title: Quickstart: Deploy Azure Bastion from the Azure portal
titleSuffix: Azure Bastion
description: Learn how to deploy Azure Bastion from the Azure portal using default settings, custom configuration, or the free Developer SKU.
author: cherylmc
ms.service: azure-bastion
ms.topic: quickstart
ms.date: 01/20/2026
ms.author: cherylmc
ms.custom: references_regions

Quickstart: Deploy Azure Bastion from the Azure portal

In this quickstart, you learn how to deploy Azure Bastion to your virtual network from the Azure portal. You can deploy Bastion with default settings for a quick setup, configure custom settings to specify the SKU and scaling options, or use the free Developer SKU for basic connectivity. After you deploy Bastion, you can use SSH or RDP to connect to virtual machines (VMs) in the virtual network via Bastion by using the private IP addresses of the VMs. The VMs that you connect to don't need a public IP address, client software, an agent, or a special configuration. For more information about Bastion, see What is Azure Bastion?

The steps in this article help you:

  • Deploy Bastion to your virtual network by using the Azure portal.
  • Connect to your VM via the portal by using SSH or RDP connectivity and the VM's private IP address.
  • Remove your VM's public IP address if you don't need it for anything else.

Important

[!INCLUDE Pricing]

Prerequisites

To complete this quickstart, you need these resources:

  • An Azure subscription. If you don't already have one, you can activate your MSDN subscriber benefits or sign up for a free account.

  • A virtual network to which you'll deploy Bastion.

  • A virtual machine in the virtual network. This VM isn't part of the Bastion configuration and doesn't become a bastion host. You connect to this VM later in the exercise. If you don't have a VM, create one by using Quickstart: Create a Windows VM or Quickstart: Create a Linux VM.

  • Required VM roles:

    • Reader role on the virtual machine
    • Reader role on the network adapter (NIC) with the private IP of the virtual machine
  • Required VM inbound ports:

    • For Windows VMs: RDP (3389)
    • For Linux VMs: SSH (22)
  • For Developer SKU only: The VM must be in a region that supports Bastion Developer.

[!INCLUDE DNS private zone]

Deploy Bastion

To deploy Bastion, sign in to the Azure portal and go to your VM or virtual network.

Select the tab for the deployment method you want to use:

  • Default settings: Quick one-click deployment with Standard SKU.
  • Custom settings: Full control over SKU, scaling, availability zones, and other features.
  • Developer SKU (free): No-cost option with basic features for dev/test. Uses shared pool architecture. Limited to select regions.

Note

Dedicated deployments (Default and Custom settings) take approximately 10 minutes to complete. Developer SKU deploys in seconds.

When you deploy Bastion using the Deploy Bastion option, Bastion deploys automatically with the Standard SKU and default settings based on your virtual network. You can configure additional settings or upgrade the SKU after deployment completes.

The following diagram shows the dedicated deployment architecture used by the Default settings options.

:::image type="content" source="./media/create-host/host-architecture.png" alt-text="Diagram that shows the Azure Bastion architecture." lightbox="./media/create-host/host-architecture.png":::

Default values:

To deploy Bastion with default settings:

  1. Go to your virtual network (or VM). In the left pane, select Connect > Bastion.
  2. In the Bastion pane, select Deploy Bastion.
  3. Bastion deploys automatically with default settings. The deployment process takes about 10 minutes to complete.

When you deploy Bastion using the Configure manually option, you can specify the SKU, availability zones, instance count (host scaling), and other settings. For more information about SKUs and features, see Bastion SKU comparison.

The following diagram shows the dedicated deployment architecture used by the Custom settings options.

:::image type="content" source="./media/create-host/host-architecture.png" alt-text="Diagram that shows the Azure Bastion architecture." lightbox="./media/create-host/host-architecture.png":::

To deploy Bastion with custom settings:

  1. Go to your virtual network (or VM). In the left pane, select Connect > Bastion.

  2. In the Bastion pane, select Configure manually.

  3. On the Create a Bastion pane, configure the Instance details:

    | Setting | Value |
    | --- | --- |
    | Name | Specify the name for your Bastion resource. For example, VNet1-bastion. |
    | Region | Select the region where your virtual network resides. |
    | Availability zone | Select the zone(s) from the dropdown, if desired. Only certain regions support availability zones. For more information, see What are availability zones? |
    | Tier | Select the SKU. For information about the features available for each SKU, see Bastion SKU comparison. |
    | Instance count | Configure host scaling in scale unit increments. For more information, see Instances and host scaling and Azure Bastion pricing. |

  4. Configure the Virtual networks settings. Select your virtual network from the dropdown list.

  5. Configure Subnet. If you already have an AzureBastionSubnet, it's automatically selected. If not, create one:

    1. Select Edit subnet.

    2. In the Edit subnet pane, configure the following values, and then select Save:

      | Setting | Value |
      | --- | --- |
      | Subnet purpose | Select Azure Bastion from the dropdown. |
      | IPv4 address range | Enter the IPv4 address range (for example, 10.1.1.0/26). |
      | Starting address | Enter the starting IP address of the subnet (for example, 10.1.1.0). |
      | Size | Select /26 or larger. |

  6. Configure the Public IPv4 address settings:

    • To create a new public IP address, select Create new and enter a name (for example, VNet1-ip).
    • To use an existing public IP address, select Use existing and select your IP address from the dropdown.
  7. Select the Advanced tab to configure additional settings, if desired. For more information about these settings, see Azure Bastion configuration settings.

  8. Select Review + Create, then select Create.
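
The subnet values in step 5 can be checked before you open the portal. The following script is an added example, not part of the original quickstart or any Azure tooling: it validates a planned Bastion subnet against the constraints above (subnet name, starting address, /26 or larger) and also checks that the range sits inside the virtual network and doesn't overlap an existing subnet. The function name `check_bastion_subnet` and the sample address plan are assumptions made for illustration.

```python
import ipaddress

BASTION_SUBNET_NAME = "AzureBastionSubnet"  # subnet name the portal looks for in step 5
MAX_PREFIX_LEN = 26  # "/26 or larger" means a prefix length of 26 or lower


def check_bastion_subnet(vnet_prefixes, existing_subnets, name, cidr):
    """Return a list of problems with a planned Bastion subnet (empty list = OK).

    vnet_prefixes: CIDR strings that make up the virtual network address space.
    existing_subnets: {subnet name: CIDR} for subnets already in the VNet.
    """
    problems = []
    if name != BASTION_SUBNET_NAME:
        problems.append(f"subnet must be named {BASTION_SUBNET_NAME}, got {name!r}")
    try:
        # strict=True rejects a range whose starting address is not the
        # network address, for example 10.1.1.8/26.
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        return problems + [f"invalid IPv4 range {cidr!r}: {exc}"]
    if net.prefixlen > MAX_PREFIX_LEN:
        problems.append(f"{net} is smaller than /{MAX_PREFIX_LEN}")
    if not any(net.subnet_of(ipaddress.IPv4Network(p)) for p in vnet_prefixes):
        problems.append(f"{net} is outside the VNet address space")
    for other_name, other_cidr in existing_subnets.items():
        if other_name == name:
            continue  # re-validating the Bastion subnet that already exists
        if net.overlaps(ipaddress.IPv4Network(other_cidr)):
            problems.append(f"{net} overlaps subnet {other_name} ({other_cidr})")
    return problems


# Constructed sample address plan (not taken from a real environment).
VNET = ["10.1.0.0/16"]
SUBNETS = {"FrontEnd": "10.1.0.0/24"}

if __name__ == "__main__":
    plans = [
        ("AzureBastionSubnet", "10.1.1.0/26"),  # matches the example in step 5
        ("bastion", "10.1.0.64/27"),            # wrong name, too small, overlaps
        ("AzureBastionSubnet", "10.1.1.8/26"),  # starting address has host bits set
    ]
    for name, cidr in plans:
        issues = check_bastion_subnet(VNET, SUBNETS, name, cidr)
        print(f"{name} {cidr}: {'OK' if not issues else '; '.join(issues)}")
```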

Azure Bastion Developer provides secure, browser-based connectivity to a virtual machine at no extra cost. When you connect, Bastion Developer automatically deploys to your virtual network using a shared pool architecture:

:::image type="content" source="./media/quickstart-developer/bastion-shared-pool.png" alt-text="Diagram that shows the Azure Bastion Developer shared pool architecture." lightbox="./media/quickstart-developer/bastion-shared-pool.png":::

[!INCLUDE Bastion developer]

To deploy Bastion Developer:

  1. Confirm that your virtual network is in a region that supports Bastion Developer.
  2. Go to your virtual network. In the left pane, select Connect > Bastion.
  3. In the Bastion pane, select your Authentication Type, enter your credentials, and select Connect.

When you select Connect, Bastion Developer automatically deploys to your virtual network. The connection opens directly in the Azure portal. When you disconnect, the Bastion Developer resource remains deployed for future connections.

For more information about Bastion Developer, including the list of supported regions, see Bastion SKU comparison regional availability.


Remove VM public IP address

[!INCLUDE Remove a public IP address from a VM]

Clean up resources

When you finish using the virtual network and the virtual machines, delete the resource group and all of the resources that it contains:

  1. Enter the name of your resource group in the Search box at the top of the portal, and then select it from the search results.

  2. Select Delete resource group.

  3. Enter your resource group for TYPE THE RESOURCE GROUP NAME, and then select Delete.

Next steps

In this quickstart, you deployed Bastion to your virtual network. Next, you can connect to a virtual machine securely via Bastion, configure more features, and work with VM connections.