Managing secure remote access to virtual machines traditionally means juggling public IP addresses, configuring jump boxes, deploying VPN infrastructure, and managing complex firewall rules. Each layer adds cost, complexity, and potential security vulnerabilities.
Azure Bastion changes everything. It's a fully managed PaaS service that provides secure RDP/SSH connectivity to Azure VMs directly through the Azure portal, without exposing VMs to the public internet. No public IPs, no jump boxes, no VPN clients.
Azure Bastion isn't one-size-fits-all. Whether you're running a development sandbox, managing production workloads at scale, or operating in regulated industries with strict compliance requirements, there's a Bastion SKU designed for your specific needs.
- Basic SKU for small production workloads with browser-based access. Ideal for small businesses, startups, or single-application environments with limited concurrent users (up to 2 instances).
- Standard SKU for scalable production environments that need VNet peering, native client support, and shareable links for non-portal access. Supports up to 50 scale units, perfect for growing organizations and multi-VNet architectures.
- Premium SKU for regulated industries that need session recording for compliance (HIPAA, SOX, PCI-DSS, FDA) and private-only deployment for zero internet exposure. Essential for healthcare, finance, pharmaceuticals, government, and air-gapped environments.
Let's dive into real-world scenarios that showcase how Azure Bastion simplifies enterprise-grade secure access.
Real-World Scenarios:
Azure Bastion features are best understood through real-world application. In the scenarios below, we'll tackle three common enterprise challenges with secure remote access. Let's see Azure Bastion in action.
Scenario 1: Instant Vendor Access Without the Hassle
The Challenge:
It's 3 PM on Friday when your production database experiences critical performance issues. An external DBA consultant needs immediate access to investigate, but your organization faces a familiar dilemma. The traditional provisioning process requires creating a temporary Azure AD account, configuring VPN access and credentials, coordinating with the security team for approvals, and ensuring timely revocation after the engagement concludes. Even with expedited processes, this takes 2-3 hours—and there's always the risk of lingering permissions if revocation is overlooked. By the time access is provisioned, it's often too late to resolve the issue before the weekend, leaving your production environment vulnerable and your team working overtime.
The Solution:
Shareable Links: Generate a secure URL for instant VM access. No Azure credentials, VPN, or account creation is required; the vendor still authenticates to the VM itself with the VM's own credentials. (Shareable links need the Standard SKU or higher, per the SKU list above.)
Implementation:
Step 1: Enable Shareable Links
- Navigate to Bastion → Configuration → Toggle Shareable Link to Enabled → Click Apply
Step 2: Generate Link
- Go to Bastion → Select Shareable Links → Add → Choose VM → Apply → Copy generated URL
Step 3: Share & Monitor
- Share the URL securely with the vendor, sending the VM credentials over a separate channel → Vendor connects via browser using VM credentials
- Monitor active sessions in Bastion → Shareable Links
Real World Impact: A global financial services firm now grants emergency vendor access in under 5 minutes instead of 2-3 hours, with zero IT overhead for account provisioning or VPN setup. Links can be revoked after the set duration, eliminating lingering access risks. Every vendor session is logged, providing complete audit trails that satisfy SOX and PCI-DSS compliance requirements without additional administrative effort.
Scenario 2: Comprehensive Compliance with Session Recording
The Challenge:
Your healthcare organization operates under HIPAA regulations, which mandate comprehensive audit trails of all administrative access to systems containing Protected Health Information (PHI). Traditional text logs capture what was accessed, but not what actions were performed—and they're difficult to analyze during audits. You need indisputable video evidence of administrative activities with secure 7-year retention.
The Solution:
Graphical Session Recording: Azure Bastion Premium's Session Recording feature automatically captures every RDP and SSH session as a video recording, stored securely in Azure Storage with immutable retention policies.
Implementation:
Step 1: Prepare Storage Account
- Create a dedicated storage account with blob versioning, lifecycle management (7 years for HIPAA), soft delete (90 days), and RBAC restricted to security/compliance team.
- Also create a dedicated container for Bastion session recordings, and configure a CORS rule on the storage account that allows your Bastion host as an origin.
Step 2: Enable Session Recording
- Navigate to Bastion → Configuration → Toggle Session Recording to Enabled → Apply
- In the Session Recordings blade of the Bastion host, add or update the SAS URL for the storage account so recordings are written there. Track the SAS expiry date: once the SAS lapses, new sessions can no longer be stored.
Step 3: Connect as Usual
- Administrators connect through Azure portal normally: VM → Connect → Bastion → Enter credentials → Connect
- Every session is automatically recorded—no extra steps for users.
Step 4: Review Recordings
- Security teams open recordings from the Session Recordings blade on the Bastion host, which retrieves them from the configured storage account.
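The storage preparation in Step 1 and the SAS URL needed in Step 2, scripted with the Azure CLI. This is an added example, not code from the original post or from Microsoft; resource names, the group ID and the Bastion DNS name are placeholders, and the CORS method list and SAS permission set are assumptions to check against the session-recording docs.

```shell
# Added example, not from the original post: prepare a locked-down storage account
# for Bastion session recordings with the Azure CLI. Names and IDs are placeholders;
# the CORS method list and SAS permission set are assumptions to check against the
# session-recording docs.
set -eu
RG="rg-bastion-prod"                                        # placeholder resource group
SA="stbastionrec001"                                        # placeholder storage account
CONTAINER="bastion-sessions"                                # dedicated recordings container
BASTION_ORIGIN="https://bst-PLACEHOLDER.bastion.azure.com"  # your Bastion host DNS name
SECOPS_GROUP_ID="00000000-0000-0000-0000-000000000000"      # Entra group allowed to read
# HIPAA retention: seven years expressed in days for the lifecycle rule.
hipaa_retention_days() { echo $((7 * 365)); }

# Lifecycle policy: delete a recording only once it is older than the retention period.
# Versioning and 90-day soft delete (set in deploy) guard against early removal.
lifecycle_policy() {
  cat <<EOF
{"rules":[{"enabled":true,"name":"retain-recordings-7y","type":"Lifecycle",
 "definition":{"actions":{"baseBlob":{"delete":{"daysAfterModificationGreaterThan":$(hipaa_retention_days)}}},
 "filters":{"blobTypes":["blockBlob"],"prefixMatch":["${CONTAINER}/"]}}}]}
EOF
}

deploy() {
  az storage account create -n "$SA" -g "$RG" --kind StorageV2 --sku Standard_GRS \
    --min-tls-version TLS1_2 --allow-blob-public-access false
  az storage account blob-service-properties update -n "$SA" -g "$RG" \
    --enable-versioning true --enable-delete-retention true --delete-retention-days 90
  az storage account management-policy create -g "$RG" --account-name "$SA" \
    --policy "$(lifecycle_policy)"
  az storage container create -n "$CONTAINER" --account-name "$SA" --auth-mode login
  # CORS: only the Bastion host origin may write recordings into the account.
  az storage cors add --account-name "$SA" --services b --origins "$BASTION_ORIGIN" \
    --methods GET PUT POST OPTIONS --allowed-headers '*' --exposed-headers '*' --max-age 3600
  # Least privilege: the compliance group gets read-only data-plane access.
  az role assignment create --role "Storage Blob Data Reader" \
    --scope "$(az storage account show -n "$SA" -g "$RG" --query id -o tsv)" \
    --assignee-object-id "$SECOPS_GROUP_ID" --assignee-principal-type Group
}

# Container SAS URL to paste into the Session Recordings blade. Track the expiry:
# recordings stop being written once the SAS lapses.
sas_url() {
  expiry=$(date -u -d "+1 year" +%Y-%m-%dT%H:%MZ)   # GNU date syntax
  token=$(az storage container generate-sas --account-name "$SA" -n "$CONTAINER" \
    --permissions racwdl --expiry "$expiry" --https-only -o tsv)
  echo "https://${SA}.blob.core.windows.net/${CONTAINER}?${token}"
}
if [ "${1:-}" = "--apply" ]; then deploy; sas_url; fi
```

Run with `--apply` from a shell that is already logged in with rights over the resource group; without the flag it only defines the functions.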
Real World Impact: A healthcare provider with 50+ hospitals now maintains 100% HIPAA-compliant audit trails of all administrative access to PHI systems through automated video recordings. The organization reduced audit preparation time by 75%, as compliance teams can quickly review specific sessions instead of analyzing thousands of text log entries. Session recordings have enabled post-incident investigations to identify unauthorized configuration changes and provide indisputable video evidence for security reviews and regulatory audits.
Scenario 3: Zero Internet Exposure with Private-Only Deployment
The Challenge:
A global pharmaceutical company developing cancer treatments operates under FDA regulations requiring zero internet exposure for drug development systems. Their security mandate: no public IP addresses on production infrastructure, complete air-gapped connectivity to protect intellectual property, and administrative access from corporate network only. Traditional Azure Bastion requires a public IP address—violating their zero-trust security policy.
The Solution:
Private-Only Bastion: Azure Bastion Premium's private-only deployment eliminates the public IP address entirely. All connectivity flows through your organization's existing ExpressRoute, site-to-site (S2S) or point-to-site (P2S) VPN connectivity, for complete air-gapped operations.
Implementation:
- Select the Azure Bastion Premium SKU and deploy the host as private-only
- Configure private connectivity from on-premises using your organization's preferred method (ExpressRoute, S2S or P2S VPN)
- Connect from the corporate network using the private IP address of the Bastion deployment
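The private-only deployment above, scripted with the Azure CLI together with the check an auditor would run afterwards (Premium SKU, private-only flag set, no public IP on any IP configuration). This is an added example, not code from the original post or from Microsoft; resource names and the subnet prefix are placeholders, and the `--enable-private-only` flag and the `enablePrivateOnlyBastion` output property are assumed names to confirm against `az network bastion create --help` and `az network bastion show`.

```shell
# Added example, not from the original post: deploy a private-only Premium Bastion
# host with the Azure CLI and verify it exposes no public endpoint. Resource names
# and the subnet prefix are placeholders; --enable-private-only and the
# enablePrivateOnlyBastion output property are assumed names (confirm with
# "az network bastion create --help" and "az network bastion show").
set -eu
RG="rg-bastion-prod"; VNET="vnet-hub"; BASTION="bas-hub-private"; LOCATION="eastus"

deploy_private_only() {
  # Bastion requires a subnet named exactly AzureBastionSubnet, /26 or larger.
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n AzureBastionSubnet \
    --address-prefixes 10.0.255.0/26
  # No --public-ip-address: the host is reachable only over ExpressRoute or VPN.
  az network bastion create -g "$RG" -n "$BASTION" --vnet-name "$VNET" -l "$LOCATION" \
    --sku Premium --enable-private-only true
}

# Facts an auditor wants, as one tab-separated line: SKU, private-only flag, and
# the number of IP configurations that carry a public IP (must be 0).
bastion_facts() {
  az network bastion show -g "$RG" -n "$BASTION" -o tsv \
    --query '[sku.name, enablePrivateOnlyBastion, length(ipConfigurations[?publicIPAddress != `null`])]'
}

# Pure check over those three values so it can be exercised without Azure access.
# Accepts the CLI's True/False rendering as well as lower-case JSON booleans.
assert_private_only() {
  sku="$1"; private_only=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]'); public_ips="$3"
  [ "$sku" = "Premium" ] && [ "$private_only" = "true" ] && [ "$public_ips" = "0" ]
}

if [ "${1:-}" = "--apply" ]; then
  deploy_private_only
  set -- $(bastion_facts)
  if assert_private_only "$1" "$2" "$3"; then
    echo "OK: $BASTION is Premium, private-only, with no public IP"
  else
    echo "FAIL: $BASTION has a public endpoint or the wrong SKU" >&2; exit 1
  fi
fi
```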
Real World Impact: A pharmaceutical company with 20+ research facilities deploys private-only Bastion for FDA-regulated drug development systems. The company now achieves complete air-gapped operations with zero internet endpoints while maintaining centralized access management for 200+ researchers across global facilities. Research teams connect securely via ExpressRoute with all administrative sessions network-isolated, FDA compliance audits confirm 100% of connections originate from corporate private networks, and the organization eliminated $2M in annual costs by decommissioning internet-isolated jump boxes.
Conclusion:
Azure Bastion turns the traditional trade-off between security and operational efficiency into a single solution. Whether you're granting emergency access or preparing for your next HIPAA audit, Azure Bastion delivers what enterprises need: secure temporary access when it is needed, complete audit trails with zero administrator overhead, and comprehensive compliance without compromising productivity. That is a fundamental shift in how organizations approach secure remote access in the cloud.
Resources:
https://learn.microsoft.com/azure/bastion/
https://learn.microsoft.com/azure/bastion/shareable-link
https://learn.microsoft.com/azure/bastion/session-recording
https://azure.microsoft.com/pricing/details/azure-bastion/