What permissions are needed to use Bastion Host in Azure VM
What is a bastion host?
A bastion host is a hardened, centrally managed entry point for remote access. In Azure it lets users open RDP/SSH sessions to virtual machines (VMs) without exposing those VMs, or their management ports, to the public internet.
Azure Bastion is a fully platform-managed PaaS service that you provision inside your virtual network. It provides secure and seamless RDP/SSH connectivity to your VMs directly over TLS (port 443) from the Azure portal, or via the native RDP/SSH client on your workstation. When you connect through Azure Bastion, the target VMs need no public IP address, no agent, and no special client software.
The bastion host is deployed into the virtual network that contains a subnet named AzureBastionSubnet with a prefix of /26 or larger (the name is fixed; a smaller subnet is rejected at deployment time).
The user signs in to the Azure portal from any HTML5 browser and selects the virtual machine to connect to. With a single click, the RDP/SSH session opens in the browser. Azure Bastion provides connectivity to all VMs in the virtual network in which it is provisioned.
Because the VMs' RDP/SSH ports are never opened to the outside world, the only internet-facing endpoint is the Bastion host itself, while users still get full RDP/SSH access to the VMs.
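The deployment described above, as an added Az PowerShell example (not code from the original article). It assumes an existing resource group `rg-demo` and virtual network `vnet-demo` in `eastus`; the resource names and the `10.0.1.0/26` prefix are placeholders. It checks the subnet size before touching Azure, creates the mandatory AzureBastionSubnet if it is missing, and gives the Bastion host a Standard-SKU static public IP; the target VMs themselves get no public IP.

```powershell
# Added example, not part of the original article. Placeholder names; requires Az.Network and an
# authenticated session (Connect-AzAccount).
$rg       = 'rg-demo'
$vnetName = 'vnet-demo'
$location = 'eastus'
$bastionSubnetPrefix = '10.0.1.0/26'   # Bastion requires AzureBastionSubnet of /26 or larger

# Fail early on an undersized subnet (e.g. /27); Azure rejects it at deployment time anyway
$prefixLength = [int]($bastionSubnetPrefix.Split('/')[1])
if ($prefixLength -gt 26) {
    throw "AzureBastionSubnet must be /26 or larger; got /$prefixLength"
}

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName

# The subnet name is fixed: Bastion only deploys into a subnet literally named AzureBastionSubnet
if (-not ($vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' `
        -AddressPrefix $bastionSubnetPrefix -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}

# Bastion needs a Standard-SKU static public IP; this is the only public endpoint in the design
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-bastion' -Location $location `
    -Sku Standard -AllocationMethod Static

# Provision the Bastion host into the VNet; clients reach it over TLS/443 from the portal or native client
New-AzBastion -ResourceGroupName $rg -Name 'bas-demo' -PublicIpAddress $pip -VirtualNetwork $vnet
```

After the deployment completes, confirm that no target VM has a public IP attached to its NIC; if one does, remove it, otherwise the RDP/SSH exposure Bastion is meant to eliminate remains.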
What permissions are needed?
- Reader on the Azure Bastion resource
- Reader on the virtual network that contains the bastion host
- Reader on the target virtual machine
- Reader on the network interface (NIC) of the target VM
- Reader on the virtual network of the target VM, when it is a different (peered) virtual network from the one holding the bastion host
- If the user signs in to the guest OS with Microsoft Entra ID credentials instead of a local account, additionally Virtual Machine User Login or Virtual Machine Administrator Login on the VM, depending on whether the user needs standard or administrative access
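Granting exactly the permissions listed above, as an added Az PowerShell example (not code from the original article). It assumes an existing Bastion host `bas-demo`, a target VM `vm-target` in resource group `rg-demo`, and a user `alice@contoso.com`; all of these are placeholders. The scopes are resolved from the VM and Bastion resources rather than hard-coded, so the VNet bullet for a peered VNet is handled automatically: the target VM's VNet is added as a scope only when it differs from the bastion's VNet.

```powershell
# Added example, not part of the original article. Placeholder names; requires Az.Compute,
# Az.Network, Az.Resources and an authenticated session (Connect-AzAccount).
$rg      = 'rg-demo'
$vmName  = 'vm-target'
$basName = 'bas-demo'
$userUpn = 'alice@contoso.com'

$vm  = Get-AzVM -ResourceGroupName $rg -Name $vmName
# Scope Reader to the NIC itself, not just the VM, as the requirement list demands
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
# The VNet resource id is the subnet id with the trailing '/subnets/<name>' removed
$vmVnetId = ($nic.IpConfigurations[0].Subnet.Id -split '/subnets/')[0]

$bas = Get-AzBastion -ResourceGroupName $rg -Name $basName
$basVnetId = ($bas.IpConfigurations[0].Subnet.Id -split '/subnets/')[0]

# Minimum scopes: Bastion host, bastion VNet, VM, NIC
$scopes = @($bas.Id, $basVnetId, $vm.Id, $nic.Id)
# Peered-VNet case: the target VM lives in a different VNet, so Reader is needed there too
if ($vmVnetId -ne $basVnetId) { $scopes += $vmVnetId }

foreach ($scope in ($scopes | Select-Object -Unique)) {
    # Get-AzRoleAssignment -Scope also returns inherited assignments (e.g. Reader on the
    # subscription), so an existing effective Reader at or above this scope is not duplicated
    $existing = Get-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName 'Reader' -Scope $scope
    if (-not $existing) {
        New-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName 'Reader' -Scope $scope | Out-Null
        Write-Host "Granted Reader to $userUpn on $scope"
    }
}

# Only for Microsoft Entra ID sign-in to the guest OS: grant the login role on the VM itself.
# Use 'Virtual Machine Administrator Login' instead if the user needs local admin/root.
$loginRole = 'Virtual Machine User Login'
if (-not (Get-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName $loginRole -Scope $vm.Id)) {
    New-AzRoleAssignment -SignInName $userUpn -RoleDefinitionName $loginRole -Scope $vm.Id | Out-Null
}
```

Keeping the assignments at resource scope rather than at the resource group or subscription is the least-privilege option: the user can open a session to this one VM through Bastion but cannot read or connect to other VMs, NICs or networks in the group.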