Just in case someone runs into a problem defining proper NSG rules for Azure Bastion…
Well, here they are:
Works like a charm 😀
And below is the ARM template for it (note that it defines each rule twice — once inline under the NSG's securityRules and once as a child securityRules resource — and the two InboundFromGM definitions differ: the inline one allows only port 443, the child resource allows 443 and 4443; the child resources are what end up applied, so keep the two in sync or drop one set):
{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "projectPrefix": { "type": "string", "metadata": { "description": "Prefix for the name of resources." } }, "resourceLocation": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Location for all resources." } } }, "variables": { "nsgName": "[concat(parameters('projectPrefix'), 'NSG-Bastion')]" }, "resources": [ { "type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2019-09-01", "name": "[variables('nsgName')]", "location": "[parameters('resourceLocation')]", "properties": { "securityRules": [ { "name": "InboundFromAny", "properties": { "description": "Allow connection from any host on https.", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "443", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "access": "Allow", "priority": 100, "direction": "Inbound", "sourcePortRanges": [ ], "destinationPortRanges": [ ], "sourceAddressPrefixes": [ ], "destinationAddressPrefixes": [ ] } }, { "name": "InboundFromGM", "properties": { "description": "This enables the control plane, that is, Gateway Manager to be able to talk to Azure Bastion.", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "443", "sourceAddressPrefix": "GatewayManager", "destinationAddressPrefix": "*", "access": "Allow", "priority": 120, "direction": "Inbound", "sourcePortRanges": [ ], "destinationPortRanges": [ ], "sourceAddressPrefixes": [ ], "destinationAddressPrefixes": [ ] } }, { "name": "OutboundToVNET_SSH", "properties": { "description": "Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP and SSH port", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "22", "sourceAddressPrefix": "*", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 120, "direction": "Outbound", "sourcePortRanges": 
[ ], "destinationPortRanges": [ ], "sourceAddressPrefixes": [ ], "destinationAddressPrefixes": [ ] } }, { "name": "OutboundToVNET_RDP", "properties": { "description": "Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP and RDP port", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "3389", "sourceAddressPrefix": "*", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 110, "direction": "Outbound", "sourcePortRanges": [ ], "destinationPortRanges": [ ], "sourceAddressPrefixes": [ ], "destinationAddressPrefixes": [ ] } }, { "name": "OutboundHTTPStoAzureCloud", "properties": { "description": "Egress Traffic to other public endpoints in Azure", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "443", "sourceAddressPrefix": "*", "destinationAddressPrefix": "AzureCloud", "access": "Allow", "priority": 100, "direction": "Outbound", "sourcePortRanges": [ ], "destinationPortRanges": [ ], "sourceAddressPrefixes": [ ], "destinationAddressPrefixes": [ ] } } ] } }, { "type": "Microsoft.Network/networkSecurityGroups/securityRules", "apiVersion": "2019-09-01", "name": "[concat(variables('nsgName'), '/InboundFromAny')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]" ], "properties": { "description": "Allow connection from any host on https.", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "443", "sourceAddressPrefix": "*", "destinationAddressPrefix": "*", "access": "Allow", "priority": 100, "direction": "Inbound", "sourcePortRanges": [ ], "destinationPortRanges": [ ], "sourceAddressPrefixes": [ ], "destinationAddressPrefixes": [ ] } }, { "type": "Microsoft.Network/networkSecurityGroups/securityRules", "apiVersion": "2019-09-01", "name": "[concat(variables('nsgName'), '/InboundFromGM')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]" ], "properties": { "description": "This 
enables the control plane, that is, Gateway Manager to be able to talk to Azure Bastion.", "protocol": "TCP", "sourcePortRange": "*", "sourceAddressPrefix": "GatewayManager", "destinationAddressPrefix": "*", "access": "Allow", "priority": 120, "direction": "Inbound", "sourcePortRanges": [ ], "destinationPortRanges": [ "443", "4443" ], "sourceAddressPrefixes": [ ], "destinationAddressPrefixes": [ ] } }, { "type": "Microsoft.Network/networkSecurityGroups/securityRules", "apiVersion": "2019-09-01", "name": "[concat(variables('nsgName'), '/OutboundHTTPStoAzureCloud')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]" ], "properties": { "description": "Egress Traffic to other public endpoints in Azure", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "443", "sourceAddressPrefix": "*", "destinationAddressPrefix": "AzureCloud", "access": "Allow", "priority": 100, "direction": "Outbound", "sourcePortRanges": [ ], "destinationPortRanges": [ ], "sourceAddressPrefixes": [ ], "destinationAddressPrefixes": [ ] } }, { "type": "Microsoft.Network/networkSecurityGroups/securityRules", "apiVersion": "2019-09-01", "name": "[concat(variables('nsgName'), '/OutboundToVNET_RDP')]", "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]" ], "properties": { "description": "Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP and RDP port", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "3389", "sourceAddressPrefix": "*", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 110, "direction": "Outbound", "sourcePortRanges": [ ], "destinationPortRanges": [ ], "sourceAddressPrefixes": [ ], "destinationAddressPrefixes": [ ] } }, { "type": "Microsoft.Network/networkSecurityGroups/securityRules", "apiVersion": "2019-09-01", "name": "[concat(variables('nsgName'), '/OutboundToVNET_SSH')]", "dependsOn": [ 
"[resourceId('Microsoft.Network/networkSecurityGroups', variables('nsgName'))]" ], "properties": { "description": "Egress Traffic to target VMs: Azure Bastion will reach the target VMs over private IP and SSH port", "protocol": "TCP", "sourcePortRange": "*", "destinationPortRange": "22", "sourceAddressPrefix": "*", "destinationAddressPrefix": "VirtualNetwork", "access": "Allow", "priority": 120, "direction": "Outbound", "sourcePortRanges": [ ], "destinationPortRanges": [ ], "sourceAddressPrefixes": [ ], "destinationAddressPrefixes": [ ] } } ] }