Virtual network peering and Azure Bastion
Azure Bastion and Virtual Network peering can be used together. When Virtual Network peering is configured, you don't have to deploy Azure Bastion in each peered VNet (virtual network). This means if you have an Azure Bastion host configured in one virtual network, it can be used to connect to virtual machines (VMs) deployed in a peered virtual network without deploying an additional bastion host. For more information about virtual network peering, see About virtual network peering.
Azure Bastion works with the following types of peering:
- Virtual network peering: Connect virtual networks within the same Azure region.
- Global virtual network peering: Connect virtual networks across Azure regions.
Note
Deploying Azure Bastion within a Virtual WAN hub is not supported. You can deploy Azure Bastion in a spoke VNet and use the IP-based connection feature to connect to virtual machines deployed across a different VNet via the Virtual WAN hub.
Architecture
When virtual network peering is configured, Azure Bastion can be deployed in hub-and-spoke or full-mesh topologies. Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine.
Once you provision the Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your virtual machines in the same virtual network and peered virtual networks. This means you can consolidate Bastion deployment to a single virtual network and still reach virtual machines deployed in a peered virtual network, centralizing the overall deployment.
The diagram shows the architecture of an Azure Bastion deployment in a hub-and-spoke model. In the diagram, you can see the following configuration:
- The bastion host is deployed in the centralized hub virtual network.
- A centralized Network Security Group (NSG) is deployed.
- A public IP isn't required on the Azure VM.
Deployment overview
- Verify that you have configured virtual networks and virtual machines within those virtual networks.
- Configure virtual network peering.
- Configure Bastion in one of the VNets.
- Verify permissions.
- Connect to a virtual machine via Azure Bastion. In order to connect via Azure Bastion, you must have the correct permissions for the subscription you're signed into.
To verify permissions
Verify the following permissions when working with this architecture:
- Ensure you have read access to both the target VM and the peered virtual network.
- Check your permissions in YourSubscription | IAM and verify that you have read access to the following resources:
  - Reader role on the virtual machine.
  - Reader role on the NIC with the private IP of the virtual machine.
  - Reader role on the Azure Bastion resource.
  - Reader role on the virtual networks of the target virtual machines.
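The deployment overview and the permission check above, carried through as one added Azure CLI script. This is an illustrative example written for this page, not Microsoft's own tooling: the resource group, region, VNet, subnet, Bastion, and VM names and the address ranges are constructed placeholders, and the fixed subnet name AzureBastionSubnet, its /26 minimum size, the Standard SKU static public IP, `--enable-tunneling` for native-client SSH, and the `bastion` CLI extension are assumed here from the service's published requirements rather than stated on this page.

```shell
#!/usr/bin/env bash
# Added example (not from the article): hub-and-spoke Bastion over VNet peering with Azure CLI.
# Resource names, region and address ranges below are constructed placeholders.
set -eu

RG="${RG:-rg-bastion-demo}"
LOCATION="${LOCATION:-eastus}"
HUB_VNET="vnet-hub";          HUB_PREFIX="10.0.0.0/16"
BASTION_SUBNET_PREFIX="10.0.1.0/26"        # assumed service requirement: /26 or larger
SPOKE_VNET="vnet-spoke";      SPOKE_PREFIX="10.1.0.0/16"
SPOKE_SUBNET="snet-workload"; SPOKE_SUBNET_PREFIX="10.1.1.0/24"
BASTION_NAME="bas-hub";       BASTION_PIP="pip-bas-hub"
VM_NAME="vm-spoke-01";        VM_USER="azureuser"

# Bastion's subnet must be named exactly AzureBastionSubnet (assumed service requirement).
bastion_subnet_name() { printf 'AzureBastionSubnet'; }

# Succeeds when a CIDR carries a prefix length of /26 or larger; smaller subnets are rejected.
bastion_subnet_ok() {
  bits="${1##*/}"
  [ "$bits" != "$1" ] && [ "$bits" -le 26 ]
}

# Deterministic peering name for one direction, e.g. vnet-hub-to-vnet-spoke.
peering_name() { printf '%s-to-%s' "$1" "$2"; }

deploy() {
  bastion_subnet_ok "$BASTION_SUBNET_PREFIX" || { echo "AzureBastionSubnet needs /26 or larger" >&2; return 1; }
  az group create -n "$RG" -l "$LOCATION" -o none
  # Hub VNet carries the Bastion subnet; spoke VNet carries the workload subnet.
  az network vnet create -g "$RG" -n "$HUB_VNET" --address-prefix "$HUB_PREFIX" \
    --subnet-name "$(bastion_subnet_name)" --subnet-prefix "$BASTION_SUBNET_PREFIX" -o none
  az network vnet create -g "$RG" -n "$SPOKE_VNET" --address-prefix "$SPOKE_PREFIX" \
    --subnet-name "$SPOKE_SUBNET" --subnet-prefix "$SPOKE_SUBNET_PREFIX" -o none
  # Peering is created in both directions; --allow-vnet-access lets Bastion reach spoke VMs.
  az network vnet peering create -g "$RG" -n "$(peering_name "$HUB_VNET" "$SPOKE_VNET")" \
    --vnet-name "$HUB_VNET" --remote-vnet "$SPOKE_VNET" --allow-vnet-access -o none
  az network vnet peering create -g "$RG" -n "$(peering_name "$SPOKE_VNET" "$HUB_VNET")" \
    --vnet-name "$SPOKE_VNET" --remote-vnet "$HUB_VNET" --allow-vnet-access -o none
  # Bastion goes in the hub only; it needs a static Standard SKU public IP. Tunneling enables native-client SSH.
  az network public-ip create -g "$RG" -n "$BASTION_PIP" --sku Standard --allocation-method Static -o none
  az network bastion create -g "$RG" -n "$BASTION_NAME" --vnet-name "$HUB_VNET" \
    --public-ip-address "$BASTION_PIP" -l "$LOCATION" --sku Standard --enable-tunneling true -o none
  # Workload VM in the spoke with no public IP: the peered Bastion is its only RDP/SSH path.
  az vm create -g "$RG" -n "$VM_NAME" --image Ubuntu2204 --admin-username "$VM_USER" \
    --vnet-name "$SPOKE_VNET" --subnet "$SPOKE_SUBNET" --public-ip-address "" --generate-ssh-keys -o none
}

# Lists the roles the signed-in user holds (directly or inherited) on one resource scope.
roles_on() {
  az role assignment list --assignee "$(az ad signed-in-user show --query id -o tsv)" \
    --scope "$1" --include-inherited --query "[].roleDefinitionName" -o tsv
}

# Prints the roles held on the VM, its NIC, the Bastion host and the spoke VNet,
# so you can confirm Reader (or a role that includes it) on each before connecting.
verify_permissions() {
  vm_id="$(az vm show -g "$RG" -n "$VM_NAME" --query id -o tsv)"
  nic_id="$(az vm show -g "$RG" -n "$VM_NAME" --query 'networkProfile.networkInterfaces[0].id' -o tsv)"
  bas_id="$(az network bastion show -g "$RG" -n "$BASTION_NAME" --query id -o tsv)"
  vnet_id="$(az network vnet show -g "$RG" -n "$SPOKE_VNET" --query id -o tsv)"
  for scope in "$vm_id" "$nic_id" "$bas_id" "$vnet_id"; do
    printf '%s: %s\n' "$scope" "$(roles_on "$scope" | tr '\n' ',')"
  done
}

# Connects through the hub Bastion to the spoke VM by resource ID (needs the az 'bastion' extension).
connect_ssh() {
  az network bastion ssh -g "$RG" -n "$BASTION_NAME" \
    --target-resource-id "$(az vm show -g "$RG" -n "$VM_NAME" --query id -o tsv)" \
    --auth-type ssh-key --username "$VM_USER" --ssh-key ~/.ssh/id_rsa
}

# Nothing runs until explicitly requested, so the helpers can be sourced and checked offline.
case "${1:-}" in
  deploy) deploy ;; verify) verify_permissions ;; ssh) connect_ssh ;;
esac
```

Run it as `./bastion-peering.sh deploy`, then `./bastion-peering.sh verify` to print the roles you hold on each of the four resources the article lists, and `./bastion-peering.sh ssh` to open the session. The VM is created without a public IP on purpose: all administrative access goes through the single Bastion host in the hub, which is the point of centralizing the deployment.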
Bastion VNet peering FAQ
For frequently asked questions, see the Bastion virtual network peering FAQ.
Next steps
Read the Bastion FAQ.