Bicep resource definition
The bastionHosts resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Network/bastionHosts resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Network/bastionHosts@2020-07-01' = {
  scope: resourceSymbolicName or scope
  location: 'string'
  name: 'string'
  properties: {
    dnsName: 'string'
    ipConfigurations: [
      {
        id: 'string'
        name: 'string'
        properties: {
          privateIPAllocationMethod: 'string'
          publicIPAddress: {
            id: 'string'
          }
          subnet: {
            id: 'string'
          }
        }
      }
    ]
  }
  tags: {
    {customized property}: 'string'
  }
}
Property Values
Microsoft.Network/bastionHosts
| Name | Description | Value |
|---|---|---|
| location | Resource location. | string |
| name | The resource name | string (required) |
| properties | Represents the bastion host resource. | BastionHostPropertiesFormat |
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
BastionHostIPConfiguration
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | Name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Represents the ip configuration associated with the resource. | BastionHostIPConfigurationPropertiesFormat |
BastionHostIPConfigurationPropertiesFormat
| Name | Description | Value |
|---|---|---|
| privateIPAllocationMethod | Private IP allocation method. | 'Dynamic' 'Static' |
| publicIPAddress | Reference of the PublicIP resource. | SubResource (required) |
| subnet | Reference of the subnet resource. | SubResource (required) |
BastionHostPropertiesFormat
| Name | Description | Value |
|---|---|---|
| dnsName | FQDN for the endpoint on which bastion host is accessible. | string |
| ipConfigurations | IP configuration of the Bastion Host resource. | BastionHostIPConfiguration[] |
SubResource
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
Usage Examples
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description |
|---|---|
| Bastion Host | AVM Resource Module for Bastion Host |
 
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description |
|---|---|
| AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
| AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
| Azure Bastion as a Service | This template provisions Azure Bastion in a Virtual Network |
| Azure Bastion as a Service with NSG | This template provisions Azure Bastion in a Virtual Network |
| Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
| Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
| Create a cross-region load balancer | This template creates a cross-region load balancer with a backend pool containing two regional load balancers. Cross-region load balancer is currently available in limited regions. The regional load balancers behind the cross-region load balancer can be in any region. |
| Create a Private AKS Cluster | This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine. |
| Create a standard internal load balancer | This template creates a standard internal Azure Load Balancer with a rule load-balancing port 80 |
| Create a standard load-balancer | This template creates an Internet-facing load-balancer, load balancing rules, and three VMs for the backend pool with each VM in a redundant zone. |
| Deploy a Bastion host in a hub Virtual Network | This template creates two vNets with peerings, a Bastion host in the Hub vNet and a Linux VM in the spoke vNet |
| Deploy Secure AI Foundry with a managed virtual network | This template creates a secure Azure AI Foundry environment with robust network and identity security restrictions. |
| Public Load Balancer chained to a Gateway Load Balancer | This template allows you to deploy a Public Standard Load Balancer chained to a Gateway Load Balancer. The traffic incoming from internet is routed to the Gateway Load Balancer with Linux VMs (NVAs) in the backend pool. |
| Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
| Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering. |
 
 
ARM template resource definition
The bastionHosts resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Network/bastionHosts resource, add the following JSON to your template.
{
  "type": "Microsoft.Network/bastionHosts",
  "apiVersion": "2020-07-01",
  "name": "string",
  "location": "string",
  "properties": {
    "dnsName": "string",
    "ipConfigurations": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "privateIPAllocationMethod": "string",
          "publicIPAddress": {
            "id": "string"
          },
          "subnet": {
            "id": "string"
          }
        }
      }
    ]
  },
  "tags": {
    "{customized property}": "string"
  }
}
Property Values
Microsoft.Network/bastionHosts
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2020-07-01' |
| location | Resource location. | string |
| name | The resource name | string (required) |
| properties | Represents the bastion host resource. | BastionHostPropertiesFormat |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| type | The resource type | 'Microsoft.Network/bastionHosts' |
BastionHostIPConfiguration
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | Name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Represents the ip configuration associated with the resource. | BastionHostIPConfigurationPropertiesFormat |
BastionHostIPConfigurationPropertiesFormat
| Name | Description | Value |
|---|---|---|
| privateIPAllocationMethod | Private IP allocation method. | 'Dynamic' 'Static' |
| publicIPAddress | Reference of the PublicIP resource. | SubResource (required) |
| subnet | Reference of the subnet resource. | SubResource (required) |
BastionHostPropertiesFormat
| Name | Description | Value |
|---|---|---|
| dnsName | FQDN for the endpoint on which bastion host is accessible. | string |
| ipConfigurations | IP configuration of the Bastion Host resource. | BastionHostIPConfiguration[] |
SubResource
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| AKS Cluster with a NAT Gateway and an Application Gateway | This sample shows how to deploy an AKS cluster with NAT Gateway for outbound connections and an Application Gateway for inbound connections. |
| AKS cluster with the Application Gateway Ingress Controller | This sample shows how to deploy an AKS cluster with Application Gateway, Application Gateway Ingress Controller, Azure Container Registry, Log Analytics and Key Vault |
| Azure Bastion as a Service | This template provisions Azure Bastion in a Virtual Network |
| Azure Bastion as a Service with NSG | This template provisions Azure Bastion in a Virtual Network |
| Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
| Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
| Create a cross-region load balancer | This template creates a cross-region load balancer with a backend pool containing two regional load balancers. Cross-region load balancer is currently available in limited regions. The regional load balancers behind the cross-region load balancer can be in any region. |
| Create a Private AKS Cluster | This sample shows how to create a private AKS cluster in a virtual network along with a jumpbox virtual machine. |
| Create a Private AKS Cluster with a Public DNS Zone | This sample shows how to deploy a private AKS cluster with a Public DNS Zone. |
| Create a standard internal load balancer | This template creates a standard internal Azure Load Balancer with a rule load-balancing port 80 |
| Create a standard load-balancer | This template creates an Internet-facing load-balancer, load balancing rules, and three VMs for the backend pool with each VM in a redundant zone. |
| Deploy a Bastion host in a hub Virtual Network | This template creates two vNets with peerings, a Bastion host in the Hub vNet and a Linux VM in the spoke vNet |
| Deploy Darktrace Autoscaling vSensors | This template allows you to deploy an automatically autoscaling deployment of Darktrace vSensors |
| Deploy Secure AI Foundry with a managed virtual network | This template creates a secure Azure AI Foundry environment with robust network and identity security restrictions. |
| Example Parameterized Deployment With Linked Templates | This sample template will deploy multiple tiers of resources into an Azure Resource Group. Each tier has configurable elements, to show how you can expose parameterization to the end user. |
| Public Load Balancer chained to a Gateway Load Balancer | This template allows you to deploy a Public Standard Load Balancer chained to a Gateway Load Balancer. The traffic incoming from internet is routed to the Gateway Load Balancer with Linux VMs (NVAs) in the backend pool. |
| Standard Load Balancer with Backend Pool by IP Addresses | This template is used to demonstrate how ARM Templates can be used to configure the Backend Pool of a Load Balancer by IP Address as outlined in the Backend Pool management document. |
| Testing environment for Azure Firewall Premium | This template creates an Azure Firewall Premium and Firewall Policy with premium features such as Intrusion Inspection Detection (IDPS), TLS inspection and Web Category filtering |
| Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering. |
 
 
Terraform (AzAPI provider) resource definition
The bastionHosts resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
To create a Microsoft.Network/bastionHosts resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/bastionHosts@2020-07-01"
  name = "string"
  parent_id = "string"
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    properties = {
      dnsName = "string"
      ipConfigurations = [
        {
          id = "string"
          name = "string"
          properties = {
            privateIPAllocationMethod = "string"
            publicIPAddress = {
              id = "string"
            }
            subnet = {
              id = "string"
            }
          }
        }
      ]
    }
  }
}
Property Values
Microsoft.Network/bastionHosts
| Name | Description | Value |
|---|---|---|
| location | Resource location. | string |
| name | The resource name | string (required) |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| properties | Represents the bastion host resource. | BastionHostPropertiesFormat |
| tags | Resource tags | Dictionary of tag names and values. |
| type | The resource type | "Microsoft.Network/bastionHosts@2020-07-01" |
BastionHostIPConfiguration
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | Name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Represents the ip configuration associated with the resource. | BastionHostIPConfigurationPropertiesFormat |
BastionHostIPConfigurationPropertiesFormat
| Name | Description | Value |
|---|---|---|
| privateIPAllocationMethod | Private IP allocation method. | 'Dynamic' 'Static' |
| publicIPAddress | Reference of the PublicIP resource. | SubResource (required) |
| subnet | Reference of the subnet resource. | SubResource (required) |
BastionHostPropertiesFormat
| Name | Description | Value |
|---|---|---|
| dnsName | FQDN for the endpoint on which bastion host is accessible. | string |
| ipConfigurations | IP configuration of the Bastion Host resource. | BastionHostIPConfiguration[] |
SubResource
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
Usage Examples
A basic example of deploying Bastion Host.
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}
provider "azapi" {
  skip_provider_registration = false
}
variable "resource_name" {
  type    = string
  default = "acctest0001"
}
variable "location" {
  type    = string
  default = "westeurope"
}
resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}
resource "azapi_resource" "virtualNetwork" {
  type      = "Microsoft.Network/virtualNetworks@2022-07-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      addressSpace = {
        addressPrefixes = [
          "192.168.1.0/24",
        ]
      }
      dhcpOptions = {
        dnsServers = [
        ]
      }
      subnets = [
      ]
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
  lifecycle {
    ignore_changes = [body.properties.subnets]
  }
}
resource "azapi_resource" "publicIPAddress" {
  type      = "Microsoft.Network/publicIPAddresses@2022-07-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      ddosSettings = {
        protectionMode = "VirtualNetworkInherited"
      }
      idleTimeoutInMinutes     = 4
      publicIPAddressVersion   = "IPv4"
      publicIPAllocationMethod = "Static"
    }
    sku = {
      name = "Standard"
      tier = "Regional"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
resource "azapi_resource" "subnet" {
  type      = "Microsoft.Network/virtualNetworks/subnets@2022-07-01"
  parent_id = azapi_resource.virtualNetwork.id
  name      = "AzureBastionSubnet"
  body = {
    properties = {
      addressPrefix = "192.168.1.224/27"
      delegations = [
      ]
      privateEndpointNetworkPolicies    = "Enabled"
      privateLinkServiceNetworkPolicies = "Enabled"
      serviceEndpointPolicies = [
      ]
      serviceEndpoints = [
      ]
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
resource "azapi_resource" "bastionHost" {
  type      = "Microsoft.Network/bastionHosts@2022-07-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      disableCopyPaste    = false
      enableFileCopy      = false
      enableIpConnect     = false
      enableShareableLink = false
      enableTunneling     = false
      ipConfigurations = [
        {
          name = "ip-configuration"
          properties = {
            publicIPAddress = {
              id = azapi_resource.publicIPAddress.id
            }
            subnet = {
              id = azapi_resource.subnet.id
            }
          }
        },
      ]
      scaleUnits = 2
    }
    sku = {
      name = "Basic"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description |
|---|---|
| Bastion Host | AVM Resource Module for Bastion Host |