แก้ไข

แชร์ผ่าน


Quickstart: Deploy Azure Bastion - Developer SKU

In this quickstart, you learn how to deploy Azure Bastion using the Developer SKU. After Bastion is deployed, you can connect to virtual machines (VM) in the virtual network via Bastion using the private IP address of the VM. The VMs you connect to don't need a public IP address, client software, agent, or a special configuration. For more information about Azure Bastion, see What is Azure Bastion?

The following diagram shows the architecture for Azure Bastion and the Developer SKU.

Diagram that shows the Azure Bastion developer SKU architecture.

The Developer SKU is currently available in the following regions:

  • Central US EUAP
  • East US 2 EUAP
  • West Central US
  • North Central US
  • West US
  • North Europe

Note

VNet peering isn't currently supported for the Developer SKU.

About the Developer SKU

The Bastion Developer SKU is a free, lightweight SKU. This SKU is ideal for Dev/Test users who want to securely connect to their VMs, but don't need additional Bastion features or host scaling. With the Developer SKU, you can connect to one Azure VM at a time directly through the virtual machine connect page.

When you deploy Bastion using the Developer SKU, the deployment requirements are different than when you deploy using other SKUs. Typically when you create a bastion host, a host is deployed to the AzureBastionSubnet in your virtual network. The Bastion host is dedicated for your use. When you use the Developer SKU, a bastion host isn't deployed to your virtual network and you don't need an AzureBastionSubnet. However, the Developer SKU bastion host isn't a dedicated resource. Instead, it's part of a shared pool.

Because the Developer SKU bastion resource isn't dedicated, the features for the Developer SKU are limited. See the Bastion configuration settings SKU section for features listed by SKU. You can always upgrade the Developer SKU to a higher SKU if you need to support more features. See Upgrade a SKU.

Prerequisites

  • Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate your MSDN subscriber benefits or sign up for a free account.

  • A VM in a VNet.

    When you deploy Bastion using default values, the values are pulled from the virtual network in which your VM resides. Make sure the VM resides in a resource group that's in a region where the Developer SKU is supported.

    • If you don't already have a VM in a virtual network, create one using Quickstart: Create a Windows VM, or Quickstart: Create a Linux VM.
    • If you need example values, see the Example values section.
    • If you already have a virtual network, make sure it's selected on the Networking tab when you create your VM.
    • If you don't have a virtual network, you can create one at the same time you create your VM.
    • If you have a virtual network, make sure you have the rights to write to it.
  • Required VM roles:

    • Reader role on the virtual machine.
    • Reader role on the NIC with private IP of the virtual machine.
  • Required VM ports inbound ports:

    • 3389 for Windows VMs
    • 22 for Linux VMs

Note

The use of Azure Bastion with Azure Private DNS zones is supported. However, there are restrictions. For more information, see the Azure Bastion FAQ.

Example values

You can use the following example values when creating this configuration as an exercise, or you can substitute your own.

Basic VNet and VM values:

Name Value
Virtual machine TestVM
Resource group TestRG1
Region West US
Virtual network VNet1
Address space 10.1.0.0/16
Subnets FrontEnd: 10.1.0.0/24

Deploy Bastion and connect to VM

These steps help you deploy Bastion using the developer SKU and automatically connect to your VM via the portal. To connect to a VM, your NSG rules must allow traffic to ports 22 and 3389 from the private IP address 168.63.129.16.

  1. Sign in to the Azure portal.

  2. In the portal, go to the VM to which you want to connect. The values from the virtual network in which this VM resides are used to create the Bastion deployment. The VM must be located in a region that supports the Developer SKU.

  3. On the page for your VM, in the Operations section on the left menu, select Bastion.

  4. On the Bastion page, select the Authentication Type you want to use, input the required credential values, and click Connect.

    Screenshot of the Bastion page showing Deploy Bastion.

  5. Bastion deploys using the Developer SKU.

  6. The connection to this virtual machine via Bastion will open directly in the Azure portal (over HTML5) using port 443 and the Bastion service. Select Allow when asked for permissions to the clipboard. This lets you use the remote clipboard arrows on the left of the screen.

    • When you connect, the desktop of the VM might look different than the example screenshot.

    • Using keyboard shortcut keys while connected to a VM might not result in the same behavior as shortcut keys on a local computer. For example, when connected to a Windows VM from a Windows client, CTRL+ALT+END is the keyboard shortcut for CTRL+ALT+Delete on a local computer. To do this from a Mac while connected to a Windows VM, the keyboard shortcut is Fn+CTRL+ALT+Backspace.

      Screenshot showing a Bastion RDP connection selected.

  7. When you disconnect from the VM, Bastion remains deployed to the virtual network. You can reconnect to the VM from the virtual machine page in the Azure portal by selecting Bastion -> Connect.

To enable audio output

You can enable remote audio output for your VM. Some VMs automatically enable this setting, whereas others require you to enable audio settings manually. The settings are changed on the VM itself. Your Bastion deployment doesn't need any special configuration settings to enable remote audio output.

Note

Audio output uses bandwidth on your internet connection.

To enable remote audio output on a Windows VM:

  1. After you're connected to the VM, an audio button appears on the lower-right corner of the toolbar. Right-click the audio button, and then select Sounds.
  2. A pop-up message asks if you want to enable the Windows Audio Service. Select Yes. You can configure more audio options in Sound preferences.
  3. To verify sound output, hover over the audio button on the toolbar.

Remove VM public IP address

When you connect to a VM by using Azure Bastion, you don't need a public IP address for your VM. If you aren't using the public IP address for anything else, you can dissociate it from your VM:

  1. Go to your virtual machine. On the Overview page, click the Public IP address to open the Public IP address page.

  2. On the Public IP address page, go to Overview. You can view the resource that this IP address is Associated to. Select Dissociate at the top of the pane.

    Screenshot of details for a virtual machine's public IP address.

  3. Select Yes to dissociate the IP address from the VM network interface. After you dissociate the public IP address from the network interface, verify that it's no longer listed under Associated to.

  4. After you dissociate the IP address, you can delete the public IP address resource. On the Public IP address pane for the VM, select Delete.

    Screenshot of the button for deleting a public IP address resource.

  5. Select Yes to delete the public IP address.

Clean up resources

When you're done using the virtual network and the virtual machines, delete the resource group and all of the resources it contains:

  1. Enter the name of your resource group in the Search box at the top of the portal and select it from the search results.

  2. Select Delete resource group.

  3. Enter your resource group for TYPE THE RESOURCE GROUP NAME and select Delete.

Next steps

In this quickstart, you deployed Bastion using the Developer SKU, and then connected to a virtual machine securely via Bastion. Next, you can configure more features and work with VM connections.