Add Bastion Developer for secure VM access

Co-authored-by: Copilot <[email protected]>

Author: asudbring

articles/application-gateway/tutorial-protect-application-gateway-ddos.md

@@ -5,7 +5,7 @@ description: Learn how to set up an application gateway and protect it with Azur
 services: application-gateway
 author: duongau
 ms.author: duau
-ms.date: 09/20/2023
+ms.date: 07/11/2025
 ms.topic: quickstart
 ms.service: azure-application-gateway
 ms.custom: sfi-image-nochange
@@ -27,6 +27,7 @@ In this tutorial, you learn how to:
 > * Create a DDoS protection plan
 > * Create an application gateway
 > * Associate a DDoS Protection plan to the virtual network
+> * Deploy Azure Bastion
 > * Add VMs to the backend of the application gateway
 > * Test the application gateway
 
@@ -177,6 +178,35 @@ Azure DDoS Network Protection is enabled at the virtual network where the resour
 
 6. Select **Save**.
 
+## Deploy Azure Bastion
+
+Azure Bastion uses your browser to connect to VMs in your virtual network over remote desktop protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration. For more information about Azure Bastion, see [Azure Bastion](/azure/bastion/bastion-overview).
+
+>[!NOTE]
+>[!INCLUDE [Pricing](~/reusable-content/ce-skilling/azure/includes/bastion-pricing.md)]
+
+1. In the search box at the top of the portal, enter **Bastion**. Select **Bastions** in the search results.
+
+1. Select **+ Create**.
+
+1. In the **Basics** tab of **Create a Bastion**, enter, or select the following information:
+
+    | Setting | Value |
+    |---|---|
+    | **Project details** |  |
+    | Subscription | Select your subscription. |
+    | Resource group | Select **myResourceGroupAG**. |
+    | **Instance details** |  |
+    | Name | Enter **myBastionHost**. |
+    | Region | Select **Central US**. |
+    | Tier | Select **Developer**. |
+    | **Configure virtual networks** |  |
+    | Virtual network | Select **myVNet**. |
+
+1. Select **Review + create**.
+
+1. Select **Create**.
+
 ## Add backend targets
 
 In this example, you'll use virtual machines as the target backend. You can either use existing virtual machines or create new ones. You'll create two virtual machines as backend servers for the application gateway.
@@ -201,7 +231,7 @@ To do this, you'll:
     - **Public inbound ports**: None.
 4. Accept the other defaults and then select **Next: Disks**.  
 5. Accept the **Disks** tab defaults and then select **Next: Networking**.
-6. On the **Networking** tab, verify that **myVNet** is selected for the **Virtual network** and the **Subnet** is set to **myBackendSubnet**. Accept the other defaults and then select **Next: Management**.<br>Application Gateway can communicate with instances outside of the virtual network that it is in, but you need to ensure there's IP connectivity.
+6. On the **Networking** tab, verify that **myVNet** is selected for the **Virtual network** and the **Subnet** is set to **myBackendSubnet**. Set **Public IP** to **None**. Accept the other defaults and then select **Next: Management**.<br>Application Gateway can communicate with instances outside of the virtual network that it is in, but you need to ensure there's IP connectivity.
 7. On the **Management** tab, set **Boot diagnostics** to **Disable**. Accept the other defaults and then select **Review + create**.
 8. On the **Review + create** tab, review the settings, correct any validation errors, and then select **Create**.
 9. Wait for the virtual machine creation to complete before continuing.