Commit 76433ee

Merge pull request #267414 from cherylmc/Bastion-faq1
Update bastion-faq.md
2 parents c0d18a4 + c41a269 commit 76433ee

File tree

1 file changed

+33
-33
lines changed

articles/bastion/bastion-faq.md

Lines changed: 33 additions & 33 deletions
@@ -4,12 +4,12 @@ description: Learn about frequently asked questions for Azure Bastion.
44
author: cherylmc
55
ms.service: bastion
66
ms.topic: conceptual
7-
ms.date: 01/18/2024
7+
ms.date: 02/27/2024
88
ms.author: cherylmc
99
---
1010
# Azure Bastion FAQ
1111

12-
## <a name="host"></a>Bastion FAQs
12+
## <a name="host"></a>Bastion service and deployment FAQs
1313

1414
### <a name="browsers"></a>Which browsers are supported?
1515

@@ -29,13 +29,11 @@ Azure Bastion doesn't move or store customer data out of the region it's deploye
2929

3030
### <a name="vwan"></a>Does Azure Bastion support Virtual WAN?
3131

32-
Yes, you can use Azure Bastion for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub isn't supported. You can deploy Azure Bastion in a spoke VNet and use the [IP-based connection](connect-ip-address.md) feature to connect to virtual machines deployed across a different VNet via the Virtual WAN hub. If the Azure Virtual WAN hub will be integrated with Azure Firewall as a [Secured Virtual Hub](../firewall-manager/secured-virtual-hub.md), the AzureBastionSubnet must reside within a Virtual Network where the default 0.0.0.0/0 route propagation is disabled at the VNet connection level.
32+
Yes, you can use Azure Bastion for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub isn't supported. You can deploy Azure Bastion in a spoke virtual network and use the [IP-based connection](connect-ip-address.md) feature to connect to virtual machines deployed across a different virtual network via the Virtual WAN hub. If the Azure Virtual WAN hub will be integrated with Azure Firewall as a [Secured Virtual Hub](../firewall-manager/secured-virtual-hub.md), the AzureBastionSubnet must reside within a Virtual Network where the default 0.0.0.0/0 route propagation is disabled at the virtual network connection level.
3333

34-
### <a name="vwan"></a>Does Azure Bastion support Virtual WAN?
35-
36-
### <a name="forcedtunnel"></a>Can I use Azure Bastion if I am force-tunneling Internet traffic back to On-Premises?
34+
### <a name="forcedtunnel"></a>Can I use Azure Bastion if I'm force-tunneling Internet traffic back to my on-premises location?
3735

38-
No, if you are advertising a default route (0.0.0.0/0) over ExpressRoute or VPN, and this route is being injected in to your Virtual Networks, this will break the Azure Bastion service.
36+
No, if you're advertising a default route (0.0.0.0/0) over ExpressRoute or VPN, and this route is being injected in to your Virtual Networks, this will break the Azure Bastion service.
3937

4038
Azure Bastion needs to be able to communicate with certain internal endpoints to successfully connect to target resources. Therefore, you *can* use Azure Bastion with Azure Private DNS Zones as long as the zone name you select doesn't overlap with the naming of these internal endpoints. Before you deploy your Azure Bastion resource, make sure that the host virtual network isn't linked to a private DNS zone with the following exact names:
4139

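Review bot: Line 32+ still mixes "Virtual Network" and "virtual network" within one sentence, and 36+ keeps "Virtual Networks" capitalized and "injected in to" (should be "into"); since the stated purpose of this pass is to standardize on "virtual network", suggest lowercasing both and writing "injected into your virtual networks". Dropping the duplicated `### <a name="vwan"></a>` heading at 34- is the right call: two identical `name` anchors on one page mean fragment links resolve only to the first.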
@@ -46,21 +44,25 @@ Azure Bastion needs to be able to communicate with certain internal endpoints to
4644
* vault.azure.net
4745
* azure.com
4846

49-
You may use a private DNS zone ending with one of the names listed above (ex: privatelink.blob.core.windows.net).
47+
You can use a private DNS zone ending with one of the names in the previous list (ex: privatelink.blob.core.windows.net).
5048

5149
Azure Bastion isn't supported with Azure Private DNS Zones in national clouds.
5250

51+
### My privatelink.azure.com can't resolve to management.privatelink.azure.com
52+
53+
This might be due to the private DNS zone for privatelink.azure.com linked to the Bastion virtual network causing management.azure.com CNAMEs to resolve to management.privatelink.azure.com behind the scenes. Create a CNAME record in their privatelink.azure.com zone for management.privatelink.azure.com to arm-frontdoor-prod.trafficmanager.net to enable successful DNS resolution.
54+
5355
### <a name="dns"></a>Does Azure Bastion support Private Link?
5456

55-
No, Azure Bastion doesn't currently support private link.
57+
No, Azure Bastion doesn't currently support Azure Private Link.
5658

5759
### Why do I get a "Failed to add subnet" error when using "Deploy Bastion" in the portal?
5860

5961
At this time, for most address spaces, you must add a subnet named **AzureBastionSubnet** to your virtual network before you select **Deploy Bastion**.
6062

6163
### <a name="subnet"></a>Can I have an Azure Bastion subnet of size /27 or smaller (/28, /29, etc.)?
6264

63-
For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure Bastion resources deployed in subnets of size /27 prior to this date are unaffected by this change and will continue to work. However, we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of [host scaling](./configure-host-scaling.md) in the future.
65+
For Azure Bastion resources deployed on or after November 2, 2021, the minimum AzureBastionSubnet size is /26 or larger (/25, /24, etc.). All Azure Bastion resources deployed in subnets of size /27 before this date are unaffected by this change and will continue to work. However, we highly recommend increasing the size of any existing AzureBastionSubnet to /26 in case you choose to take advantage of [host scaling](./configure-host-scaling.md) in the future.
6466

6567
### <a name="subnet"></a> Can I deploy multiple Azure resources in my Azure Bastion subnet?
6668

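Review bot: The relocated section at 51+ ("My privatelink.azure.com can't resolve to management.privatelink.azure.com") has no `<a name>` anchor while every neighboring heading does, and 53+ says "in their privatelink.azure.com zone" where the reader is being addressed, so it should read "your". Since 53+ hardcodes a CNAME target (arm-frontdoor-prod.trafficmanager.net) that readers will copy into their private zone, confirm it is still the current value at merge time; a stale DNS target in published guidance fails silently. Separately, the `<a name="dns">` anchor on "Does Azure Bastion support Private Link?" (55 context) does not describe its heading; keep it if links depend on it, otherwise a name such as "private-link" would be clearer.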
@@ -88,21 +90,21 @@ No. Downgrading a SKU isn't supported. For more information about SKUs, see the
8890

8991
No, Bastion connectivity to Azure Virtual Desktop isn't supported.
9092

91-
### <a name="session"></a>Why do I get "Your session has expired" error message before the Bastion session starts?
92-
93-
A session should be initiated only from the Azure portal. Sign in to the Azure portal and begin your session again. If you go to the URL directly from another browser session or tab, this error is expected. It helps ensure that your session is more secure and that the session can be accessed only through the Azure portal.
94-
9593
### <a name="udr"></a>How do I handle deployment failures?
9694

97-
Review any error messages and [raise a support request in the Azure portal](../azure-portal/supportability/how-to-create-azure-support-request.md) as needed. Deployment failures may result from [Azure subscription limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md). Specifically, customers may encounter a limit on the number of public IP addresses allowed per subscription that causes the Azure Bastion deployment to fail.
95+
Review any error messages and [raise a support request in the Azure portal](../azure-portal/supportability/how-to-create-azure-support-request.md) as needed. Deployment failures can result from [Azure subscription limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md). Specifically, customers might encounter a limit on the number of public IP addresses allowed per subscription that causes the Azure Bastion deployment to fail.
9896

9997
### <a name="dr"></a>How do I incorporate Azure Bastion in my Disaster Recovery plan?
10098

101-
Azure Bastion is deployed within VNets or peered VNets, and is associated to an Azure region. You're responsible for deploying Azure Bastion to a Disaster Recovery (DR) site VNet. In the event of an Azure region failure, perform a failover operation for your VMs to the DR region. Then, use the Azure Bastion host that's deployed in the DR region to connect to the VMs that are now deployed there.
99+
Azure Bastion is deployed within virtual networks or peered virtual networks, and is associated to an Azure region. You're responsible for deploying Azure Bastion to a Disaster Recovery (DR) site virtual network. If there is an Azure region failure, perform a failover operation for your VMs to the DR region. Then, use the Azure Bastion host that's deployed in the DR region to connect to the VMs that are now deployed there.
100+
101+
### <a name="move-virtual-network"></a>Does Bastion support moving a VNet to another resource group?
102+
103+
No. If you move your virtual network to another resource group (even if it's in the same subscription), you'll need to first delete Bastion from virtual network, and then proceed to move the virtual network to the new resource group. Once the virtual network is in the new resource group, you can deploy Bastion to the virtual network.
102104

103105
### <a name="zone-redundant"></a>Does Bastion support zone redundancies?
104106

105-
Currently, by default, new Bastion deployments don't support zone redundancies. Previously deployed bastions may or may not be zone-redundant. The exceptions are Bastion deployments in Korea Central and Southeast Asia, which do support zone redundancies.
107+
Currently, by default, new Bastion deployments don't support zone redundancies. Previously deployed bastions might or might not be zone-redundant. The exceptions are Bastion deployments in Korea Central and Southeast Asia, which do support zone redundancies.
106108

107109
### <a name="azure-ad-guests"></a>Does Bastion support Microsoft Entra guest accounts?
108110

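Review bot: The new heading at 101+ says "moving a VNet" while this same change replaces "VNet" with "virtual network" everywhere else (99+, 36+, 32+); suggest "moving a virtual network to another resource group" for consistency. In 103+, "delete Bastion from virtual network" is missing "the". Also note the `<a name="udr">` anchor on "How do I handle deployment failures?" (93 context) does not match its heading; unchanged here, but worth a follow-up if anchors are being cleaned up.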
@@ -112,7 +114,7 @@ Yes, [Microsoft Entra guest accounts](../active-directory/external-identities/wh
112114

113115
No, custom domains aren't supported with Bastion shareable links. Users receive a certificate error upon trying to add specific domains in the CN/SAN of the Bastion host certificate.
114116

115-
## <a name="vm"></a>VM features and connection FAQs
117+
## <a name="vm"></a>VM connection and available features FAQs
116118

117119
### <a name="roles"></a>Are any roles required to access a virtual machine?
118120

@@ -125,6 +127,10 @@ In order to make a connection, the following roles are required:
125127

126128
Additionally, the user must have the rights (if required) to connect to the VM. For example, if the user is connecting to a Windows VM via RDP and isn't a member of the local Administrators group, they must be a member of the Remote Desktop Users group.
127129

130+
### <a name="session"></a>Why do I get "Your session has expired" error message before the Bastion session starts?
131+
132+
If you go to the URL directly from another browser session or tab, this error is expected. It helps ensure that your session is more secure and that the session can be accessed only through the Azure portal. Sign in to the Azure portal and begin your session again.
133+
128134
### <a name="publicip"></a>Do I need a public IP on my virtual machine to connect via Azure Bastion?
129135

130136
No. When you connect to a VM using Azure Bastion, you don't need a public IP on the Azure virtual machine that you're connecting to. The Bastion service opens the RDP/SSH session/connection to your virtual machine over the private IP of your virtual machine, within your virtual network.
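Review bot: The relocated answer at 132+ drops the original lead sentence from 93- ("A session should be initiated only from the Azure portal."), which was the direct answer to the question; the new text opens with the failure case and leaves the rule implicit. Suggest restoring that sentence at the start of 132+. The heading at 130+ also reads "get "Your session has expired" error message" and needs "a" or "the" before "error message".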
@@ -167,7 +173,7 @@ This feature doesn't work with AADJ VM extension-joined machines using Microsoft
167173

168174
### <a name="rdscal-compatibility"></a>Is Bastion compatible with VMs set up as RDS session hosts?
169175

170-
Bastion does not support connecting to a VM that is set up as an RDS session host.
176+
Bastion doesn't support connecting to a VM that is set up as an RDS session host.
171177

172178
### <a name="keyboard"></a>Which keyboard layouts are supported during the Bastion remote session?
173179

@@ -207,11 +213,15 @@ Currently, 1920x1080 (1080p) is the maximum supported resolution.
207213

208214
### <a name="timezone"></a>Does Azure Bastion support timezone configuration or timezone redirection for target VMs?
209215

210-
Azure Bastion currently doesn't support timezone redirection and isn't timezone configurable. Timezone settings for a VM can be manually updated after successfully connecting to the Guest OS.
216+
Azure Bastion currently doesn't support timezone redirection and isn't timezone configurable. Timezone settings for a VM can be manually updated after successfully connecting to the Guest OS.
211217

212218
### <a name="disconnect"></a>Will an existing session disconnect during maintenance on the Bastion host?
213219

214-
Yes, existing sessions on the target Bastion resource will disconnect during maintenance on the Bastion resource.
220+
Yes, existing sessions on the target Bastion resource will disconnect during maintenance on the Bastion resource.
221+
222+
### I'm connecting to a VM using a JIT policy, do I need additional permissions?
223+
224+
If user is connecting to a VM using a JIT policy, there are no additional permissions needed. For more information on connecting to a VM using a JIT policy, see [Enable just-in-time access on VMs](../defender-for-cloud/just-in-time-access-usage.md).
215225

216226
## <a name="peering"></a>VNet peering FAQs
217227

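Review bot: Lines 210-/216+ and 214-/220+ show identical text, so the change there is invisible in the rendered diff (most likely trailing whitespace or line endings); confirm it is intentional rather than editor noise. In the relocated JIT section, 224+ still says "If user is connecting" (missing "a"), and the heading at 222+ changes "I am" to "I'm" relative to 248-, which changes the auto-generated heading slug; because there is no explicit `<a name>` anchor, any existing deep link to this question breaks. Suggest adding an anchor such as `<a name="jit"></a>` (name is a suggestion) so the link is stable.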
@@ -221,13 +231,13 @@ Yes. By default, a user sees the Bastion host that is deployed in the same virtu
221231

222232
### If my peered VNets are deployed in different subscriptions, will connectivity via Bastion work?
223233

224-
Yes, connectivity via Bastion will continue to work for peered VNets across different subscription for a single Tenant. Subscriptions across two different Tenants aren't supported. To see Bastion in the **Connect** drop down menu, the user must select the subs they have access to in **Subscription > global subscription**.
234+
Yes, connectivity via Bastion will continue to work for peered virtual networks across different subscription for a single Tenant. Subscriptions across two different Tenants aren't supported. To see Bastion in the **Connect** drop down menu, the user must select the subs they have access to in **Subscription > global subscription**.
225235

226236
:::image type="content" source="./media/bastion-faq/global-subscriptions.png" alt-text="Global subscriptions filter." lightbox="./media/bastion-faq/global-subscriptions.png":::
227237

228238
### I have access to the peered VNet, but I can't see the VM deployed there.
229239

230-
Make sure the user has **read** access to both the VM, and the peered VNet. Additionally, check under IAM that the user has **read** access to following resources:
240+
Make sure the user has **read** access to both the VM, and the peered virtual network. Additionally, check under IAM that the user has **read** access to following resources:
231241

232242
* Reader role on the virtual machine.
233243
* Reader role on the NIC with private IP of the virtual machine.
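Review bot: 234+ carries over grammar the edit did not fix: "across different subscription" should be "subscriptions", "the subs they have access to" should be "the subscriptions they have access to", and "drop down menu" is normally "drop-down menu". Likewise 240+ still reads "access to following resources" and needs "the". Since both lines were already being touched, these could be fixed in the same pass.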
@@ -245,16 +255,6 @@ Make sure the user has **read** access to both the VM, and the peered VNet. Addi
245255
|Microsoft.Network/virtualNetworks/subnets/virtualMachines/read|Gets references to all the virtual machines in a virtual network subnet|Action|
246256
|Microsoft.Network/virtualNetworks/virtualMachines/read|Gets references to all the virtual machines in a virtual network|Action|
247257

248-
### I am connecting to a VM using a JIT policy, do I need additional permissions?
249-
250-
If user is connecting to a VM using a JIT policy, there is no additional permissions needed. For more information on connecting to a VM using a JIT policy, see [Enable just-in-time access on VMs](../defender-for-cloud/just-in-time-access-usage.md)
251-
252-
### My privatelink.azure.com can't resolve to management.privatelink.azure.com
253-
254-
This may be due to the Private DNS zone for privatelink.azure.com linked to the Bastion virtual network causing management.azure.com CNAMEs to resolve to management.privatelink.azure.com behind the scenes. Create a CNAME record in their privatelink.azure.com zone for management.privatelink.azure.com to arm-frontdoor-prod.trafficmanager.net to enable successful DNS resolution.
255-
256-
257-
258258
## Next steps
259259

260260
For more information, see [What is Azure Bastion](bastion-overview.md).
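Review bot: Both sections removed here (248- through 254-) were relocated earlier in this diff, so the deletion itself is fine; the relocated JIT copy also fixes "there is no additional permissions needed" from 250- to "there are no". Before merging, grep the repo for links to the old auto-generated slugs of these two headings, since neither had an explicit anchor and the JIT heading text changed in the move.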
