Microsoft.Network bastionHosts 2023-09-01

Bicep resource definition

The bastionHosts resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/bastionHosts resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/bastionHosts@2023-09-01' = {
  location: 'string'
  name: 'string'
  properties: {
    disableCopyPaste: bool
    dnsName: 'string'
    enableFileCopy: bool
    enableIpConnect: bool
    enableKerberos: bool
    enableShareableLink: bool
    enableTunneling: bool
    ipConfigurations: [
      {
        id: 'string'
        name: 'string'
        properties: {
          privateIPAllocationMethod: 'string'
          publicIPAddress: {
            id: 'string'
          }
          subnet: {
            id: 'string'
          }
        }
      }
    ]
    networkAcls: {
      ipRules: [
        {
          addressPrefix: 'string'
        }
      ]
    }
    scaleUnits: int
    virtualNetwork: {
      id: 'string'
    }
  }
  sku: {
    name: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
  zones: [
    'string'
  ]
}

Property values

BastionHostIPConfiguration

Name Description Value
id Resource ID. string
name Name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Represents the ip configuration associated with the resource. BastionHostIPConfigurationPropertiesFormat

BastionHostIPConfigurationPropertiesFormat

Name Description Value
privateIPAllocationMethod Private IP allocation method. 'Dynamic'
'Static'
publicIPAddress Reference of the PublicIP resource. SubResource (required)
subnet Reference of the subnet resource. SubResource (required)

BastionHostPropertiesFormat

Name Description Value
disableCopyPaste Enable/Disable Copy/Paste feature of the Bastion Host resource. bool
dnsName FQDN for the endpoint on which bastion host is accessible. string
enableFileCopy Enable/Disable File Copy feature of the Bastion Host resource. bool
enableIpConnect Enable/Disable IP Connect feature of the Bastion Host resource. bool
enableKerberos Enable/Disable Kerberos feature of the Bastion Host resource. bool
enableShareableLink Enable/Disable Shareable Link of the Bastion Host resource. bool
enableTunneling Enable/Disable Tunneling feature of the Bastion Host resource. bool
ipConfigurations IP configuration of the Bastion Host resource. BastionHostIPConfiguration[]
networkAcls BastionHostPropertiesFormatNetworkAcls
scaleUnits The scale units for the Bastion Host resource. int

Constraints:
Min value = 2
Max value = 50
virtualNetwork Reference to an existing virtual network required for Developer Bastion Host only. SubResource

BastionHostPropertiesFormatNetworkAcls

Name Description Value
ipRules Sets the IP ACL rules for Developer Bastion Host. IPRule[]

IPRule

Name Description Value
addressPrefix Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. string

Microsoft.Network/bastionHosts

Name Description Value
location Resource location. string
name The resource name string (required)
properties Represents the bastion host resource. BastionHostPropertiesFormat
sku The sku of this Bastion Host. Sku
tags Resource tags Dictionary of tag names and values. See Tags in templates
zones A list of availability zones denoting where the resource needs to come from. string[]

ResourceTags

Name Description Value

Sku

Name Description Value
name The name of this Bastion Host. 'Basic'
'Developer'
'Standard'

SubResource

Name Description Value
id Resource ID. string

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
AKS Cluster with a NAT Gateway and an Application Gateway This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Azure Bastion as a Service This template provisions Azure Bastion in a Virtual Network
Azure Bastion as a Service with NSG This template provisions Azure Bastion in a Virtual Network
Azure Machine Learning end-to-end secure setup This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Azure Machine Learning end-to-end secure setup (legacy) This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Create a cross-region load balancer This template creates a cross-region load balancer with a backend pool containing two regional load balancers. Cross-region load balancer is currently available in limited regions. The regional load balancers behind the cross-region load balancer can be in any region.
Create a Private AKS Cluster This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine.
Create a standard internal load balancer This template creates a standard internal Azure Load Balancer with a rule load-balancing port 80
Create a standard load-balancer This template creates an Internet-facing load-balancer, load balancing rules, and three VMs for the backend pool with each VM in a redundant zone.
Deploy a Bastion host in a hub Virtual Network This template creates two vNets with peerings, a Bastion host in the Hub vNet and a Linux VM in the spoke vNet
Deploy Secure Azure AI Studio with a managed virtual network This template creates a secure Azure AI Studio environment with robust network and identity security restrictions.
Public Load Balancer chained to a Gateway Load Balancer This template allows you to deploy a Public Standard Load Balancer chained to a Gateway Load Balancer. The traffic incoming from internet is routed to the Gateway Load Balancer with linux VMs (NVAs) in the backend pool.
SharePoint Subscription / 2019 / 2016 fully configured Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...).
Testing environment for Azure Firewall Premium This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering.

ARM template resource definition

The bastionHosts resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/bastionHosts resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/bastionHosts",
  "apiVersion": "2023-09-01",
  "name": "string",
  "location": "string",
  "properties": {
    "disableCopyPaste": "bool",
    "dnsName": "string",
    "enableFileCopy": "bool",
    "enableIpConnect": "bool",
    "enableKerberos": "bool",
    "enableShareableLink": "bool",
    "enableTunneling": "bool",
    "ipConfigurations": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "privateIPAllocationMethod": "string",
          "publicIPAddress": {
            "id": "string"
          },
          "subnet": {
            "id": "string"
          }
        }
      }
    ],
    "networkAcls": {
      "ipRules": [
        {
          "addressPrefix": "string"
        }
      ]
    },
    "scaleUnits": "int",
    "virtualNetwork": {
      "id": "string"
    }
  },
  "sku": {
    "name": "string"
  },
  "tags": {
    "{customized property}": "string"
  },
  "zones": [ "string" ]
}

Property values

BastionHostIPConfiguration

Name Description Value
id Resource ID. string
name Name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Represents the ip configuration associated with the resource. BastionHostIPConfigurationPropertiesFormat

BastionHostIPConfigurationPropertiesFormat

Name Description Value
privateIPAllocationMethod Private IP allocation method. 'Dynamic'
'Static'
publicIPAddress Reference of the PublicIP resource. SubResource (required)
subnet Reference of the subnet resource. SubResource (required)

BastionHostPropertiesFormat

Name Description Value
disableCopyPaste Enable/Disable Copy/Paste feature of the Bastion Host resource. bool
dnsName FQDN for the endpoint on which bastion host is accessible. string
enableFileCopy Enable/Disable File Copy feature of the Bastion Host resource. bool
enableIpConnect Enable/Disable IP Connect feature of the Bastion Host resource. bool
enableKerberos Enable/Disable Kerberos feature of the Bastion Host resource. bool
enableShareableLink Enable/Disable Shareable Link of the Bastion Host resource. bool
enableTunneling Enable/Disable Tunneling feature of the Bastion Host resource. bool
ipConfigurations IP configuration of the Bastion Host resource. BastionHostIPConfiguration[]
networkAcls BastionHostPropertiesFormatNetworkAcls
scaleUnits The scale units for the Bastion Host resource. int

Constraints:
Min value = 2
Max value = 50
virtualNetwork Reference to an existing virtual network required for Developer Bastion Host only. SubResource

BastionHostPropertiesFormatNetworkAcls

Name Description Value
ipRules Sets the IP ACL rules for Developer Bastion Host. IPRule[]

IPRule

Name Description Value
addressPrefix Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. string

Microsoft.Network/bastionHosts

Name Description Value
apiVersion The api version '2023-09-01'
location Resource location. string
name The resource name string (required)
properties Represents the bastion host resource. BastionHostPropertiesFormat
sku The sku of this Bastion Host. Sku
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.Network/bastionHosts'
zones A list of availability zones denoting where the resource needs to come from. string[]

ResourceTags

Name Description Value

Sku

Name Description Value
name The name of this Bastion Host. 'Basic'
'Developer'
'Standard'

SubResource

Name Description Value
id Resource ID. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
AKS Cluster with a NAT Gateway and an Application Gateway

Deploy to Azure
This sample shows how to a deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections.
AKS cluster with the Application Gateway Ingress Controller

Deploy to Azure
This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault
Azure Bastion as a Service

Deploy to Azure
This template provisions Azure Bastion in a Virtual Network
Azure Bastion as a Service with NSG

Deploy to Azure
This template provisions Azure Bastion in a Virtual Network
Azure Machine Learning end-to-end secure setup

Deploy to Azure
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Azure Machine Learning end-to-end secure setup (legacy)

Deploy to Azure
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster.
Create a cross-region load balancer

Deploy to Azure
This template creates a cross-region load balancer with a backend pool containing two regional load balancers. Cross-region load balancer is currently available in limited regions. The regional load balancers behind the cross-region load balancer can be in any region.
Create a Private AKS Cluster

Deploy to Azure
This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine.
Create a Private AKS Cluster with a Public DNS Zone

Deploy to Azure
This sample shows how to a deploy a private AKS cluster with a Public DNS Zone.
Create a standard internal load balancer

Deploy to Azure
This template creates a standard internal Azure Load Balancer with a rule load-balancing port 80
Create a standard load-balancer

Deploy to Azure
This template creates an Internet-facing load-balancer, load balancing rules, and three VMs for the backend pool with each VM in a redundant zone.
Deploy a Bastion host in a hub Virtual Network

Deploy to Azure
This template creates two vNets with peerings, a Bastion host in the Hub vNet and a Linux VM in the spoke vNet
Deploy Darktrace Autoscaling vSensors

Deploy to Azure
This template allows you to deploy an automatically autoscaling deployment of Darktrace vSensors
Deploy Secure Azure AI Studio with a managed virtual network

Deploy to Azure
This template creates a secure Azure AI Studio environment with robust network and identity security restrictions.
Example Parameterized Deployment With Linked Templates

Deploy to Azure
This sample template will deploy multiple tiers of resources into an Azure Resource Group. Each tier has configurable elements, to show how you can expose parameterization to the end user.
Public Load Balancer chained to a Gateway Load Balancer

Deploy to Azure
This template allows you to deploy a Public Standard Load Balancer chained to a Gateway Load Balancer. The traffic incoming from internet is routed to the Gateway Load Balancer with linux VMs (NVAs) in the backend pool.
SharePoint Subscription / 2019 / 2016 fully configured

Deploy to Azure
Create a DC, a SQL Server 2022, and from 1 to 5 server(s) hosting a SharePoint Subscription / 2019 / 2016 farm with an extensive configuration, including trusted authentication, user profiles with personal sites, an OAuth trust (using a certificate), a dedicated IIS site for hosting high-trust add-ins, etc... The latest version of key softwares (including Fiddler, vscode, np++, 7zip, ULS Viewer) is installed. SharePoint machines have additional fine-tuning to make them immediately usable (remote administration tools, custom policies for Edge and Chrome, shortcuts, etc...).
Standard Load Balancer with Backend Pool by IP Addresses

Deploy to Azure
This template is used to demonstrate how ARM Templates can be used to configure the Backend Pool of a Load Balancer by IP Address as outlined in the Backend Pool management document.
Testing environment for Azure Firewall Premium

Deploy to Azure
This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology

Deploy to Azure
This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering.

Terraform (AzAPI provider) resource definition

The bastionHosts resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/bastionHosts resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/bastionHosts@2023-09-01"
  name = "string"
  location = "string"
  body = jsonencode({
    properties = {
      disableCopyPaste = bool
      dnsName = "string"
      enableFileCopy = bool
      enableIpConnect = bool
      enableKerberos = bool
      enableShareableLink = bool
      enableTunneling = bool
      ipConfigurations = [
        {
          id = "string"
          name = "string"
          properties = {
            privateIPAllocationMethod = "string"
            publicIPAddress = {
              id = "string"
            }
            subnet = {
              id = "string"
            }
          }
        }
      ]
      networkAcls = {
        ipRules = [
          {
            addressPrefix = "string"
          }
        ]
      }
      scaleUnits = int
      virtualNetwork = {
        id = "string"
      }
    }
  })
  sku = {
    name = "string"
  }
  tags = {
    {customized property} = "string"
  }
  zones = [
    "string"
  ]
}

Property values

BastionHostIPConfiguration

Name Description Value
id Resource ID. string
name Name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Represents the ip configuration associated with the resource. BastionHostIPConfigurationPropertiesFormat

BastionHostIPConfigurationPropertiesFormat

Name Description Value
privateIPAllocationMethod Private IP allocation method. 'Dynamic'
'Static'
publicIPAddress Reference of the PublicIP resource. SubResource (required)
subnet Reference of the subnet resource. SubResource (required)

BastionHostPropertiesFormat

Name Description Value
disableCopyPaste Enable/Disable Copy/Paste feature of the Bastion Host resource. bool
dnsName FQDN for the endpoint on which bastion host is accessible. string
enableFileCopy Enable/Disable File Copy feature of the Bastion Host resource. bool
enableIpConnect Enable/Disable IP Connect feature of the Bastion Host resource. bool
enableKerberos Enable/Disable Kerberos feature of the Bastion Host resource. bool
enableShareableLink Enable/Disable Shareable Link of the Bastion Host resource. bool
enableTunneling Enable/Disable Tunneling feature of the Bastion Host resource. bool
ipConfigurations IP configuration of the Bastion Host resource. BastionHostIPConfiguration[]
networkAcls BastionHostPropertiesFormatNetworkAcls
scaleUnits The scale units for the Bastion Host resource. int

Constraints:
Min value = 2
Max value = 50
virtualNetwork Reference to an existing virtual network required for Developer Bastion Host only. SubResource

BastionHostPropertiesFormatNetworkAcls

Name Description Value
ipRules Sets the IP ACL rules for Developer Bastion Host. IPRule[]

IPRule

Name Description Value
addressPrefix Specifies the IP or IP range in CIDR format. Only IPV4 address is allowed. string

Microsoft.Network/bastionHosts

Name Description Value
location Resource location. string
name The resource name string (required)
properties Represents the bastion host resource. BastionHostPropertiesFormat
sku The sku of this Bastion Host. Sku
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.Network/bastionHosts@2023-09-01"
zones A list of availability zones denoting where the resource needs to come from. string[]

ResourceTags

Name Description Value

Sku

Name Description Value
name The name of this Bastion Host. 'Basic'
'Developer'
'Standard'

SubResource

Name Description Value
id Resource ID. string