
Technical Lab: Implement Azure Bastion

Questions

Question 1 — Multiple Choice

An operations team needs to access Windows and Linux virtual machines in Azure without exposing RDP or SSH ports to the internet. The environment has a VNet with distinct subnets for each application layer. What is the mandatory network requirement to deploy Azure Bastion in this scenario?

A. Create a subnet with any name with a minimum /27 prefix and associate a Network Security Group with inbound rules for ports 3389 and 22.

B. Create a subnet that must be called AzureBastionSubnet with a minimum /26 prefix, with no specific NSG requirement for basic functionality.

C. Create a subnet that must be called AzureBastionSubnet with a minimum /27 prefix, and the NSG must allow inbound traffic on port 443 from any source.

D. Create a subnet with any name with a minimum /26 prefix and ensure no NSG is associated with it.


Question 2 — Technical Scenario

An administrator deployed Azure Bastion on the Basic SKU in a VNet called vnet-prod. Now they need to connect via Bastion to a VM that is in a different VNet called vnet-dev, with peering configured between the two VNets. When attempting the connection through the Azure portal, it fails.

What is the most likely cause of the failure?

A. VNet peering is not supported by Azure Bastion under any circumstances; the VM must be moved to the same VNet.

B. The Basic SKU does not support connectivity with VMs in peered VNets; this feature requires the Standard SKU or higher.

C. The peering is configured incorrectly because the Use remote gateways option was not enabled on the vnet-dev side.

D. Bastion can only reach VMs in peered VNets if both VNets are in the same Azure region.


Question 3 — True or False

Azure Bastion, even on the Basic SKU, allows administrators to upload and download files during an RDP session initiated through the Azure portal.

True or False?


Question 4 — Technical Scenario

An engineer needs to connect to a Linux VM without using the Azure portal, preferring the native SSH client from their local machine. Azure Bastion is already deployed on the Standard SKU. They execute the command below but receive a connection refused error:

ssh -i ~/.ssh/id_rsa azureuser@10.0.1.5

What adjustment is necessary for the connection via native SSH client to work correctly with Azure Bastion?

A. Install the Azure Bastion agent on the target VM and open port 22 in the NSG of the VM's subnet.

B. Use the az network bastion ssh command or tunnel the connection via az network bastion tunnel, as access by native client requires the Azure CLI as an intermediary.

C. Change the Bastion SKU to Premium, as the Standard SKU does not support access by native SSH clients.

D. Expose the VM's private IP directly to the internet and connect via conventional SSH, as Bastion does not support native clients in any scenario.


Question 5 — Multiple Choice

When comparing Azure Bastion with using a jumpserver (customer-managed bastion host) deployed on a VM, which statement correctly describes an operational advantage of Azure Bastion?

A. Azure Bastion eliminates the need for any Network Security Group in the VNet, simplifying all network configuration.

B. Azure Bastion eliminates the management of patches, operating system updates, and access host infrastructure availability, as it is a service managed by Microsoft.

C. Azure Bastion guarantees lower session latency compared to a jumpserver, as it processes sessions locally on the target VM's hypervisor.

D. Azure Bastion completely replaces Microsoft Entra Conditional Access, applying its own conditional access policies natively.


Answer Key and Explanations

Answer Key — Question 1

Answer: B

Azure Bastion requires a subnet with the exact name AzureBastionSubnet; any other name prevents deployment. The minimum required prefix is /26 (62 usable addresses), not /27. An NSG can be associated with the Bastion subnet, but it is not mandatory for basic functionality; when one is present, it must follow the specific rules documented by Microsoft (allow inbound on 443 from GatewayManager and Internet, and outbound to VirtualNetwork on ports 3389/22).

Alternative C is wrong on the prefix (/27 is insufficient). Alternatives A and D are wrong on the mandatory subnet name. Choosing /27 would result in deployment failure with an explicit error message about insufficient subnet size.
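A pre-deployment check for the two hard requirements above (subnet name and /26 minimum) plus the NSG rules this answer lists, as an added example that is not part of the original lab. The subnet and rule dictionaries are constructed inputs shaped like ARM securityRules; the check covers only the rules named here, and Microsoft's full documented rule set for AzureBastionSubnet is longer.

```python
import ipaddress

BASTION_SUBNET_NAME = "AzureBastionSubnet"
MAX_PREFIX_LEN = 26  # /26 or larger is required, so a longer prefix (e.g. /27) fails

# Only the rules named in the answer key; the documented set is longer.
# (direction, destination port, source tag for inbound / destination tag for outbound)
REQUIRED_NSG_RULES = [
    ("Inbound", "443", "GatewayManager"),
    ("Inbound", "443", "Internet"),
    ("Outbound", "3389", "VirtualNetwork"),
    ("Outbound", "22", "VirtualNetwork"),
]


def _rule_allows(rule, direction, port, tag):
    """True if an ARM-style securityRule explicitly allows the required flow."""
    peer = rule["sourceAddressPrefix"] if direction == "Inbound" else rule["destinationAddressPrefix"]
    return (
        rule["access"] == "Allow"
        and rule["direction"] == direction
        and rule["destinationPortRange"] in (port, "*")
        and peer == tag
    )


def validate_bastion_subnet(subnet, nsg_rules=None):
    """Return a list of findings; an empty list means Bastion can be deployed.

    subnet: {"name": ..., "addressPrefix": "a.b.c.d/nn"}
    nsg_rules: list of securityRule dicts, or None when no NSG is attached
    (no NSG is acceptable for basic functionality).
    """
    findings = []
    if subnet["name"] != BASTION_SUBNET_NAME:
        findings.append(f"subnet must be named {BASTION_SUBNET_NAME!r}, got {subnet['name']!r}")
    net = ipaddress.ip_network(subnet["addressPrefix"], strict=True)
    if net.prefixlen > MAX_PREFIX_LEN:
        findings.append(f"prefix /{net.prefixlen} is too small; /{MAX_PREFIX_LEN} or larger required")
    if nsg_rules is not None:
        for direction, port, tag in REQUIRED_NSG_RULES:
            if not any(_rule_allows(r, direction, port, tag) for r in nsg_rules):
                findings.append(f"NSG lacks {direction} allow on port {port} for {tag}")
    return findings
```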


Answer Key — Question 2

Answer: B

Support for VNet peering in Azure Bastion is an exclusive feature of the Standard SKU (and higher). On the Basic SKU, Bastion can only reach VMs within the same VNet where it was deployed. Therefore, even with correctly configured peering, the connection fails on the Basic SKU.

Alternative A is incorrect because peering is supported, but depends on the SKU. Alternative C describes a gateway routing problem, which is irrelevant for Bastion sessions. Alternative D is incorrect because Bastion supports cross-region peering on the Standard SKU, without region restrictions. The common mistake here is assuming that configured peering is sufficient, ignoring the SKU restriction.


Answer Key — Question 3

Answer: False

File transfer during RDP sessions via the Azure portal is a feature of the Standard SKU, not the Basic SKU. On the Basic SKU, RDP and SSH sessions work, but with limited features: no file upload/download, no native tunneling, and no native client support. This distinction matters in the AZ-104 exam because the behavior seems intuitively available in any RDP session, but it is deliberately restricted by SKU in Azure Bastion.


Answer Key — Question 4

Answer: B

Access by a native SSH or RDP client through Azure Bastion on the Standard SKU does not occur via a direct connection to the VM's private IP. The correct flow uses the Azure CLI as an intermediary: the az network bastion ssh command establishes the session directly, or az network bastion tunnel creates a local tunnel that the native client uses as its destination.

Alternative A is incorrect because Bastion does not require an agent on the VM nor opening port 22 to the internet. Alternative C is incorrect because the Standard SKU already supports this feature. Alternative D contradicts Bastion's purpose. The most common error is trying to access the private IP directly from the local client, without understanding that traffic must pass through Bastion's control plane.
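The corrected flow from this answer, as an added example that is not part of the original lab: the native client targets a local tunnel port that az network bastion tunnel opens, never the VM's private IP 10.0.1.5 from the question. The bastion name, resource group and VM resource ID are placeholders, and the az network bastion commands assume the Azure CLI with its bastion extension installed and an authenticated session.

```python
import socket
import subprocess
import time

# Placeholders for this example; substitute your own values.
BASTION_NAME = "bastion-prod"
RESOURCE_GROUP = "rg-prod"
VM_ID = "/subscriptions/<subscription-id>/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-linux-01"


def tunnel_argv(bastion, rg, vm_id, resource_port=22, local_port=2222):
    """az command that keeps a local port forwarded to the VM's SSH port via Bastion."""
    return ["az", "network", "bastion", "tunnel", "--name", bastion, "--resource-group", rg,
            "--target-resource-id", vm_id, "--resource-port", str(resource_port),
            "--port", str(local_port)]


def ssh_argv(user, key_path, local_port=2222):
    """Native ssh invocation against the tunnel, not against the VM's private IP."""
    return ["ssh", "-i", key_path, "-p", str(local_port), f"{user}@127.0.0.1"]


def direct_bastion_ssh_argv(bastion, rg, vm_id, user, key_path):
    """The alternative: let the CLI open the SSH session itself (no local tunnel)."""
    return ["az", "network", "bastion", "ssh", "--name", bastion, "--resource-group", rg,
            "--target-resource-id", vm_id, "--auth-type", "ssh-key",
            "--username", user, "--ssh-key", key_path]


def wait_for_port(host, port, timeout=30.0):
    """Poll until the tunnel listener accepts connections (the CLI starts it asynchronously)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1):
                return True
        except OSError:
            time.sleep(0.5)
    return False


def connect(user="azureuser", key_path="~/.ssh/id_rsa", local_port=2222):
    """Open the tunnel, wait for it, run the native client, then tear the tunnel down."""
    tunnel = subprocess.Popen(tunnel_argv(BASTION_NAME, RESOURCE_GROUP, VM_ID, 22, local_port))
    try:
        if not wait_for_port("127.0.0.1", local_port):
            raise RuntimeError("Bastion tunnel did not come up; check CLI login, SKU and VM resource ID")
        return subprocess.call(ssh_argv(user, key_path, local_port))
    finally:
        tunnel.terminate()
```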


Answer Key — Question 5

Answer: B

The main operational advantage of Azure Bastion over a customer-managed jumpserver is the elimination of infrastructure management overhead: no OS patching, no VM availability monitoring, no operating system license management. Microsoft is responsible for service availability and updates.

Alternative A is incorrect because NSGs remain necessary and recommended in the architecture. Alternative C is technically unfounded; Bastion does not process sessions on the VM's hypervisor. Alternative D is incorrect because Bastion does not replace or incorporate Microsoft Entra Conditional Access; both are complementary and independent security layers.