Azure Network Security Blog
Private only Bastion: Connect Through Bastion Without a Public IP

aarontsang
Apr 18, 2025

Azure Bastion provides secure RDP and SSH connections to virtual machines without exposing their IP addresses. The new Premium SKU introduces session management features like graphical session recording and private only Bastion. This blog will focus on how private only Bastion ensures private connectivity to your virtual machines. 

What is different about private only Bastion? 

Historically, Azure Bastion has utilized a public IP address, allowing customers to connect via the Internet through either the Azure portal or their computers’ native client. As security becomes an increasingly critical aspect of cloud deployments, there has been a corresponding rise in demand for private endpoints. With the introduction of private only Bastion, customers can now connect to Bastion using a private endpoint, thereby eliminating the necessity of connectivity through a public IP address. To access their virtual machines (VMs), customers can employ VPNs or ExpressRoute private peering, effectively routing their traffic off the public Internet. 

Getting Started with private only Bastion 

Things to Note: 

  • Private only Bastion is only available on the Premium SKU.
  • Currently, users can ONLY create net new Bastions as a private only deployment.

  1. Navigate to the Azure portal.
  2. Deploy a Windows or Linux Virtual Machine.
     Note: With Linux machines, users can now connect via Entra ID credentials for SSH connections using the portal. For native client, users can use Entra ID credentials for either RDP or SSH connections. To learn more, see here.
  3. When connecting to the virtual machine, navigate to the Connect button in the Overview page, and click on Connect via Bastion.
  4. On the Bastion create page, fill in the necessary information. For help on creating a Bastion, see here.
  5. For the IP Address option, select Private IP address.
  6. In the Advanced tab,
  7. Review and Submit
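
A check you can run once the deployment above has been submitted, added here as an example and not part of the original post or any Microsoft tooling: it audits a Bastion host's JSON definition (an ARM export or flattened CLI output) for the private only properties. The field names `enablePrivateOnlyBastion`, `ipConfigurations` and `publicIPAddress` are assumed from the Microsoft.Network/bastionHosts resource schema, and the sample resource is constructed.

```python
import json

# Constructed sample: a Bastion host definition in ARM export shape.
# Field names are assumed from the Microsoft.Network/bastionHosts schema;
# the subscription ID, resource group and resource names are placeholders.
SAMPLE_PRIVATE = json.loads("""
{
  "name": "bastion-private",
  "sku": {"name": "Premium"},
  "properties": {
    "enablePrivateOnlyBastion": true,
    "ipConfigurations": [
      {"name": "ipconf",
       "properties": {"subnet": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/AzureBastionSubnet"}}}
    ]
  }
}
""")

def _props(obj):
    """ARM exports nest settings under 'properties'; CLI output is flattened."""
    return obj.get("properties", obj)

def audit_private_only(resource):
    """Return a list of findings; an empty list means the host looks private only."""
    findings = []
    props = _props(resource)
    sku = (resource.get("sku") or {}).get("name", "")
    # The post states private only Bastion is available on the Premium SKU only.
    if sku.lower() != "premium":
        findings.append(f"SKU is {sku or 'unset'}; private only Bastion requires Premium")
    if props.get("enablePrivateOnlyBastion") is not True:
        findings.append("enablePrivateOnlyBastion is not true")
    ip_configs = props.get("ipConfigurations") or []
    if not ip_configs:
        findings.append("no ipConfigurations found; cannot confirm the frontend IP type")
    for cfg in ip_configs:
        # A private only host should carry a subnet reference and no public IP.
        if _props(cfg).get("publicIPAddress"):
            findings.append(f"ipConfiguration '{cfg.get('name')}' references a public IP")
    return findings

if __name__ == "__main__":
    for finding in audit_private_only(SAMPLE_PRIVATE) or ["private only: no findings"]:
        print(finding)
```

Feed it the JSON for your own Bastion resource in place of the constructed sample; any finding means the host is not a private only deployment as described in this post.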

 

Updated May 22, 2025
Version 2.0