Introduction

Azure Bastion provides secure RDP/SSH connectivity to VMs without public IPs. When Bastion connections fail, administrators lose their primary management channel to VMs, especially in environments where direct RDP/SSH is blocked.

Symptoms

- Azure Portal Bastion connection shows "Connection Failed" or hangs
- Error: "Target machine is not reachable through Bastion"
- Bastion session disconnects immediately after connecting
- Bastion resource shows "Unavailable" in the portal

Common Causes

- NSG on target VM subnet blocking Bastion traffic
- Missing AzureBastionSubnet in the VNet (required for Bastion Standard)
- Target VM does not have RDP (3389) or SSH (22) port open
- Bastion resource and target VM in different regions
- Target VM firewall (Windows Firewall, iptables) blocking Bastion source IPs

Step-by-Step Fix

1. **Verify Bastion subnet exists and is correctly configured**:
   ```bash
   az network vnet subnet show --vnet-name myvnet --name AzureBastionSubnet --resource-group myrg
   ```
   Must be named "AzureBastionSubnet" exactly and be at least /27.
2. **Check NSG rules on target VM subnet**:
   ```bash
   az network nsg rule list --nsg-name mynsg --resource-group myrg \
     --query "[?destinationPortRange=='3389' || destinationPortRange=='22']"
   ```
3. **Check Bastion resource status**:
   ```bash
   az network bastion show --name mybastion --resource-group myrg --query provisioningState
   ```
   Should return "Succeeded". If "Failed", redeploy.
4. **Test network connectivity from Bastion subnet to target**:
   ```powershell
   Test-NetConnection -ComputerName <target-vm-ip> -Port 3389  # Windows
   ```
   ```bash
   nc -zv <target-vm-ip> 22  # Linux
   ```
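The NSG query in step 2 matches only rules whose `destinationPortRange` is exactly `3389` or `22`, so it misses rules that cover those ports through a range, `*`, or the `destinationPortRanges` list. The following is an added example, not part of the original page, that evaluates rules exported with `az network nsg rule list -o json` in priority order. The `effective_rule` helper, the sample rules and the addresses are constructed for illustration, and it assumes Bastion and the target VM are in the same VNet.

```python
import ipaddress

def _values(rule, key):
    # az emits a singular string field and/or a plural list field
    plural = key + ("es" if key.endswith("x") else "s")
    return list(rule.get(plural) or []) + ([rule[key]] if rule.get(key) else [])

def _port_match(rule, port):
    for p in _values(rule, "destinationPortRange"):
        lo, _, hi = p.partition("-")
        if p == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def _addr_match(rule, key, net):
    for v in _values(rule, key):
        if v in ("*", "VirtualNetwork"):  # assumes Bastion and VM share the VNet
            return True
        try:
            if net.subnet_of(ipaddress.ip_network(v, strict=False)):
                return True
        except (ValueError, TypeError):  # other service tags are not resolved here
            continue
    return False

def effective_rule(rules, bastion_prefix, vm_ip, port):
    """Return (access, name) of the first inbound TCP rule matching the flow."""
    src, dst = ipaddress.ip_network(bastion_prefix), ipaddress.ip_network(vm_ip)
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"].lower() != "inbound" or r["protocol"].lower() not in ("tcp", "*"):
            continue
        if (_addr_match(r, "sourceAddressPrefix", src)
                and _addr_match(r, "destinationAddressPrefix", dst)
                and _port_match(r, port)):
            return r["access"], r["name"]
    return "Allow", "AllowVnetInBound"  # no custom match: default rule, priority 65000

# Constructed sample shaped like `az network nsg rule list` output
SAMPLE_RULES = [
    {"name": "allow-rdp", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/26",
     "destinationAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "deny-mgmt", "priority": 200, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*",
     "destinationAddressPrefix": "*", "destinationPortRange": "3000-4000"},
    {"name": "allow-ssh", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "VirtualNetwork",
     "destinationAddressPrefix": "10.0.2.0/24", "destinationPortRanges": ["22"]},
]
```

With the sample rules, `effective_rule(SAMPLE_RULES, "10.0.1.0/26", "10.0.2.4", 3389)` reports the `deny-mgmt` range rule as the one that decides RDP, even though the exact-match query would list only `allow-rdp`.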