Merge pull request #309797 from MicrosoftDocs/main

Auto Publish – main to live - 2025-12-19 23:00 UTC

Author: learn-build-service-prod[bot]

articles/bastion/TOC.yml

@@ -6,6 +6,8 @@
     href: bastion-overview.md
   - name: What's new in Bastion?
     href: whats-new.md
+  - name: Bastion SKU comparison
+    href: bastion-sku-comparison.md
   - name: Cost optimization principles
     href: cost-optimization.md
 - name: Quickstarts & Tutorials
@@ -23,6 +25,8 @@
     href: quickstart-deploy-terraform.md
 - name: Concepts
   items:
+  - name: Bastion configuration settings
+    href: configuration-settings.md
   - name: Work remotely
     items:
     - name: Support for working remotely
@@ -33,8 +37,6 @@
     href: bastion-faq.md
   - name: Design architecture
     href: design-architecture.md
-  - name: Bastion configuration settings
-    href: configuration-settings.md
   - name: VM connections and features
     href: vm-about.md
   - name: Bastion and VNet peering

articles/bastion/bastion-connect-vm-scale-set.md

@@ -25,7 +25,7 @@ This section helps you connect to your virtual machine scale set.
 1. Open the [Azure portal](https://portal.azure.com) and go to **Virtual machine scale sets**. To open the scale sets instances page, click the scale set that contains the instance that you want to connect to.
 1. On the **Scale set instance** page, click the instance that you want to connect to. This opens the page for the instance.
 1. On the instance page, select **Connect** at the top of the page, then choose **Bastion** from the dropdown.
-1. On the **Bastion** page, fill in the required settings. The settings you can select depend on the virtual machine to which you're connecting, and the [Bastion SKU](configuration-settings.md#skus) tier that you're using. For more information about settings and SKUs, see [Bastion configuration settings](configuration-settings.md).
+1. On the **Bastion** page, fill in the required settings. The settings you can select depend on the virtual machine to which you're connecting, and the [Bastion SKU](bastion-sku-comparison.md) tier that you're using. For more information about settings, see [Bastion configuration settings](configuration-settings.md).
 
 1. After filling in the values on the Bastion page, select **Connect** to connect to the instance.
 

articles/bastion/bastion-create-host-powershell.md

@@ -19,7 +19,7 @@ Once you deploy Bastion to your virtual network, you can connect to your VMs via
 
 :::image type="content" source="./media/create-host/host-architecture.png" alt-text="Diagram showing Azure Bastion architecture." lightbox="./media/create-host/host-architecture.png":::
 
-In this article, you create a virtual network (if you don't already have one), deploy Azure Bastion using PowerShell, and connect to a VM. The examples show Bastion deployed using the Standard SKU tier, but you can use a different Bastion SKU, depending on the features you'd like to use. For more information, see [Bastion SKUs](configuration-settings.md#skus).
+In this article, you create a virtual network (if you don't already have one), deploy Azure Bastion using PowerShell, and connect to a VM. The examples show Bastion deployed using the Standard SKU tier, but you can use a different Bastion SKU, depending on the features you'd like to use. For more information, see [Bastion SKUs](bastion-sku-comparison.md).
 
 You can also deploy Bastion by using the following other methods:
 
@@ -116,7 +116,7 @@ This section helps you create a virtual network, subnets, and deploy Azure Basti
    -AllocationMethod Static -Sku Standard
    ```
 
-1. Create a new Azure Bastion resource in the AzureBastionSubnet using the [New-AzBastion](/powershell/module/az.network/new-azbastion) command. The following example uses the **Basic SKU**. However, you can also deploy Bastion using a different SKU by changing the -Sku value. The SKU you select determines the Bastion features and connect to VMs using more connection types. For more information, see [Bastion SKUs](configuration-settings.md#skus).
+1. Create a new Azure Bastion resource in the AzureBastionSubnet using the [New-AzBastion](/powershell/module/az.network/new-azbastion) command. The following example uses the **Basic SKU**. However, you can also deploy Bastion using a different SKU by changing the -Sku value. The SKU you select determines the Bastion features and connect to VMs using more connection types. For more information, see [Bastion SKUs](bastion-sku-comparison.md).
 
    ```azurepowershell-interactive
    New-AzBastion -ResourceGroupName "TestRG1" -Name "VNet1-bastion" `
@@ -145,7 +145,7 @@ The following required roles for your resources.
 
 ## <a name="connect"></a>Connect to a VM
 
-You can use the [Connection steps](#steps) in the following section to connect to your VM. You can also use any of the following articles to connect to a VM. Some connection types require the Bastion [Standard SKU](configuration-settings.md#skus).
+You can use the [Connection steps](#steps) in the following section to connect to your VM. You can also use any of the following articles to connect to a VM. Some connection types require the Bastion [Standard SKU](bastion-sku-comparison.md).
 
 [!INCLUDE [Links to Connect to VM articles](../../includes/bastion-vm-connect-article-list.md)]
 

articles/bastion/bastion-faq.md

@@ -91,15 +91,15 @@ For scenarios that include both Azure Bastion and Azure Firewall/Network Virtual
 
 ### <a name="all-skus"></a> What SKU should I use?
 
-Azure Bastion has multiple SKUs. You should select a SKU based on your connection and feature requirements. For a full list of SKU tiers and supported connections and features, see the [Configuration settings](configuration-settings.md#skus) article.
+Azure Bastion has multiple SKUs. You should select a SKU based on your connection and feature requirements. For a full list of SKU tiers and supported connections and features, see the [SKU Comparison](bastion-sku-comparison.md) article and the [Configuration settings](configuration-settings.md) article.
 
 ### <a name="upgradesku"></a> Can I upgrade a SKU?
 
-Yes. For steps, see [Upgrade a SKU](upgrade-sku.md). For more information about SKUs, see the [Configuration settings](configuration-settings.md#skus) article.
+Yes. For steps, see [Upgrade a SKU](upgrade-sku.md). For more information about SKUs, see the [SKU Comparison](bastion-sku-comparison.md) article.
 
 ### <a name="downgradesku"></a> Can I downgrade a SKU?
 
-No. Downgrading a SKU isn't supported. For more information about SKUs, see the [Configuration settings](configuration-settings.md#skus) article.
+No. Downgrading a SKU isn't supported. For more information about SKUs, see the [SKU Comparison](bastion-sku-comparison.md) article.
 
 ### <a name="virtual-desktop"></a>Does Bastion support connectivity to Azure Virtual Desktop?
 

articles/bastion/bastion-overview.md

@@ -35,7 +35,7 @@ Bastion provides secure RDP and SSH connectivity to all of the VMs in the virtua
 > [!NOTE]
 > Bastion Premium SKU is now generally available, providing graphical session recording and private only deployment capabilities. 
 
-Azure Bastion offers multiple SKU tiers. The following table shows features and corresponding SKUs. For more information about SKUs, see the [Configuration settings](configuration-settings.md#skus) article.
+Azure Bastion offers multiple SKU tiers. The following table shows features and corresponding SKUs. For more information about SKUs, see the [SKU Comparison](bastion-sku-comparison.md) article.
 
 [!INCLUDE [Azure Bastion SKUs](../../includes/bastion-sku.md)]
 

articles/bastion/bastion-sku-comparison.md

@@ -0,0 +1,153 @@
+---
+title: Choose the right Azure Bastion SKU to meet your needs
+description: Learn about the different Azure Bastion SKU tiers and choose the right one for your requirements.
+author: abell
+ms.author: abell
+ms.service: azure-bastion
+ms.topic: concept-article
+ms.date: 11/24/2025
+# Customer intent: As a cloud administrator, I want to compare Azure Bastion SKU tiers and understand their features, so that I can select the appropriate tier for my organization's secure remote access requirements.
+---
+
+# Choose the right Azure Bastion SKU to meet your needs
+
+Azure Bastion offers four SKU tiers: **Developer**, **Basic**, **Standard**, and **Premium**.
+
+For detailed information about all Azure Bastion features and configuration settings, see [About Bastion configuration settings](configuration-settings.md).
+
+## Feature comparison
+
+Compare the features across all four Azure Bastion SKU tiers:
+
+| Category | Feature | Developer | Basic | Standard | Premium |
+| --- | --- | --- | --- | --- | --- |
+| **Deployment & Requirements** | Requires AzureBastionSubnet¹ | No | Yes | Yes | Yes |
+|  | Requires Public IP address¹ | No | Yes | Yes | No² |
+|  | Dedicated bastion host | No³ | Yes | Yes | Yes |
+|  | Availability zones | Yes⁴ | Yes | Yes | Yes |
+|  | Virtual network peering support | No | Yes | Yes | Yes |
+| **VM Connectivity** | Connect to VMs in same virtual network | Yes | Yes | Yes | Yes |
+|  | Connect to VMs in peered virtual networks | No | Yes | Yes | Yes |
+|  | Support for concurrent connections | No | Yes | Yes | Yes |
+|  | Connect to Linux VM using SSH | Yes | Yes | Yes | Yes |
+|  | Connect to Windows VM using RDP | Yes | Yes | Yes | Yes |
+|  | Connect to Linux VM using RDP | No | No | Yes | Yes |
+|  | Connect to Windows VM using SSH | No | No | Yes | Yes |
+| **Authentication & Security** | Access Linux VM Private Keys in Azure Key Vault | Yes | Yes | Yes | Yes |
+|  | Kerberos authentication | Yes | Yes | Yes | Yes |
+|  | Session recording | No | No | No | Yes |
+|  | Private-only deployment (no public IP) | No | No | No | Yes |
+| **Connection Methods & Protocols** | Azure portal based connections | Yes | Yes | Yes | Yes |
+|  | Connect to VMs using Azure CLI (native client) | No | No | Yes | Yes |
+|  | Specify custom inbound port | No | No | Yes | Yes |
+|  | IP-Connect feature | No | No | Yes | Yes |
+|  | Shareable link | No | No | Yes | Yes |
+|  | Upload or download files (native client) | No | No | Yes | Yes |
+| **User Experience** | VM audio output | Yes | Yes | Yes | Yes |
+|  | Copy/paste (web-based clients) | Yes | Yes | Yes | Yes |
+|  | Disable copy/paste (web-based clients) | No | No | Yes | Yes |
+| **Cost** | Hourly charge | Free | Paid | Paid | Paid |
+|  | Outbound data transfer charges | Free | Paid⁶ | Paid⁶ | Paid⁶ |
+
+¹ For dedicated deployments (Basic, Standard, Premium), the AzureBastionSubnet must be /26 or larger (/25, /24, etc.). For more information, see [Azure Bastion subnet](configuration-settings.md#subnet).  
+² Private-only deployment option doesn't require public IP address. For more information, see [Private-only deployment](private-only-deployment.md).  
+³ Bastion Developer uses a shared resource and supports one VM connection at a time.  
+⁴ Developer SKU supports availability zones in select regions. For more information, see [Reliability in Azure Bastion](../reliability/reliability-bastion.md).  
+⁵ At maximum scale (50 instances). For more information, see [Instances and host scaling](configuration-settings.md#instance).  
+⁶ First 5 GB per month is free. For more information, see [Azure Bastion pricing](https://azure.microsoft.com/pricing/details/azure-bastion/).
+
+## Performance and scalability
+
+The following table shows the capacity and scaling characteristics of each SKU tier:
+
+| Metric | Developer | Basic | Standard | Premium |
+|--------|-----------|----------|---------|---------|
+| **Deployment model** | Shared resource | Dedicated host | Dedicated host | Dedicated host |
+| **Host scaling** | No | No | Yes (2-50 instances) | Yes (2-50 instances) |
+| **Instance count** | N/A (shared) | 2 (fixed) | 2-50 (configurable) | 2-50 (configurable) |
+| **Fixed instance count** | 1 VM at a time | 2 instances | Configurable | Configurable |
+| **Concurrent VM connections** | 1 VM at a time | Multiple VMs | Multiple VMs | Multiple VMs |
+| **Max concurrent RDP sessions⁵** | 1 | 40 (2 instances × 20) | 1,000 (50 instances × 20) | 1,000 (50 instances × 20) |
+| **Max concurrent SSH sessions⁵** | 1 | 80 (2 instances × 40) | 2,000 (50 instances × 40) | 2,000 (50 instances × 40) |
+| **Per instance capacity** | N/A | 20 RDP + 40 SSH | 20 RDP + 40 SSH | 20 RDP + 40 SSH |
+
+## Regional availability
+
+Azure Bastion SKU availability varies by region:
+
+- **Developer SKU**: Available in select regions. For the current list of supported regions, see [Connect with Azure Bastion Developer](quickstart-developer.md).
+- **Basic, Standard, Premium SKUs**: Available in all Azure regions where Azure Bastion is supported.
+
+## Decision framework
+
+Select an Azure Bastion SKU based on your requirements.
+
+### Developer SKU
+
+Developer SKU is available for development and test environments at no cost. Choose Developer SKU when:
+
+- You're working in dev/test environments
+- You don't require virtual network peering or concurrent connections
+- You're operating in a [supported region](quickstart-developer.md)
+
+> [!WARNING]
+> Developer SKU isn't suitable for production workloads. It provides access to only one VM at a time and doesn't support virtual network peering.
+
+### Basic SKU
+
+Basic SKU provides dedicated deployment with fixed capacity. Choose Basic SKU when:
+
+- You need dedicated production deployment
+- Fixed capacity of two instances (40 RDP/80 SSH sessions) is sufficient
+- You don't need advanced features (native client, shareable links, IP-based connections, custom ports, file transfer)
+
+### Standard SKU
+
+Standard SKU includes advanced features and configurable scaling. Choose Standard SKU when:
+
+- You need advanced features (native client, shareable links, IP-based connections, custom ports, file transfer)
+- You require host scaling (2-50 instances)
+- You need high concurrency (up to 1,000 RDP or 2,000 SSH sessions at max scale)
+
+### Premium SKU
+
+Premium SKU includes all Standard features plus session recording and private-only deployment. Choose Premium SKU when:
+
+- You require session recording for compliance or audit requirements
+- You need private-only deployment (no public IP address)
+- Compliance requirements mandate session audit trails
+
+> [!TIP]
+> The cost difference between Standard and Premium is marginal. Premium SKU is the recommended choice for production deployments.
+
+## Upgrade considerations
+
+Azure Bastion supports upgrading from lower SKUs to higher SKUs, but downgrading isn't supported.
+
+### Upgrade paths
+
+- **Developer to Basic/Standard/Premium**: Requires creating an AzureBastionSubnet (/26 or larger) and a public IP address (Standard SKU, Static allocation). See [Upgrade from Bastion Developer](upgrade-sku.md#upgrade-from-bastion-developer).
+- **Basic and Higher**: Upgrade through the Azure portal. You can add features at the same time you upgrade. See [Upgrade from Basic or Standard SKU](upgrade-sku.md#upgrade-from-the-basic-or-standard-sku).
+
+> [!IMPORTANT]
+> Upgrades take approximately 10 minutes. Downgrading a SKU isn't supported. You must delete and recreate Azure Bastion. You can add features during the upgrade process.
+
+For step-by-step upgrade instructions, see [View or upgrade a SKU](upgrade-sku.md).
+
+## Pricing model
+
+Azure Bastion pricing combines hourly SKU charges with outbound data transfer costs. Developer SKU is free. For dedicated SKUs (Basic, Standard, Premium), you pay hourly rates plus data transfer charges (first 5 GB/month free).
+
+For detailed pricing information and cost optimization strategies, see [Azure Bastion pricing](https://azure.microsoft.com/pricing/details/azure-bastion/) and [Azure Bastion cost optimization principles](cost-optimization.md).
+
+## Next steps
+
+- [Connect with Azure Bastion Developer](quickstart-developer.md)
+- [Deploy Bastion with default settings (Standard SKU)](quickstart-host-portal.md)
+- [Deploy Bastion using specified settings (Basic SKU or higher)](tutorial-create-host-portal.md)
+- [About Bastion configuration settings](configuration-settings.md)
+- [View or upgrade a SKU](upgrade-sku.md)
+- [Configure host scaling](configure-host-scaling.md)
+- [Configure session recording](session-recording.md)
+- [Deploy private-only Bastion](private-only-deployment.md)
+- [Azure Bastion pricing](https://azure.microsoft.com/pricing/details/azure-bastion/)

articles/bastion/configuration-settings.md

@@ -1,55 +1,19 @@
 ---
-title: 'About Azure Bastion configuration settings'
+title: About Azure Bastion configuration settings
 description: Learn about the available configuration settings for Azure Bastion.
 author: abell
 ms.author: abell
 ms.service: azure-bastion
 ms.topic: concept-article
-ms.date: 03/14/2025
+ms.date: 11/24/2025
 ms.custom: references_regions, ignite-2024
 # Customer intent: "As a cloud administrator, I want to configure Azure Bastion settings, including SKU selection and network requirements, so that I can ensure secure and efficient access to virtual machines within my infrastructure."
 ---
 
-# About Bastion configuration settings
+# About Azure Bastion configuration settings
 
 The sections in this article discuss the resources and settings for Azure Bastion.
 
-## <a name="skus"></a>SKUs
-
-A SKU is also known as a Tier. Azure Bastion supports multiple SKU tiers. When you configure Bastion, you select the SKU tier. You decide the SKU tier based on the features that you want to use. The following table shows the availability of features per corresponding SKU.
-
-[!INCLUDE [Azure Bastion SKUs](../../includes/bastion-sku.md)]
-
-### Bastion Developer
-
-[!INCLUDE [Bastion Developer description](../../includes/bastion-developer-description.md)]
-
-[!INCLUDE [Bastion Developer regions](../../includes/bastion-developer-regions.md)]
-
-> [!NOTE]
-> VNet peering isn't currently supported for Bastion Developer.
-
-### <a name="premium"></a>Premium SKU
-
-The Premium SKU is a new SKU that supports Bastion features such as [Session Recording](session-recording.md) and [Private-Only Bastion](private-only-deployment.md). When you deploy Bastion, we recommend that you select the Premium SKU only if you need the features that it supports.
-
-### Specify SKU
-
-| Method | SKU Value | Links |
-| --- | --- | --- |
-| Azure portal | Tier - Developer | [Quickstart](quickstart-developer-sku.md)|
-| Azure portal | Tier - Standard| [Quickstart](quickstart-host-portal.md) |
-| Azure portal | Tier - Basic or higher | [Tutorial](tutorial-create-host-portal.md) |
-| Azure PowerShell | Tier - Basic or higher |[How-to](bastion-create-host-powershell.md) |
-| Azure CLI | Tier - Basic or higher | [How-to](create-host-cli.md) |
-
-### <a name="upgradesku"></a>Upgrade a SKU
-
-You can always upgrade a SKU to add more features. For more information, see [Upgrade a SKU](upgrade-sku.md).
-
-> [!NOTE]
-> Downgrading a SKU is not supported. To downgrade, you must delete and recreate Azure Bastion.
-
 ## <a name="subnet"></a>Azure Bastion subnet
 
 > [!IMPORTANT]
@@ -74,7 +38,7 @@ You can configure this setting using the following methods:
 
 ## <a name="public-ip"></a>Public IP address
 
-Azure Bastion deployments, except [Bastion Developer](#bastion-developer) and [Private-only](#private-only), require a Public IP address. The Public IP must have the following configuration:
+Azure Bastion deployments, except Bastion Developer and [Private-only](#private-only), require a Public IP address. The Public IP must have the following configuration:
 
 * The Public IP address SKU must be **Standard**.
 * The Public IP address assignment/allocation method must be **Static**.
@@ -147,3 +111,5 @@ When a user without Azure credentials clicks a shareable link, a webpage opens t
 ## Next steps
 
 For frequently asked questions, see the [Azure Bastion FAQ](bastion-faq.md).
+Choose the right Azure Bastion SKU for your needs by reading [Choose the right Azure Bastion SKUs to meet your needs](bastion-sku-comparison.md).
+Review the cost optimization recommendations for Azure Bastion in [Optimize Azure Bastion costs](cost-optimization.md).