Azure Bastion now supports VNET peering (Preview)

Posted on 11/29/2020

Azure Bastion is a platform service that allows you to connect securely to a VM in a VNET without the need to open ports to the internet or to deploy and manage any jump hosts yourself.

Recently Microsoft introduced a new feature that really improves the offering: VNET peering for Azure Bastion. It currently supports virtual network peering and global virtual network peering. Multi-tenant peerings are not supported as of now.

This update makes the service extremely useful, especially in a Hub & Spoke network. Before, we had to deploy one Bastion service per virtual network, which made Bastion quite expensive in those cases. Now we can deploy one centralized Bastion service in a shared services or hub network, which can then reach any peered network (NSGs on the peered networks still apply, of course).
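As an added illustration of the hub-and-spoke layout described above (this is example infrastructure code written for this page, not from the post or from Microsoft), the Bicep template below puts Bastion in a hub VNet, peers one spoke in both directions, and attaches an NSG to the spoke's workload subnet that admits RDP/SSH only from the hub's AzureBastionSubnet. All resource names and address ranges are assumptions chosen for the example.

```bicep
// Added example (not from the post): hub VNet with Azure Bastion, one peered
// spoke VNet, and a spoke NSG that admits RDP/SSH only from AzureBastionSubnet.
// Names and address ranges are assumptions: hub 10.0.0.0/16, spoke 10.1.0.0/16.
param location string = resourceGroup().location

var bastionSubnetPrefix = '10.0.1.0/26'   // AzureBastionSubnet must be at least a /27

resource hubVnet 'Microsoft.Network/virtualNetworks@2020-11-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'AzureBastionSubnet'          // name is fixed by the service
        properties: { addressPrefix: bastionSubnetPrefix }
      }
    ]
  }
}

resource bastionPip 'Microsoft.Network/publicIPAddresses@2020-11-01' = {
  name: 'hub-bastion-pip'
  location: location
  sku: { name: 'Standard' }                  // Bastion requires Standard, static
  properties: { publicIPAllocationMethod: 'Static' }
}

resource bastion 'Microsoft.Network/bastionHosts@2020-11-01' = {
  name: 'hub-bastion'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconf'
        properties: {
          subnet: { id: '${hubVnet.id}/subnets/AzureBastionSubnet' }
          publicIPAddress: { id: bastionPip.id }
        }
      }
    ]
  }
}

// Spoke NSG: only the hub's AzureBastionSubnet may reach 22/3389 on the workload
// subnet. The built-in DenyAllInBound rule (priority 65500) blocks everything else,
// so the VMs never need an Internet-facing RDP or SSH rule.
resource spokeNsg 'Microsoft.Network/networkSecurityGroups@2020-11-01' = {
  name: 'nsg-spoke-workload'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowRdpSshFromBastionSubnet'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: bastionSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRanges: [ '22', '3389' ]
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2020-11-01' = {
  name: 'vnet-spoke'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }
    subnets: [
      {
        name: 'snet-workload'
        properties: {
          addressPrefix: '10.1.0.0/24'
          networkSecurityGroup: { id: spokeNsg.id }
        }
      }
    ]
  }
}

// Peering has to exist in both directions for Bastion to reach the spoke VMs.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2020-11-01' = {
  parent: hubVnet
  name: 'hub-to-spoke'
  properties: {
    remoteVirtualNetwork: { id: spokeVnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: false
  }
}

resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2020-11-01' = {
  parent: spokeVnet
  name: 'spoke-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnet.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: false
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`. The security-relevant piece is the single NSG rule on the spoke: because the source prefix is the Bastion subnet rather than `*` or `Internet`, the management ports are reachable only through the Bastion session path, which is exactly what makes the shared hub Bastion cheaper than one per VNet without widening exposure. Additional spokes need only their own peering pair and an equivalent NSG rule.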

Bastion Architecture

It is currently still in preview, so consider this before using it in production.

Closing thoughts

The new Azure Bastion VNET peering update will change how we use Azure Bastion. One thing to keep in mind, though, is the current limit of 25 RDP or 50 SSH sessions. This might become a bottleneck if a shared Bastion is used heavily.