Azure Bastion let you connect via RDP and SSH to any VM in Microsoft Azure using the private IP addresses and avoiding any public exposure.


You can find many blog posts in interne and to install bastion, you can follow these the simple steps in the article below:

Azure Bastion has these main requirements:

  1. You must have a VNet
  2. In the VNet you must have a subnet named AzureBastionSubnet
  3. No route tables or delegations in the Bastion subnet
  4. You must use a subnet of at least /27 CIDR.

The only main restriction I see is the using of a subnet with a specific name because, in a complex and well-organized network scenario, all the address spaces are cataloged and organized, and the creation of a new subnet may require some changes on it.

The using of a new VNet and peering is not an applicable option because the VNet hosting the VM requires a subnet named AzureBastionSubnet anyway.

After some tests, below the applicable options.

New VNet

Of course, this is the more straightforward and the fastest. All articles mention that you create a new VNet with a subnet AzureBastionSubnet and you install your VMs in that VNet + Azure Bastion.

This method is easy, and it is a good option in case of a new VNet, but there is an important aspect to consider here, Azure Bastion requires a /27 subnet, which is an important amount of IP addresses (32).

I don’t really like the idea of using 32 IPs for that, especially because it can be reserved for many other critical scopes, but if you have small, medium company this is very applicable.

Creation of a new subnet in an existing VNet

I don’t like this idea but you can actually do that using this option, and I will explain to you why I don’t like it. You can change the address space of your VNet and add more space in your network, after that you can add the new subnet named AzureBastionSubnet.

As I mentioned before, this is not easily applicable in a well-organized network infrastructure because the addresses spaces have been already assigned to regions and departments and this method will require an important effort for the network team.

If you don’t have this problem, then I would say that maybe you still need to organize your network strategy and I would recommend you to do that asap.

Dedicate an address space to Azure Bastion

This is, in my opinion, the best option for using Azure Bastion.

We dedicate a specific IP schema for Azure Bastion, for example, the 192.168.*.*, and we use these IP schemas for that only.

As you can see below, you can add the new addresses space to you VNet

And you can create the AzureBastionSubnet subnet

This is the best way to use Azure Bastion because you dedicate a specific IP range to that and you touch your network design at all.

Previous articleHACKAZURE – How To – Global scan of all public IP addresses on Azure
Next articleAdvanced Security automation in Microsoft Azure
I have +25 years of hands-on experience in Cloud Technologies and Cybersecurity, supporting and driving global companies to adopt technologies in the most secure and profitable way. My cores expertises are Security and Cloud Governance, and I strongly believe in the conjunction of both to achieve the top result. In my career, I had the opportunity to lead global cloud infrastructures, providing guidance and leadership in Security and Cloud Governance. Security is my first passion, but I have deep experience in many other areas like Cloud Governance and Integration. I define myself as a very versatile person. In my past, I had the opportunity to work in many different areas, supporting different company roles, from technical roles to Sales, Pre-Sales and High Stakeholders. I see myself as a hands-on geek manager. I love to get my hands dirty and also be able to lead and create important things and initiatives. Mt passion for technology is also the reason for my activities in the IT community. I love sharing my experience and motivating people on engaging the technology with the right motivation and passion. I do conferences around the world, sharing my passion. I have been Microsoft MVP since 2006, Certified Ethical Hacker (CEH) and with a Master in Cybersecurity.

LEAVE A REPLY

Please enter your comment!
Please enter your name here