Cyscale
Back to controls

Ensure an Azure Bastion Host Exists

The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. It provides this access using TLS over 443/TCP and subscribes to hardened configurations within an organization's Azure Active Directory service.

Category

Controls

Medium

Applies to

Microsoft Azure

Coverage

1 queries

Asset types

1 covered

Overview

The Azure Bastion service allows secure remote access to Azure Virtual Machines over the Internet without exposing remote access protocol ports and services directly to the Internet. It provides this access using TLS over 443/TCP and subscribes to hardened configurations within an organization's Azure Active Directory service.

Rationale

The Azure Bastion service allows organizations to access Azure Virtual Machines over the Internet more securely without assigning public IP addresses to those Virtual Machines. The Azure Bastion service provides Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to Virtual Machines using TLS within a web browser, thus preventing organizations from opening up 3389/TCP and 22/TCP to the Internet on Azure Virtual Machines. Additional benefits of the Bastion service include Multi-Factor Authentication, Conditional Access Policies, and any other hardening measures configured within Azure Active Directory using a central point of access.

Impact

The Azure Bastion service incurs additional costs and requires a specific virtual network configuration. The Standard tier offers additional configuration options compared to the Basic tier and may incur additional costs for those added features.

Default Value

By default, the Azure Bastion service is not configured.

Remediation guidance

Remediate from Azure Portal

  1. Click on Bastions
  2. Select the Subscription
  3. Select the Resource group
  4. Type a Name for the new Bastion host
  5. Select a Region
  6. Choose Standard next to Tier
  7. Use the slider to set the Instance count
  8. Select the Virtual network or Create new
  9. Select the Subnet named AzureBastionSubnet. Create a Subnet named AzureBastionSubnet using a /26 CIDR range if it doesn't already exist.
  10. Select the appropriate Public IP address option.
  11. If Create new is selected for the Public IP address option, provide a Public IP address name.
  12. If Use existing is selected for Public IP address option, select an IP address from Choose public IP address
  13. Click Next: Tags >
  14. Configure the appropriate Tags
  15. Click Next: Advanced >
  16. Select the appropriate Advanced options
  17. Click Next: Review + create >
  18. Click Create

Remediate from Azure CLI

az network bastion create --location <location> --name <name of bastion host> --public-ip-address <public IP address name or ID> --resource-group <resource group name or ID> --vnet-name <virtual network containing subnet called "AzureBastionSubnet"> --scale-units <integer> --sku Standard [--disable-copy-paste true|false] [--enable-ip-connect true|false] [--enable-tunneling true|false]

Remediate from PowerShell

Create the appropriate Virtual network settings and Public IP Address settings.

$subnetName = "AzureBastionSubnet"
$subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 
$virtualNet = New-AzVirtualNetwork -Name <virtual network name> -ResourceGroupName <rg_name> -Location <location> -AddressPrefix  -Subnet $subnet
$publicip = New-AzPublicIpAddress -ResourceGroupName <rg_name> -Name <public IP address name> -Location <location> -AllocationMethod Dynamic -Sku Standard

Create the Azure Bastion service using the information within the created variables from above.

New-AzBastion -ResourceGroupName <rg_name> -Name <bastion name> -PublicIpAddress $publicip -VirtualNetwork $virtualNet -Sku "Standard" -ScaleUnit <integer>

Service-wide remediation

Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.

Azure

Use management group or subscription Azure Policy assignments, remediation tasks where supported, landing-zone standards, and IaC modules so drift is prevented at scale.

Operational rollout

  1. Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
  2. Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
  3. Re-scan and track approved exceptions with an owner and expiry date.

Query logic

These are the stored checks tied to this control.

Azure connectors without Bastion Hosts

Connectors

Microsoft Azure

Covered asset types

Connector

Expected check: eq []

{
  connectors(where: { cloudProvider: "azure", bastionHosts_SOME: null }) {
    ...AssetFragment
  }
}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon