Bastion to VM connection through VHUB

Vidya Natarajan 20 Reputation points
2025-10-07T12:00:35.4133333+00:00

I have an Azure Bastion deployed in a VNet within my PLZ connectivity subscription. I also have a Virtual Hub (vHub) in the same PLZ connectivity subscription.

In a ALZ subscription, I have a Windows VM deployed in a VNet. Both the Bastion VNet and the VM VNet are connected to the vHub.

When I try to create a Bastion tunnel using the following command:

az network bastion tunnel --name <bastion-name> --resource-group <rg-name> --target-resource-id <vm-resource-id> --resource-port 3389 --port <localport> 

and then attempt to connect to the VM via RDP, the connection fails.

However, if I connect directly to the VM using its private IP address from the Bastion host in Azure portal, the RDP connection works fine.

Also, if I peer both VNets directly (bypassing vHub), the Bastion tunnel and RDP work.

Has anyone faced this issue or know what might be causing VM access through Bastion -> vHub -> VM to fail?


Answer accepted by question author
  1. Priya ranjan Jena 1,585 Reputation points Microsoft External Staff Moderator
    2025-10-07T17:00:34.31+00:00

    Hi Vidya Natarajan,

    Thank you for reaching out to the Microsoft Q&A forum.

    VM access through Bastion -> Vhub -> VM fails

    1. Azure Bastion does not natively support routing through Virtual WAN hubs for native client tunnels (az network bastion tunnel).


    Reference link: https://free.blessedness.top/en-us/azure/bastion/bastion-faq

    Reference link for connecting via IP address for Bastion: https://free.blessedness.top/en-us/azure/bastion/connect-ip-address

    When you use the CLI tunnel feature, Bastion expects direct VNet peering or local VNet connectivity to the target VM. Virtual WAN introduces route tables and routing intent, which can break Bastion’s TCP forwarding because Bastion traffic is not automatically propagated through the vHub routes for this scenario.

    Portal-based RDP works (it uses Bastion’s web socket over HTTPS from the portal, which is handled differently).

    CLI tunnel fails (it relies on TCP forwarding through Bastion, which doesn’t traverse vHub routing properly).

    RDP via CLI

    az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-address "<VMIPAddress>"

    For Tunnel via CLI

    az network bastion tunnel --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-address "<VMIPAddress>" --resource-port "<TargetVMPort>" --port "<LocalMachinePort>"

    Hope you find this answer helpful. If yes, please “up-vote” & accept for the information provided, as this can be beneficial to community members.

    Kindly let us know if you have any additional questions.

    Thanks


1 additional answer

  1. Alan Kinane 17,356 Reputation points MVP Volunteer Moderator
    2025-10-07T17:08:14.4333333+00:00

    If Virtual WAN (vHub) is in play here then you have to use the IP-based connection feature of Azure Bastion to connect to your VM endpoints.

    https://free.blessedness.top/en-us/azure/bastion/connect-ip-address

    If you are trying to RDP from one VM to another (without using Bastion), then can you check that routes are propagating correctly? Check the effective routes on a NIC for one VM and see if it lists a route to the required destination VNet.
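The effective-route check suggested above can be automated. The following is an added example, not code from either answer or from Microsoft: it takes the JSON that `az network nic show-effective-route-table -o json` prints for a spoke VM's NIC, does a longest-prefix match over the Active entries for the destination VM's private IP, and reports whether the best match is a real VNet route or only the default Internet route (which means the spoke never learned the remote VNet's prefix via the hub). The embedded route table is a constructed sample; the prefixes, the hub next-hop address and the assumption that hub-learned routes appear with next hop type `VirtualNetworkGateway` are illustrative assumptions, not values from this thread.

```python
import ipaddress
import json

# Constructed sample in the shape of `az network nic show-effective-route-table -o json`,
# trimmed to the fields this check uses. Prefixes, the hub next hop 10.10.255.4 and the
# Invalid peering entry are made up for illustration.
SAMPLE_EFFECTIVE_ROUTES = json.dumps({
    "value": [
        {"addressPrefix": ["10.10.0.0/16"], "nextHopType": "VnetLocal",
         "nextHopIpAddress": [], "source": "Default", "state": "Active"},
        # Assumed shape of a route learned from the Virtual WAN hub.
        {"addressPrefix": ["10.20.0.0/16"], "nextHopType": "VirtualNetworkGateway",
         "nextHopIpAddress": ["10.10.255.4"], "source": "VirtualNetworkGateway", "state": "Active"},
        # A stale peering route: Invalid entries are ignored by the NIC.
        {"addressPrefix": ["10.30.0.0/16"], "nextHopType": "VNetPeering",
         "nextHopIpAddress": [], "source": "Default", "state": "Invalid"},
        {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
         "nextHopIpAddress": [], "source": "Default", "state": "Active"},
    ]
})

# Next-hop types that mean the packet is not forwarded towards another VNet.
NOT_A_VNET_ROUTE = {"Internet", "None"}


def parse_effective_routes(raw_json):
    """Flatten the CLI output into one (network, route_entry) pair per address prefix."""
    flat = []
    for entry in json.loads(raw_json)["value"]:
        for prefix in entry["addressPrefix"]:
            flat.append((ipaddress.ip_network(prefix, strict=False), entry))
    return flat


def find_route(routes, destination):
    """Longest-prefix match over Active routes only, mirroring what the NIC uses.
    Returns a summary dict, or None when no Active route covers the destination."""
    dest = ipaddress.ip_address(destination)
    candidates = [(net, r) for net, r in routes if r["state"] == "Active" and dest in net]
    if not candidates:
        return None
    net, best = max(candidates, key=lambda pair: pair[0].prefixlen)
    return {
        "prefix": str(net),
        "next_hop_type": best["nextHopType"],
        "next_hop_ip": (best["nextHopIpAddress"] or [None])[0],
        "source": best["source"],
    }


def check_destination(raw_json, destination):
    """Return (reachable, route). reachable is False when the most specific Active route
    is the default Internet route, a None/blackhole route, or nothing at all: in that case
    the spoke has not learned the remote VNet's prefix and hub propagation needs a look."""
    route = find_route(parse_effective_routes(raw_json), destination)
    if route is None or route["next_hop_type"] in NOT_A_VNET_ROUTE:
        return False, route
    return True, route


if __name__ == "__main__":
    for ip in ("10.20.5.7", "10.30.1.1", "10.10.0.9"):
        ok, route = check_destination(SAMPLE_EFFECTIVE_ROUTES, ip)
        print(f"{ip}: {'VNet route present' if ok else 'NO VNet route'} -> {route}")
```

To use it against a real NIC, replace `SAMPLE_EFFECTIVE_ROUTES` with the output of `az network nic show-effective-route-table --name <nic-name> --resource-group <rg-name> -o json` and pass the target VM's private IP; a result of `NO VNet route` for the remote VNet's address space is the symptom to chase in the vHub route tables before looking at Bastion itself.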

