Commit 20b2fc8

bastion-nsg: move Target VM subnet before PowerShell script, expand Next steps
1 parent 529fe12 commit 20b2fc8

1 file changed

Lines changed: 12 additions & 9 deletions


articles/bastion/bastion-nsg.md

@@ -68,6 +68,12 @@ Azure Bastion is deployed specifically to ***AzureBastionSubnet***.
6868

6969
:::image type="content" source="./media/bastion-nsg/outbound.png" alt-text="Screenshot shows outbound security rules for Azure Bastion connectivity." lightbox="./media/bastion-nsg/outbound.png":::
7070

71+
### Target VM subnet
72+
73+
This is the subnet that contains the target virtual machine that you want to connect to.
74+
75+
* **Ingress from AzureBastionSubnet (ports 3389, 22):** Open RDP/SSH ports (3389 and 22 respectively, or custom values if you use the custom port feature with Standard or Premium SKU) inbound on the target VM subnet over private IP. Without this rule, Bastion can't reach your VMs even when it's correctly configured. As a best practice, scope the source to the AzureBastionSubnet IP address range so that only Bastion can open these ports -- not the broader internet.
76+
7177
### PowerShell script to create NSG rules
7278
```
7379
# Connect to Azure Account
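Review bot: now that the "### Target VM subnet" section sits directly above "### PowerShell script to create NSG rules", the moved bullet should say whether that script also creates the inbound 3389/22 rule on the target VM subnet or only the AzureBastionSubnet rules; as placed, a reader will assume the script covers both. A one-line pointer at the end of the new bullet would settle it, for example "The script below configures only the AzureBastionSubnet NSG; add this rule to the target VM subnet's NSG separately" (adjusted to whatever the script actually does). Minor: "-- not the broader internet" should use a comma or a proper dash instead of two hyphens, which render literally in Markdown.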
@@ -183,14 +189,11 @@ foreach ($rule in $rules) {
183189
}
184190
```
185191

186-
### Target VM subnet
187-
188-
This is the subnet that contains the target virtual machine that you want to connect to.
189-
190-
* **Ingress from AzureBastionSubnet (ports 3389, 22):** Open RDP/SSH ports (3389 and 22 respectively, or custom values if you use the custom port feature with Standard or Premium SKU) inbound on the target VM subnet over private IP. Without this rule, Bastion can't reach your VMs even when it's correctly configured. As a best practice, scope the source to the AzureBastionSubnet IP address range so that only Bastion can open these ports -- not the broader internet.
191-
192-
193192
## Next steps
194193

195-
* For a broader set of security recommendations for your Bastion deployment, see [Secure your Azure Bastion deployment](secure-bastion.md).
196-
* For more information about Azure Bastion, see the [FAQ](bastion-faq.md).
194+
* [Secure your Azure Bastion deployment](secure-bastion.md) - Apply security hardening recommendations to reduce your Bastion attack surface.
195+
* [Azure Bastion architecture and design](design-architecture.md) - Understand network topology, trust boundaries, and how Bastion fits within your hub-spoke or flat VNet model.
196+
* [Private-only Azure Bastion deployment](private-only-deployment.md) - Remove the public-facing IP entirely for stricter network security posture.
197+
* [Monitor Azure Bastion](monitor-bastion.md) - Enable diagnostic logging and set up alerts to maintain audit visibility for compliance.
198+
* [Azure Bastion with VNet peering](vnet-peering.md) - Understand NSG rule implications when Bastion and target VMs are in different peered virtual networks.
199+
* [Azure Bastion FAQ](bastion-faq.md)
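Review bot: the last item "* [Azure Bastion FAQ](bastion-faq.md)" is the only Next steps entry without the " - description" suffix that the five new items use; either add a short description or drop the suffix style across the list so the bullets read consistently. Also confirm that design-architecture.md, private-only-deployment.md, monitor-bastion.md and vnet-peering.md exist under articles/bastion/, since this hunk introduces those relative links for the first time and a build-time link check will flag any that are missing.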
