
Bastion network unstable and won't connect

sysadmin 0 Reputation points
2026-02-17T16:54:56.36+00:00

Bastion network is unstable and won't connect. It shows "connection unstable" in the lower right corner of the VM connection.

Azure Bastion

An Azure service that provides private and fully managed Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to virtual machines.


2 answers

  1. Alex Burlachenko 19,770 Reputation points MVP Volunteer Moderator
    2026-02-18T12:38:56.15+00:00

    Hi sysadmin,

    Not a lot of info provided to help, but look: the most common causes are not Bastion itself but network path or client-side issues. Check that the VM is actually reachable inside the VNet. From another VM in the same subnet, try RDP or SSH. If that fails, the issue is not Bastion. Look at the NSG rules on the VM subnet and the AzureBastionSubnet. Bastion requires outbound access to 443 and specific service tags like GatewayManager and AzureCloud; make sure no deny rule is blocking ephemeral ports.

    Check that AzureBastionSubnet is at least /26 and has no user-defined routes forcing traffic through a firewall without a proper return path. If you use a custom route table, confirm 0.0.0.0/0 is not blackholing traffic.

    Look at VM CPU and memory; high load can cause session drops that look like an unstable network. Test from another browser and network; Bastion is HTML5 over WebSocket and is very sensitive to proxies, SSL inspection and packet loss. If a corporate proxy is doing TLS inspection, try bypassing it or whitelist *.azure.com and wss endpoints.

    rgds,

    Alex

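The subnet checks listed in the answer above (prefix size, a 0.0.0.0/0 user-defined route, a deny rule shadowing outbound 443) can be scripted. This is an added example, not part of the original thread or of any Microsoft tooling: the input dictionaries are constructed samples that reuse ARM property names, the function names are hypothetical, and the NSG logic assumes a single `destinationPortRange` per rule.

```python
import ipaddress

# Constructed sample input (not from the thread); keys reuse ARM property names.
SAMPLE_SUBNET = {
    "addressPrefix": "10.0.1.0/27",
    "routeTable": {"routes": [
        {"name": "to-firewall", "addressPrefix": "0.0.0.0/0",
         "nextHopType": "VirtualAppliance"}]},
}
SAMPLE_NSG_RULES = [
    {"name": "DenyAllOut", "priority": 100, "direction": "Outbound",
     "access": "Deny", "destinationAddressPrefix": "*",
     "destinationPortRange": "*"},
    {"name": "AllowAzureCloudOut", "priority": 200, "direction": "Outbound",
     "access": "Allow", "destinationAddressPrefix": "AzureCloud",
     "destinationPortRange": "443"},
]

def covers_port(port_range, port):
    """True if an NSG port expression ('*', '443', '400-500') includes port."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)

def audit_bastion_subnet(subnet, nsg_rules):
    """Return findings for the three subnet checks named in the answer."""
    findings = []
    prefix_len = ipaddress.ip_network(subnet["addressPrefix"]).prefixlen
    if prefix_len > 26:  # a larger prefix length means a smaller subnet
        findings.append(f"subnet is /{prefix_len}, smaller than /26")
    for route in (subnet.get("routeTable") or {}).get("routes", []):
        if route["addressPrefix"] == "0.0.0.0/0" and route["nextHopType"] != "Internet":
            findings.append(f"route {route['name']} sends 0.0.0.0/0 to {route['nextHopType']}")
    # NSG rules are evaluated in ascending priority; the first match decides.
    outbound = sorted((r for r in nsg_rules if r["direction"] == "Outbound"),
                      key=lambda r: r["priority"])
    for rule in outbound:
        if (rule["destinationAddressPrefix"] in ("*", "AzureCloud")
                and covers_port(rule["destinationPortRange"], 443)):
            if rule["access"] == "Deny":
                findings.append(f"rule {rule['name']} denies outbound 443 to AzureCloud")
            break
    return findings

if __name__ == "__main__":
    for finding in audit_bastion_subnet(SAMPLE_SUBNET, SAMPLE_NSG_RULES):
        print("FINDING:", finding)
```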

  2. Vallepu Venkateswarlu 6,905 Reputation points Microsoft External Staff Moderator
    2026-02-17T17:14:44.04+00:00

    Hi @sysadmin,

    Welcome to Microsoft Q&A Platform.

    When attempting to connect to a target VM using Azure Bastion, you may see a black screen in the Azure portal. This typically occurs due to either:

    In many cases, a Network Security Group (NSG) applied to the AzureBastionSubnet or the target VM subnet is blocking RDP or SSH traffic within the virtual network.

    Please make sure to check the below steps to resolve your issue.

    Allow WebSockets Traffic
    Ensure that WebSockets traffic is allowed on your client internet firewall.

    Run VM Diagnostics
    Run resource diagnostics on the VM to verify:

    • If the VM is running
    • Network Level Authentication (NLA) status

    Check Network Security Groups (NSGs)

    Verify that NSG rules allow the required protocols (RDP for Windows, SSH for Linux).

    If an NSG is applied to the AzureBastionSubnet, ensure it contains the correct rules to support Bastion.

    Use Network Watcher – Connection Troubleshoot
    Use Azure Network Watcher’s Connection Troubleshoot feature from the Bastion instance to validate direct TCP connectivity to the VM.

    Redeploy the VM (If Needed)
    If diagnostics do not identify any issues, redeploying the VM can sometimes resolve underlying connectivity problems.

    Verify RDP Service on the VM
    Run the following command on the VM:

    netstat -aon
    

    Confirm that the VM is listening on port 3389.

    If it is listening, temporarily disable the OS firewall and test connectivity.

    • Also, test RDP connectivity from another VM within the same VNet to isolate the issue.

    When attempting to connect to a target VM using Azure Bastion, you may see a black screen in the Azure portal.

    This usually occurs due to either:

    A network connectivity issue between your web browser and Azure Bastion (for example, your client-side internet firewall may be blocking WebSockets traffic), or

    Follow the Doc for Troubleshoot Azure Bastion issues.

    If the solution is not helpful, please share the required details so we can connect on a Teams call and troubleshoot the issue together.

    Please “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
