An Azure service that provides private and fully managed Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to virtual machines.
Hello Josie Lewis
We went around Bastion and used a virtual network connection.
Firstly,
- Dedicated subnet requirement: The virtual network must contain a subnet named exactly AzureBastionSubnet. The subnet name is not configurable and must be created explicitly before deployment. Additionally, the subnet must be at least /26 in size. Smaller subnets are not supported and will cause deployment failures. Microsoft docs: Azure Bastion Deployment and configuration issues
- No NSG or route table on AzureBastionSubnet: The AzureBastionSubnet must not have a Network Security Group (NSG) or a user-defined route (UDR) associated with it. Azure Bastion manages its own connectivity and attaching NSGs or routes to this subnet is not supported.
- Azure Bastion requires a Standard Public IP address. If the subscription has reached the Public IP quota limit, Bastion deployment will fail. Microsoft explicitly lists subscription limits and quotas as a common cause of Bastion deployment failures.
- Forced tunneling is not supported: Azure Bastion does not support forced tunneling scenarios (for example, advertising 0.0.0.0/0 via VPN or ExpressRoute). Bastion requires direct connectivity to Azure control plane endpoints, and forced routing can prevent successful deployment.
- Same region requirement: The Bastion host must be deployed in the same virtual network and region as the target virtual machine. Region mismatches can result in deployment or visibility issues.
- Try via CLI for clearer errors
How to deploy Bastion with Azure CLI

```bash
# Resource group and virtual network
az group create --name TestRG1 --location eastus
az network vnet create --resource-group TestRG1 --name VNet1 --address-prefix 10.1.0.0/16 --subnet-name default --subnet-prefix 10.1.0.0/24

# Dedicated /26 subnet with the fixed name AzureBastionSubnet
az network vnet subnet create --name AzureBastionSubnet --resource-group TestRG1 --vnet-name VNet1 --address-prefix 10.1.1.0/26

# Standard SKU public IP, then the Bastion host itself
az network public-ip create --resource-group TestRG1 --name VNet1-ip --sku Standard --location eastus
az network bastion create --name VNet1-bastion --public-ip-address VNet1-ip --resource-group TestRG1 --vnet-name VNet1 --location eastus --sku Basic
```
Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
If these answer your question, click "Upvote" and click "Accept Answer" which may be beneficial to other community members reading this thread.
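
The following Python preflight check is an added example, not part of the answer above and not Microsoft tooling. It applies the subnet name, subnet size, route table, public IP SKU and region requirements from the list to JSON saved from `az network vnet show` and `az network public-ip show`; the field names and all sample values are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample input. The field names (subnets, addressPrefix,
# routeTable, sku.name, location) are assumed to match the CLI's JSON output.
SAMPLE_VNET = {
    "location": "eastus",
    "subnets": [
        {"name": "default", "addressPrefix": "10.1.0.0/24", "routeTable": None},
        {"name": "AzureBastionSubnet", "addressPrefix": "10.1.1.0/27",
         "routeTable": {"id": "constructed-route-table-id"}},
    ],
}
SAMPLE_PUBLIC_IP = {"sku": {"name": "Basic"}}


def bastion_preflight(vnet, public_ip, vm_location):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # The subnet name is fixed, so it is compared exactly.
    subnet = next((s for s in vnet.get("subnets", [])
                   if s.get("name") == "AzureBastionSubnet"), None)
    if subnet is None:
        findings.append("no subnet named exactly AzureBastionSubnet")
    else:
        raw = subnet.get("addressPrefix")
        if not raw:
            findings.append("AzureBastionSubnet has no addressPrefix to check")
        else:
            length = ipaddress.ip_network(raw, strict=False).prefixlen
            # A larger prefix length means a smaller subnet than /26.
            if length > 26:
                findings.append(f"AzureBastionSubnet is /{length}; /26 or larger required")
        if subnet.get("routeTable"):
            findings.append("route table (UDR) attached to AzureBastionSubnet")
    if (public_ip.get("sku") or {}).get("name") != "Standard":
        findings.append("public IP SKU is not Standard")
    if (vnet.get("location") or "").lower() != vm_location.lower():
        findings.append("virtual network and target VM are in different regions")
    return findings


if __name__ == "__main__":
    for finding in bastion_preflight(SAMPLE_VNET, SAMPLE_PUBLIC_IP, "westus"):
        print("FAIL:", finding)
```

Running the check before `az network bastion create` reports all failing prerequisites in one pass, while a deployment stops at the first error it hits.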