Merge pull request #194433 from cherylmc/bas-ipconnect

Bastion IP connect feature

Author: laurabren

articles/bastion/TOC.yml

@@ -71,6 +71,8 @@
         href: bastion-connect-vm-ssh-linux.md
   - name: Connect to a VM - native client
     href: connect-native-client-windows.md
+  - name: Connect to a VM - IP address
+    href: connect-ip-address.md
   - name: Connect to a VM scale set
     href: bastion-connect-vm-scale-set.md
   - name: Connect to DevTest Labs VMs

articles/bastion/bastion-faq.md

@@ -4,7 +4,7 @@ description: Learn about frequently asked questions for Azure Bastion.
 author: cherylmc
 ms.service: bastion
 ms.topic: conceptual
-ms.date: 03/22/2022
+ms.date: 04/26/2022
 ms.author: cherylmc
 ---
 # Azure Bastion FAQ
@@ -27,9 +27,13 @@ At this time, IPv6 isn't supported. Azure Bastion supports IPv4 only. This means
 
 Azure Bastion doesn't move or store customer data out of the region it's deployed in.
 
+### <a name="vwan"></a>Does Azure Bastion support Virtual WAN?
+
+Yes, you can use Azure Bastion for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub isn't supported. You can deploy Azure Bastion in a spoke VNet and use the [IP-based connection](connect-ip-address.md) feature to connect to virtual machines deployed across a different VNet via the Virtual WAN hub. For more information, see [Set up routing configuration for a virtual network connection](../virtual-wan/how-to-virtual-hub-routing.md#routing-configuration).
+
 ### <a name="dns"></a>Can I use Azure Bastion with Azure Private DNS Zones?
 
-Azure Bastion needs to be able to communicate with certain internal endpoints to successfully connect to target resources. Therefore, you *can* use Azure Bastion with Azure Private DNS Zones as long as the zone name you select doesn't overlap with the naming of these internal endpoints. Before you deploy your Azure Bastion resource, please make sure that the host virtual network is not linked to a private DNS zone with the following exact names:
+Azure Bastion needs to be able to communicate with certain internal endpoints to successfully connect to target resources. Therefore, you *can* use Azure Bastion with Azure Private DNS Zones as long as the zone name you select doesn't overlap with the naming of these internal endpoints. Before you deploy your Azure Bastion resource, make sure that the host virtual network isn't linked to a private DNS zone with the following exact names:
 
 * management.azure.com
 * blob.core.windows.net
@@ -40,7 +44,7 @@ Azure Bastion needs to be able to communicate with certain internal endpoints to
 
 You may use a private DNS zone ending with one of the names listed above (ex: dummy.blob.core.windows.net).
 
-The use of Azure Bastion is also not supported with Azure Private DNS Zones in national clouds.
+Azure Bastion isn't supported with Azure Private DNS Zones in national clouds.
 
 ### <a name="subnet"></a>Can I have an Azure Bastion subnet of size /27 or smaller (/28, /29, etc.)?
 

articles/bastion/connect-ip-address.md

@@ -0,0 +1,68 @@
+---
+title: 'Connect to a VM - specified private IP address: Azure portal'
+titleSuffix: Azure Bastion
+description: Learn how to connect to your virtual machines using a specified private IP address via Azure Bastion.
+author: cherylmc
+
+ms.service: bastion
+ms.topic: how-to
+ms.date: 04/26/2022
+ms.author: cherylmc
+
+---
+
+# Connect to a VM via specified private IP address through the portal
+
+IP-based connection lets you connect to your on-premises, non-Azure, and Azure virtual machines via Azure Bastion over ExpressRoute or a VPN site-to-site connection using a specified private IP address. The steps in this article show you how to configure your Bastion deployment, and then connect to an on-premises resource using IP-based connection. For more information about Azure Bastion, see the [Overview](bastion-overview.md).
+
+:::image type="content" source="./media/connect-ip-address/architecture.png" alt-text="Architecture diagram." lightbox="./media/connect-ip-address/architecture.png":::
+
+> [!NOTE]
+> This configuration requires the Standard SKU tier for Azure Bastion. To upgrade, see [Upgrade a SKU](upgrade-sku.md).
+>
+
+**Limitations**
+
+IP-based connection won’t work with force tunneling over VPN, or when a default route is advertised over an ExpressRoute circuit. Azure Bastion requires access to the Internet and force tunneling, or the default route advertisement will result in traffic blackholing.
+
+## Prerequisites
+
+Before you begin these steps, verify that you have the following environment set up:
+
+* A VNet with Bastion already deployed.
+
+  * Make sure that you have deployed Bastion to the virtual network. Once the Bastion service is provisioned and deployed in your virtual network, you can use it to connect to any VM deployed in any of the virtual networks that is reachable from Bastion.
+  * To deploy Bastion, see [Quickstart: Deploy Bastion with default settings](quickstart-host-portal.md).
+
+* A virtual machine in any reachable virtual network. This is the virtual machine to which you'll connect.
+
+## Configure Bastion
+
+1. Sign in to the [Azure portal](https://ms.portal.azure.com/).
+
+1. In the Azure portal, go to your Bastion deployment.
+
+1. IP based connection requires the Standard SKU tier. On the **Configuration** page, for **Tier**, verify the tier is set to the **Standard** SKU. If the tier is set to the Basic SKU, select **Standard** from the dropdown.
+1. To enable **IP based connection**, select **IP based connection**.
+
+    :::image type="content" source="./media/connect-ip-address/ip-connection.png" alt-text="Screenshot of Configuration page." lightbox="./media/connect-ip-address/ip-connection.png":::
+
+1. Select **Apply** to apply the changes. It takes a few minutes for the Bastion configuration to complete.
+
+## Connect to VM
+
+1. To connect to a VM using a specified private IP address, you make the connection from Bastion to the VM, not directly from the VM page. On your Bastion page, select **Connect** to open the Connect page.
+
+1. On the Bastion **Connect** page, for **Hostname**, enter the private IP address of the target VM.
+
+    :::image type="content" source="./media/connect-ip-address/ip-address.png" alt-text="Screenshot of Connect using Azure Bastion page." lightbox="./media/connect-ip-address/ip-address.png":::
+
+1. Adjust your connection settings to the desired **Protocol** and **Port**.
+
+1. Enter your credentials in **Username** and **Password**.
+
+1. Select **Connect** to connect to your virtual machine.  
+
+## Next steps
+
+Read the [Bastion FAQ](bastion-faq.md) for additional information.