MicrosoftDocs
diff --git a/‎articles/bastion/TOC.yml
Lines changed: 2 additions & 2 deletions b/‎articles/bastion/TOC.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/bastion/connect-vm-native-client-linux.md
Lines changed: 58 additions & 28 deletions b/‎articles/bastion/connect-vm-native-client-linux.md
Lines changed: 58 additions & 28 deletions
diff --git a/‎articles/bastion/connect-vm-native-client-windows.md
Lines changed: 60 additions & 53 deletions b/‎articles/bastion/connect-vm-native-client-windows.md
Lines changed: 60 additions & 53 deletions
@@ -79,10 +79,10 @@
         href: bastion-connect-vm-ssh-linux.md
   - name: Connect to a VM - native client
     items:
-    - name: Connect from Linux client
-      href: connect-vm-native-client-linux.md
     - name: Connect from Windows client
       href: connect-vm-native-client-windows.md
+    - name: Connect from Linux client
+      href: connect-vm-native-client-linux.md
   - name: Connect to a VM - IP address
     href: connect-ip-address.md
   - name: Connect to a VM scale set
 
@@ -5,58 +5,88 @@ description: Learn how to connect to a VM from a Linux computer by using Bastion
 author: cherylmc
 ms.service: bastion
 ms.topic: how-to
-ms.date: 06/12/2023
+ms.date: 06/23/2023
 ms.author: cherylmc
 ---
 
 # Connect to a VM using Bastion and a Linux native client
 
-This article helps you connect to a VM in the VNet using the native client (SSH or RDP) on your local computer using the **az network bastion tunnel** command. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Azure Active Directory (Azure AD). For more information and steps to configure Bastion for native client connections, see [Configure Bastion for native client connections](native-client.md). Connections via native client require the Bastion Standard SKU.
+This article helps you connect via Azure Bastion to a VM in VNet using the native client on your local Linux computer. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Azure Active Directory (Azure AD). For more information and steps to configure Bastion for native client connections, see [Configure Bastion for native client connections](native-client.md). Connections via native client require the Bastion Standard SKU.
 
 :::image type="content" source="./media/native-client/native-client-architecture.png" alt-text="Diagram shows a connection via native client." lightbox="./media/native-client/native-client-architecture.png":::
 
-After you've configured Bastion for native client support, you can connect to a VM using the **az network bastion tunnel** command. When you use this command, you can do the following:
+After you've configured Bastion for native client support, you can connect to a VM using a native Linux client. The method you use to connect depends on both the client you're connecting from, and the VM you're connecting to. The following list shows some of the available ways you can connect from a Linux native client. See [Connect to VMs](native-client.md#connect) for the full list showing available client connection/feature combinations.
 
-  * Use native clients on *non*-Windows local computers (example: a Linux computer).
-  * Use the native client of your choice. (This includes the Windows native client.)
-  * Connect using SSH or RDP. (The bastion tunnel doesn't relay web servers or hosts.)
-  * Set up concurrent VM sessions with Bastion.
-  * [Upload files](vm-upload-download-native.md#tunnel-command) to your target VM from your local computer. File download from the target VM to the local client is currently not supported for this command.
+* Connect to a Linux VM using **az network bastion ssh**.
+* Connect to a Windows VM using **az network bastion tunnel**.
+* Connect to any VM using **az network bastion tunnel**.
+* [Upload files](vm-upload-download-native.md#tunnel-command) to your target VM over SSH using **az network bastion tunnel**. File download from the target VM to the local client is currently not supported for this command.
 
-Limitations:
-
-* Signing in using an SSH private key stored in Azure Key Vault isn’t supported with this feature. Before signing in to your Linux VM using an SSH key pair, download your private key to a file on your local machine.
-* This feature isn't supported on Cloud Shell.
-
-## <a name="prereq"></a>Prerequisites
+## Prerequisites
 
 [!INCLUDE [VM connect prerequisites](../../includes/bastion-native-pre-vm-connect.md)]
 
-## <a name="verify"></a>Verify roles and ports
+## Verify roles and ports
 
 Verify that the following roles and ports are configured in order to connect to the VM.
 
 [!INCLUDE [roles and ports](../../includes/bastion-native-roles-ports.md)]
 
-## <a name="connect-tunnel"></a>Connect to a VM
+## <a name="ssh"></a>Connect to a Linux VM
 
-This section helps you connect to your virtual machine from native clients on *non*-Windows local computers (example: Linux) using the **az network bastion tunnel** command. You can also connect using this method from a Windows computer. This is helpful when you require an SSH connection and want to upload files to your VM. The bastion tunnel supports RDP/SSH connection, but doesn't relay web servers or hosts.
+The steps in the following sections help you connect to a Linux VM from a Linux native client using the **az network bastion** command.  This extension can be installed by running, `az extension add --name ssh`.
 
-This connection supports file upload from the local computer to the target VM. For more information, see [Upload files](vm-upload-download-native.md).
+When you connect using this command, file transfers aren't supported. If you want to upload files, connect using the [az network bastion tunnel](#tunnel) command instead.
 
-[!INCLUDE [non-Windows-clients](../../includes/bastion-native-non-windows.md)]
+This command lets you do the following:
 
-## <a name="connect-IP"></a>Connect to VM via IP Address
+* Connect to a Linux VM using SSH.
+* Authenticate via Azure Active Directory
+* Connect to concurrent VM sessions within the virtual network.
 
-[!INCLUDE [IP address](../../includes/bastion-native-ip-address.md)]
+To sign in, use one of the following examples. Once you sign in to your target VM, the native client on your computer opens up with your VM session.
+
+**SSH key pair**
+
+To sign in to your VM using an SSH key pair, use the following example.
+
+```azurecli
+az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"
+```
+
+**Azure AD authentication**
+
+If you’re signing in to an Azure AD login-enabled VM, use the following example. For more information, see [Azure Linux VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md).
+
+```azurecli
+az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "AAD"
+```
+
+**Username/password**
 
-Use the following command as an example:
-   
-   **Tunnel:**
-   
-   ```azurecli
-   az network bastion tunnel --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-address "<VMIPAddress>" --resource-port "<TargetVMPort>" --port "<LocalMachinePort>"
-   ```
+If you’re signing in to your VM using a local username and password, use the following example. You’ll then be prompted for the password for the target VM.
+
+```azurecli
+az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "password" --username "<Username>"
+```
+
+#### <a name="VM-IP"></a>SSH to a Linux VM IP address
+
+You can connect to a VM private IP address instead of the resource ID. Be aware that Azure AD authentication, and custom ports and protocols aren't supported when using this type of connection. For more information about IP-based connections, see [Connect to a VM - IP address](connect-ip-address.md).
+
+Using the `az network bastion` command, replace `--target-resource-id` with `--target-ip-address` and the specified IP address to connect to your VM. The following example uses --ssh-key for the authentication method.
+
+```azurecli
+az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-addres "<VMIPAddress>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"
+```
+
+## <a name="tunnel"></a>Connect to a VM - tunnel command
+
+[!INCLUDE [tunnel command](../../includes/bastion-native-connect-tunnel.md)]
+
+### <a name="tunnel-IP"></a>Tunnel to a VM IP address
+
+[!INCLUDE [IP address](../../includes/bastion-native-ip-address.md)]
 
 ## Next steps
 
 
@@ -5,7 +5,7 @@ description: Learn how to connect to a VM from a Windows computer by using Basti
 author: cherylmc
 ms.service: bastion
 ms.topic: how-to
-ms.date: 06/12/2023
+ms.date: 06/23/2023
 ms.author: cherylmc
 ---
 
@@ -15,16 +15,13 @@ This article helps you connect to a VM in the VNet using the native client (SSH
 
 :::image type="content" source="./media/native-client/native-client-architecture.png" alt-text="Diagram shows a connection via native client." lightbox="./media/native-client/native-client-architecture.png":::
 
-After you've configured Bastion for native client support, you can connect to a VM using the native Windows client. This lets you do the following:
+After you've configured Bastion for native client support, you can connect to a VM using a native Windows client. The method you use to connect depends on both the client you're connecting from, and the VM you're connecting to. The following list shows some of the available ways you can connect from a Windows native client. See [Connect to VMs](native-client.md#connect) for the full list showing available client connection/feature combinations.
 
-  * Connect using SSH or RDP.
-  * [Upload and download files](vm-upload-download-native.md#rdp) over RDP.
-  * If you want to connect using SSH and need to upload files to your target VM, you can use the instructions for the [az network bastion tunnel](connect-vm-native-client-linux.md) command instead.
-
-Limitations:
-
-* Signing in using an SSH private key stored in Azure Key Vault isn’t supported with this feature. Before signing in to your Linux VM using an SSH key pair, download your private key to a file on your local machine.
-* This feature isn't supported on Cloud Shell.
+* Connect to a Windows VM using **az network bastion rdp**.
+* Connect to a Linux VM using **az network bastion ssh**.
+* Connect to a VM using **az network bastion tunnel**.
+* [Upload and download files](vm-upload-download-native.md#rdp) over RDP.
+* Upload files over SSH using **az network bastion tunnel**.
 
 ## <a name="prereq"></a>Prerequisites
 
@@ -36,60 +33,70 @@ Verify that the following roles and ports are configured in order to connect to
 
 [!INCLUDE [roles and ports](../../includes/bastion-native-roles-ports.md)]
 
-## <a name="connect-windows"></a>Connect to a Windows VM
+## Connect to a VM
 
-1. Sign in to your Azure account. If you have more than one subscription, select the subscription containing your Bastion resource.
-
-   ```azurecli
-   az login
-   az account list
-   az account set --subscription "<subscription ID>"
-   ```
+The steps in the following sections help you connect to a VM from a Windows native client using the **az network bastion** command.
 
-1. Sign in to your target Windows VM using one of the following example options. If you want to specify a custom port value, you should also include the field **--resource-port** in the sign-in command.
+### <a name="connect-windows"></a>RDP to a Windows VM
 
-   **RDP:**
+1. Sign in to your Azure account using `az login`. If you have more than one subscription, you can view them using `az account list` and select the subscription containing your Bastion resource using `az account set --subscription "<subscription ID>"`.
 
-   To connect via RDP, use the following command. You’ll then be prompted to input your credentials. You can use either a local username and password, or your Azure AD credentials. For more information, see [Azure Windows VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md).
+1. To connect via RDP, use the following example.
 
    ```azurecli
    az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>"
    ```
 
+1. After running the command, you're prompted to input your credentials. You can use either a local username and password, or your Azure AD credentials. Once you sign in to your target VM, the native client on your computer opens up with your VM session via **MSTSC**.
+
    > [!IMPORTANT]
-   > Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are Azure AD registered (starting with Windows 10 20H1), Azure AD joined, or hybrid Azure AD joined to the *same* directory as the VM. 
+   > Remote connection to VMs that are joined to Azure AD is allowed only from Windows 10 or later PCs that are Azure AD registered (starting with Windows 10 20H1), Azure AD joined, or hybrid Azure AD joined to the *same* directory as the VM.
 
-   **SSH:**
+#### Specify authentication method
 
-   The extension can be installed by running, ```az extension add --name ssh```. To sign in using an SSH key pair, use the following example.
+Optionally, you can also specify the authentication method as part of the command.
 
-   ```azurecli
-   az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"
-   ```
+* **Azure AD authentication:** `--auth-type "AAD"` For more information, see [Azure Windows VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-windows.md).
 
-   Once you sign in to your target VM, the native client on your computer opens up with your VM session; **MSTSC** for RDP sessions, and **SSH CLI extension (az ssh)** for SSH sessions.
+* **User name and password:** `--auth-type "password" --username "<Username>"`
 
-## <a name="connect-linux"></a>Connect to a Linux VM
+#### Specify a custom port
 
-1. Sign in to your Azure account. If you have more than one subscription, select the subscription containing your Bastion resource.
+You can specify a custom port when you connect to a Windows VM via RDP.
 
-   ```azurecli
-   az login
-   az account list
-   az account set --subscription "<subscription ID>"
-   ```
+One scenario where this could be especially useful would be connecting to a Windows VM via port 22. This is a potential workaround for the limitation with the *az network bastion ssh* command, which can't be used by a Windows native client to connect to a Windows VM.
+
+To specify a custom port, include the field **--resource-port** in the sign-in command, as shown in the following example.
+
+```azurecli
+az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>" --resource-port "22"
+```
+
+#### RDP to a Windows VM IP address
+
+You can also connect to a VM private IP address, instead of the resource ID. Azure AD authentication, and custom ports and protocols aren't supported when using this type of connection. For more information about IP-based connections, see [Connect to a VM - IP address](connect-ip-address.md).
 
-1. Sign in to your target Linux VM using one of the following example options. If you want to specify a custom port value, you should also include the field **--resource-port** in the sign-in command.
+Using the `az network bastion` command, replace `--target-resource-id` with `--target-ip-address` and the specified IP address to connect to your VM.
+
+```azurecli
+az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-address "<VMIPAddress>"
+```
+
+### <a name="connect-linux"></a>SSH to a Linux VM
+
+1. Sign in to your Azure account using `az login`. If you have more than one subscription, you can view them using `az account list` and select the subscription containing your Bastion resource using `az account set --subscription "<subscription ID>"`.
+
+1. Sign in to your target Linux VM using one of the following example options. If you want to specify a custom port value, include the field **--resource-port** in the sign-in command.
 
    **Azure AD:**
 
    If you’re signing in to an Azure AD login-enabled VM, use the following command. For more information, see [Azure Linux VMs and Azure AD](../active-directory/devices/howto-vm-sign-in-azure-ad-linux.md).
 
      ```azurecli
-     az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type  "AAD"
+     az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "AAD"
      ```
 
-   **SSH:**
+   **SSH key pair:**
 
    The extension can be installed by running, ```az extension add --name ssh```. To sign in using an SSH key pair, use the following example.
 
@@ -105,25 +112,25 @@ Verify that the following roles and ports are configured in order to connect to
       az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "password" --username "<Username>"
       ```
 
-   1. Once you sign in to your target VM, the native client on your computer opens up with your VM session; **MSTSC** for RDP sessions, and **SSH CLI extension (az ssh)** for SSH sessions.
+1. Once you sign in to your target VM, the native client on your computer opens up with your VM session using **SSH CLI extension (az ssh)**.
 
-## <a name="connect-IP"></a>Connect to VM via IP Address
+#### SSH to a Linux VM IP address
 
-[!INCLUDE [IP address](../../includes/bastion-native-ip-address.md)]
+You can also connect to a VM private IP address, instead of the resource ID. Azure AD authentication, and custom ports and protocols aren't supported when using this type of connection. For more information about IP-based connections, see [Connect to a VM - IP address](connect-ip-address.md).
 
-Use the following commands as examples:
+Using the `az network bastion` command, replace `--target-resource-id` with `--target-ip-address` and the specified IP address to connect to your VM.
 
-   **RDP:**
-   
-   ```azurecli
-   az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-address "<VMIPAddress>
-   ```
-   
-   **SSH:**
-   
-   ```azurecli
-   az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-addres "<VMIPAddress>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"
-   ```
+```azurecli
+az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-address "<VMIPAddress>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"
+```
+
+## Connect to a VM - tunnel command
+
+[!INCLUDE [tunnel command](../../includes/bastion-native-connect-tunnel.md)]
+
+### <a name="tunnel-IP"></a>Tunnel to a VM IP address
+
+[!INCLUDE [IP address](../../includes/bastion-native-ip-address.md)]
 
 ## Next steps