bastion-connect-vm-linux-rdp.md

title	Connect to a Linux VM using RDP
titleSuffix	Azure Bastion
description	Learn how to use Azure Bastion to connect to a Linux VM using RDP via the Azure portal or a specified IP address.
author	cherylmc
ms.service	azure-bastion
ms.topic	how-to
ms.date	03/12/2026
ms.author	cherylmc
ms.custom	linux-related-content

Create an RDP connection to a Linux VM using Azure Bastion

This article describes how to create a secure RDP connection to your Linux virtual machines using Azure Bastion. You can connect through the Azure portal (browser-based) or via a specified IP address. When you use Azure Bastion, your virtual machines don't require a client, agent, or additional software (other than xrdp on the Linux VM). Azure Bastion securely connects to all virtual machines in the virtual network without exposing RDP/SSH ports to the public internet. For more information, see What is Azure Bastion?

To connect to a Linux virtual machine using SSH, see Create an SSH connection to a Linux VM. For native client connections using Azure CLI (SSH and tunnel), see Connect to a VM using a native client.

The following diagram shows the dedicated deployment architecture using an RDP connection.

:::image type="content" source="./media/connect-vm-rdp-windows/host-architecture-rdp.png" alt-text="Diagram that shows the Azure Bastion architecture." lightbox="./media/connect-vm-rdp-windows/host-architecture-rdp.png":::

Prerequisites

Before you begin, verify that you meet the following criteria:

• An Azure Bastion host deployed in the virtual network where the virtual machine is located, or in a peered virtual network. To set up a Bastion host, see Create a bastion host. The SKU you need depends on your connection method:

  Connection method	Minimum SKU	Additional configuration
  Azure portal (browser)	Standard	None
  Azure portal with custom ports	Standard	None
  IP-based connection	Standard	IP-based connection enabled

• xrdp required: To use RDP with a Linux VM, you must have xrdp installed and configured on the Linux VM. To learn how to do this, see Use xrdp with Linux.

• Azure Bastion uses RDP port 3389 by default. Custom ports require the Standard SKU or higher. To upgrade, see Upgrade a SKU.

• A Linux virtual machine in the virtual network (or reachable from the virtual network for IP-based connections).

• Required roles:

  • Reader role on the virtual machine.
  • Reader role on the NIC with the private IP of the virtual machine.
  • Reader role on the Azure Bastion resource.
  • Reader role on the virtual network of the target virtual machine (if the Bastion deployment is in a peered virtual network).

• Ports: You must have the following ports open on your VM:

  • Inbound port: RDP (3389) or
  • Inbound port: Custom value (you then need to specify this custom port when you connect to the VM via Azure Bastion).

See the Azure Bastion FAQ for additional requirements.

Authentication methods

The following authentication method is available for RDP connections to Linux VMs through Azure Bastion.

Authentication method	Supported connection methods	Minimum SKU
Username and password	Azure portal, IP address (portal)	Standard

Note

Microsoft Entra ID and Kerberos authentication aren't supported for RDP connections to Linux VMs.

Connect to a virtual machine using RDP

Select a connection method to see the corresponding steps.

Azure portal

Use the Azure portal to create a browser-based RDP connection to your Linux virtual machine. This method connects directly through your browser. No native RDP client or additional software is required on your local computer. The Standard SKU or higher is required.

1. In the Azure portal, go to the virtual machine that you want to connect to. On the Overview page, select Connect, then select Bastion from the dropdown to open the Bastion page.

2. On the Bastion page, expand the Connection Settings section and select RDP. If you plan to use an inbound port different from the standard RDP port (3389), enter the Port.

3. Enter the Username and Password, and then select Connect. The RDP connection to this virtual machine via Bastion opens directly in the browser (over HTML5) using port 443 and the Bastion service.

Note

For troubleshooting tips, see Troubleshooting.

IP address (portal)

Use the Azure portal to create a browser-based RDP connection to your Linux virtual machine using a specified IP address. This method connects through your browser and doesn't require a native RDP client or additional software on your local computer. The Standard SKU or higher is required, and you must enable IP-based connection.

Enable IP-based connection

Before you can connect using an IP address, you must enable IP-based connection on your Bastion deployment.

1. In the Azure portal, go to your Bastion deployment.

2. On the Configuration page, for Tier, verify the SKU is set to the Standard SKU or higher. If the SKU is set to the Basic SKU, select a higher SKU from the dropdown.

3. Select IP based connection.

4. Select Apply to apply the changes. It takes a few minutes for the Bastion configuration to complete.

5. You specify the IP address of the target virtual machine directly on the Bastion Connect page, rather than selecting a virtual machine from the Azure portal.

Connect using an IP address

1. To connect to a virtual machine using a specified IP address, make the connection from Bastion, not directly from the virtual machine page. On your Bastion resource, select Connect to open the Connect page.

2. On the Bastion Connect page, for IP address, enter the IP address of the target virtual machine.

   :::image type="content" source="./media/connect-ip-address/ip-address.png" alt-text="Screenshot of the Connect using Azure Bastion page." lightbox="./media/connect-ip-address/ip-address.png":::

3. Adjust your connection settings to the desired Protocol (RDP) and Port.

4. Enter your credentials in Username and Password.

5. Select Connect to connect to your virtual machine.

---

Limitations

• xrdp requirement: RDP to a Linux VM requires xrdp to be installed and configured on the target VM. Without xrdp, an RDP connection can't be established.
• Authentication: Only username and password authentication is supported for RDP connections to Linux VMs. Microsoft Entra ID and Kerberos authentication aren't supported.
• Native client: The az network bastion rdp command isn't supported for Linux VMs. To connect to a Linux VM using a native client, use az network bastion ssh or az network bastion tunnel instead. For more information, see Connect to a VM using Bastion and the Windows native client or Connect to a VM using Bastion and a Linux native client.
• IP-based connections: IP-based connection doesn't work with force tunneling over VPN, or when a default route is advertised over an ExpressRoute circuit. Azure Bastion requires access to the Internet and force tunneling, or the default route advertisement, results in traffic blackholing.
• IP-based connections: UDR isn't supported on the Bastion subnet, including with IP-based connections.

Next steps

• Connect to a Linux VM using SSH
• What is Azure Bastion?
• Connect to a VM using Bastion and a Windows native client
• Connect to a VM using Bastion and a Linux native client
• Transfer files to your virtual machine using a native client.
• Configure a shareable link for users without Azure portal access.
• Azure Bastion FAQ