Merge pull request #165086 from MicrosoftDocs/release-preview-bastionsku

Release preview bastionsku--Scheduled release at 10AM of 7/12

Author: huypub

articles/bastion/TOC.yml

@@ -21,6 +21,8 @@
     href: work-remotely-support.md
   - name: Bastion FAQ
     href: bastion-faq.md
+  - name: Configuration settings
+    href: configuration-settings.md
   - name: Bastion and VNet peering
     href: vnet-peering.md
   - name: Security
@@ -43,6 +45,10 @@
       href: bastion-connect-vm-ssh.md
     - name: RDP (Windows)
       href: bastion-connect-vm-rdp.md
+  - name: Upgrade a SKU
+    href: upgrade-sku.md
+  - name: Configure host scaling
+    href: configure-host-scaling.md
   - name: Connect to a virtual machine scale set
     href: bastion-connect-vm-scale-set.md
   - name: Connect to DevTest Labs virtual machines
@@ -79,6 +85,8 @@
     href: https://azure.microsoft.com/roadmap/?category=networking
   - name: Blog
     href: https://azure.microsoft.com/blog/topics/networking
+  - name: Pricing
+    href: https://azure.microsoft.com/pricing/details/azure-bastion
   - name: Microsoft Q&A question page
     href: /answers/topics/azure-virtual-network.html
   - name: Preview SLA

articles/bastion/bastion-create-host-powershell.md

@@ -6,7 +6,7 @@ author: cherylmc
 
 ms.service: bastion
 ms.topic: how-to
-ms.date: 10/14/2020
+ms.date: 07/12/2021
 ms.author: cherylmc
 # Customer intent: As someone with a networking background, I want to create an Azure Bastion host.
 
@@ -16,23 +16,29 @@ ms.author: cherylmc
 
 This article shows you how to create an Azure Bastion host using PowerShell. Once you provision the Azure Bastion service in your virtual network, the seamless RDP/SSH experience is available to all of the VMs in the same virtual network. Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine.
 
-Optionally, you can create an Azure Bastion host by using the [Azure portal](./tutorial-create-host-portal.md).
+Optionally, you can create an Azure Bastion host by using the following methods:
+* [Azure portal](./tutorial-create-host-portal.md)
+* [Azure CLI](create-host-cli.md)
+
+[!INCLUDE [Note about SKU limitations for preview.](../../includes/bastion-preview-sku-note.md)]
 
 ## Prerequisites
 
 Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your [MSDN subscriber benefits](https://azure.microsoft.com/pricing/member-offers/msdn-benefits-details) or sign up for a [free account](https://azure.microsoft.com/pricing/free-trial).
 
 [!INCLUDE [PowerShell](../../includes/vpn-gateway-cloud-shell-powershell-about.md)]
 
- >[!NOTE]
- >The use of Azure Bastion with Azure Private DNS Zones is not supported at this time. Before you begin, please make sure that the virtual network where you plan to deploy your Bastion resource is not linked to a private DNS zone.
+ > [!NOTE]
+ > The use of Azure Bastion with Azure Private DNS Zones is not supported at this time. Before you begin, please make sure that the virtual network where you plan to deploy your Bastion resource is not linked to a private DNS zone.
  >
 
 ## <a name="createhost"></a>Create a bastion host
 
 This section helps you create a new Azure Bastion resource using Azure PowerShell.
 
-1. Create a virtual network and an Azure Bastion subnet. You must create the Azure Bastion subnet using the name value **AzureBastionSubnet**. This value lets Azure know which subnet to deploy the Bastion resources to. This is different than a Gateway subnet. You must use a subnet of at least /27 or larger subnet (/27, /26, and so on). Create the **AzureBastionSubnet** without any route tables or delegations. If you use Network Security Groups on the **AzureBastionSubnet**, refer to the [Work with NSGs](bastion-nsg.md) article.
+1. Create a virtual network and an Azure Bastion subnet. You must create the Azure Bastion subnet using the name value **AzureBastionSubnet**. This value lets Azure know which subnet to deploy the Bastion resources to. This is different than a VPN gateway subnet.
+
+   [!INCLUDE [Note about BastionSubnet size.](../../includes/bastion-subnet-size.md)]
 
    ```azurepowershell-interactive
    $subnetName = "AzureBastionSubnet"

articles/bastion/bastion-faq.md

@@ -6,7 +6,7 @@ author: cherylmc
 
 ms.service: bastion
 ms.topic: conceptual
-ms.date: 06/22/2021
+ms.date: 07/12/2021
 ms.author: cherylmc
 ---
 # Azure Bastion FAQ

articles/bastion/bastion-overview.md

@@ -7,7 +7,7 @@ author: cherylmc
 
 ms.service: bastion
 ms.topic: overview
-ms.date: 06/22/2021
+ms.date: 07/12/2021
 ms.author: cherylmc
 
 ---
@@ -17,13 +17,32 @@ Azure Bastion is a service you deploy that lets you connect to a virtual machine
 
 Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtual network in which it is provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.
 
-## Architecture
+:::image type="content" source="./media/bastion-overview/architecture.png" alt-text="Diagram showing Azure Bastion architecture.":::
 
-Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine. Once you provision an Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same virtual network.
+## <a name="key"></a>Key benefits
+
+* **RDP and SSH directly in Azure portal:** You can get to the RDP and SSH session directly in the Azure portal using a single click seamless experience.
+* **Remote Session over TLS and firewall traversal for RDP/SSH:** Azure Bastion uses an HTML5 based web client that is automatically streamed to your local device. You get your RDP/SSH session over TLS on port 443, enabling you to traverse corporate firewalls securely.
+* **No Public IP required on the Azure VM:** Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using private IP on your VM. You don't need a public IP on your virtual machine.
+* **No hassle of managing NSGs:** Azure Bastion is a fully managed platform PaaS service from Azure that is hardened internally to provide you secure RDP/SSH connectivity. You don't need to apply any NSGs to the Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This removes the hassle of managing NSGs each time you need to securely connect to your virtual machines.
+* **Protection against port scanning:** Because you do not need to expose your virtual machines to the public Internet, your VMs are protected against port scanning by rogue and malicious users located outside your virtual network.
+* **Protect against zero-day exploits. Hardening in one place only:** Azure Bastion is a fully platform-managed PaaS service. Because it sits at the perimeter of your virtual network, you don’t need to worry about hardening each of the virtual machines in your virtual network. The Azure platform protects against zero-day exploits by keeping the Azure Bastion hardened and always up to date for you.
+
+## <a name="sku"></a>SKUs
+
+Azure Bastion has two available SKUs, Basic and Standard. The Standard SKU is currently in Preview. For more information, including how to upgrade a SKU, see the [Configuration settings](configuration-settings.md#skus) article. 
+
+The following table shows features and corresponding SKUs.
+
+[!INCLUDE [Azure Bastion SKUs](../../includes/bastion-sku.md)]
+
+## <a name="architecture"></a>Architecture
+
+Azure Bastion is deployed to a virtual network and supports virtual network peering. Specifically, Azure Bastion manages RDP/SSH connectivity to VMs created in the local or peered virtual networks.
 
 RDP and SSH are some of the fundamental means through which you can connect to your workloads running in Azure. Exposing RDP/SSH ports over the Internet isn't desired and is seen as a significant threat surface. This is often due to protocol vulnerabilities. To contain this threat surface, you can deploy bastion hosts (also known as jump-servers) at the public side of your perimeter network. Bastion host servers are designed and configured to withstand attacks. Bastion servers also provide RDP and SSH connectivity to the workloads sitting behind the bastion, as well as further inside the network.
 
-![Azure Bastion Architecture](./media/bastion-overview/architecture.png)
+:::image type="content" source="./media/bastion-overview/architecture.png" alt-text="Diagram showing the Azure Bastion architecture.":::
 
 This figure shows the architecture of an Azure Bastion deployment. In this diagram:
 
@@ -33,22 +52,21 @@ This figure shows the architecture of an Azure Bastion deployment. In this diagr
 * With a single click, the RDP/SSH session opens in the browser.
 * No public IP is required on the Azure VM.
 
-## Key features
+## <a name="host-scaling"></a>Host scaling
 
-The following features are available:
+Azure Bastion supports manual host scaling. You can configure the number of host instances (scale units) in order to manage the number of concurrent RDP/SSH connections that Azure Bastion can support. Increasing the number of host instances lets Azure Bastion manage more concurrent sessions. Decreasing the number of instances decreases the number of concurrent supported sessions. Azure Bastion supports up to 50 host instances. This feature is available for the Azure Bastion Standard SKU only.
 
-* **RDP and SSH directly in Azure portal:** You can directly get to the RDP and SSH session directly in the Azure portal using a single click seamless experience.
-* **Remote Session over TLS and firewall traversal for RDP/SSH:** Azure Bastion uses an HTML5 based web client that is automatically streamed to your local device, so that you get your RDP/SSH session over TLS on port 443 enabling you to traverse corporate firewalls securely.
-* **No Public IP required on the Azure VM:** Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using private IP on your VM. You don't need a public IP on your virtual machine.
-* **No hassle of managing NSGs:** Azure Bastion is a fully managed platform PaaS service from Azure that is hardened internally to provide you secure RDP/SSH connectivity. You don't need to apply any NSGs on Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This removes the hassle of managing NSGs each time you need to securely connect to your virtual machines.
-* **Protection against port scanning:** Because you do not need to expose your virtual machines to public Internet, your VMs are protected against port scanning by rogue and malicious users located outside your virtual network.
-* **Protect against zero-day exploits. Hardening in one place only:** Azure Bastion is a fully platform-managed PaaS service. Because it sits at the perimeter of your virtual network, you don’t need to worry about hardening each of the virtual machines in your virtual network. The Azure platform protects against zero-day exploits by keeping the Azure Bastion hardened and always up to date for you.
+For more information, see the [Configuration settings](configuration-settings.md#instance) article.
+
+## <a name="pricing"></a>Pricing
+
+Azure Bastion pricing involves a combination of hourly pricing based on SKU, scale units, and data transfer rates. Pricing information can be found on the [Pricing](https://azure.microsoft.com/pricing/details/azure-bastion) page.
 
 ## <a name="new"></a>What's new?
 
 Subscribe to the RSS feed and view the latest Azure Bastion feature updates on the [Azure Updates](https://azure.microsoft.com/updates/?category=networking&query=Azure%20Bastion) page.
 
-## FAQ
+## Bastion FAQ
 
 For frequently asked questions, see the Bastion [FAQ](bastion-faq.md).
 

articles/bastion/bastion-vm-full-screen.md

@@ -6,13 +6,13 @@ author: cherylmc
 
 ms.service: bastion
 ms.topic: how-to
-ms.date: 02/03/2020
+ms.date: 07/12/2021
 ms.author: cherylmc
 # Customer intent: I want to manage my VM experience using Azure Bastion.
 
 ---
 
-# Change to full screen view for a vm session: Azure Bastion
+# Change to full screen view for a VM session: Azure Bastion
 
 This article helps you change the virtual machine view to full screen and back in your browser. Before you work with a VM, make sure you have followed the steps to [Create a Bastion host](./tutorial-create-host-portal.md). Then, connect to the VM that you want to work with using either [RDP](bastion-connect-vm-rdp.md) or [SSH](bastion-connect-vm-ssh.md).
 

articles/bastion/configuration-settings.md

@@ -0,0 +1,110 @@
+---
+title: 'About Azure Bastion configuration settings'
+description: Learn about the available configuration settings for Azure Bastion.
+services: bastion
+author: cherylmc
+
+ms.service: bastion
+ms.topic: conceptual
+ms.date: 07/12/2021
+ms.author: cherylmc
+
+---
+
+# About Bastion configuration settings
+
+The sections in this article discuss the resources and settings for Azure Bastion.
+
+## <a name="skus"></a>SKUs
+
+A SKU is also known as a Tier. Azure Bastion supports two SKU types: Basic and Standard. The SKU is configured in the Azure portal during the workflow when you configure Bastion. You can [upgrade a Basic SKU to a Standard SKU](#upgradesku).
+
+* The **Basic SKU** provides base functionality, enabling Azure Bastion to manage RDP/SSH connectivity to Virtual Machines (VMs) without exposing public IP addresses on the target application VMs. 
+* The **Standard SKU** is in **Preview**. The Standard SKU enables premium features that allow Azure Bastion to manage remote connectivity at a larger scale. 
+
+The following table shows features and corresponding SKUs. 
+
+[!INCLUDE [Azure Bastion SKUs](../../includes/bastion-sku.md)]
+
+### Configuration methods
+
+During Preview, you must use the Azure portal if you want to specify the Standard SKU. If you use the Azure CLI or Azure PowerShell to configure Bastion, the SKU can't be specified and defaults to the Basic SKU.
+
+| Method | Value | Links |
+| --- | --- | --- |
+| Azure portal | Tier - Basic or <br>Standard (Preview) | [Quickstart - Configure Bastion from VM settings](quickstart-host-portal.md)<br>[Tutorial - Configure Bastion](tutorial-create-host-portal.md) |
+| Azure PowerShell | Basic only - no settings |[Configure Bastion - PowerShell](bastion-create-host-powershell.md) |
+| Azure CLI |  Basic only - no settings | [Configure Bastion - CLI](create-host-cli.md) |
+
+### <a name="upgradesku"></a>Upgrade a SKU
+
+Azure Bastion supports upgrading from a Basic to a Standard SKU. However, downgrading from Standard to Basic is not supported. To downgrade, you must delete and recreate Azure Bastion. The Standard SKU is in Preview. 
+
+#### Configuration methods
+
+You can configure this setting using the following method:
+
+| Method | Value | Links |
+| --- | --- | --- |
+| Azure portal |Tier  | [Upgrade a SKU - Preview](upgrade-sku.md)|
+
+## <a name="instance"></a>Instances and host scaling (Preview)
+
+An instance is an optimized Azure VM that is created when you configure Azure Bastion. It's fully managed by Azure and runs all of the processes needed for Azure Bastion. An instance is also referred to as a scale unit. You connect to client VMs via an Azure Bastion instance. When you configure Azure Bastion using the Basic SKU, two instances are created. If you use the Standard SKU, you can specify the number of instances. This is called **host scaling**. 
+
+Each instance can support 10-12 concurrent RDP/SSH connections. The number of connections per instances depends on what actions you are taking when connected to the client VM. For example, if you are doing something data intensive, it creates a larger load for the instance to process. Once the concurrent sessions are exceeded, an additional scale unit (instance) is required. 
+
+Instances are created in the AzureBastionSubnet. For host scaling, the AzureBastionSubnet should be /26 or larger. Using a smaller subnet limits the number of instances you can create. For more information about the AzureBastionSubnet, see the [subnets](#subnet) section in this article.
+
+### Configuration methods
+
+You can configure this setting using the following method:
+
+| Method | Value | Links |
+| --- | --- | --- |
+| Azure portal |Instance count  | [Configure host scaling - Preview](configure-host-scaling.md)|
+
+
+## <a name="subnet"></a>Azure Bastion subnet
+
+Azure Bastion requires a dedicated subnet: **AzureBastionSubnet**. This subnet needs to be created in the same Virtual Network that Azure Bastion is deployed to. The subnet must have the following configuration:
+
+* Subnet name must be *AzureBastionSubnet*.
+* Subnet size must be /27 or larger (/26, /25 etc.).
+* For host scaling, a /26 or larger subnet is recommended. Using a smaller subnet space limits the number of scale units. For more information, see the [Host scaling](#instance) section of this article.
+* The subnet must be in the same VNet and resource group as the bastion host.
+* The subnet cannot contain additional resources.
+
+### Configuration methods
+
+You can configure this setting using the following methods:
+
+| Method | Value | Links |
+| --- | --- |--- |
+| Azure portal | Subnet  |[Quickstart - Configure Bastion from VM settings](quickstart-host-portal.md)<br>[Tutorial - Configure Bastion](tutorial-create-host-portal.md)|
+| Azure PowerShell | -subnetName|[cmdlet](/powershell/module/az.network/new-azbastion#parameters) |
+| Azure CLI |  --subnet-name | [command](/cli/azure/network/vnet#az_network_vnet_create) |
+
+## <a name="public-ip"></a>Public IP address
+
+Azure Bastion requires a Public IP address. The Public IP must have the following configuration:
+
+* The Public IP address SKU must be **Standard**.
+* The Public IP address assignment/allocation method must be **Static**.
+* The Public IP address name is the resource name by which you want to refer to this public IP address.
+* You can choose to use a public IP address that you already created, as long as it meets the criteria required by Azure Bastion and is not already in use.
+
+### Configuration methods
+
+You can configure this setting using the following methods:
+
+| Method | Value | Links |
+| --- | --- |--- |
+| Azure portal | Public IP address |[Azure portal](https://portal.azure.com)|
+| Azure PowerShell | -PublicIpAddress| [cmdlet](/powershell/module/az.network/new-azbastion#parameters)  |
+| Azure CLI | --public-ip create |[command](/cli/azure/network/public-ip)
+|
+
+## Next steps
+
+For frequently asked questions, see the [Azure Bastion FAQ](bastion-faq.md).

articles/bastion/configure-host-scaling.md

@@ -0,0 +1,33 @@
+---
+title: 'Add scale units for host scaling'
+titleSuffix: Azure Bastion
+description: Learn how to add additional instances (scale units) to Azure Bastion.
+services: bastion
+author: cherylmc
+
+ms.service: bastion
+ms.topic: how-to
+ms.date: 07/12/2021
+ms.author: cherylmc
+# Customer intent: As someone with a networking background, I want to configure host scaling.
+
+---
+
+# Configure host scaling (Preview)
+
+This article helps you add additional scale units (instances) to Azure Bastion in order to accommodate additional concurrent client connections. During Preview, this setting can be configured in the Azure portal only. For more information about host scaling, see [Configuration settings](configuration-settings.md#instance). 
+
+## Configuration steps
+
+1. In the Azure portal, navigate to your Bastion host.
+1. Host scaling instance count requires Standard tier. On the **Configuration** page, for **Tier**, verify the tier is **Standard**. If the tier is Basic, select **Standard** from the dropdown. 
+
+   :::image type="content" source="./media/configure-host-scaling/select-sku.png" alt-text="Screenshot of Select Tier." lightbox="./media/configure-host-scaling/select-sku.png":::
+1. To configure scaling, adjust the instance count. Each instance is a scale unit.
+
+   :::image type="content" source="./media/configure-host-scaling/instance-count.png" alt-text="Screenshot of Instance count slider." lightbox="./media/configure-host-scaling/instance-count.png":::
+1. Click **Apply** to apply changes.
+
+## Next steps
+
+* Read the [Bastion FAQ](bastion-faq.md) for additional information.