Version: 1.0.0

Task 05: Azure Bastion

Runbook Azure

DOCUMENT CATEGORY: Runbook
SCOPE: Azure Bastion deployment
PURPOSE: Provide secure remote access to management VMs
MASTER REFERENCE: Microsoft Learn - Azure Bastion

Status: Active

Overview

This task deploys Azure Bastion into the AzureBastionSubnet created in Task 01. Bastion provides secure, browser-based RDP and SSH access to management VMs without requiring public IP addresses on target resources.

Task Classification

Execution Target: Azure-Only (control-plane API operation)
Tab Profile: 3 tabs — Azure Portal · Azure CLI / PowerShell · Standalone Script

Terraform Reference

Module: azurelocal-toolkit
File: bastion.tf
Mode: Management

Components Created

| Resource | Name Pattern | Purpose |
|----------|--------------|---------|
| Public IP | pip-bastion-{env}-{region}-01 | Bastion public IP |
| Azure Bastion | bas-azrl-{env}-{region}-01 | Secure RDP/SSH proxy |

Bastion Configuration

| Setting | Value | Source |
|---------|-------|--------|
| SKU | Standard | azure_infrastructure.bastion.sku |
| Subnet | AzureBastionSubnet | network.azure_vnets.management.subnets.bastion.name |
| Features | File transfer, shareable links | Standard SKU features |

Prerequisites

  • Task 01: Virtual Network completed — AzureBastionSubnet exists with /26 or larger
  • Task 06: NSG — Bastion NSG applied (can be done concurrently)
  • No existing Bastion deployment in same VNet

Variables from variables.yml

| Variable | Config Path | Example (IIC) |
|----------|-------------|---------------|
| Subscription ID | azure.subscriptions.<name>.id | (per environment) |
| Resource Group | azure_infrastructure.bastion.resource_group | rg-azrlmgmt-azl-eus-01 |
| Bastion Name | azure_infrastructure.bastion.name | bas-azrl-azl-eus-01 |
| Public IP Name | azure_infrastructure.bastion.public_ip | pip-bastion-azl-eus-01 |
| SKU | azure_infrastructure.bastion.sku | Standard |
| Bastion Subnet | network.azure_vnets.management.subnets.bastion.name | AzureBastionSubnet |

Single Subscription Model

Landing Zone Placement

| Field | Value | Config Path |
|-------|-------|-------------|
| Subscription | Customer subscription | azure.subscriptions.<name>.id |
| Resource Group | rg-azrlmgmt-{env}-{region}-01 | azure_infrastructure.bastion.resource_group |
| Bastion Name | bas-azrl-{env}-{region}-01 | azure_infrastructure.bastion.name |
| Public IP Name | pip-bastion-{env}-{region}-01 | azure_infrastructure.bastion.public_ip |

Execution Options

Azure Portal

When to use: Learning Azure Local, single deployment, prefer visual interface

Procedure

  1. Create Public IP:
     • Search for Public IP addresses → + Create

     | Field | Value | Source |
     |-------|-------|--------|
     | Name | pip-bastion-{env}-{region}-01 | azure_infrastructure.bastion.public_ip |
     | SKU | Standard | Required for Bastion |
     | Assignment | Static | Required for Bastion |
     | Availability Zone | Zone-redundant | Best practice |

  2. Create Azure Bastion:
     • Search for Bastions → + Create

     | Field | Value | Source |
     |-------|-------|--------|
     | Name | bas-azrl-{env}-{region}-01 | azure_infrastructure.bastion.name |
     | Region | Your region | azure.region |
     | Tier | Standard | azure_infrastructure.bastion.sku |
     | Virtual network | Management VNet | network.azure_vnets.management.name |
     | Subnet | AzureBastionSubnet (auto-selected) | network.azure_vnets.management.subnets.bastion.name |
     | Public IP | Select PIP from Step 1 | azure_infrastructure.bastion.public_ip |

  3. Review + create: Verify → Click Create → Wait for deployment (~5 minutes)
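The two Portal steps above are control-plane operations whose inputs come from variables.yml, and the prerequisites (subnet named AzureBastionSubnet, /26 or larger, Standard SKU for file transfer) are exactly what the Troubleshooting table later attributes failures to. The following Python is an added example, not the toolkit's bastion.tf or any script under scripts/deploy/: it preflights the config values against those requirements and renders the equivalent az CLI calls. The config dict is constructed; the VNet name, the `address_prefix` key and the `azure.region` value are assumptions.

```python
import ipaddress

BASTION_SUBNET_NAME = "AzureBastionSubnet"
MAX_BASTION_PREFIX = 26  # /26 or larger, per the Prerequisites section

# Constructed sample mirroring the variables.yml paths used in this task.
# The VNet name, the address_prefix key and azure.region value are assumptions.
CONFIG = {
    "azure": {"region": "eastus"},
    "azure_infrastructure": {"bastion": {
        "resource_group": "rg-azrlmgmt-azl-eus-01",
        "name": "bas-azrl-azl-eus-01",
        "public_ip": "pip-bastion-azl-eus-01",
        "sku": "Standard"}},
    "network": {"azure_vnets": {"management": {
        "name": "vnet-azrl-mgmt-azl-eus-01",
        "subnets": {"bastion": {"name": "AzureBastionSubnet",
                                "address_prefix": "10.0.2.0/26"}}}}},
}


def preflight(config):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    bastion = config["azure_infrastructure"]["bastion"]
    subnet = config["network"]["azure_vnets"]["management"]["subnets"]["bastion"]
    if subnet["name"] != BASTION_SUBNET_NAME:
        findings.append(f"subnet must be named {BASTION_SUBNET_NAME}, got {subnet['name']!r}")
    net = ipaddress.ip_network(subnet["address_prefix"], strict=True)
    if net.prefixlen > MAX_BASTION_PREFIX:  # longer prefix means a smaller subnet
        findings.append(f"{net} is too small; /{MAX_BASTION_PREFIX} or larger is required")
    if bastion["sku"] != "Standard":
        findings.append(f"SKU {bastion['sku']!r} lacks file transfer and shareable links; use Standard")
    for key, prefix in (("public_ip", "pip-bastion-"), ("name", "bas-azrl-")):
        if not bastion[key].startswith(prefix):
            findings.append(f"{key} {bastion[key]!r} does not follow {prefix}{{env}}-{{region}}-01")
    return findings


def az_commands(config):
    """az CLI equivalent of the two Portal steps (assumed mapping, not the toolkit's scripts)."""
    b = config["azure_infrastructure"]["bastion"]
    vnet = config["network"]["azure_vnets"]["management"]["name"]
    region = config["azure"]["region"]
    return [
        f"az network public-ip create -g {b['resource_group']} -n {b['public_ip']} -l {region} "
        "--sku Standard --allocation-method Static --zone 1 2 3",
        f"az network bastion create -g {b['resource_group']} -n {b['name']} -l {region} "
        f"--vnet-name {vnet} --public-ip-address {b['public_ip']} --sku Standard",
    ]
```

Run `preflight(CONFIG)` before executing the rendered commands; a non-empty list reproduces the "deployment fails" and "file transfer unavailable" rows of the Troubleshooting table before any resource is created.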

Validation

  • Bastion provisioning state: Succeeded
  • Public IP assigned
  • Can connect to VM via Bastion from Azure Portal

Validation

  • Azure Bastion provisioning state: Succeeded
  • Public IP assigned and DNS name generated
  • Can connect to a management VM via Portal → Connect → Bastion
  • File transfer works (Standard SKU)

CAF/WAF Landing Zone Model

In the CAF/WAF model, Azure Bastion is deployed in the Connectivity subscription within the Hub VNet, or optionally in the Management subscription if a spoke Bastion is required.

Landing Zone Placement

| Field | Value | Config Path |
|-------|-------|-------------|
| Subscription | Connectivity subscription | azure.subscriptions.connectivity.id |
| Resource Group | rg-azrlconn-{env}-{region}-01 | azure_infrastructure.bastion.resource_group |
| Bastion Name | bas-azrl-{env}-{region}-01 | azure_infrastructure.bastion.name |
| VNet | Hub VNet | network.azure_vnets.management.name |

Execution Options

Azure Portal

Follow the same procedure as Single Subscription → Azure Portal, targeting the Connectivity subscription and Hub VNet.

Validation

  • Bastion in Connectivity subscription
  • Can reach spoke VMs via VNet peering

Validation

  • Bastion deployed in Connectivity subscription
  • Bastion can reach spoke VMs through peered VNets

Troubleshooting

| Issue | Root Cause | Remediation |
|-------|------------|-------------|
| Bastion deployment fails | AzureBastionSubnet too small | Ensure /26 or larger |
| Cannot connect to VM | NSG blocking Bastion traffic | Apply Bastion NSG rules (Task 06) |
| Bastion DNS not resolving | Propagation delay | Wait 5 minutes and retry |
| File transfer unavailable | Basic SKU deployed | Upgrade to Standard SKU |
| Session disconnects frequently | Network instability | Check Bastion subnet NSG rules |


Alternatives

The procedures in this task use the scripted methods shown in the tabs above. Additional deployment methods including Azure CLI and Bash scripts are available in the azurelocal-toolkit repository under scripts/deploy/.

| Method | Description |
|--------|-------------|
| Azure CLI | PowerShell-based Azure CLI scripts for Azure resource operations |
| Bash | Linux/macOS compatible shell scripts for pipeline environments |

Version Control

  • Created: 2025-09-15 by Hybrid Cloud Solutions
  • Last Updated: 2026-03-03 by Hybrid Cloud Solutions
  • Version: 4.0.0
  • Tags: azure-local, bastion, remote-access, security
  • Keywords: Azure Bastion, RDP, SSH, browser access, jump host, secure access
  • Author: Hybrid Cloud Solutions

Version Control

| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0.0 | 2025-03-25 | Azure Local Cloud | Initial release |