articles/bastion/connect-ip-address.md
Lines changed: 21 additions & 20 deletions
@@ -13,47 +13,36 @@ ms.author: abell
13
13
14
14
# About Azure Bastion IP-based connection
15
15
16
-
IP-based connection lets you connect to your on-premises, non-Azure, and Azure virtual machines via Azure Bastion using a specified private IP address. Unlike standard Bastion connections that use the Azure Resource Manager resource ID of a target VM, IP-based connections target a VM by its private IP address. This makes it possible to connect to machines that aren't registered as Azure resources, such as on-premises servers or VMs running in other cloud environments.
16
+
IP-based connection lets you connect to your on-premises, non-Azure, and Azure virtual machines via Azure Bastion using a specified private IP address. Unlike standard Bastion connections that use the Azure Resource Manager resource ID of a target virtual machine, IP-based connections target a virtual machine by its private IP address. This makes it possible to connect to machines that aren't registered as Azure resources, such as on-premises servers or VMs running in other cloud environments.
17
17
18
18
IP-based connections work over Azure ExpressRoute private peering or VPN site-to-site connections, extending Azure Bastion's secure connectivity beyond Azure-hosted workloads. For more information about Azure Bastion, see [What is Azure Bastion?](bastion-overview.md)
19
19
20
20
## Architecture
21
21
22
-
The following diagram shows the IP-based connection architecture. Azure Bastion, deployed in its virtual network, connects to a target VM using the VM's private IP address over an ExpressRoute circuit or VPN site-to-site connection. The connection doesn't require the target VM to have a public IP address or to be an Azure resource.
22
+
The following diagram shows the IP-based connection architecture. Azure Bastion, deployed in its virtual network, connects to a target virtual machine using the virtual machine's private IP address over an ExpressRoute circuit or VPN site-to-site connection. The connection doesn't require the target virtual machine to have a public IP address or to be an Azure resource.
23
23
24
24
:::image type="content" source="./media/connect-ip-address/architecture.png" alt-text="Diagram that shows the Azure Bastion IP-based connection architecture." lightbox="./media/connect-ip-address/architecture.png":::
25
25
26
26
When you initiate an IP-based connection:
27
27
28
-
1. You specify the private IP address of the target VM directly on the Bastion **Connect** page, rather than selecting a VM from the Azure portal.
29
-
1. Azure Bastion routes the RDP or SSH traffic through the ExpressRoute or VPN connection to reach the target VM at the specified IP address.
30
-
1. The connection is secured through the Bastion host, so the target VM doesn't need to be exposed to the public internet.
28
+
1. You specify the private IP address of the target virtual machine directly on the Bastion **Connect** page, rather than selecting a virtual machine from the Azure portal.
29
+
1. Azure Bastion routes the RDP or SSH traffic through the ExpressRoute or VPN connection to reach the target virtual machine at the specified IP address.
30
+
1. The connection is secured through the Bastion host, so the target virtual machine doesn't need to be exposed to the public internet.
31
31
32
32
## Supported scenarios
33
33
34
34
IP-based connection supports the following scenarios:
35
35
36
-
***On-premises virtual machines:** Connect to VMs running in your on-premises datacenter through an ExpressRoute private peering or VPN site-to-site connection.
37
-
***Non-Azure virtual machines:**Connect to VMs hosted in other cloud environments that are reachable from the Azure virtual network through ExpressRoute or VPN.
38
-
***Azure virtual machines:** Connect to Azure VMs by specifying a private IP address instead of selecting the VM resource in the portal. This is useful when the target VM is in a peered or connected virtual network.
36
+
***On-premises virtual machines:** Connect to virtual machines running in your on-premises datacenter through an [ExpressRoute private peering](../expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering.md) or [VPN site-to-site connection](../vpn-gateway/add-remove-site-to-site-connections.md).
37
+
***Non-Azure virtual machines:**Connect to virtual machines hosted in other cloud environments that are reachable from the Azure virtual network through ExpressRoute or VPN.
38
+
***Azure virtual machines:** Connect to Azure virtual machines by specifying a private IP address instead of selecting the virtual machine resource in the portal. This is useful when the target virtual machine is in a peered or connected virtual network.
39
39
40
40
## SKU requirements
41
41
42
42
IP-based connection requires the **Standard** SKU tier or higher for Azure Bastion. The Basic and Developer SKUs don't support this feature. You must also enable the **IP-based connection** setting on the Bastion **Configuration** page.
43
43
44
44
For information about SKU capabilities, see [Choose the right Azure Bastion SKU](bastion-sku-comparison.md). To upgrade your Bastion deployment, see [Upgrade a SKU](upgrade-sku.md).
45
45
46
-
## Supported connection methods
47
-
48
-
The following table summarizes the connection methods available with IP-based connection:
49
-
50
-
| Connection method | Protocol | Details |
51
-
|---|---|---|
52
-
| Azure portal (browser) | RDP, SSH | Provides browser-based RDP or SSH sessions from the Bastion **Connect** page by targeting a private IP address. For step-by-step guidance, see [Connect to a Windows VM using RDP](bastion-connect-vm-rdp-windows.md). |
53
-
| Native client (Azure CLI) | RDP | Provides RDP connectivity from a Windows client using `az network bastion rdp` with the `--target-ip-address` parameter. For connection steps, see [Connect from a Windows native client](connect-vm-native-client-windows.md). |
54
-
| Native client (Azure CLI) | SSH | Provides SSH connectivity from Windows or Linux clients using `az network bastion ssh` with the `--target-ip-address` parameter. For connection steps, see [Connect from a Windows native client](connect-vm-native-client-windows.md) or [Connect from a Linux native client](connect-vm-native-client-linux.md). |
55
-
| Native client (Azure CLI) | Tunnel | Creates an IP-based TCP tunnel using `az network bastion tunnel` with the `--target-ip-address` parameter. For configuration steps, see [Configure Bastion native client support](native-client.md). |
56
-
57
46
58
47
### Enable IP-based connection
59
48
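Review bot: The VM-to-virtual-machine expansion is applied unevenly within this hunk: new line 16 is rewritten to say "target virtual machine" twice but still ends with "such as on-premises servers or VMs running in other cloud environments", so the same sentence now mixes both forms. Either expand that occurrence too or leave the abbreviation consistently. While touching new line 37, also fix the missing space carried over from old line 37: `***Non-Azure virtual machines:**Connect` should read `* **Non-Azure virtual machines:** Connect` so the bold marker closes before the text, matching the other two bullets. Finally, the new link on line 36 for "ExpressRoute private peering" points at `designing-for-disaster-recovery-with-expressroute-privatepeering.md`, a disaster-recovery design guide rather than an introduction to private peering; a reader clicking it to learn what private peering is lands on an unrelated topic, so consider a conceptual private peering article instead (the VPN link to the site-to-site how-to is a closer fit).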
@@ -67,13 +56,25 @@ Before you can connect using a private IP address, you must enable IP-based conn
67
56
68
57
1. Select **Apply** to apply the changes. It takes a few minutes for the Bastion configuration to complete.
69
58
59
+
60
+
## Supported connection methods
61
+
62
+
The following table summarizes the connection methods available with IP-based connection:
63
+
64
+
| Connection method | Protocol | Details |
65
+
|---|---|---|
66
+
| Azure portal (browser) | RDP, SSH | Provides browser-based RDP or SSH sessions from the Bastion **Connect** page by targeting a private IP address. For step-by-step guidance, see [Connect to a Windows VM using RDP](bastion-connect-vm-rdp-windows.md). |
67
+
| Native client (Azure CLI) | RDP | Provides RDP connectivity from a Windows client using `az network bastion rdp` with the `--target-ip-address` parameter. For connection steps, see [Connect from a Windows native client](connect-vm-native-client-windows.md). |
68
+
| Native client (Azure CLI) | SSH | Provides SSH connectivity from Windows or Linux clients using `az network bastion ssh` with the `--target-ip-address` parameter. For connection steps, see [Connect from a Windows native client](connect-vm-native-client-windows.md) or [Connect from a Linux native client](connect-vm-native-client-linux.md). |
69
+
| Native client (Azure CLI) | Tunnel | Creates an IP-based TCP tunnel using `az network bastion tunnel` with the `--target-ip-address` parameter. For configuration steps, see [Configure Bastion native client support](native-client.md). |
70
+
70
71
## Limitations
71
72
72
73
***Force tunneling:** IP-based connection doesn't work with force tunneling over VPN, or when a default route is advertised over an ExpressRoute circuit. Azure Bastion requires access to the internet. Force tunneling or default route advertisement results in traffic being dropped.
73
74
74
75
***Microsoft Entra ID authentication:** Microsoft Entra authentication isn't supported for RDP connections via IP address. Microsoft Entra authentication is supported for SSH connections via native client. For more information, see [Microsoft Entra ID authentication](bastion-entra-id-authentication.md).
75
76
76
-
***Custom ports and protocols:** Custom ports and protocols aren't currently supported when connecting to a VM via native client with IP-based connections.
77
+
***Custom ports and protocols:** Custom ports and protocols aren't currently supported when connecting to a virtual machine via native client with IP-based connections.
77
78
78
79
***UDR:** User-defined routes (UDR) aren't supported on the Bastion subnet, including with IP-based connections.
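Review bot: The relocated table keeps the column header "Protocol" while the last row (new line 69) puts "Tunnel" in that column, which is a connection mode, not a protocol; since the table is being moved anyway, either rename the column (for example "Protocol or mode") or make the cell "TCP (tunnel)". Also, new line 59 adds a blank line immediately after the existing blank context line 58, leaving two consecutive blank lines before the new `## Supported connection methods` heading (markdownlint MD012); drop one. The move itself reads well, as the table now follows the Enable IP-based connection steps that a reader must complete before any of these methods work.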