You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/bastion/bastion-nsg.md
+5-13Lines changed: 5 additions & 13 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,7 +6,7 @@ author: charwen
6
6
7
7
ms.service: bastion
8
8
ms.topic: conceptual
9
-
ms.date: 02/03/2020
9
+
ms.date: 04/20/2020
10
10
ms.author: charwen
11
11
---
12
12
# Working with NSG access and Azure Bastion
@@ -27,9 +27,9 @@ In this diagram:
27
27
28
28
This section shows you the network traffic between the user and Azure Bastion, and through to target VMs in your virtual network:
29
29
30
-
### AzureBastionSubnet
30
+
### <aname="apply"></a>AzureBastionSubnet
31
31
32
-
Azure Bastion is deployed specifically to the AzureBastionSubnet.
32
+
Azure Bastion is deployed specifically to ***AzureBastionSubnet***.
33
33
34
34
***Ingress Traffic:**
35
35
@@ -41,19 +41,11 @@ Azure Bastion is deployed specifically to the AzureBastionSubnet.
41
41
***Egress Traffic to target VMs:** Azure Bastion will reach the target VMs over private IP. The NSGs need to allow egress traffic to other target VM subnets for port 3389 and 22.
42
42
***Egress Traffic to other public endpoints in Azure:** Azure Bastion needs to be able to connect to various public endpoints within Azure (for example, for storing diagnostics logs and metering logs). For this reason, Azure Bastion needs outbound to 443 to **AzureCloud** service tag.
43
43
44
-
***Target VM Subnet:** This is the subnet that contains the target virtual machine that you want to RDP/SSH to.
44
+
### Target VM Subnet
45
+
This is the subnet that contains the target virtual machine that you want to RDP/SSH to.
45
46
46
47
***Ingress Traffic from Azure Bastion:** Azure Bastion will reach to the target VM over private IP. RDP/SSH ports (ports 3389/22 respectively) need to be opened on the target VM side over private IP. As a best practice, you can add the Azure Bastion Subnet IP address range in this rule to allow only Bastion to be able to open these ports on the target VMs in your target VM subnet.
47
48
48
-
## <aname="apply"></a>Apply NSGs to AzureBastionSubnet
49
-
50
-
If you create and apply an NSG to ***AzureBastionSubnet***, make sure you have added the following rules in your NSG. If you do not add these rules, the NSG creation/update will fail:
51
-
52
-
***Control plane connectivity:** Inbound on 443 from GatewayManager
53
-
***Diagnostics logging and others:** Outbound on 443 to AzureCloud. Regional tags within this service tag are not supported yet.
54
-
***Target VM:** Outbound for 3389 and 22 to VirtualNetwork
55
-
56
-
An NSG rule example is available for reference in this [quickstart template](https://github.com/Azure/azure-quickstart-templates/tree/master/101-azure-bastion-nsg).
0 commit comments