Azure Bastion with Azure Virtual Wan Microsoft #Azure #AzureBastion #AzureNetworking #Vwan #AzOps #blogpost #MVPBuzz

Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native SSH or RDP client already installed on your local computer. The Azure Bastion service is a fully platform-managed PaaS service that you provision inside your virtual . It provides secure and seamless RDP/SSH connectivity to your virtual machines directly over from the Azure portal or via native client. When you connect via Azure Bastion, your virtual machines don't need a public IP address, agent, or special client software.

Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.

A sample setup from Microsoft Learn

In basic the main purpose is get a RDP session to a VM without any direct from the portal.

Bastion SKUs

Azure Bastion has two available SKUs, Basic and Standard and the big difference between hub spoke or singel is that you will need the standard for a Azure virtual wan. only for this option : Connect to VMs via IP address.

don't forget the IP based connection checkbox. copy past is just as you want this.

thats all nice but on

Deploying Azure Bastion within a Virtual WAN hub is not supported. You can deploy Azure Bastion in a spoke VNet and use the IP-based connection feature to connect to virtual machines deployed across a different VNet via the Virtual WAN hub.

So in basic it might be supported and it will work.

what is needed for the bastion ?

What I did is create a new network just for bastion, I used a /26 network use the Subnet

With the default Azure provided DNS I used the NSG, all just as you would do this in any other network.

Here you can see it is part of my virtual wan just as the other networks

A quick overview of the Bastion NSG keep in mind this is important wrong configuration means no connection. This is all by the Microsoft book.

inbound bastion NSG rules

outbound bastion NSG rules

As I used a secure hub, this network need to be peered into the secure hub just as all your other networks in the virtual wan. my vnet remote is peered

A secured virtual hub is an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager. Use secured virtual hubs to easily create hub-and-spoke and transitive architectures with native security services for traffic governance and protection

Here you can see the vnet-remote is connected to the secure hub

In this step there are a few things different as the default route is disabled and the static route is set to no. this can be changed later or just be configured at creation. our net step is setting the security configuration in the secure hub.

As the entry is not the firewall but we create a extra entrance for the bastion in our secure hub virtual network. where I made sure that the internet traffic is unsecured and protected by NSGs.

Well Done all this but I still don't get connection well there is also a firewall in place right it is a secure hub.

just create a Firewall rule open port 3389 or 22 or both if you need it. I use Ip groups so much easier and quicker to update you firewall.

In the destination you can add your destinations (vnets)

Now that the configuration is done it is time to test this.

Keep in mind you have to go to bastion and use the IP number, the bastion option in the VM won't work and will tell you there is no bastion.

So used my IP to the Azure VM and username and password and got a web based connection.

Keep in mind Always use to the Azure portal connection.

Hope it was helpful thanks for visiting my blog.

Follow Me on Twitter @ClusterMVP

Follow My blog

Linkedin Profile Http://

Author: Robert Smit [MVP]

Robert Smit is Senior Technical Evangelist and is a current Microsoft MVP in Clustering as of 2009.
Robert has over 20 years experience in IT with experience in the educational, health-care and finance industries.
Robert's past IT experience in the trenches of IT gives him the knowledge and insight that allows him to communicate effectively with IT professionals
who are trying to address real concerns around business continuity, disaster recovery and regulatory compliance issues. Robert holds the following certifications:
MCT – Microsoft Certified Trainer, MCTS – Windows Server , MCSE, MCSA and MCPS. He is an active participant in the Microsoft newsgroup community and is currently focused on , Clustering, SQL Server, Azure and all things related to Cloud Computing and Infrastructure Optimalization.
Follow Robert on Twitter @ClusterMVP
Or follow his blog
Linkedin Profile Http://

Robert is also capable of transferring his knowledge to others which is a rare feature in the field of IT. He makes a point of not only solving issues but also of giving on the job training of his colleagues.

A customer says ” Robert has been a big influence on our technical staff and I have to come to know him as a brilliant specialist concerning Microsoft Products. He was Capable with his in-depth knowledge of Microsoft products to troubleshoot problems and develop our infrastructure to a higher level. I would certainly hire him again in the future. ”

Details of the Recommendation: “I have been coordinating with Robert implementing a very complex system. Although he was primarily a Microsoft infrastructure specialist; he was able to understand and debug .Net based complext Windows applications and websites. His input to improve performance of applications proved very helpful for the success of our project


This article was originally published by The Windows Server HA Blog. You can find the original article here.