Skip to content

Fix Azure Virtual Network Bastion Errors

DodaTech Updated 2026-06-26 2 min read

When working with Azure Virtual Network, you may encounter a configuration error that prevents your deployment from working. This guide explains the most common mistake with bastion and shows the exact fix.

A Common Mistake

Exposing VMs to the internet via public IP addresses instead of using Azure Bastion for secure RDP/SSH access.

The incorrect command:

az vm create --name my-vm --resource-group my-rg --vnet-name my-vnet --subnet my-subnet --public-ip-address my-pip --image Ubuntu2204

Error output:

VM created with public IP.
Port 22 is exposed to the internet:
nmap -p 22 <public-ip>
22/tcp open ssh
Attackers probe the SSH port. Brute force attempts appear in auth logs. Management access is not secure.

The Correct Approach

The right way to configure bastion in Azure Virtual Network:

az vm create --name my-vm --resource-group my-rg --vnet-name my-vnet --subnet my-subnet --public-ip-address "" --image Ubuntu2204
az network bastion create --name my-bastion --resource-group my-rg --vnet-name my-vnet --public-ip-address bastion-pip
az network bastion ssh --name my-bastion --resource-group my-rg --target-resource-id /subscriptions/sub/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/my-vm --auth-type password --username azureuser

Successful result:

Bastion deployed.
Connecting to my-vm via Bastion...
SSH session established via Azure portal or CLI.
No public IP. No open SSH port. Access is through the Bastion host only. Auth via Azure AD or password.

How to Prevent This

Use Bastion for secure VM access. Bastion provides RDP/SSH through the Azure portal without public IPs. Bastion supports Azure AD authentication. Costs: ~$0.70/hour + data transfer. Deploy Bastion in each VNet requiring management access. Bastion supports multi-VNet peering.

FAQ

Why does my bastion configuration fail in Azure Virtual Network?

Configuration failures in Azure often stem from missing role assignments, incorrect resource IDs, region availability issues, or ARM template parameter errors. Always use az --help to verify command syntax and parameter names. Check Azure Activity Log for detailed error traces.

How do I debug bastion issues in Azure?

Use az monitor activity-log list to audit operations. For resource issues, use az resource show. For networking, use Network Watcher diagnostics. For role issues, check az role assignment list. Enable diagnostic settings for detailed logging. Use az rest to call Azure REST APIs directly for debugging.

What are the best practices for bastion in Azure?

Use infrastructure-as-code (ARM, Terraform, Bicep) for all configurations. Tag resources for cost tracking and management. Use Azure Policy for governance. Enable diagnostic logs and monitoring. Follow Least Privilege for RBAC. Test in a non-production environment first. Review Azure Advisor recommendations regularly.


Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Secure your cloud with DodaTech.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro