the subnets section in this article.

You can configure this setting using the following methods:

Method           | Value          | Links  | Requires Standard SKU or higher
-----------------|----------------|--------|--------------------------------
Azure portal     | Instance count | How-to | Yes
Azure PowerShell | ScaleUnit      | How-to | Yes

Custom ports

You can specify the port that you want to use to connect to your VMs. By default, the inbound ports used to connect are 3389 for RDP and 22 for SSH. If you configure a custom port value, specify that value when you connect to the VM.

Custom port values are supported for the Standard SKU or higher only.
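As an added example (not code from the article or from Azure), the following Python pre-deployment check encodes the requirements stated above for the subnet, the public IP address, the instance count and the SKU-gated features, so a misconfigured plan is caught before anything is deployed. The BastionPlan fields, the feature keys and the sample plan are this example's own; the per-instance session figures are the medium-workload numbers from the article.

```python
import ipaddress
from dataclasses import dataclass, field
from math import ceil

# Feature gates from the SKU table in this article, ranked lowest to highest SKU.
SKU_RANK = {"Developer": 0, "Basic": 1, "Standard": 2, "Premium": 3}
MIN_SKU_FOR = {"custom_port": "Standard", "host_scaling": "Standard",
               "session_recording": "Premium", "private_only": "Premium"}
RDP_PER_INSTANCE, SSH_PER_INSTANCE = 20, 40   # medium-workload figures from the article

@dataclass
class BastionPlan:                 # hypothetical structure describing a planned deployment
    sku: str
    subnet_name: str = ""
    subnet_prefix: str = ""        # e.g. "10.0.1.0/26"; unused for the Developer SKU
    public_ip_sku: str = ""
    public_ip_allocation: str = ""
    scale_units: int = 2
    features: set = field(default_factory=set)

def scale_units_needed(rdp_sessions: int, ssh_sessions: int) -> int:
    """Instances required for the expected concurrent load, never below the two-instance minimum."""
    return max(2, ceil(rdp_sessions / RDP_PER_INSTANCE), ceil(ssh_sessions / SSH_PER_INSTANCE))

def validate(plan: BastionPlan) -> list:
    """Return a list of findings; an empty list means the plan meets the documented requirements."""
    findings = []
    for feat in sorted(plan.features):
        if SKU_RANK[plan.sku] < SKU_RANK[MIN_SKU_FOR[feat]]:
            findings.append(f"{feat} requires the {MIN_SKU_FOR[feat]} SKU or higher, plan uses {plan.sku}")
    if plan.sku == "Developer":
        return findings            # Developer SKU deploys no AzureBastionSubnet and no public IP
    if plan.subnet_name != "AzureBastionSubnet":
        findings.append("subnet must be named AzureBastionSubnet")
    try:
        if ipaddress.ip_network(plan.subnet_prefix, strict=True).prefixlen > 26:
            findings.append(f"subnet {plan.subnet_prefix} is smaller than /26")
    except ValueError:
        findings.append(f"subnet prefix {plan.subnet_prefix!r} is not a valid network")
    if "private_only" not in plan.features:   # private-only deployments need no public IP
        if plan.public_ip_sku != "Standard":
            findings.append("public IP SKU must be Standard")
        if plan.public_ip_allocation != "Static":
            findings.append("public IP allocation method must be Static")
    if plan.scale_units < 2:
        findings.append("instance count cannot be below 2")
    if plan.scale_units > 2 and SKU_RANK[plan.sku] < SKU_RANK["Standard"]:
        findings.append("more than two instances requires the Standard SKU or higher")
    return findings
```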

Shareable link

The Bastion Shareable Link feature lets users connect to a target resource using Azure Bastion without accessing the Azure portal.

When a user without Azure credentials selects a shareable link, a webpage opens that prompts the user to sign in to the target resource via RDP or SSH. Users authenticate using a username and password or a private key, depending on what you configured in the Azure portal for that target resource. Users can connect to the same resources that you can currently connect to with Azure Bastion: VMs or virtual machine scale sets.

Method       | Value          | Links     | Requires Standard SKU or higher
-------------|----------------|-----------|--------------------------------
Azure portal | Shareable Link | Configure | Yes

Private-only deployment

Private-only Bastion deployments lock down workloads end-to-end by creating a non-internet routable deployment of Bastion that allows only private IP address access. Private-only Bastion deployments don't allow connections to the bastion host via public IP address. In contrast, a regular Azure Bastion deployment allows users to connect to the bastion host using a public IP address. For more information, see Deploy Bastion as private-only.

Session recording

When the Azure Bastion Session recording feature is enabled, you can record the graphical sessions for connections made to virtual machines (RDP and SSH) via the bastion host. After the session is closed or disconnected, recorded sessions are stored in a blob container within your storage account (via SAS URL). When a session is disconnected, you can access and view your recorded sessions in the Azure portal on the Session Recording page. Session recording requires the Bastion Premium SKU. For more information, see Bastion session recording.

Availability zones

Some regions support the ability to deploy Azure Bastion in an availability zone (or multiple, for zone redundancy). To deploy zonally, deploy Bastion using manually specified settings (don't deploy using the automatic default settings). Specify the desired availability zones at the time of deployment. You can't change zonal availability after Bastion is deployed.

Support for Availability Zones is currently in preview. During preview, the following regions are available:

  • East US
  • Australia East
  • East US 2
  • Central US
  • Qatar Central
  • South Africa North
  • West Europe
  • West US 2
  • North Europe
  • Sweden Central
  • UK South
  • Canada Central

Next steps

For frequently asked questions, see the Azure Bastion FAQ.
