docs: Replace Bastion deployment with NSG note and remove public IP

asudbring · asudbring · commit ec6051ff8c57 · 2026-02-26T20:36:30.000-06:00
diff --git a/articles/application-gateway/tutorial-protect-application-gateway-ddos.md b/articles/application-gateway/tutorial-protect-application-gateway-ddos.md
@@ -5,7 +5,7 @@ description: Learn how to set up an application gateway and protect it with Azur
 services: application-gateway
 author: duongau
 ms.author: duau
-ms.date: 07/11/2025
+ms.date: 02/26/2026
 ms.topic: quickstart
 ms.service: azure-application-gateway
 ms.custom: sfi-image-nochange
@@ -27,7 +27,6 @@ In this tutorial, you learn how to:
 > * Create a DDoS protection plan
 > * Create an application gateway
 > * Associate a DDoS Protection plan to the virtual network
-> * Deploy Azure Bastion
 > * Add VMs to the backend of the application gateway
 > * Test the application gateway
 
@@ -178,35 +177,6 @@ Azure DDoS Network Protection is enabled at the virtual network where the resour
 
 6. Select **Save**.
 
-## Deploy Azure Bastion
-
-Azure Bastion uses your browser to connect to VMs in your virtual network over remote desktop protocol (RDP) by using their private IP addresses. The VMs don't need public IP addresses, client software, or special configuration. For more information about Azure Bastion, see [Azure Bastion](/azure/bastion/bastion-overview).
-
->[!NOTE]
->[!INCLUDE [Pricing](~/reusable-content/ce-skilling/azure/includes/bastion-pricing.md)]
-
-1. In the search box at the top of the portal, enter **Bastion**. Select **Bastions** in the search results.
-
-1. Select **+ Create**.
-
-1. In the **Basics** tab of **Create a Bastion**, enter, or select the following information:
-
-    | Setting | Value |
-    |---|---|
-    | **Project details** |  |
-    | Subscription | Select your subscription. |
-    | Resource group | Select **myResourceGroupAG**. |
-    | **Instance details** |  |
-    | Name | Enter **myBastionHost**. |
-    | Region | Select **Central US**. |
-    | Tier | Select **Developer**. |
-    | **Configure virtual networks** |  |
-    | Virtual network | Select **myVNet**. |
-
-1. Select **Review + create**.
-
-1. Select **Create**.
-
 ## Add backend targets
 
 In this example, you'll use virtual machines as the target backend. You can either use existing virtual machines or create new ones. You'll create two virtual machines as backend servers for the application gateway.
@@ -229,6 +199,10 @@ To do this, you'll:
     - **Username**: Type a name for the administrator user name.
     - **Password**: Type a password.
     - **Public inbound ports**: None.
+
+> [!NOTE]
+> The default rules of the network security group block all inbound access from the internet, including RDP. To connect to the virtual machine, use Azure Bastion. For more information, see [Quickstart: Deploy Azure Bastion with default settings](../bastion/quickstart-host-portal.md).
+
 4. Accept the other defaults and then select **Next: Disks**.  
 5. Accept the **Disks** tab defaults and then select **Next: Networking**.
 6. On the **Networking** tab, verify that **myVNet** is selected for the **Virtual network** and the **Subnet** is set to **myBackendSubnet**. Set **Public IP** to **None**. Accept the other defaults and then select **Next: Management**.<br>Application Gateway can communicate with instances outside of the virtual network that it is in, but you need to ensure there's IP connectivity.
