We use cookies on this website.

By clicking "Accept," you agree to the storage of cookies on your device to improve your browsing experience, analyze site usage, and contribute to our marketing efforts. See our privacy policy for more information.

Cybersecurity
Cloud & infrastructure

Azure Bastion: Secure RDP/SSH access without exposing your VMs (and without blowing your budget)

€140/month to stop exposing your Azure VMs: when Azure Bastion is really worth it, when it’s a waste of money, and cheaper alternatives.

Azure Bastion: Secure RDP/SSH access without exposing your VMs (and without blowing your budget)

140/month to avoid exposing your VMs to the Internet with a €4 public IP, that's Azure Bastion. The pitch: one-click security without network expertise. The reality: a service that can be indispensable for your production or a total waste if you're protecting 2 dev VMs used 3 hours a week. We take a look at when Bastion is really worth the money, when it'll ruin you for nothing, and at the cheaper alternatives that nobody explains.

Azure Bastion is Microsoft's PaaS service that eliminates the need to expose your Azure virtual machines via public IP addresses for RDP (Remote Desktop) and SSH (Secure Shell) connections. Instead of leaving port 3389 or 22 open to the internet—a favorite target for scanning bots and brute-force attacks—Bastion acts as a managed jump host that establishes TLS-encrypted sessions from the Azure portal or your native client.

The marketing pitch: "Enhanced security without the complexity, one-click login." The reality: a service that costs ~€140/month for the Basic SKU to protect VMs you use for 2 hours a week, with frustrating limitations and cheaper but riskier alternatives. Between the classic self-hosted bastion (complex, time-consuming), direct public IP (dangerous), and Azure Bastion (simple but expensive), the choice is never clear-cut.

This article dissects Azure Bastion beyond the marketing hype: technical operation, actual pricing with hidden pitfalls, objective comparison with alternatives (public IP, jump box, VPN), use cases where Bastion is essential vs. situations where it is a waste of money. Because securing access to your VMs should not require a master's degree in network architecture or drain your cloud budget.

What is Azure Bastion and how does it work technically?

The classic RDP/SSH security problem

Traditional scenario: you create a Windows/Linux VM on Azure for a dev, test or production environment. To connect to it via RDP (Windows) or SSH (Linux), you have two options:

Option A - Exposed public IP: attach a public IP address to the VM and authorize port 3389 (RDP) or 22 (SSH) in the Network Security Group (NSG). Result: your VM can be scanned from anywhere on the Internet. Automated bots detect the IP within hours and launch dictionary attacks. Even with complex passwords or source IP restrictions, the attack surface is maximized.

Option B - Manual jump box: deploy a dedicated VM (the bastion/jump host) in a specific subnet, configure NSGs, manage security updates, maintain high availability. Improved security but heavy operational burden: OS patching, sizing, monitoring, 24/7 VM costs.

Azure Bastion architecture

Azure Bastion eliminates these compromises with a fully-managed PaaS architecture:

Deployment in AzureBastionSubnet Bastion is provisioned in a dedicated subnet named AzureBastionSubnet(minimum /26 or 64 IPs) within your VNet. This subnet contains Bastion instances (optimized VMs managed by Microsoft).

Connection via TLS proxy: when you initiate an RDP/SSH connection from the Azure portal, traffic passes via HTTPS (port 443) to the Bastion service. Bastion then establishes an RDP/SSH session to the target VM via its private IP. Your VM never needs a public IP. The flow is end-to-end encrypted using TLS 1.2+.

Agent- and client-free: no need to install an agent on target VMs or specific software on your workstation. RDP/SSH runs directly in the browser (HTML5) for portal connections, or via your native local RDP/SSH client (with the minimum Standard SKU).

Permissions and RBAC: Bastion respects Azure RBAC permissions. A user can only connect to the VMs to which he or she is entitled. No risk of a developer accessing production VMs by mistake.

Optional zonal architecture: deployment across multiple Availability Zones for high availability. If one zone goes down, connections automatically fail over.

The 4 SKUs: Developer, Basic, Standard, Premium

Bastion Developer (GA since June 2025): free lightweight SKU. Connection to 1 VM at a time via the Azure portal only. No AzureBastionSubnet required, no Bastion resource to deploy. Direct activation from the VM's "Connect" page. Perfect for test developers who want to avoid public IPs. Limitations: no connection via native client, no scaling, only one active session per user.

Bastion Basic: Deployed in AzureBastionSubnet, fixed capacity (40 concurrent SSH connections or 20 concurrent RDP connections). Portal-only access; no native client; no scaling. Price: ~$0.19/hour, or ~€140/month, plus outbound data transfer charges.

Standard Bastion: All Basic features + connection via native RDP/SSH client (from your Windows Remote Desktop terminal/client), manual scaling up to 50 instances, file upload/download, support for IP-based connections (connecting to VMs outside the VNet via peering), Shareable Link integration. Price: ~$0.29/hour, or ~€210/month base (2 instances included) + ~€70/additional instance.

Premium Bastion: All Standard features + Session Recording (video recording of RDP/SSH sessions for auditing and compliance), Private-only Bastion (no public IP on the Bastion itself, 100% private via Private Endpoint). Price: ~$0.27/hour, or ~€200/month for the base plan plus additional instances.

Real pricing and hidden traps: beyond €140/month

2026 Rate Structure

Hourly cost SKU:

  • Developer: free (GA since June 2025)
  • Basic: ~$0.19/hour = ~€140/month (fixed capacity)
  • Standard: ~$0.29/hour = ~€210/month (2 instances included)
  • Premium: ~$0.27/hour = ~€200/month (2 instances included)

Please note: The difference between Standard and Premium is minimal, and Microsoft now recommends Premium by default for production deployments.

Additional instances (Standard/Premium): ~$0.14/hour per instance = ~€100/month per scale unit. Each instance supports 20 concurrent RDP connections or 40 concurrent SSH connections (average load).

Outbound data transfer: The first 5 GB per month is free (on all SKUs). Beyond that, it is billed at decreasing rates, just like all other outbound Azure traffic (~€0.08/GB for the first few gigabytes, with lower rates for volumes over 10 TB). Inbound traffic to Bastion is not billed. If you transfer large files via RDP (copying and pasting 50 GB of data), expect an additional €2–4.

Public IP: Basic/Standard/Premium require a Standard SKU with a public IP. Cost: ~€3.50/month. The Developer plan does not require one (nor does the Private-only version of Premium).

Realistic total monthly cost calculation

Scenario 1 - Dev/test environment:

  • 5 developers, 1 VM each, connection 2h/day
  • Solution: Bastion Developer (free)
  • Monthly cost: €0

Scenario 2 - SME production:

  • 20 VMs, 5 system administrators, 10 simultaneous connections max.
  • Solution: Bastion Standard (2 basic instances are all you need)
  • Monthly cost: ~€210 + €3.50 internet access fee + ~€10 data transfer fee = ~€223.50/month

(If the native client and IP-based connection aren't necessary, Bastion Basic at ~€140 is sufficient and brings the bill down to ~€153.50/month.)

Scenario 3 - Large company:

  • 200 multi-region VMs, 50 admins, 30 simultaneous connections pic
  • Solution: Bastion Premium with 4 instances (2 base + 2 additional)
  • Monthly cost: ~€200 + (2 x €100) + €3.50 + €50 transfer fee = ~€453.50/month

Scenario 4 - Company with mandatory recording session:

  • Financial or health compliance requiring audit of all admin sessions
  • Solution: Bastion Premium with Session Recording enabled
  • Video storage: Azure Storage at ~0.02€/Gb. 100h sessions/month = ~50 GB = 1€.
  • Monthly cost: ~€200 + €3.50 + €1 for storage + €15 for transfer = ~€219.50/month

Hidden costs rarely mentioned

Dedicated subnet /26: immobilizes 64 IP addresses in your VNet address space. In heavily-used VNets, this may force an architectural redesign.

No SKU downgrades: Bastion allows you to upgrade to a higher SKU (via the portal, in about 10 minutes), but not to downgrade. Once you’re on Standard or Premium, you can’t downgrade without deleting everything and redeploying. If you try Premium “just to see,” you’re stuck with the Premium pricing.

Continuous billing: Bastion is billed by the hour as soon as it is deployed, whether you use it or not. VM off = Bastion bill running. Forget Bastion in a test environment → 140€/month waste.

Limits on concurrent connections: Basic has a fixed capacity of 20 RDP or 40 SSH connections max. If you exceed this limit, users will be placed in a queue. There is no scaling on the Basic plan; on Standard/Premium plans, scaling is available but must be done manually (there is no auto-scaling like with VMs). An unexpected spike in traffic will result in users being blocked.

Network bandwidth: high-resolution RDP connections (multi-screen, 4K) consume 5-10 Mbps per session. 10 simultaneous sessions = 50-100 Mbps. Check that your VNet and peering support the load.

Bastion vs. Alternatives: A Straightforward Comparison

Alternative 1: Direct public IP on the VM

Cost: ~€3.50/month per VM (Standard public IP) + a few cents for data transfer = ~€4/month

Advantages:

  • ~35 times cheaper than Bastion Basic
  • Ultra-low latency (direct connection)
  • Compatible with all RDP/SSH tools without restriction

Disadvantages:

  • Risque sécurité majeur : exposition Internet directe, cible des attaques automatisées en <24h
  • Requires strict NSG with whitelisted source IP (problematic for nomad users)
  • Logs of permanent intrusion attempts (background noise)
  • Non-compliant with numerous security frameworks (ISO 27001, NIST, PCI-DSS)

Verdict: acceptable for a personal lab or disposable dev environment. Unacceptable for production or sensitive data. If your IT department discovers prod VMs with public IP + open RDP, prepare for an unpleasant conversation.

Alternative 2: Self-hosted Jump box (traditional Bastion)

Cost: B2s VM (2 vCPUs, 4 GB RAM) = ~€35/month + public IP €3.50 = ~€38.50/month

Advantages:

  • Total control: custom OS, custom logs, specific tools
  • Predictable fixed cost
  • No artificial limitations (competing connections, features)

Disadvantages:

  • Operational workload: monthly patching, monitoring, hardening, user management
  • SPOF (Single Point of Failure): if the VM goes down, no more access to other VMs
  • Complex setup: NSG, UDR, deployment scripts, high availability requires 2+ VMs
  • Security responsibility: logs, audits, compliance = your problem

Verdict: Suitable for mature IT teams with infrastructure expertise. Counterproductive for development teams or small and medium-sized businesses without a dedicated operations team. The time spent maintaining a jump box often costs more than Bastion’s €140/month.

Alternative 3: VPN Point-to-Site or Site-to-Site

Cost: VPN Gateway Basic = ~€33/month. VPN Gateway Standard (best performance) = ~135€/month

Advantages:

  • Full network access to VNet (not just RDP/SSH)
  • Excellent latency once the tunnel is established
  • Compatible with all protocols (not limited to RDP/SSH)

Disadvantages:

  • Complex initial configuration (certificates, VPN client profiles)
  • Requires installing a VPN client on each user workstation
  • Split-tunneling can expose corporate network if misconfigured
  • Costs similar to or higher than Bastion for a high-performance VPN gateway

Verdict: Relevant if you already have a VPN for other uses (access to private services, databases). Overkill if your only need is occasional RDP/SSH.

Alternative 4: Azure Just-In-Time (JIT) VM Access

Cost: included in Microsoft Defender for Cloud (formerly Azure Security Center). Plan 2: ~€13/VM/month

Principle: temporarily opens RDP/SSH ports in NSG only when requested by an authorized user, for a limited time (1-3h). Source IP locked.

Advantages:

  • Minimum exposure (ports closed 99% of the time)
  • Coût inférieur à Bastion pour <10 VMs
  • Access logs integrated into Defender

Disadvantages:

  • VM retains a public IP (reduced attack surface, but still available)
  • Defender for Cloud must be activated
  • Latency: 30-60 seconds to obtain access after request

Verdict: excellent complement or alternative for small/medium environments. Can be combined with Bastion (JIT + connection via Bastion = double security).

Use cases where Azure Bastion is the right choice

1. Strict regulatory compliance (health, finance, government)

Context: HIPAA, PCI-DSS, HDS, SecNumCloud sectors require proof of secure, auditable access to servers.

Why Bastion:

  • Bastion Premium with Session Recording records all admin sessions on video
  • Detailed logs in Azure Monitor (who connected, to which VM, when, duration)
  • No public IP exposed = immediate compliance with "no direct Internet access" requirements
  • Certifications provided (ISO 27001, SOC 2) that meet audit requirements without the need for additional documentation

This is a classic example of a cybersecurity and compliance issue where access logging makes all the difference during an audit.

ROI: Passing a compliance audit without Bastion = 5–10 person-days of preparation (manual logs, hardened jump boxes, documentation). With Bastion = virtually 0 days. The €200/month investment pays for itself in a single audit.

2. Companies without a dedicated infrastructure team

Context: tech startup, SME, autonomous dev teams. No resources to maintain a jump box.

Why Bastion:

  • Zero-ops: Microsoft manages patching, HA, scaling, security
  • Deployment in 5 minutes (vs. 2 hours for a well-configured jump box)
  • No training required: same UX as standard Azure portal

ROI: Engineer’s time = €60/hour. Maintaining a jump box = 3 hours/month (patching, monitoring) = €180. Bastion Basic at €140/month = cost savings + enhanced security. This is often a good candidate for outsourcing as part of a managed services and IT outsourcing offering.

3. Multi-region environments with VNet peering

Context: distributed infrastructure, VMs in 5 Azure regions with hub-and-spoke peering.

Why Bastion Standard:

  • IP-based connection: a single Bastion in the VNet hub accesses VMs from all peered spokes
  • No need to deploy 5 regional Bastions
  • Centralized access management

Architecture: Bastion in VNet Hub (primary region) → connection to 200 VMs spread across 5 regions via peering. Cost savings: 1 Standard Bastion (~€210) vs. 5 regional Bastions (~€1,050) = ~€840/month in savings. This is the kind of optimization that is part of a true cloud and infrastructure strategy.

4. Widespread remote work

Context: 100 employees need to access Azure VMs from home, unpredictable dynamic IPs.

Why Bastion:

  • No source IP whitelist to maintain (nightmare with dynamic residential IPs)
  • Microsoft Entra ID Authentication: Automatic MFA, Conditional Access policies
  • HTTPS/443 connection: passes all corporate and residential firewalls

VPN alternative: requires installing and configuring 100 VPN clients, managing certificates, and providing user support. Bastion = 0 client installations.

Limits, frustrations and situations where Bastion is NOT the solution

1. Cost for small environments

Problem: €140/month to protect 2 development VMs used 5 hours a week = €1,680/year for a non-existent problem.

Réalité : pour <5 VMs non-critiques, Bastion Developer gratuit ou JIT VM Access à 13€/VM/mois sont infiniment plus pertinents.

Common mistake: IT department imposes "everything must go through Bastion" without analyzing the need. Result: 3 dev environments with Bastion Basic = €420/month wasted.

2. Degraded performance for intensive graphics

Problem: RDP via Bastion aggressively compresses the video stream. CAD applications, 3D design, video editing = catastrophic experience.

User tests: A CAD engineer reported latency of 200–400 ms and pixelation during 3D rotations in SolidWorks via Bastion. When connecting directly via a public IP address: latency of 20 ms, perfectly smooth performance.

Workaround: use Bastion for administration only, deploy a dedicated GPU VM with public IP + ultra-restrictive NSG for graphics work.

3. Multiple simultaneous connections from one workstation

Limitation: connection via Azure portal = 1 session per browser. To open 5 VMs in parallel, you need 5 private browser windows or 5 different browsers.

Partial solution Switch to native client with Bastion Standard, but requires Azure CLI and commands az network bastion rdp/ssh.

User frustration: administrators used to MultiTab RDP (multiple connections in a single client) have to change their workflows.

4. IPv6 not supported

Status: Bastion still only supports IPv4. You cannot assign a public IPv6 address or connect to dual-stack VMs using IPv6 (you can target a dual-stack VM, but only via its IPv4 interface).

Impact: Organizations transitioning to IPv6-only are blocked. Microsoft refers to a "future roadmap," with no date announced.

5. No Azure Virtual Desktop (AVD) support

Official limitation: Azure Bastion does not work with AVD (formerly Windows Virtual Desktop). Documented in the FAQ.

User confusion: "Why can I connect to a Windows VM via RDP but not to an AVD that is… also Windows RDP?" Architectural difference: AVD uses its own gateway.

6. Limited file transfer

Via portal: impossible to transfer files (no drag-and-drop, no shared drives).

Via the native client: transfer is possible (Standard SKU and higher), but it is not designed for very large volumes. For 4 GB ISO files or 20 GB SQL dumps, use Azure Files/Blob Storage.

Frustration: An admin who just wants to "copy a 50 KB config file" has to use a native client and a CLI command instead of a simple Ctrl+C / Ctrl+V.

Deployment: a pragmatic guide to avoid screw-ups

Technical requirements

Correctly dimensioned VNet:

  • Subnet /26 minimum for AzureBastionSubnet = 64 IPs
  • Recommended /25 or /24 if scaling is planned (50 instances max)
  • The subnet cannot contain ANY other resources (NSG allowed, UDR prohibited, VMs prohibited)

Subnet name : must called exactly AzureBastionSubnet (significant breakage). azurebastionsubnet or Azure-Bastion-Subnet = deployment error.

Standard public IP SKUs: Basic/Standard/Premium require a Standard public IP (not Basic). Static allocation. Developer does not.

RBAC Permissions : Microsoft.Network/virtualNetworks/write, Microsoft.Network/virtualNetworks/subnets/join/action, Microsoft.Network/publicIPAddresses/*. Without these permissions, the deployment fails silently.

SKU selection strategy

Use Developer if:

  • Dev/test environment
  • Connexions occasionnelles (<10h/semaine)
  • Tight budget
  • Only one person can log on at a time

Use Basic if:

  • SME production
  • <20 VMs
  • Portal connections are all you need
  • No need for video audit

Use Standard if:

  • 20+ VMs or multi-region peering
  • Native client connection required
  • Regular file transfer
  • Scaling planned (>20 concurrent connections)

Use Premium if:

  • Compliance requiring session recording
  • Regulated sectors (finance, healthcare, defense)
  • Private-only architecture (zero public IP)

Deployment checklist

  1. Create subnet VNet > Subnets > Add > Name = AzureBastionSubnetSize /26
  2. Public IP provisioning: Standard SKU, Static, same region as VNet
  3. Deploy Bastion: Azure Portal > Create Resource > Bastion > Select SKU
  4. Wait 5–10 minutes: managed instances are being deployed
  5. Test connection: VM > Connect > Bastion > Enter credentials
  6. Configuring NSG on AzureBastionSubnet (optional but recommended) :
    • Inbound: Allow HTTPS (443) from GatewayManager tag
    • Outbound : Allow RDP (3389) and SSH (22) to VirtualNetwork tag
  7. Activate Diagnostic Logs: Bastion > Diagnostic settings > Send to Log Analytics

Post-deployment monitoring and optimization

Key metrics to monitor:

  • Active sessions: growing trend = need for scaling
  • Connection error rate: >5% = NSG or VM config problem
  • Bandwidth usage: anticipate data transfer costs

Alerts to be configured:

  • Instances >80% (near saturation)
  • Repeated authentication failures (attempted intrusion)
  • Bastion Configuration Change (Audit of Unauthorized Changes)

Cost optimization:

  • Remove Bastion from unused environments (weekend dev)
  • Use Azure Automation to deploy/remove Bastion according to a schedule (working hours only)
  • Consolidate several small regional Bastions into a single peering hub

Is Bastion worth it?

Azure Bastion is neither a cure-all nor a Microsoft scam. It is a specialized security tool that excels in specific scenarios but becomes a financial burden when misused.

Bastion is worth the investment if:

  • You have strict compliance requirements (audit, session registration)
  • Your team doesn't have the skills or time to maintain a jump box
  • You manage 20+ VMs in production with multiple administrators
  • You need to support nomadic users with dynamic IPs
  • Your CIO categorically refuses to accept exposed public IPs (and he's right).

Bastion is a waste if:

  • You have 2-3 sporadically used dev VMs → use free Developer
  • You already have a functional, high-performance VPN → no need for Bastion
  • Vous gérez <10 VMs sans contraintes réglementaires → JIT VM Access suffit
  • If you have a skilled operations team and plenty of time → a manual jump box is more cost-effective
  • You do graphics-intensive work (CAD, 3D) → unacceptable latency

Fatal mistakes to avoid:

  1. Deploy Bastion Basic to test it → forget about it → pay €1,680/year for nothing
  2. Impose Bastion everywhere "on principle" without cost/benefit analysis
  3. Choose Premium without the need for Session Recording (unnecessary extra cost)
  4. Deploy 1 Bastion per region, whereas peering only requires one

Optimal strategy:

  • Dev/Test: Bastion Developer free
  • Production <20 VMs : Bastion Basic ou JIT VM Access (selon compliance)
  • Production >20 VMs: Bastion Standard with IP-based connection
  • Regulated sectors: Bastion Premium with Session Recording
  • Special cases: combine JIT + Bastion (JIT opens temporary access, Bastion routes secure connection)

The true ROI of Bastion isn't measured in euros saved on licenses, but in risks avoided (intrusions, compromises), time saved (no jump box maintenance), and simplified compliance (painless audits).

If a single security incident costs you €50,000 in investigation, remediation, and loss of customer trust, the €1,680/year for Bastion Basic is a bargain. But if you’re securing disposable dev VMs with no sensitive data, it’s like insuring a Twingo at Ferrari rates.

Next steps:

  1. List all your exposed VMs with public IP + open RDP/SSH
  2. Categorize: critical (prod, sensitive data) vs. non-critical (dev, test)
  3. Deploy Bastion Developer free of charge on non-criticals for testing purposes
  4. Calculate the cost of a security incident (ransom, downtime, legal)
  5. Decide: Bastion Basic (140€/month) or incident risk (potentially 50k€+)

Azure Bastion is an adult solution for adult problems. If your Azure infrastructure is a hobby, you don't need it. If it's your business, €140/month for peace of mind is a no-brainer.

Our latest articles

See more
software
Development & automation

"I'm afraid to install software"

In 1996, I took my first steps in computing on an Excel spreadsheet where I filed cheat codes for my favorite video games. 🕹️Le the beginning of a passion for office tools (to each his own 😅 ). There were 3,000 machines connected to the internet! 😶 But what happened next?
July 3, 2026
fishing
Cybersecurity

Phishing 2026: Definition, Examples, and Protection for Small and Medium-Sized Businesses (Comprehensive Guide)

Spear phishing, BEC, voice deepfakes: why training alone isn’t enough, the true cost of an incident (€275,000), and the security measures that will work in 2026
June 26, 2026
backup-vs-retention
Cloud & infrastructure

Comparing backup VS retention

Backup VS retention: here's the match everyone's been waiting for!!!! 🥊 (okai not at all but I needed a catchy title..🤫)
July 3, 2026