title | description | services | author | ms.service | ms.topic | ms.date | ms.author | ms.custom |
---|---|---|---|---|---|---|---|---|
include file | include file | bastion | cherylmc | bastion | include | 11/05/2020 | cherylmc | include file |
[!INCLUDE Azure Bastion region availability]
No. When you connect to a VM using Azure Bastion, you don't need a public IP on the Azure virtual machine that you are connecting to. The Bastion service will open the RDP/SSH session/connection to your virtual machine over the private IP of your virtual machine, within your virtual network.
At this time, IPv6 is not supported. Azure Bastion supports IPv4 only.
No. You don't need an RDP or SSH client to access your Azure virtual machine over RDP/SSH in the Azure portal. Use the Azure portal to get RDP/SSH access to your virtual machine directly in the browser.
No. You don't need to install an agent or any software on your browser or your Azure virtual machine. The Bastion service is agentless and doesn't require any additional software for RDP/SSH.
Both RDP and SSH are usage-based protocols. High usage of sessions will cause the bastion host to support a lower total number of sessions. The numbers below assume normal day-to-day workflows.
[!INCLUDE limits]
At this time, only text copy/paste is supported. Features such as file copy are not supported. Feel free to share your feedback about new features on the Azure Bastion Feedback page.
This feature doesn't work with AADJ VM extension-joined machines using Azure AD users. For more information, see Windows Azure VMs and Azure AD.
Use the Microsoft Edge browser or Google Chrome on Windows. For Apple Mac, use the Google Chrome browser. Microsoft Edge Chromium is also supported on both Windows and Mac.
Azure Bastion doesn't move or store customer data out of the region it is deployed in.
In order to make a connection, the following roles are required:
- Reader role on the virtual machine
- Reader role on the NIC with private IP of the virtual machine
- Reader role on the Azure Bastion resource
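
The following is an added example, not part of the original article: a check that a principal holds Reader on all three scopes listed above, including Reader inherited from a resource group or subscription. It reads records shaped like `az role assignment list` output; the subscription ID, resource names, principal IDs and function names are constructed for illustration, and management-group assignments are not resolved.

```python
REQUIRED_ROLE = "Reader"

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed ID
RG_APP = SUB + "/resourceGroups/rg-app"
RG_HUB = SUB + "/resourceGroups/rg-hub"

# The three resources from the list above (all names are constructed).
REQUIRED = {
    "vm": RG_APP + "/providers/Microsoft.Compute/virtualMachines/vm1",
    "nic": RG_APP + "/providers/Microsoft.Network/networkInterfaces/vm1-nic",
    "bastion": RG_HUB + "/providers/Microsoft.Network/bastionHosts/bastion-hub",
}

# Constructed records using field names from `az role assignment list` output.
ASSIGNMENTS = [
    {"principalId": "user-a", "roleDefinitionName": "Reader", "scope": RG_APP},
    {"principalId": "user-b", "roleDefinitionName": "Reader",
     "scope": REQUIRED["vm"].upper()},
    {"principalId": "user-b", "roleDefinitionName": "Reader",
     "scope": REQUIRED["bastion"]},
    {"principalId": "user-b", "roleDefinitionName": "Reader",
     "scope": SUB + "/resourceGroups/rg-ap"},
    {"principalId": "user-c", "roleDefinitionName": "Reader", "scope": SUB},
]


def covers(assignment_scope, resource_id):
    """True if a role assigned at assignment_scope is inherited by resource_id."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    # Resource IDs are case-insensitive. Match only on a path-segment boundary
    # so that .../rg-ap does not cover resources in .../rg-app.
    return r == a or r.startswith(a + "/")


def missing_reader_scopes(assignments, principal_id, required):
    """Return the names of required resources where principal_id lacks Reader."""
    held = [a["scope"] for a in assignments
            if a["principalId"] == principal_id
            and a["roleDefinitionName"] == REQUIRED_ROLE]
    return [name for name, rid in required.items()
            if not any(covers(scope, rid) for scope in held)]


if __name__ == "__main__":
    for user in ("user-a", "user-b", "user-c"):
        print(user, "missing Reader on:", missing_reader_scopes(ASSIGNMENTS, user, REQUIRED))
```

In this sample, Reader on the VM's resource group does not reach a Bastion host deployed in a different resource group, so `user-a` still lacks one of the three required scopes.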
For more information, see the pricing page.
No, access to Windows Server VMs by Azure Bastion does not require an RDS CAL when used solely for administrative purposes.
Azure Bastion currently supports the en-us-qwerty keyboard layout inside the VM. Support for other keyboard layout locales is a work in progress.
No. UDR is not supported on an Azure Bastion subnet.
For scenarios that include both Azure Bastion and Azure Firewall/Network Virtual Appliance (NVA) in the same virtual network, you don’t need to force traffic from an Azure Bastion subnet to Azure Firewall because the communication between Azure Bastion and your VMs is private. For more information, see Accessing VMs behind Azure Firewall with Bastion.
A session should be initiated only from the Azure portal. Sign in to the Azure portal and begin your session again. If you go to the URL directly from another browser session or tab, this error is expected. It helps ensure that your session is more secure and that the session can be accessed only through the Azure portal.
Review any error messages and raise a support request in the Azure portal as needed. Deployment failures may result from Azure subscription limits, quotas, and constraints. Specifically, customers may encounter a limit on the number of public IP addresses allowed per subscription that causes the Azure Bastion deployment to fail.
Azure Bastion is deployed within VNets or peered VNets, and is associated with an Azure region. You are responsible for deploying Azure Bastion to a Disaster Recovery (DR) site VNet. In the event of an Azure region failure, perform a failover operation for your VMs to the DR region. Then, use the Azure Bastion host that's deployed in the DR region to connect to the VMs that are now deployed there.