Task 544785: Replace jump server with Azure Bastion in deploy-cli.md

Changes:
- Replaced Jump-SN subnet with AzureBastionSubnet (10.0.3.0/26)
- Removed Srv-Jump VM (Windows Server jump server)
- Changed Srv-Work VM from Windows Server 2016 to Ubuntu 22.04 LTS
- Updated VM authentication to use SSH keys with azure-generated keys
- Added cloud-init configuration to install Nginx on Srv-Work
- Added Azure CLI commands to deploy Azure Bastion (Basic SKU)
- Updated testing section to use Bastion SSH instead of RDP jump server
- Changed PowerShell commands to bash/curl commands for Linux testing
- Updated ms.date to 01/22/2026

Related to parent work item #545010 (Sprint 2 Bastion updates)

Author: asudbring

articles/firewall/deploy-cli.md

@@ -5,7 +5,7 @@ services: firewall
 author: duongau
 ms.service: azure-firewall
 ms.custom: devx-track-azurecli
-ms.date: 10/31/2022
+ms.date: 01/22/2026
 ms.author: duau
 ms.topic: how-to
 #Customer intent: As an administrator new to this service, I want to control outbound network access from resources located in an Azure subnet.
@@ -27,7 +27,7 @@ For this article, you create a simplified single VNet with three subnets for eas
 
 * **AzureFirewallSubnet** - the firewall is in this subnet.
 * **Workload-SN** - the workload server is in this subnet. This subnet's network traffic goes through the firewall.
-* **Jump-SN** - The "jump" server is in this subnet. The jump server has a public IP address that you can connect to using Remote Desktop. From there, you can then connect to (using another Remote Desktop) the workload server.
+* **AzureBastionSubnet** - Azure Bastion is in this subnet, providing secure access to the workload server.
 
 :::image type="content" source="media/tutorial-firewall-rules-portal/Tutorial_network.png" alt-text="Diagram of network infrastructure." lightbox="media/tutorial-firewall-rules-portal/Tutorial_network.png":::
 
@@ -81,32 +81,13 @@ az network vnet subnet create \
   --vnet-name Test-FW-VN   \
   --address-prefix 10.0.2.0/24
 az network vnet subnet create \
-  --name Jump-SN \
+  --name AzureBastionSubnet \
   --resource-group Test-FW-RG \
   --vnet-name Test-FW-VN   \
-  --address-prefix 10.0.3.0/24
+  --address-prefix 10.0.3.0/26
 ```
 
-### Create virtual machines
-
-Now create the jump and workload virtual machines, and place them in the appropriate subnets.
-When prompted, type a password for the virtual machine.
-
-Create the Srv-Jump virtual machine.
-
-```azurecli-interactive
-az vm create \
-    --resource-group Test-FW-RG \
-    --name Srv-Jump \
-    --location eastus \
-    --image win2016datacenter \
-    --vnet-name Test-FW-VN \
-    --subnet Jump-SN \
-    --admin-username azureadmin
-az vm open-port --port 3389 --resource-group Test-FW-RG --name Srv-Jump
-```
-
-
+### Create a virtual machine
 
 Create a NIC for Srv-Work with specific DNS server IP addresses and no public IP address to test with.
 
@@ -120,17 +101,29 @@ az network nic create \
    --dns-servers <replace with External DNS ip #1> <replace with External DNS ip #2>
 ```
 
-Now create the workload virtual machine.
-When prompted, type a password for the virtual machine.
+Now create the workload virtual machine. The following command creates an Ubuntu Server 22.04 LTS VM with SSH key authentication and installs Nginx. When prompted, save the generated private key to a `.pem` file for use when connecting through Azure Bastion.
 
 ```azurecli-interactive
 az vm create \
     --resource-group Test-FW-RG \
     --name Srv-Work \
     --location eastus \
-    --image win2016datacenter \
+    --image Ubuntu2204 \
     --nics Srv-Work-NIC \
-    --admin-username azureadmin
+    --admin-username azureuser \
+    --generate-ssh-keys \
+    --custom-data cloud-init.txt
+```
+
+Create a `cloud-init.txt` file with the following content to install Nginx:
+
+```yaml
+#cloud-config
+package_upgrade: true
+packages:
+  - nginx
+runcmd:
+  - echo '<h1>'$(hostname)'</h1>' | sudo tee /var/www/html/index.html
 ```
 
 [!INCLUDE [ephemeral-ip-note.md](~/reusable-content/ce-skilling/azure/includes/ephemeral-ip-note.md)]
@@ -167,6 +160,28 @@ fwprivaddr="$(az network firewall ip-config list -g Test-FW-RG -f Test-FW01 --qu
 
 Note the private IP address. You'll use it later when you create the default route.
 
+## Deploy Azure Bastion
+
+Deploy Azure Bastion to securely connect to the Srv-Work virtual machine without requiring public IP addresses or a jump server.
+
+```azurecli-interactive
+az network public-ip create \
+    --resource-group Test-FW-RG \
+    --name bastion-pip \
+    --sku Standard \
+    --location eastus
+az network bastion create \
+    --name Test-Bastion \
+    --public-ip-address bastion-pip \
+    --resource-group Test-FW-RG \
+    --vnet-name Test-FW-VN \
+    --location eastus \
+    --sku Basic
+```
+
+> [!NOTE]
+> Azure Bastion deployment can take approximately 10 minutes to complete.
+
 ## Create a default route
 
 Create a route table, with BGP route propagation disabled
@@ -251,28 +266,27 @@ Now, test the firewall to confirm that it works as expected.
    -n Srv-Work
    ```
 
-1. Connect a remote desktop to **Srv-Jump** virtual machine, and sign in. From there, open a remote desktop connection to the **Srv-Work** private IP address and sign in.
+1. In the Azure portal, navigate to the **Srv-Work** virtual machine and select **Connect** > **Connect via Bastion**.
 
-3. On **SRV-Work**, open a PowerShell window and run the following commands:
+1. Provide the username **azureuser** and upload the private key `.pem` file that was generated when you created the VM. Select **Connect** to open an SSH session.
 
-   ```
+1. In the SSH session, run the following commands to test DNS resolution:
+
+   ```bash
    nslookup www.google.com
    nslookup www.microsoft.com
    ```
 
    Both commands should return answers, showing that your DNS queries are getting through the firewall.
 
-1. Run the following commands:
-
-   ```
-   Invoke-WebRequest -Uri https://www.microsoft.com
-   Invoke-WebRequest -Uri https://www.microsoft.com
+1. Run the following commands to test web access:
 
-   Invoke-WebRequest -Uri <Replace with external website>
-   Invoke-WebRequest -Uri <Replace with external website>
+   ```bash
+   curl https://www.microsoft.com
+   curl https://www.google.com
    ```
 
-   The `www.microsoft.com` requests should succeed, and the other `External Website` requests should fail. This demonstrates that your firewall rules are operating as expected.
+   The `www.microsoft.com` request should succeed and return HTML content, while the `www.google.com` request should fail or time out. This demonstrates that your firewall rules are operating as expected.
 
 So now you've verified that the firewall rules are working: