
Commit dd04895

Merge pull request #274999 from MicrosoftDocs/release-preview-bastion
Release preview bastion
2 parents 644ea9c + 054fdf9 commit dd04895

31 files changed, +437 -98 lines changed

articles/bastion/TOC.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,8 @@
2525
href: work-remotely-support.md
2626
- name: Bastion FAQ
2727
href: bastion-faq.md
28+
- name: Design architecture
29+
href: design-architecture.md
2830
- name: Bastion configuration settings
2931
href: configuration-settings.md
3032
- name: VM connections and features
@@ -49,6 +51,8 @@
4951
href: create-host-cli.md
5052
- name: Developer SKU
5153
href: quickstart-developer-sku.md
54+
- name: Deploy private-only Bastion
55+
href: private-only-deployment.md
5256
- name: Configure Bastion settings
5357
items:
5458
- name: View or upgrade SKU
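Review bot: the new TOC entry "Deploy private-only Bastion" (href private-only-deployment.md) should carry the preview status, because the overview change in this same PR titles that architecture "Private-only deployment (Preview)"; suggest `- name: Deploy private-only Bastion (Preview)` so the navigation label matches the article it links to.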
@@ -65,6 +69,8 @@
6569
href: shareable-link.md
6670
- name: Configure Kerberos authentication
6771
href: kerberos-authentication-portal.md
72+
- name: Configure session recording
73+
href: session-recording.md
6874
- name: Connect to a virtual machine
6975
items:
7076
- name: Windows VM

articles/bastion/bastion-connect-vm-rdp-windows.md

Lines changed: 3 additions & 3 deletions
@@ -5,7 +5,7 @@ description: Learn how to use Azure Bastion to connect to Windows VM using RDP.
55
author: cherylmc
66
ms.service: bastion
77
ms.topic: how-to
8-
ms.date: 08/03/2023
8+
ms.date: 04/05/2024
99
ms.author: cherylmc
1010

1111
---
@@ -23,7 +23,7 @@ Before you begin, verify that you've met the following criteria:
2323
* A VNet with the Bastion host already installed.
2424

2525
* Make sure that you have set up an Azure Bastion host for the virtual network in which the VM is located. Once the Bastion service is provisioned and deployed in your virtual network, you can use it to connect to any VM in the virtual network.
26-
* To set up an Azure Bastion host, see [Create a bastion host](tutorial-create-host-portal.md#createhost). If you plan to configure custom port values, be sure to select the Standard SKU when configuring Bastion.
26+
* To set up an Azure Bastion host, see [Create a bastion host](tutorial-create-host-portal.md#createhost). If you plan to configure custom port values, be sure to select the Standard SKU or higher when configuring Bastion.
2727

2828
* A Windows virtual machine in the virtual network.
2929

@@ -42,7 +42,7 @@ To connect to the Windows VM, you must have the following ports open on your Win
4242
* Inbound port: Custom value (you'll then need to specify this custom port when you connect to the VM via Azure Bastion)
4343

4444
> [!NOTE]
45-
> If you want to specify a custom port value, Azure Bastion must be configured using the Standard SKU. The Basic SKU does not allow you to specify custom ports.
45+
> If you want to specify a custom port value, Azure Bastion must be configured using the Standard SKU or higher. The Basic SKU does not allow you to specify custom ports.
4646
4747
### Rights on target VM
4848

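Review bot: the updated note still rules out only the Basic SKU for custom ports, while this PR also documents a Developer SKU (TOC entry quickstart-developer-sku.md and the overview diagram); either state whether the Developer SKU is excluded too, or phrase the restriction positively, for example "Custom port values require the Standard SKU or higher", so the sentence stays correct as SKUs are added.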
articles/bastion/bastion-connect-vm-ssh-windows.md

Lines changed: 8 additions & 8 deletions
@@ -5,7 +5,7 @@ description: Learn how to use Azure Bastion to connect to Windows VM using SSH.
55
author: cherylmc
66
ms.service: bastion
77
ms.topic: how-to
8-
ms.date: 10/13/2023
8+
ms.date: 04/05/2024
99
ms.author: cherylmc
1010
---
1111

@@ -16,7 +16,7 @@ This article shows you how to securely and seamlessly create an SSH connection t
1616
Azure Bastion provides secure connectivity to all of the VMs in the virtual network in which it's provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH. For more information, see the [What is Azure Bastion?](bastion-overview.md).
1717

1818
> [!NOTE]
19-
> If you want to create an SSH connection to a Windows VM, Azure Bastion must be configured using the Standard SKU.
19+
> If you want to create an SSH connection to a Windows VM, Azure Bastion must be configured using the Standard SKU or higher.
2020
>
2121
2222
When connecting to a Windows virtual machine using SSH, you can use both username/password and SSH keys for authentication.
@@ -30,7 +30,7 @@ Make sure that you have set up an Azure Bastion host for the virtual network in
3030
To SSH to a Windows virtual machine, you must also ensure that:
3131
* Your Windows virtual machine is running Windows Server 2019 or later.
3232
* You have OpenSSH Server installed and running on your Windows virtual machine. To learn how to do this, see [Install OpenSSH](/windows-server/administration/openssh/openssh_install_firstuse).
33-
* Azure Bastion has been configured to use the Standard SKU.
33+
* Azure Bastion has been configured to use the Standard SKU or higher.
3434

3535
### Required roles
3636

@@ -60,7 +60,7 @@ Currently, Azure Bastion only supports connecting to Windows VMs via SSH using *
6060

6161
:::image type="content" source="./media/bastion-connect-vm-ssh-windows/connect.png" alt-text="Screenshot shows the overview for a virtual machine in Azure portal with Connect selected." lightbox="./media/bastion-connect-vm-ssh-windows/connect.png":::
6262

63-
1. On the **Bastion** connection page, click the **Connection Settings** arrow to expand all the available settings. Notice that if you're using the Bastion **Standard** SKU, you have more available settings.
63+
1. On the **Bastion** connection page, click the **Connection Settings** arrow to expand all the available settings. Notice that if you're using the Bastion **Standard** SKU or higher, you have more available settings.
6464

6565
:::image type="content" source="./media/bastion-connect-vm-ssh-windows/connection-settings.png" alt-text="Screenshot shows connection settings.":::
6666

@@ -80,7 +80,7 @@ Use the following steps to authenticate using username and password.
8080
1. To authenticate using a username and password, configure the following settings:
8181

8282
* **Protocol**: Select SSH.
83-
* **Port**: Input the port number. Custom port connections are available for the Standard SKU only.
83+
* **Port**: Input the port number. Custom port connections are available for the Standard SKU or higher.
8484
* **Authentication type**: Select **Password** from the dropdown.
8585
* **Username**: Enter the username.
8686
* **Password**: Enter the **Password**.
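Review bot: the same sentence "Custom port connections are available for the Standard SKU or higher." is edited here and again in the three hunks below (local private key, Key Vault password, Key Vault private key); since this repo already uses `[!INCLUDE ...]` fragments (for example `bastion-pricing.md`), consider moving the port caveat into one include so the next SKU wording change does not need four identical edits.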
@@ -98,7 +98,7 @@ Use the following steps to authenticate using an SSH private key from a local fi
9898
1. To authenticate using a private key from a local file, configure the following settings:
9999

100100
* **Protocol**: Select SSH.
101-
* **Port**: Input the port number. Custom port connections are available for the Standard SKU only.
101+
* **Port**: Input the port number. Custom port connections are available for the Standard SKU or higher.
102102
* **Authentication type**: Select **SSH Private Key from Local File** from the dropdown.
103103
* **Local File**: Select the local file.
104104
* **SSH Passphrase**: Enter the SSH passphrase if necessary.
@@ -116,7 +116,7 @@ Use the following steps to authenticate using a password from Azure Key Vault.
116116
1. To authenticate using a password from Azure Key Vault, configure the following settings:
117117

118118
* **Protocol**: Select SSH.
119-
* **Port**: Input the port number. Custom port connections are available for the Standard SKU only.
119+
* **Port**: Input the port number. Custom port connections are available for the Standard SKU or higher.
120120
* **Authentication type**: Select **Password from Azure Key Vault** from the dropdown.
121121
* **Username**: Enter the username.
122122
* **Subscription**: Select the subscription.
@@ -144,7 +144,7 @@ Use the following steps to authenticate using a private key stored in Azure Key
144144
1. To authenticate using a private key stored in Azure Key Vault, configure the following settings:
145145

146146
* **Protocol**: Select SSH.
147-
* **Port**: Input the port number. Custom port connections are available for the Standard SKU only.
147+
* **Port**: Input the port number. Custom port connections are available for the Standard SKU or higher.
148148
* **Authentication type**: Select **SSH Private Key from Azure Key Vault** from the dropdown.
149149
* **Username**: Enter the username.
150150
* **Subscription**: Select the subscription.

articles/bastion/bastion-create-host-powershell.md

Lines changed: 10 additions & 8 deletions
@@ -5,21 +5,23 @@ description: Learn how to deploy Azure Bastion using PowerShell.
55
author: cherylmc
66
ms.service: bastion
77
ms.topic: how-to
8-
ms.date: 10/05/2023
8+
ms.date: 04/05/2024
99
ms.author: cherylmc
1010
ms.custom: devx-track-azurepowershell
1111
# Customer intent: As someone with a networking background, I want to deploy Bastion and connect to a VM.
1212
---
1313

1414
# Deploy Bastion using Azure PowerShell
1515

16-
This article shows you how to deploy Azure Bastion with the Standard SKU using PowerShell. Azure Bastion is a PaaS service that's maintained for you, not a bastion host that you install on your VM and maintain yourself. An Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine. For more information about Azure Bastion, see [What is Azure Bastion?](bastion-overview.md)
16+
This article shows you how to deploy Azure Bastion using PowerShell. Azure Bastion is a PaaS service that's maintained for you, not a bastion host that you install on your VM and maintain yourself. An Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine. For more information about Azure Bastion, see [What is Azure Bastion?](bastion-overview.md)
1717

1818
Once you deploy Bastion to your virtual network, you can connect to your VMs via private IP address. This seamless RDP/SSH experience is available to all the VMs in the same virtual network. If your VM has a public IP address that you don't need for anything else, you can remove it.
1919

2020
:::image type="content" source="./media/create-host/host-architecture.png" alt-text="Diagram showing Azure Bastion architecture." lightbox="./media/create-host/host-architecture.png":::
2121

22-
In this article, you create a virtual network (if you don't already have one), deploy Azure Bastion using PowerShell, and connect to a VM. You can also deploy Bastion by using the following other methods:
22+
In this article, you create a virtual network (if you don't already have one), deploy Azure Bastion using PowerShell, and connect to a VM. The examples show Bastion deployed using the Standard SKU tier, but you can use a different Bastion SKU, depending on the features you'd like to use. For more information, see [Bastion SKUs](configuration-settings.md#skus).
23+
24+
You can also deploy Bastion by using the following other methods:
2325

2426
* [Azure portal](./tutorial-create-host-portal.md)
2527
* [Azure CLI](create-host-cli.md)
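Review bot: the added sentence "The examples show Bastion deployed using the Standard SKU tier" conflicts with the New-AzBastion step later in this file, whose text still says "The following example uses the **Basic SKU**"; pick one SKU for the walkthrough and make the intro, the values table (`Tier/SKU | Standard`) and the step agree.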
@@ -42,7 +44,7 @@ Verify that you have an Azure subscription. If you don't already have an Azure s
4244

4345
You can use the following example values when creating this configuration, or you can substitute your own.
4446

45-
** Example VNet and VM values:**
47+
**Example VNet and VM values:**
4648

4749
|**Name** | **Value** |
4850
| --- | --- |
@@ -60,7 +62,7 @@ You can use the following example values when creating this configuration, or yo
6062
| Name | VNet1-bastion |
6163
| Subnet Name | FrontEnd |
6264
| Subnet Name | AzureBastionSubnet|
63-
| AzureBastionSubnet addresses | A subnet within your VNet address space with a subnet mask /26 or larger.<br> For example, 10.1.1.0/26. |
65+
| AzureBastionSubnet addresses | A subnet within your virtual network address space with a subnet mask /26 or larger.<br> For example, 10.1.1.0/26. |
6466
| Tier/SKU | Standard |
6567
| Public IP address | Create new |
6668
| Public IP address name | VNet1-ip |
@@ -75,7 +77,7 @@ This section helps you create a virtual network, subnets, and deploy Azure Basti
7577
> [!INCLUDE [Pricing](../../includes/bastion-pricing.md)]
7678
>
7779
78-
1. Create a resource group, a virtual network, and a front end subnet to which you'll deploy the VMs that you'll connect to via Bastion. If you're running PowerShell locally, open your PowerShell console with elevated privileges and connect to Azure using the `Connect-AzAccount` command.
80+
1. Create a resource group, a virtual network, and a front end subnet to which you deploy the VMs that you'll connect to via Bastion. If you're running PowerShell locally, open your PowerShell console with elevated privileges and connect to Azure using the `Connect-AzAccount` command.
7981

8082
```azurepowershell-interactive
8183
New-AzResourceGroup -Name TestRG1 -Location EastUS `
@@ -114,7 +116,7 @@ This section helps you create a virtual network, subnets, and deploy Azure Basti
114116
-AllocationMethod Static -Sku Standard
115117
```
116118

117-
1. Create a new Azure Bastion resource in the AzureBastionSubnet using the [New-AzBastion](/powershell/module/az.network/new-azbastion) command. The following example uses the **Basic SKU**. However, you can also deploy Bastion using the Standard SKU by changing the -Sku value to "Standard". The Standard SKU lets you configure more Bastion features and connect to VMs using more connection types. You can also deploy Bastion automatically using the [Developer SKU](quickstart-developer-sku.md). For more information, see [Bastion SKUs](configuration-settings.md#skus).
119+
1. Create a new Azure Bastion resource in the AzureBastionSubnet using the [New-AzBastion](/powershell/module/az.network/new-azbastion) command. The following example uses the **Basic SKU**. However, you can also deploy Bastion using a different SKU by changing the -Sku value. The SKU you select determines the Bastion features and connect to VMs using more connection types. For more information, see [Bastion SKUs](configuration-settings.md#skus).
118120

119121
```azurepowershell-interactive
120122
New-AzBastion -ResourceGroupName "TestRG1" -Name "VNet1-bastion" `
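Review bot: the rewritten sentence "The SKU you select determines the Bastion features and connect to VMs using more connection types." lost its second object when the Standard-specific wording was cut and no longer parses; suggest "The SKU you select determines which Bastion features are available and which connection types you can use to connect to VMs." The hunk also keeps "The following example uses the **Basic SKU**" although the article intro now says the examples use Standard; align the two, and consider keeping the dropped link to the [Developer SKU](quickstart-developer-sku.md) quickstart since the SKU list is the natural place for it.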
@@ -162,4 +164,4 @@ Azure Bastion doesn't use the public IP address to connect to the client VM. If
162164
## Next steps
163165

164166
* To use Network Security Groups with the Azure Bastion subnet, see [Work with NSGs](bastion-nsg.md).
165-
* To understand VNet peering, see [VNet peering and Azure Bastion](vnet-peering.md).
167+
* To understand VNet peering, see [Virtual Network peering and Azure Bastion](vnet-peering.md).

articles/bastion/bastion-nsg.md

Lines changed: 2 additions & 2 deletions
@@ -4,7 +4,7 @@ description: Learn about using network security groups with Azure Bastion.
44
author: cherylmc
55
ms.service: bastion
66
ms.topic: conceptual
7-
ms.date: 06/23/2023
7+
ms.date: 04/05/2024
88
ms.author: cherylmc
99
---
1010
# Working with NSG access and Azure Bastion
@@ -56,7 +56,7 @@ Azure Bastion is deployed specifically to ***AzureBastionSubnet***.
5656
### Target VM Subnet
5757
This is the subnet that contains the target virtual machine that you want to RDP/SSH to.
5858

59-
* **Ingress Traffic from Azure Bastion:** Azure Bastion will reach to the target VM over private IP. RDP/SSH ports (ports 3389/22 respectively, or custom port values if you are using the custom port feature as a part of Standard SKU) need to be opened on the target VM side over private IP. As a best practice, you can add the Azure Bastion Subnet IP address range in this rule to allow only Bastion to be able to open these ports on the target VMs in your target VM subnet.
59+
* **Ingress Traffic from Azure Bastion:** Azure Bastion will reach to the target VM over private IP. RDP/SSH ports (ports 3389/22 respectively, or custom port values if you're using the custom port feature as a part of Standard or Premium SKU) need to be opened on the target VM side over private IP. As a best practice, you can add the Azure Bastion Subnet IP address range in this rule to allow only Bastion to be able to open these ports on the target VMs in your target VM subnet.
6060

6161

6262
## Next steps
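Review bot: "as a part of Standard or Premium SKU" is the only place in this PR that names Premium; every other file uses "Standard SKU or higher", so use the same wording here (and "as part of the", not "as a part of"). While touching this bullet, "Azure Bastion will reach to the target VM" reads better as "Azure Bastion reaches the target VM". The guidance to scope the inbound RDP/SSH rule to the AzureBastionSubnet address range is the key control in this paragraph; consider stating it as a recommendation rather than "you can".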

articles/bastion/bastion-overview.md

Lines changed: 10 additions & 11 deletions
@@ -39,30 +39,29 @@ Azure Bastion offers multiple deployment architectures, depending on the selecte
3939

4040
RDP and SSH are some of the fundamental means through which you can connect to your workloads running in Azure. Exposing RDP/SSH ports over the Internet isn't desired and is seen as a significant threat surface. This is often due to protocol vulnerabilities. To contain this threat surface, you can deploy bastion hosts (also known as jump-servers) at the public side of your perimeter network. Bastion host servers are designed and configured to withstand attacks. Bastion servers also provide RDP and SSH connectivity to the workloads sitting behind the bastion, as well as further inside the network.
4141

42-
**Diagram: Bastion - Basic SKU and higher**
42+
The SKU you select when you deploy Bastion determines the architecture and the available features. You can upgrade to a higher SKU to support more features, but you can't downgrade a SKU after deploying. Certain architectures, such as Private-only and Developer SKU, must be configured at the time of deployment. For more information about each architecture, see [Bastion design and architecture](design-architecture.md).
4343

44-
:::image type="content" source="./media/bastion-overview/architecture.png" alt-text="Diagram showing Azure Bastion architecture." lightbox="./media/bastion-overview/architecture.png":::
44+
The following diagrams show the available architectures for Azure Bastion.
45+
46+
**Basic SKU and higher**
4547

46-
* The Bastion host is deployed in the virtual network that contains the AzureBastionSubnet subnet that has a minimum /26 prefix.
47-
* The user connects to the Azure portal using any HTML5 browser.
48-
* The user selects the virtual machine to connect to.
49-
* With a single click, the RDP/SSH session opens in the browser.
50-
* For some configurations, the user can connect to the virtual machine via the native operating system client.
51-
* No public IP is required on the Azure VM.
48+
:::image type="content" source="./media/bastion-overview/architecture.png" alt-text="Diagram showing Azure Bastion architecture." lightbox="./media/bastion-overview/architecture.png":::
5249

53-
**Diagram: Bastion - Developer SKU**
50+
**Developer SKU**
5451

5552
:::image type="content" source="./media/quickstart-developer-sku/bastion-shared-pool.png" alt-text="Diagram that shows the Azure Bastion developer SKU architecture." lightbox="./media/quickstart-developer-sku/bastion-shared-pool.png":::
5653

57-
[!INCLUDE [Developer SKU](../../includes/bastion-developer-sku-description.md)]
54+
**Private-only deployment (Preview)**
55+
56+
:::image type="content" source="./media/private-only-deployment/private-only-architecture.png" alt-text="Diagram showing Azure Bastion private-only architecture." lightbox="./media/private-only-deployment/private-only-architecture.png":::
5857

5958
## Availability zones
6059

6160
[!INCLUDE [Availability Zones description and supported regions](../../includes/bastion-availability-zones-description.md)]
6261

6362
## <a name="host-scaling"></a>Host scaling
6463

65-
Azure Bastion supports manual host scaling. You can configure the number of host **instances** (scale units) in order to manage the number of concurrent RDP/SSH connections that Azure Bastion can support. Increasing the number of host instances lets Azure Bastion manage more concurrent sessions. Decreasing the number of instances decreases the number of concurrent supported sessions. Azure Bastion supports up to 50 host instances. This feature is available for the Azure Bastion Standard SKU only.
64+
Azure Bastion supports manual host scaling. You can configure the number of host **instances** (scale units) in order to manage the number of concurrent RDP/SSH connections that Azure Bastion can support. Increasing the number of host instances lets Azure Bastion manage more concurrent sessions. Decreasing the number of instances decreases the number of concurrent supported sessions. Azure Bastion supports up to 50 host instances. This feature is available for Standard SKU and higher.
6665

6766
For more information, see the [Configuration settings](configuration-settings.md#instance) article.
6867

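Review bot: replacing the "Basic SKU and higher" bullet list drops three facts that were stated only here: the AzureBastionSubnet minimum /26 prefix, access through any HTML5 browser, and that no public IP is required on the target VM; the `[!INCLUDE [Developer SKU](...)]` description is also removed, so the Developer SKU heading now carries only a diagram. Confirm these points are covered in the new design-architecture.md, or keep a one-line summary under each heading. Minor: "Standard SKU and higher" in the host-scaling paragraph should read "Standard SKU or higher" like the rest of the PR.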
articles/bastion/bastion-vm-copy-paste.md

Lines changed: 2 additions & 2 deletions
@@ -24,12 +24,12 @@ Before you proceed, make sure you have the following items.
2424

2525
## <a name="configure"></a> Configure the bastion host
2626

27-
By default, Azure Bastion is automatically enabled to allow copy and paste for all sessions connected through the bastion resource. You don't need to configure anything extra. This applies to both the Basic and the Standard SKU tier. If you want to disable this feature, you can disable it for web-based clients on the configuration page of your Bastion resource.
27+
By default, Azure Bastion is automatically enabled to allow copy and paste for all sessions connected through the bastion resource. You don't need to configure anything extra. You can disable this feature for web-based clients on the configuration page of your Bastion resource if your Bastion deployment uses the Standard SKU or higher.
2828

2929
1. To view or change your configuration, in the portal, go to your Bastion resource.
3030
1. Go to the **Configuration** page.
3131
* To enable, select the **Copy and paste** checkbox if it isn't already selected.
32-
* To disable, clear the checkbox. Disable is only available with the Standard SKU. You can upgrade the SKU if necessary.
32+
* To disable, clear the checkbox. Disable is only available with the Standard SKU or higher. You can upgrade the SKU if necessary.
3333
1. **Apply** changes. The bastion host updates.
3434

3535
## <a name="to"></a> Copy and paste
