Merge pull request #311639 from AbdullahBell/bastion-upgrade-sku-overhaul

JillGrant615 · web-flow · commit 63acef290e98 · 2026-03-10T21:47:54.000-06:00
Improve clarity and reduce redundancy in Bastion upgrade SKU article
diff --git a/articles/bastion/bastion-sku-comparison.md b/articles/bastion/bastion-sku-comparison.md
@@ -128,8 +128,8 @@ Azure Bastion supports upgrading from lower SKUs to higher SKUs, but downgrading
 
 ### Upgrade paths
 
-- **Developer to Basic/Standard/Premium**: Requires creating an AzureBastionSubnet (/26 or larger) and a public IP address (Standard SKU, Static allocation). See [Upgrade from Bastion Developer](upgrade-sku.md#upgrade-from-bastion-developer).
-- **Basic and Higher**: Upgrade through the Azure portal. You can add features at the same time you upgrade. See [Upgrade from Basic or Standard SKU](upgrade-sku.md#upgrade-from-the-basic-or-standard-sku).
+- **Developer to Basic/Standard/Premium**: Requires creating an AzureBastionSubnet (/26 or larger) and a public IP address (Standard SKU, Static allocation). See [Upgrade from Developer SKU](upgrade-sku.md#upgrade-from-developer-sku).
+- **Basic and Higher**: Upgrade through the Azure portal. You can add features at the same time you upgrade. See [Upgrade from Basic or Standard SKU](upgrade-sku.md#upgrade-from-basic-or-standard-sku).
 
 > [!IMPORTANT]
 > Upgrades take approximately 10 minutes. Downgrading a SKU isn't supported. You must delete and recreate Azure Bastion. You can add features during the upgrade process.
diff --git a/articles/bastion/troubleshoot.md b/articles/bastion/troubleshoot.md
@@ -5,7 +5,7 @@ services: bastion
 author: abell
 ms.service: azure-bastion
 ms.topic: troubleshooting
-ms.date: 02/04/2026
+ms.date: 02/10/2026
 ms.author: abell
 # Customer intent: As a network administrator, I want to troubleshoot connectivity issues in Azure Bastion so that I can ensure seamless access to my virtual machines and efficiently manage network security settings.
 ---
@@ -27,6 +27,17 @@ This section describes common deployment and configuration issues and their reso
 |Moving virtual network to another resource group|You want to move your virtual network to a different resource group.|Moving a virtual network with Bastion isn't directly supported. You must first delete Bastion from the virtual network, then move the virtual network to the new resource group. Once the virtual network is in the new resource group, you can deploy Bastion to the virtual network.|
 |Force-tunneling Internet traffic|You're advertising a default route (0.0.0.0/0) over ExpressRoute or VPN.|Force-tunneling with Azure Bastion isn't supported if you're advertising a default route over ExpressRoute or VPN. Azure Bastion needs to communicate with certain internal endpoints. Ensure the host virtual network isn't linked to a private DNS zone with these exact names: management.azure.com, blob.core.windows.NET, core.windows.NET, vaultcore.windows.NET, vault.azure.NET, or azure.com. You can use private DNS zones ending with these names (for example: privatelink.blob.core.windows.NET). Azure Bastion isn't supported with Azure Private DNS Zones in national clouds.|
 
+## SKU upgrade issues
+
+This section describes common issues when upgrading your Azure Bastion SKU and their resolutions. For upgrade instructions, see [View or upgrade an Azure Bastion SKU](upgrade-sku.md).
+
+|Issue  |Description  |Resolution  |
+|---------|---------|---------|
+|Upgrade fails to start|When you try to upgrade your Bastion SKU, the operation fails immediately.|Verify you have Contributor or Owner role on the resource group containing your Bastion host.|
+|Upgrade fails with subnet error|Upgrade from Developer SKU fails with a subnet-related error.|Create a subnet named **AzureBastionSubnet** with a /26 or larger prefix before upgrading. The Developer SKU uses shared infrastructure, while Basic, Standard, and Premium require a dedicated subnet.|
+|Upgrade times out|The upgrade operation takes longer than expected or times out.|The upgrade process typically takes approximately 10 minutes. Wait a few minutes and check the Bastion host status in the portal. If the status shows updating, wait for completion. If the status shows failed, try the upgrade again.|
+|Features not available after upgrade|After upgrading, expected features aren't available.|Features must be explicitly enabled after upgrading. Go to your Bastion host, select **Configuration**, and enable the desired features available for your new SKU tier.|
+
 ## DNS and Private Link issues
 
 This section describes common DNS and Private Link issues and their resolutions.
diff --git a/articles/bastion/upgrade-sku.md b/articles/bastion/upgrade-sku.md
@@ -1,57 +1,211 @@
 ---
-title: Upgrade or view a SKU - portal
+title: View or upgrade an Azure Bastion SKU
 titleSuffix: Azure Bastion
-description: Learn how to view a SKU and upgrade SKU tiers.
+description: Learn how to view your current Azure Bastion SKU and upgrade to a higher tier using the Azure portal or Azure CLI.
 author: abell
 ms.service: azure-bastion
 ms.topic: how-to
-ms.date: 03/31/2025
+ms.date: 02/10/2026
 ms.author: abell
 
 # Customer intent: As an Azure administrator, I want to view and upgrade my Bastion SKU so that I can enhance the features and capabilities of my secure remote access setup.
 ---
 
-# View or upgrade a SKU
+# View or upgrade an Azure Bastion SKU
 
-This article helps you view and upgrade your Bastion SKU. Once you upgrade, you can't revert back to a lower SKU without deleting and reconfiguring Bastion. For more information about features and SKUs, see [Configuration settings](configuration-settings.md).
+This article helps you view your current Azure Bastion SKU and upgrade to a higher tier. You can upgrade using the Azure portal or Azure CLI.
+
+> [!IMPORTANT]
+> Once you upgrade, you can't revert to a lower SKU without deleting and reconfiguring Azure Bastion. Plan your upgrade carefully and consider starting with the tier that meets your long-term requirements.
+
+To compare SKU features and determine which tier is right for you, see [Choose the right Azure Bastion SKU](bastion-sku-comparison.md).
 
 [!INCLUDE [Pricing](~/reusable-content/ce-skilling/azure/includes/bastion-pricing.md)]
 
-## View a SKU
+## Prerequisites
+
+Before upgrading your Azure Bastion SKU, verify the following requirements:
+
+- **Azure CLI**: If using Azure CLI, install the [bastion extension](/cli/azure/network/bastion). The extension installs automatically the first time you run an `az network bastion` command. Requires Azure CLI version 2.62.0 or higher.
+- **Permissions**: You need Contributor or Owner role on the resource group containing your Bastion host.
+- **Subnet requirements** (Developer SKU upgrade only): A subnet named **AzureBastionSubnet** with a prefix of /26 or larger (/25, /24, etc.) must exist in your virtual network or be created before upgrading.
+- **Public IP** (Developer SKU upgrade only): A Standard SKU public IP address with static allocation is required unless you're deploying Premium SKU with private-only configuration.
+
+## Pre-upgrade considerations
+
+### What happens during an upgrade
 
-To view the SKU for your bastion host, use the following steps.
+- **Duration**: The upgrade process takes approximately 10 minutes to complete.
+- **Active sessions**: Existing connections might be briefly interrupted during the upgrade. Plan the upgrade during a maintenance window when possible.
+
+### Cost implications
+
+Upgrading to a higher SKU increases your hourly costs. Review the [Azure Bastion pricing page](https://azure.microsoft.com/pricing/details/azure-bastion/) to understand the cost difference between tiers before upgrading.
+
+## View your current SKU
+
+# [Portal](#tab/portal)
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
-1. In the Azure portal, go to your bastion host.
-1. In the left pane, select **Configuration** to open the Configuration page. Click through the different Tier options. Notice that the SKU affects the available features you can select for your bastion host.
+1. Go to your Bastion host.
+1. In the left pane, select **Configuration**. Your current SKU is displayed in the **Tier** dropdown. You can also see which features are available for each tier by selecting different options.
+
+# [Azure CLI](#tab/cli)
+
+Run the following command to view your current Bastion SKU:
+
+```azurecli
+az network bastion show --name <bastion-name> --resource-group <resource-group-name> --query sku.name --output tsv
+```
+
+> [!IMPORTANT]
+> When using `az network bastion update`, you must include the `--location` parameter matching the region of your existing Bastion host. If omitted, the CLI may default to a different region, resulting in an `InvalidResourceLocation` error.
+
+---
+
+## Upgrade from Developer SKU
+
+The Developer SKU uses shared infrastructure. When you upgrade to Basic, Standard, or Premium, Azure Bastion switches to dedicated infrastructure, which requires a dedicated subnet and public IP address.
+
+# [Portal](#tab/portal)
+
+1. **Create the AzureBastionSubnet** (if it doesn't exist):
+   1. Go to your virtual network in the Azure portal.
+   1. Select **Subnets** > **+ Subnet**.
+   1. Enter **AzureBastionSubnet** as the name (this exact name is required).
+   1. Enter a subnet address range of /26 or larger.
+   1. Select **Save**.
+
+1. **Upgrade the Bastion host**:
+   1. Go to your Bastion host.
+   1. Select **Configuration** in the left pane.
+   1. For **Tier**, select your target SKU (Basic, Standard, or Premium).
+   1. For **Public IP address**, select an existing Standard SKU public IP or create a new one.
+   1. The **Subnet** field automatically populates with your AzureBastionSubnet.
+   1. (Optional) Enable any additional features you want to configure.
+   1. Select **Apply**.
+
+The upgrade takes approximately 10 minutes to complete.
+
+# [Azure CLI](#tab/cli)
+
+1. **Create the AzureBastionSubnet** (if it doesn't exist):
 
-## Upgrade from Bastion Developer
+   ```azurecli
+   az network vnet subnet create \
+       --resource-group <resource-group-name> \
+       --vnet-name <vnet-name> \
+       --name AzureBastionSubnet \
+       --address-prefixes <subnet-prefix>/26
+   ```
 
-When you upgrade from Bastion Developer to a dedicated deployment SKU, you need to create a public IP address and an Azure Bastion subnet.
+1. **Create a public IP address** (if you don't have one):
 
-Use the following steps to upgrade to a higher SKU.
+   ```azurecli
+   az network public-ip create \
+       --resource-group <resource-group-name> \
+       --name <public-ip-name> \
+       --sku Standard \
+       --allocation-method Static
+   ```
 
-1. In the Azure portal, go to your virtual network and add a new subnet. The subnet must be named **AzureBastionSubnet** and must be /26 or larger (/25, /24 etc.). This subnet will be used exclusively by Azure Bastion.
-1. Next, go to the portal page for your **Bastion** host.
-1. On the **Configuration** page, for **Tier**, select the SKU that you want to upgrade to. Notice that the available features change, depending on the SKU you select.
-1. Create a new public IP address value unless you have already created one for your bastion host, in which case, select the value.
-1. Because you already created the AzureBastionSubnet, the **Subnet** field will automatically populate.
-1. You can add features at the same time you upgrade the SKU. You don't need to upgrade the SKU and then go back to add the features as a separate step.
-1. Select **Apply** to apply changes. The bastion host updates. This procedure takes about 10 minutes to complete.
+1. **Upgrade the Bastion host**:
 
-## Upgrade from the Basic or Standard SKU
+   The `az network bastion update` command can't add the IP configuration required for dedicated infrastructure. Delete the Developer SKU Bastion host and create a new one with the target SKU:
 
-Use the following steps to upgrade to a higher SKU.
+   ```azurecli
+   az network bastion delete \
+       --name <bastion-name> \
+       --resource-group <resource-group-name>
+   ```
 
-1. In the Azure portal, go to your Bastion host.
+   ```azurecli
+   az network bastion create \
+       --name <bastion-name> \
+       --resource-group <resource-group-name> \
+       --vnet-name <vnet-name> \
+       --public-ip-address <public-ip-name> \
+       --sku <Basic|Standard|Premium> \
+       --location <location>
+   ```
 
-1. On the **Configuration** page, for **Tier**, select a higher SKU.
+---
+
+## Upgrade from Basic or Standard SKU
+
+Basic, Standard, and Premium SKUs all use the same dedicated infrastructure, so upgrading between these tiers requires only a configuration change.
+
+# [Portal](#tab/portal)
+
+1. Go to your Bastion host in the Azure portal.
+1. Select **Configuration** in the left pane.
+1. For **Tier**, select the higher SKU you want to upgrade to.
+1. (Optional) Enable any additional features available with the new SKU.
+1. Select **Apply**.
+
+The upgrade takes approximately 10 minutes to complete.
+
+# [Azure CLI](#tab/cli)
+
+Run the following command to upgrade your Bastion SKU:
+
+```azurecli
+az network bastion update \
+    --name <bastion-name> \
+    --resource-group <resource-group-name> \
+    --location <location> \
+    --sku name=<Standard|Premium>
+```
+
+To enable features during the upgrade, add the appropriate parameters. For example, to enable native client support and IP-based connection:
+
+```azurecli
+az network bastion update \
+    --name <bastion-name> \
+    --resource-group <resource-group-name> \
+    --location <location> \
+    --sku name=Standard \
+    --enable-tunneling true \
+    --enable-ip-connect true
+```
+
+---
+
+## Verify the upgrade
+
+After the upgrade completes, verify that your Bastion host is functioning correctly:
+
+# [Portal](#tab/portal)
+
+1. Go to your Bastion host and select **Configuration**.
+1. Verify the **Tier** shows your new SKU.
+1. Check that your desired features are enabled.
+1. Test a connection to a VM to confirm connectivity.
+
+# [Azure CLI](#tab/cli)
+
+1. Verify the SKU was updated:
+
+   ```azurecli
+   az network bastion show \
+       --name <bastion-name> \
+       --resource-group <resource-group-name> \
+       --query "{Name:name, SKU:sku.name, ProvisioningState:provisioningState}" \
+       --output table
+   ```
+
+1. Confirm the provisioning state shows **Succeeded**.
+
+---
 
-1. You can add features at the same time you upgrade the SKU. You don't need to upgrade the SKU and then go back to add the features as a separate step.
+## Troubleshooting
 
-1. Select **Apply** to apply changes. The bastion host updates. This procedure takes about 10 minutes to complete.
+If you encounter issues during or after the upgrade, see [Troubleshoot Azure Bastion](troubleshoot.md#sku-upgrade-issues).
 
 ## Next steps
 
-* See [Configuration settings](configuration-settings.md).
-* Read the [Bastion FAQ](bastion-faq.md).
+- [Choose the right Azure Bastion SKU](bastion-sku-comparison.md)
+- [Configure host scaling](configure-host-scaling.md)
+- [Configure session recording](session-recording.md) (Premium SKU)
+- [Deploy private-only Bastion](private-only-deployment.md) (Premium SKU)
+- [About Bastion configuration settings](configuration-settings.md)
