Fix Azure Virtual Network Bastion Errors
When working with Azure Virtual Network, you may encounter a configuration error that prevents your deployment from being secure. This guide explains the most common mistake made with Bastion and shows the exact fix.
A Common Mistake
Exposing VMs to the internet via public IP addresses instead of using Azure Bastion for secure RDP/SSH access.
The incorrect command:
az vm create --name my-vm --resource-group my-rg --vnet-name my-vnet --subnet my-subnet --public-ip-address my-pip --image Ubuntu2204
Result:
VM created with public IP.
Port 22 is exposed to the internet:
nmap -p 22 <public-ip>
22/tcp open ssh
Attackers probe the exposed SSH port, brute-force attempts show up in the auth logs, and management access is not secure.
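The brute-force attempts mentioned above are easy to spot once you look for them. The following is an added example (not code from the article) that parses sshd "Failed password" lines from an Ubuntu-style auth log and reports the source addresses with repeated failures. The log lines are constructed for the example; the host name, addresses and the threshold of three failures are assumptions.

```python
import re
from collections import Counter

# Constructed sample of sshd lines in the format used by /var/log/auth.log
# on Ubuntu. Not captured from a real host; addresses are documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 my-vm sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Mar  3 10:01:13 my-vm sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 41030 ssh2
Mar  3 10:01:15 my-vm sshd[1205]: Failed password for root from 203.0.113.7 port 41044 ssh2
Mar  3 10:01:16 my-vm sshd[1207]: Failed password for root from 203.0.113.7 port 41050 ssh2
Mar  3 10:01:18 my-vm sshd[1209]: Failed password for invalid user oracle from 203.0.113.7 port 41061 ssh2
Mar  3 10:02:40 my-vm sshd[1220]: Failed password for azureuser from 198.51.100.9 port 50112 ssh2
Mar  3 10:02:51 my-vm sshd[1222]: Accepted publickey for azureuser from 198.51.100.9 port 50120 ssh2: ED25519 SHA256:placeholder
Mar  3 10:03:02 my-vm sshd[1230]: Invalid user test from 192.0.2.44 port 33010
Mar  3 10:03:02 my-vm sshd[1230]: Failed password for invalid user test from 192.0.2.44 port 33010 ssh2
Mar  3 10:03:04 my-vm sshd[1232]: Failed password for invalid user test1 from 192.0.2.44 port 33018 ssh2
Mar  3 10:03:06 my-vm sshd[1234]: Failed password for invalid user test2 from 192.0.2.44 port 33022 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_source(log_text):
    """Return (failure count per source IP, set of usernames tried per source IP)."""
    failures = Counter()
    users = {}
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip, user = m.group("ip"), m.group("user")
        failures[ip] += 1
        users.setdefault(ip, set()).add(user)
    return failures, users


def brute_force_sources(log_text, threshold=3):
    """Sources with at least `threshold` failed passwords, most active first.

    Each entry is (ip, failure_count, sorted list of usernames tried)."""
    failures, users = failed_logins_by_source(log_text)
    return [
        (ip, count, sorted(users[ip]))
        for ip, count in failures.most_common()
        if count >= threshold
    ]


if __name__ == "__main__":
    for ip, count, tried in brute_force_sources(SAMPLE_AUTH_LOG):
        print(f"{ip}: {count} failed logins, users tried: {', '.join(tried)}")
```

Run against a real log with `brute_force_sources(open("/var/log/auth.log").read())`. A single failed attempt from the legitimate operator address stays below the threshold; the two scanning sources, each cycling through usernames, are what the report surfaces. On a VM behind Bastion this whole class of noise disappears from the guest logs, because nothing on the internet can reach port 22.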
The Correct Approach
The right way to configure Bastion in Azure Virtual Network. The VNet must already contain a subnet named AzureBastionSubnet (/26 or larger), and the bastion-pip public IP must be a Standard SKU static address. Because the az network bastion ssh command in the last step requires the Standard SKU with native client support (tunneling) enabled, those options are set when the host is created:
az vm create --name my-vm --resource-group my-rg --vnet-name my-vnet --subnet my-subnet --public-ip-address "" --image Ubuntu2204
az network bastion create --name my-bastion --resource-group my-rg --vnet-name my-vnet --public-ip-address bastion-pip --sku Standard --enable-tunneling true
az network bastion ssh --name my-bastion --resource-group my-rg --target-resource-id /subscriptions/sub/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/my-vm --auth-type password --username azureuser
Successful result:
Bastion deployed.
Connecting to my-vm via Bastion...
SSH session established via Azure portal or CLI.
No public IP. No open SSH port. Access is through the Bastion host only. Auth via Azure AD or password.
How to Prevent This
Use Bastion for secure VM access. Bastion provides RDP/SSH through the Azure portal without public IPs and supports Azure AD authentication. Costs: ~$0.70/hour + data transfer. Deploy Bastion in each VNet requiring management access; Bastion also supports peered VNets.
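To keep the fix from regressing, it helps to audit a subscription for the two things this guide cares about: VMs that still carry a public IP, and a VNet whose AzureBastionSubnet is missing or too small. The following is an added example (not code from the article or from Azure) covering both "The Correct Approach" and this section. The embedded JSON is constructed in the shape I assume `az vm list-ip-addresses -o json` and `az network vnet subnet list -o json` emit (field names `virtualMachine`, `network.publicIpAddresses`, `addressPrefix`); the resource names and addresses are assumptions.

```python
import ipaddress
import json
import subprocess

# Constructed sample in the shape of `az vm list-ip-addresses -o json`
# (assumed field names; not captured from a real subscription).
SAMPLE_VM_IPS = json.loads("""
[
  {"virtualMachine": {"name": "my-vm", "resourceGroup": "my-rg",
     "network": {"privateIpAddresses": ["10.0.1.4"],
                 "publicIpAddresses": [{"name": "my-pip", "ipAddress": "203.0.113.10"}]}}},
  {"virtualMachine": {"name": "app-vm", "resourceGroup": "my-rg",
     "network": {"privateIpAddresses": ["10.0.1.5"], "publicIpAddresses": []}}}
]
""")

# Constructed sample in the shape of `az network vnet subnet list -o json`.
# The Bastion subnet here is deliberately a /27, which is too small.
SAMPLE_SUBNETS = json.loads("""
[
  {"name": "my-subnet", "addressPrefix": "10.0.1.0/24"},
  {"name": "AzureBastionSubnet", "addressPrefix": "10.0.255.0/27"}
]
""")


def vms_with_public_ip(vm_ip_list):
    """VMs directly reachable from the internet: (name, [public IPs]) pairs."""
    exposed = []
    for entry in vm_ip_list:
        vm = entry["virtualMachine"]
        pips = [
            p["ipAddress"]
            for p in vm["network"].get("publicIpAddresses", [])
            if p.get("ipAddress")
        ]
        if pips:
            exposed.append((vm["name"], pips))
    return exposed


def bastion_subnet_problems(subnets):
    """Check the Bastion prerequisites: a subnet named exactly AzureBastionSubnet, /26 or larger.

    Returns a list of human-readable problems; an empty list means the VNet is ready."""
    bastion = [s for s in subnets if s.get("name") == "AzureBastionSubnet"]
    if not bastion:
        return ["no subnet named AzureBastionSubnet in the VNet"]
    # Newer CLI output may carry addressPrefixes (a list) instead of addressPrefix.
    prefixes = bastion[0].get("addressPrefixes") or [bastion[0]["addressPrefix"]]
    problems = []
    for prefix in prefixes:
        if ipaddress.ip_network(prefix).prefixlen > 26:
            problems.append(f"AzureBastionSubnet {prefix} is smaller than /26")
    return problems


def audit_live(resource_group, vnet_name):
    """Run the same checks against a real subscription (needs an authenticated az CLI)."""
    vm_ips = json.loads(subprocess.check_output(
        ["az", "vm", "list-ip-addresses", "-g", resource_group, "-o", "json"]))
    subnets = json.loads(subprocess.check_output(
        ["az", "network", "vnet", "subnet", "list", "-g", resource_group,
         "--vnet-name", vnet_name, "-o", "json"]))
    return vms_with_public_ip(vm_ips), bastion_subnet_problems(subnets)


if __name__ == "__main__":
    for name, pips in vms_with_public_ip(SAMPLE_VM_IPS):
        print(f"VM {name} has public IP(s): {', '.join(pips)} (should be reached via Bastion)")
    for problem in bastion_subnet_problems(SAMPLE_SUBNETS):
        print(f"Bastion prerequisite not met: {problem}")
```

On the sample data the audit flags my-vm (the VM created with my-pip in the incorrect command) and reports that the /27 Bastion subnet needs to be widened to at least a /26 before az network bastion create will succeed. `audit_live("my-rg", "my-vnet")` runs the same two checks against a subscription the CLI is logged into.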
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Secure your cloud with DodaTech.