A lot of people have been waiting for this: VNet peering and Azure Bastion (Preview) ☁
By: Date: 13/11/2020 Categories: azure Tags: ,

Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don’t have to deploy Azure Bastion in each peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional Bastion host. For more information about VNet peering, see About virtual network peering.

Azure Bastion works with the following types of peering:

  • Virtual network peering: Connect virtual networks within the same Azure region.
  • Global virtual network peering: Connecting virtual networks across Azure regions.

Architecture

When VNet peering is configured, Azure Bastion can be deployed in hub-and-spoke or full-mesh topologies. Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine.

Once you provision the Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same VNet, as well as peered VNets. This means you can consolidate Bastion deployment to single VNet and still reach VMs deployed in a peered VNet, centralizing the overall deployment.

Design and Architecture diagram

This figure shows the architecture of an Azure Bastion deployment in a hub-and-spoke model. In this diagram you can see the following configuration:

  • The Bastion host is deployed in the centralized Hub virtual network.
  • Centralized Network Security Group (NSG) is deployed.
  • A public IP is not required on the Azure VM.

Steps:

  1. Connect to the Azure portal using any HTML5 browser.
  2. Select the virtual machine to connect to.
  3. Azure Bastion is seamlessly detected across the peered VNet.
  4. With a single click, the RDP/SSH session opens in the browser. For RDP and SSH concurrent session limits, see RDP and SSH sessions.ConnectFor more information about connecting to a VM via Azure Bastion, see:

FAQ

Can I still deploy multiple Bastion hosts across peered virtual networks?

Yes. By default, a user sees the Bastion host that is deployed in the same virtual network in which VM resides. However, in the Connect menu, a user can see multiple Bastion hosts detected across peered networks. They can select the Bastion host that they prefer to use to connect to the VM deployed in the virtual network.

If my peered VNets are deployed in different subscriptions, will connectivity via Bastion work?

Yes, connectivity via Bastion will continue to work for peered VNets across different subscription for a single Tenant. Subscriptions across two different Tenants are not supported. To see Bastion in the Connect drop down menu, the user must select the subs they have access to in Subscription > global subscription.

Global subscriptions filter

I have access to the peered VNet, but I can’t see the VM deployed there.

Make sure the user has read access to both the VM, and the peered VNet. Additionally, check under IAM that the user has read access to following resources:

  • Reader role on the virtual machine.
  • Reader role on the NIC with private IP of the virtual machine.
  • Reader role on the Azure Bastion resource.
  • Reader Role on the Virtual Network (Not needed if there is no peered virtual network).
PermissionsDescriptionPermission type
Microsoft.Network/bastionHosts/readGets a Bastion HostAction
Microsoft.Network/virtualNetworks/BastionHosts/actionGets Bastion Host references in a Virtual Network.Action
Microsoft.Network/virtualNetworks/bastionHosts/default/actionGets Bastion Host references in a Virtual Network.Action
Microsoft.Network/networkInterfaces/readGets a network interface definition.Action
Microsoft.Network/networkInterfaces/ipconfigurations/readGets a network interface IP configuration definition.Action
Microsoft.Network/virtualNetworks/readGet the virtual network definitionAction
Microsoft.Network/virtualNetworks/subnets/virtualMachines/readGets references to all the virtual machines in a virtual network subnetAction
Microsoft.Network/virtualNetworks/virtualMachines/readGets references to all the virtual machines in a virtual networkAction
https://docs.microsoft.com/en-us/azure/bastion/vnet-peering