Commit 7620c19

authored
Merge pull request #50701 from lootle1/MR109
Technical Review 1055072: Introduction to Azure Bastion
2 parents 99ba09e + 38f097a commit 7620c19

12 files changed

+200
-201
lines changed
Lines changed: 15 additions & 15 deletions
@@ -1,15 +1,15 @@
1-
### YamlMime:ModuleUnit
2-
uid: learn.intro-to-azure-bastion.1-introduction
3-
title: Introduction
4-
metadata:
5-
unitType: introduction
6-
title: Introduction to Azure Bastion
7-
description: Provide secure and seamless connectivity to your virtual machines directly in the Azure portal
8-
ms.date: 12/05/2023
9-
author: cherylmc
10-
ms.author: cherylmc
11-
ms.topic: unit
12-
durationInMinutes: 4
13-
content: |
14-
[!include[](includes/1-introduction.md)]
15-
1+
### YamlMime:ModuleUnit
2+
uid: learn.intro-to-azure-bastion.1-introduction
3+
title: Introduction
4+
metadata:
5+
unitType: introduction
6+
title: Introduction to Azure Bastion
7+
description: Provide secure and seamless connectivity to your virtual machines directly in the Azure portal
8+
ms.date: 05/29/2025
9+
author: cherylmc
10+
ms.author: cherylmc
11+
ms.topic: unit
12+
durationInMinutes: 4
13+
content: |
14+
[!include[](includes/1-introduction.md)]
15+
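Review bot: all 15 lines are removed and re-added, yet the only visible difference is ms.date on line 8 (12/05/2023 to 05/29/2025). If the rest is a line-ending or trailing-whitespace normalization, either drop it so the hunk touches line 8 only or say so in the commit message; as rendered, a reviewer cannot confirm that uid and the [!include] path are unchanged byte for byte. The other unit files in this commit show the same pattern.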
Lines changed: 15 additions & 15 deletions
@@ -1,15 +1,15 @@
1-
### YamlMime:ModuleUnit
2-
uid: learn.intro-to-azure-bastion.2-what-is-azure-bastion
3-
title: What is Azure Bastion?
4-
metadata:
5-
unitType: learning-content
6-
title: What is Azure Bastion?
7-
description: What is Azure Bastion?
8-
ms.date: 12/05/2023
9-
author: cherylmc
10-
ms.author: cherylmc
11-
ms.topic: unit
12-
durationInMinutes: 5
13-
content: |
14-
[!include[](includes/2-what-is-azure-bastion.md)]
15-
1+
### YamlMime:ModuleUnit
2+
uid: learn.intro-to-azure-bastion.2-what-is-azure-bastion
3+
title: What is Azure Bastion?
4+
metadata:
5+
unitType: learning-content
6+
title: What is Azure Bastion?
7+
description: What is Azure Bastion?
8+
ms.date: 05/29/2025
9+
author: cherylmc
10+
ms.author: cherylmc
11+
ms.topic: unit
12+
durationInMinutes: 5
13+
content: |
14+
[!include[](includes/2-what-is-azure-bastion.md)]
15+
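Review bot: the description on line 7 only repeats the title ("What is Azure Bastion?"), so it tells a reader scanning the module listing nothing new. While ms.date is being bumped, consider a one-sentence summary of the unit, as the introduction unit's description already provides. The how-it-works, when-to-use and summary units carry the same title/description duplication.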
Lines changed: 15 additions & 15 deletions
@@ -1,15 +1,15 @@
1-
### YamlMime:ModuleUnit
2-
uid: learn.intro-to-azure-bastion.3-how-azure-bastion-works
3-
title: How Azure Bastion works
4-
metadata:
5-
unitType: learning-content
6-
title: How Azure Bastion works
7-
description: How Azure Bastion works
8-
ms.date: 12/05/2023
9-
author: cherylmc
10-
ms.author: cherylmc
11-
ms.topic: unit
12-
durationInMinutes: 5
13-
content: |
14-
[!include[](includes/3-how-azure-bastion-works.md)]
15-
1+
### YamlMime:ModuleUnit
2+
uid: learn.intro-to-azure-bastion.3-how-azure-bastion-works
3+
title: How Azure Bastion works
4+
metadata:
5+
unitType: learning-content
6+
title: How Azure Bastion works
7+
description: How Azure Bastion works
8+
ms.date: 05/29/2025
9+
author: cherylmc
10+
ms.author: cherylmc
11+
ms.topic: unit
12+
durationInMinutes: 5
13+
content: |
14+
[!include[](includes/3-how-azure-bastion-works.md)]
15+
Lines changed: 15 additions & 15 deletions
@@ -1,15 +1,15 @@
1-
### YamlMime:ModuleUnit
2-
uid: learn.intro-to-azure-bastion.4-when-to-use-azure-bastion
3-
title: When to use Azure Bastion
4-
metadata:
5-
unitType: learning-content
6-
title: When to use Azure Bastion
7-
description: When to use Azure Bastion
8-
ms.date: 12/05/2023
9-
author: cherylmc
10-
ms.author: cherylmc
11-
ms.topic: unit
12-
durationInMinutes: 5
13-
content: |
14-
[!include[](includes/4-when-to-use-azure-bastion.md)]
15-
1+
### YamlMime:ModuleUnit
2+
uid: learn.intro-to-azure-bastion.4-when-to-use-azure-bastion
3+
title: When to use Azure Bastion
4+
metadata:
5+
unitType: learning-content
6+
title: When to use Azure Bastion
7+
description: When to use Azure Bastion
8+
ms.date: 05/29/2025
9+
author: cherylmc
10+
ms.author: cherylmc
11+
ms.topic: unit
12+
durationInMinutes: 5
13+
content: |
14+
[!include[](includes/4-when-to-use-azure-bastion.md)]
15+
Lines changed: 72 additions & 72 deletions
@@ -1,72 +1,72 @@
1-
### YamlMime:ModuleUnit
2-
uid: learn.intro-to-azure-bastion.5-knowledge-check
3-
title: Module assessment
4-
metadata:
5-
unitType: knowledge_check
6-
title: Module assessment
7-
description: Knowledge check
8-
ms.date: 12/05/2023
9-
author: cherylmc
10-
ms.author: cherylmc
11-
ms.topic: unit
12-
durationInMinutes: 4
13-
content: |
14-
[!include[](includes/5-knowledge-check.md)]
15-
quiz:
16-
questions:
17-
- content: "Which protocols do administrators typically use to remotely manage Azure VMs? Choose the best answer."
18-
choices:
19-
- content: "RDP"
20-
isCorrect: false
21-
explanation: "Incorrect. Although administrators do use RDP, they also use other protocols."
22-
- content: "SSH"
23-
isCorrect: false
24-
explanation: "Incorrect. Although administrators do use SSH, they also use other protocols."
25-
- content: "Both RDP and SSH"
26-
isCorrect: true
27-
explanation: "Correct. Administrators typically use both RDP and SSH to remotely administer Azure VMs."
28-
- content: "When an administrator connects to Azure Bastion to open a remote connection to a hosted VM, which of the following connections occurs?"
29-
choices:
30-
- content: "Azure Bastion opens an RDP/SSH connection to the Azure VM using a private IP on the VM."
31-
isCorrect: true
32-
explanation: "Correct. Azure Bastion uses only private IP connections to the target VMs."
33-
- content: "Azure Bastion opens an HTML5 connection to the Azure VM using a private IP on the VM."
34-
isCorrect: false
35-
explanation: "Incorrect. Azure Bastion uses RDP/SSH connections to the target VM."
36-
- content: "Azure Bastion opens an RDP/SSH connection to the Azure VM using a public IP on the VM."
37-
isCorrect: false
38-
explanation: "Incorrect. Azure Bastion uses only private IPs on the configured virtual network. The VMs don't need a public IP."
39-
- content: "When an administrator plans to deploy Azure Bastion, how and in which virtual network must they deploy it?"
40-
choices:
41-
- content: "They must deploy Azure Bastion in a different virtual network from the one that contains the VMs."
42-
isCorrect: false
43-
explanation: "Incorrect. Azure Bastion must be in the same virtual network as the managed VMs."
44-
- content: "They must deploy Azure Bastion in the same virtual network as the one that contains the VMs, and in the same subnet."
45-
isCorrect: false
46-
explanation: "Incorrect. Although Azure Bastion should be deployed in the same virtual network, it must be in a different subnet."
47-
- content: "They must deploy Azure Bastion in the same virtual network as the one that contains the VMs, and in a different subnet."
48-
isCorrect: true
49-
explanation: "Correct. Azure Bastion must be deployed in the same virtual network (or peered virtual network) as the VMs, but in its own subnet."
50-
- content: "Your boss is concerned that by implementing Azure Bastion, you need to maintain it with patches and updates. Is your boss correct?"
51-
choices:
52-
- content: "No, your boss is wrong. Azure Bastion is a fully managed PaaS service that you don't need to patch or update."
53-
isCorrect: true
54-
explanation: "Correct. Azure Bastion is a fully managed PaaS service that requires no customer patching or updating."
55-
- content: "Yes, your boss is partially correct. You must patch and update Azure Bastion, although not at regular intervals."
56-
isCorrect: false
57-
explanation: "Incorrect. Azure Bastion is a fully managed PaaS service and requires no customer patching or updating."
58-
- content: "Yes, your boss is correct. You must periodically patch and update Azure Bastion."
59-
isCorrect: false
60-
explanation: "Incorrect. Azure Bastion is a fully managed PaaS service and requires no customer patching or updating."
61-
- content: "When you deploy Azure Bastion, which of the following require a public IP?"
62-
choices:
63-
- content: "The Azure Bastion host in each virtual network requires a public IP."
64-
isCorrect: true
65-
explanation: "Correct. Only the Azure Bastion host in each virtual network requires a public IP."
66-
- content: "The Azure Bastion host in each subnet in each virtual network requires a public IP."
67-
isCorrect: false
68-
explanation: "Incorrect. Although Azure Bastion requires a public IP, you don't need to deploy it in each subnet, but rather in each virtual network."
69-
- content: "The VMs you want to connect to require a public IP."
70-
isCorrect: false
71-
explanation: "Incorrect. Your VMs have only private IPs."
72-
1+
### YamlMime:ModuleUnit
2+
uid: learn.intro-to-azure-bastion.5-knowledge-check
3+
title: Module assessment
4+
metadata:
5+
unitType: knowledge_check
6+
title: Module assessment
7+
description: Knowledge check
8+
ms.date: 05/29/2025
9+
author: cherylmc
10+
ms.author: cherylmc
11+
ms.topic: unit
12+
durationInMinutes: 4
13+
content: |
14+
[!include[](includes/5-knowledge-check.md)]
15+
quiz:
16+
questions:
17+
- content: "Which protocols do administrators typically use to remotely manage Azure VMs? Choose the best answer."
18+
choices:
19+
- content: "RDP"
20+
isCorrect: false
21+
explanation: "Incorrect. Although administrators do use RDP, they also use other protocols."
22+
- content: "SSH"
23+
isCorrect: false
24+
explanation: "Incorrect. Although administrators do use SSH, they also use other protocols."
25+
- content: "Both RDP and SSH"
26+
isCorrect: true
27+
explanation: "Correct. Administrators typically use both RDP and SSH to remotely administer Azure VMs."
28+
- content: "When an administrator connects to Azure Bastion to open a remote connection to a hosted VM, which of the following connections occurs?"
29+
choices:
30+
- content: "Azure Bastion opens an RDP/SSH connection to the Azure VM using a private IP on the VM."
31+
isCorrect: true
32+
explanation: "Correct. Azure Bastion uses only private IP connections to the target VMs."
33+
- content: "Azure Bastion opens an HTML5 connection to the Azure VM using a private IP on the VM."
34+
isCorrect: false
35+
explanation: "Incorrect. Azure Bastion uses RDP/SSH connections to the target VM."
36+
- content: "Azure Bastion opens an RDP/SSH connection to the Azure VM using a public IP on the VM."
37+
isCorrect: false
38+
explanation: "Incorrect. Azure Bastion uses only private IPs on the configured virtual network. The VMs don't need a public IP."
39+
- content: "When an administrator plans to deploy Azure Bastion, how and in which virtual network must they deploy it?"
40+
choices:
41+
- content: "They must deploy Azure Bastion in a different virtual network from the one that contains the VMs."
42+
isCorrect: false
43+
explanation: "Incorrect. Azure Bastion must be in the same virtual network as the managed VMs."
44+
- content: "They must deploy Azure Bastion in the same virtual network as the one that contains the VMs and in the same subnet."
45+
isCorrect: false
46+
explanation: "Incorrect. Although Azure Bastion should be deployed in the same virtual network, it must be in a different subnet."
47+
- content: "They must deploy Azure Bastion in the same virtual network as the one that contains the VMs and in a different subnet."
48+
isCorrect: true
49+
explanation: "Correct. Azure Bastion must be deployed in the same virtual network (or peered virtual network) as the VMs but in its own subnet."
50+
- content: "Your boss is concerned that by implementing Azure Bastion, you need to maintain it with patches and updates. Is your boss correct?"
51+
choices:
52+
- content: "No, your boss is wrong. Azure Bastion is a fully managed PaaS service that you don't need to patch or update."
53+
isCorrect: true
54+
explanation: "Correct. Azure Bastion is a fully managed PaaS service that requires no customer patching or updating."
55+
- content: "Yes, your boss is partially correct. You must patch and update Azure Bastion, although not at regular intervals."
56+
isCorrect: false
57+
explanation: "Incorrect. Azure Bastion is a fully managed PaaS service and requires no customer patching or updating."
58+
- content: "Yes, your boss is correct. You must periodically patch and update Azure Bastion."
59+
isCorrect: false
60+
explanation: "Incorrect. Azure Bastion is a fully managed PaaS service and requires no customer patching or updating."
61+
- content: "When you deploy Azure Bastion, which of the following require a public IP?"
62+
choices:
63+
- content: "The Azure Bastion host in each virtual network requires a public IP."
64+
isCorrect: true
65+
explanation: "Correct. Only the Azure Bastion host in each virtual network requires a public IP."
66+
- content: "The Azure Bastion host in each subnet in each virtual network requires a public IP."
67+
isCorrect: false
68+
explanation: "Incorrect. Although Azure Bastion requires a public IP, you don't need to deploy it in each subnet, but rather in each virtual network."
69+
- content: "The VMs you want to connect to require a public IP."
70+
isCorrect: false
71+
explanation: "Incorrect. Your VMs have only private IPs."
72+
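Review bot: the explanation on line 43 ("Azure Bastion must be in the same virtual network as the managed VMs.") is stricter than the correct-answer explanation on line 49, which allows "the same virtual network (or peered virtual network)". Suggest aligning line 43, for example "Azure Bastion must be in the same virtual network as the managed VMs, or in a peered virtual network.", so the two explanations in this question do not contradict each other. The comma removals on lines 44, 47 and 49 read fine.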
Lines changed: 15 additions & 15 deletions
@@ -1,15 +1,15 @@
1-
### YamlMime:ModuleUnit
2-
uid: learn.intro-to-azure-bastion.6-summary
3-
title: Summary
4-
metadata:
5-
unitType: summary
6-
title: Summary
7-
description: Summary
8-
ms.date: 12/05/2023
9-
author: cherylmc
10-
ms.author: cherylmc
11-
ms.topic: unit
12-
durationInMinutes: 3
13-
content: |
14-
[!include[](includes/6-summary.md)]
15-
1+
### YamlMime:ModuleUnit
2+
uid: learn.intro-to-azure-bastion.6-summary
3+
title: Summary
4+
metadata:
5+
unitType: summary
6+
title: Summary
7+
description: Summary
8+
ms.date: 05/29/2025
9+
author: cherylmc
10+
ms.author: cherylmc
11+
ms.topic: unit
12+
durationInMinutes: 3
13+
content: |
14+
[!include[](includes/6-summary.md)]
15+

learn-pr/azure/intro-to-azure-bastion/includes/1-introduction.md

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ Server administrators understand that it's efficient to remotely administer and
66

77
Suppose you have a line-of-business (LOB) app that supports your organization's research department. In the past, this app ran on a couple of Windows Server computers in your head office datacenter. Whenever you needed to administer the app, you connected using Remote Desktop Protocol (RDP) over TCP port **3389**. You also used Secure Shell (SSH), over port **22**, to administer the VMs. Because the app was hosted on a computing resource in a private datacenter, you had some concerns about access from malicious hackers over the internet. However, the app now runs on VMs hosted in Azure.
88

9-
To connect to the VMs, you must now expose a public IP address on each VM for your RDP/SSH connections. However, potential protocol vulnerabilities make this type of connection undesirable. As a solution, you could use a jump box VM to act as an intermediary between your management console and the target VMs. Or, you could consider implementing Azure Bastion.
9+
To connect to the VMs, you must now expose a public IP address on each VM for your RDP/SSH connections. However, potential protocol vulnerabilities make this type of connection undesirable. As a solution, you could use a jump box VM to act as an intermediary between your management console and the target VMs. Alternatively, you could consider implementing Azure Bastion.
1010

1111
:::image type="content" source="../media/remote-admin.png" alt-text="A remote administrator connecting with RDP or SSH through the internet to Azure VMs. The VMs are accessible through a public IP address using port 3389 or port 22.":::
1212

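Review bot: line 9 says "you must now expose a public IP address on each VM", which reads as a hard requirement, while the next two sentences present a jump box and Azure Bastion as ways to avoid exactly that. Suggest "To connect to the VMs directly, you would need to expose a public IP address on each VM" so the sentence sets up the problem rather than stating it as mandatory. In the context on line 7, the on-premises hosts are called "Windows Server computers" and then "the VMs" two sentences later; one term would be clearer.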
learn-pr/azure/intro-to-azure-bastion/includes/2-what-is-azure-bastion.md

Lines changed: 3 additions & 3 deletions
@@ -4,7 +4,7 @@ It's vital to be able to securely administer and manage remote hosted VMs. To be
44

55
Secure remote management is the ability to connect to a remote resource without exposing that resource to security risks. This type of connection can sometimes be challenging, especially if the resource is being accessed across the internet.
66

7-
When administrators connect to remote VMs, they typically use either RDP or SSH to achieve their administrative goals. The problem is, to connect to a hosted VM, you must connect to its public IP address. However, exposing the IP ports used by RDP and SSH (**3389** and **22**) to the internet is highly undesirable, because it presents significant security risks.
7+
When administrators connect to remote VMs, they typically use either RDP or SSH to achieve their administrative goals. The problem is that to connect to a hosted VM, you must connect to its public IP address. However, exposing the IP ports used by RDP and SSH (**3389** and **22**) to the internet is highly undesirable because it presents significant security risks.
88

99
## Azure Bastion definition
1010

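Review bot: line 7 still says "the IP ports used by RDP and SSH"; ports belong to the transport layer, and the introduction unit already writes "TCP port 3389". Since this sentence is being edited anyway, suggest "the TCP ports used by RDP and SSH (3389 and 22)".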
@@ -25,15 +25,15 @@ The following table describes the features that are available after you deploy A
2525
|No hassle of managing Network Security Groups (NSGs)| You don't need to apply any NSGs to the Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. This removes the hassle of managing NSGs each time you need to securely connect to your virtual machines.|
2626
|No need to manage a separate bastion host on a VM |Azure Bastion is a fully managed platform PaaS service from Azure that is hardened internally to provide you secure RDP/SSH connectivity.|
2727
|Protection against port scanning|Your VMs are protected against port scanning by rogue and malicious users because you don't need to expose the VMs to the internet.|
28-
|Hardening in one place only|Azure Bastion sits at the perimeter of your virtual network, so you dont need to worry about hardening each of the VMs in your virtual network.|
28+
|Hardening in one place only|Azure Bastion sits at the perimeter of your virtual network, so you don't need to worry about hardening each of the VMs in your virtual network.|
2929
|Protection against zero-day exploits |The Azure platform protects against zero-day exploits by keeping the Azure Bastion hardened and always up to date for you.|
3030

3131
## How to avoid exposing remote management ports
3232

3333
By implementing Azure Bastion, you can manage the Azure VMs within a configured Azure virtual network by using either RDP or SSH, without needing to expose those management ports to the public internet. By using Azure Bastion, you can:
3434

3535
- Connect easily to your Azure VMs. Connect your RDP and SSH sessions directly in the Azure portal.
36-
- Avoid exposing management ports to the internet. Sign in to your Azure VMs and avoid public internet exposure by using SSH and RDP with private IP addresses only.
36+
- Avoid exposing management ports to the internet. Sign in to your Azure VMs, and avoid public internet exposure by using SSH and RDP with private IP addresses only.
3737
- Avoid extensive reconfiguration of your existing network infrastructure. Integrate and traverse existing firewalls and security perimeters by using a modern HTML5-based web client over TLS on port **443**.
3838
- Simplify sign in. Use your SSH keys for authentication when signing in to your Azure VMs.
3939

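Review bot: line 28 gets its apostrophe fixed, but the sentence still overstates what the service provides: "you don't need to worry about hardening each of the VMs in your virtual network". Azure Bastion removes the need to expose RDP/SSH on a public IP; the VMs remain reachable from inside the virtual network and still need patching and host hardening. Suggest wording along the lines of "so you don't need to expose and harden an internet-facing RDP/SSH endpoint on each VM". Line 26's "fully managed platform PaaS service" is also redundant, since PaaS already contains "platform".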
learn-pr/azure/intro-to-azure-bastion/includes/3-how-azure-bastion-works.md

Lines changed: 1 addition & 1 deletion
@@ -16,7 +16,7 @@ The following diagram depicts the architecture of a typical Azure Bastion deploy
1616
:::image type="content" source="../media/bastion-architecture.png" alt-text="The architecture of Azure Bastion, as described in the preceding text.":::
1717

1818
> [!NOTE]
19-
> The protected VMs and the Azure Bastion host are connected to the same virtual network, although in different subnets.
19+
> The protected VMs and the Azure Bastion host are connected to the same virtual network, although in different subnets.
2020
2121
The typical connection process in Azure Bastion is as follows:
2222

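Review bot: the note on line 19 says the VMs and the Azure Bastion host are "connected to the same virtual network", while the note in 4-when-to-use-azure-bastion.md and the knowledge-check explanation both add "(or peered virtual network)"; consider aligning the wording here. The removed and added versions of line 19 are identical as rendered, so the change appears to be whitespace only, which is worth confirming as intended.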
learn-pr/azure/intro-to-azure-bastion/includes/4-when-to-use-azure-bastion.md

Lines changed: 0 additions & 1 deletion
@@ -34,7 +34,6 @@ To determine whether a jump box or Azure Bastion is the better option to remotel
3434
| **Ease of management** | Azure Bastion is a fully managed PaaS service. It's not a VM like a jump box, which requires regular updates. You don't need a client or agent to use Azure Bastion, nor do you need to apply patches and updates to it. You also don't need to install or maintain any other software on management consoles.|
3535
| **Integration** | You can integrate Azure Bastion with other native security services in Azure, such as Azure Firewall. Jump servers don't have this option. |
3636

37-
3837
> [!NOTE]
3938
> You deploy Azure Bastion per virtual network (or peered virtual network) rather than per subscription, account, or VM.
4039

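Review bot: the Integration row says "Jump servers don't have this option" while the hunk header and the Ease of management row say "jump box"; pick one term for the whole table. The statement is also absolute without saying which integration a jump box VM lacks, so consider naming the specific capability or softening it. The blank-line removal itself is fine, since one blank line still separates the table from the note.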