Azure Bastion Subnet Notes


Azure Bastion: Subnet Configuration Notes

1. The "Purpose-Driven" Automation

Azure's portal UI uses a 'Purpose' selector to apply strict networking rules automatically. Selecting 'Azure Bastion' from the Purpose dropdown switches the subnet setup from manual to managed configuration.

2. Automatic Subnet Sizing

When the 'Azure Bastion' purpose is selected, Azure automatically suggests a compliant subnet range based on your VNet address space.

Important Note: If your Virtual Network uses a /24 address space (e.g., 10.0.0.0/24), choosing the Bastion purpose automatically defaults the subnet range to a /26 (e.g., 10.0.0.0/26). This ensures the subnet satisfies the minimum of 64 total addresses that the Bastion platform requires to scale and manage its instances.

3. Strict Requirements Checklist

Configuration Item | Strict Requirement
-------------------|--------------------------------------------
Subnet Name        | Locked to AzureBastionSubnet
Minimum Mask       | /26 (provides 64 IPs, 59 usable)
Subnet Purpose     | Azure Bastion (dropdown selection)
Default Behavior   | Automatically carves a /26 from a /24 VNet

4. Professional Workflow

  • Create the VNet first to establish the overall address space.
  • Navigate to Subnets and add a new entry.
  • Select 'Azure Bastion' from the 'Subnet Purpose' dropdown immediately.
  • Verify that the name is locked and the size has defaulted to /26.
  • Save the subnet and proceed to deploy the Bastion resource.
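A pre-deployment check that encodes the checklist above in code, as an added example (not part of these notes and not Azure tooling): it reproduces the portal's default carve of a /26 from the VNet range and flags a subnet whose name, size or placement would fail Bastion deployment. It assumes the standard Azure rule of 5 reserved addresses per subnet, which is where the 59-usable figure comes from.

```python
"""Validate a planned Azure Bastion subnet before touching the portal or CLI."""
from __future__ import annotations

import ipaddress

BASTION_SUBNET_NAME = "AzureBastionSubnet"  # fixed by the platform, cannot be renamed
BASTION_MAX_PREFIXLEN = 26                  # /26 is the smallest allowed subnet
AZURE_RESERVED_PER_SUBNET = 5               # network, gateway, 2x DNS, broadcast


def suggest_bastion_subnet(vnet_cidr: str) -> ipaddress.IPv4Network:
    """Mirror the portal default: carve the first /26 out of the VNet range.

    Raises ValueError when the VNet itself is smaller than a /26.
    """
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    if vnet.prefixlen > BASTION_MAX_PREFIXLEN:
        raise ValueError(f"{vnet} cannot hold a /{BASTION_MAX_PREFIXLEN} subnet")
    return next(vnet.subnets(new_prefix=BASTION_MAX_PREFIXLEN))


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses left for Bastion instances after Azure's reserved ones."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AZURE_RESERVED_PER_SUBNET


def check_bastion_subnet(vnet_cidr: str, name: str, subnet_cidr: str) -> list[str]:
    """Return every checklist violation found; an empty list means compliant."""
    problems: list[str] = []
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    if name != BASTION_SUBNET_NAME:
        problems.append(f"name must be {BASTION_SUBNET_NAME!r}, got {name!r}")
    if subnet.prefixlen > BASTION_MAX_PREFIXLEN:
        problems.append(f"/{subnet.prefixlen} is smaller than the /{BASTION_MAX_PREFIXLEN} minimum")
    if not subnet.subnet_of(vnet):
        problems.append(f"{subnet} lies outside VNet {vnet}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: a /24 VNet with the portal-suggested /26.
    vnet, subnet = "10.0.0.0/24", str(suggest_bastion_subnet("10.0.0.0/24"))
    print(f"suggested {subnet}, {usable_addresses(subnet)} usable addresses")
    print(check_bastion_subnet(vnet, BASTION_SUBNET_NAME, subnet) or "compliant")
    print(check_bastion_subnet(vnet, "bastion", "10.0.0.0/27"))
```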

Azure Bastion Must Have a Public IP

Even though Azure Bastion exists to keep your virtual machines private and off the public internet, Bastion itself is a fully managed gateway. For you to connect to your VMs securely from the Azure Portal in your web browser, the Bastion host instance must have a public-facing entry point, which is why it requires a public IP address.