Home / Azure / Fix Azure Bastion Connection Timeout

Azure

Fix Azure Bastion Connection Timeout

Resolve Azure Bastion connection timeouts by checking NSG rules, subnet configuration, and VM network settings for SSH/RDP access.

Published: Apr 2, 20267 min readBy FixWikiHub Editorial Team

Abstract illustration for a troubleshooting knowledge base category.

Introduction

Azure Bastion provides secure RDP and SSH connectivity to Azure VMs through the Azure portal without exposing public ports. When Bastion connections timeout, users cannot access their VMs, blocking administration and troubleshooting workflows.

Symptoms

Connection timeout in Azure portal:

bash

"Connection failed. The connection to the VM could not be established."
"Session has been disconnected. Unable to RDP to the VM."

Bastion connection stuck:

bash

# In Azure Portal > Bastion > Connect:
"Connecting..." message never resolves
# After timeout:
"Session has been disconnected due to inactivity"

Network connection error:

bash

"Unable to connect to the remote server. Please verify your network connection."

Common Causes

1.NSG blocking Bastion subnet - Network security group restricts traffic
2.VM NSG blocking RDP/SSH - Target VM NSG blocks port 3389/22
3.Bastion subnet misconfigured - Wrong subnet or insufficient IPs
4.VM not running or responsive - Target VM issues
5.Guest agent not running - VM agent required for Bastion
6.RDP/SSH service disabled - Services not running on VM
7.User permissions missing - No role assignment for VM access

Step-by-Step Fix

1.Check logs for specific error messages
2.Verify configuration settings
3.Test network connectivity
4.Review recent changes
5.Apply corrective action
6.Verify the fix

Step 1: Check Bastion Service Status

bash

# Get Bastion host details
az network bastion show \
  --name my-bastion \
  --resource-group my-rg \
  --query '{Name:name,ProvisioningState:provisioningState,DnsName:dnsName,Subnet:ipConfigurations[0].subnet.id}'

Step 2: Verify Bastion Subnet Configuration

```bash # Check AzureBastionSubnet exists and is correctly sized az network vnet subnet show \ --vnet-name my-vnet \ --resource-group my-rg \ --name AzureBastionSubnet \ --query '{Name:name,AddressPrefix:addressPrefix,Nsg:networkSecurityGroup.id}'

# Requirements: # - Name must be exactly "AzureBastionSubnet" # - Minimum /26 CIDR (64 IPs) # - Must have NSG attached ```

Step 3: Check Bastion NSG Rules

```bash # Get NSG for Bastion subnet az network nsg show \ --name AzureBastionNsg \ --resource-group my-rg \ --query 'securityRules[]'

# Required inbound rules for Bastion: # 1. Allow HTTPS (443) from internet for portal access # 2. Allow GatewayManager service tag

# Required outbound rules: # 1. Allow RDP (3389) to VM subnet # 2. Allow SSH (22) to VM subnet # 3. Allow AzureCloud for management

# Add missing outbound rule for VM access az network nsg rule create \ --nsg-name AzureBastionNsg \ --resource-group my-rg \ --name AllowVMSSHRDP \ --direction Outbound \ --priority 100 \ --source-address-prefixes '*' \ --destination-address-prefixes 10.0.1.0/24 \ --destination-port-ranges 22 3389 \ --protocol Tcp \ --access Allow ```

Step 4: Check Target VM NSG

```bash # Get VM's network interface az vm show \ --name my-vm \ --resource-group my-rg \ --query 'networkProfile.networkInterfaces[0].id' -o tsv

# Get NSG for VM subnet az network nsg show \ --name my-vm-nsg \ --resource-group my-rg \ --query 'securityRules[]'

# Required inbound rules for Bastion access: # - Allow RDP (3389) from AzureBastionSubnet # - Allow SSH (22) from AzureBastionSubnet

# Add rule to allow Bastion subnet az network nsg rule create \ --nsg-name my-vm-nsg \ --resource-group my-rg \ --name AllowBastionAccess \ --direction Inbound \ --priority 100 \ --source-address-prefixes 10.0.2.0/26 \ --destination-address-prefixes '*' \ --destination-port-ranges 22 3389 \ --protocol Tcp \ --access Allow ```

Step 5: Verify VM is Running

bash # Check VM status az vm get-instance-view \ --name my-vm \ --resource-group my-rg \ --query '{PowerState:statuses[?code==PowerState/running],ProvisioningState:statuses[?starts_with(code, ProvisioningState`)]}'

# If not running, start the VM az vm start --name my-vm --resource-group my-rg ```

Step 6: Check VM Guest Agent

bash # Check VM agent status az vm get-instance-view \ --name my-vm \ --resource-group my-rg \ --query 'statuses[?contains(code,VMAgent`)]'

# Agent should show "Ready" # If not, restart agent inside VM: # Linux: sudo service walinuxagent restart # Windows: Restart "Windows Azure Guest Agent" service ```

Step 7: Verify RDP/SSH Services on VM

```bash # For Linux VMs, SSH in via serial console to check: # Azure Portal > VM > Support + troubleshooting > Serial console

sudo systemctl status sshd sudo netstat -tlnp | grep :22

# If SSH not running: sudo systemctl start sshd sudo systemctl enable sshd

# For Windows VMs, check RDP via serial console (SAC): # cmd # powershell # Get-Service TermService # Set-Service TermService -StartupType Automatic # Start-Service TermService ```

Step 8: Check User Permissions

```bash # Verify user has required role on VM az role assignment list \ --assignee user@example.com \ --resource-group my-rg \ --query "[?contains(roleDefinitionName, 'Virtual Machine')].roleDefinitionName"

# Required roles: # - Virtual Machine Administrator Login (full admin) # - Virtual Machine User Login (regular user) # - Owner or Contributor (includes login)

# Assign missing role az role assignment create \ --assignee user@example.com \ --role "Virtual Machine Administrator Login" \ --scope /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/my-vm ```

Step 9: Test Network Connectivity

```bash # Use Network Watcher to test connectivity az network watcher test-connectivity \ --resource-group my-rg \ --source-resource my-bastion \ --dest-resource my-vm \ --dest-port 3389

# Or use connection troubleshoot az network watcher connection show \ --resource-group my-rg \ --source-resource my-bastion-nic \ --destination-resource my-vm-nic \ --destination-port 3389 ```

Step 10: Check Bastion Logs

```bash # Enable diagnostic settings az monitor diagnostic-settings create \ --name bastion-logs \ --resource /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Network/bastionHosts/my-bastion \ --workspace /subscriptions/SUB/resourcegroups/my-rg/providers/microsoft.operationalinsights/workspaces/my-workspace \ --logs '[{"category":"BastionAuditLogs","enabled":true}]'

Azure Bastion Network Requirements

Direction	Port	Source	Destination	Purpose
Inbound	443	Internet	BastionSubnet	Portal access
Inbound	443	GatewayManager	BastionSubnet	Management
Outbound	22	BastionSubnet	VM Subnet	SSH to Linux VMs
Outbound	3389	BastionSubnet	VM Subnet	RDP to Windows VMs
Outbound	443	BastionSubnet	AzureCloud	Management

Verification

```bash # After configuration changes, test Bastion connection # Azure Portal > VM > Connect > Bastion

# Or test via CLI az network bastion ssh \ --name my-bastion \ --resource-group my-rg \ --target-resource-id /subscriptions/SUB/resourceGroups/my-rg/providers/Microsoft.Compute/virtualMachines/my-vm \ --username azureuser

# Connection should succeed without timeout ```

[Fix Azure VM Not Starting](/articles/fix-azure-vm-not-starting)
[Fix Azure Network Security Group Blocking](/articles/fix-azure-network-security-group-blocking)
[Fix Azure VM Extension Failed](/articles/fix-azure-vm-extension-failed)

[Technical troubleshooting: Fix Azure Aks Pod Crashloopbackoff Issue in Azure](azure-aks-pod-crashloopbackoff)
[Technical troubleshooting: Fix Azure Api Management Policy Expression Runtime](azure-api-management-policy-expression-runtime-error)
[Technical troubleshooting: Fix Azure App Configuration Feature Flag Not Refre](azure-app-configuration-feature-flag-not-refreshing)
[Technical troubleshooting: Fix Azure App Service 503 Always On Disabled Issue](azure-app-service-503-always-on-disabled)
[Technical troubleshooting: Fix Azure Application Gateway Err SSL Unrecognized](azure-application-gateway-err-ssl-unrecognized-name-alert)

Was this guide helpful?

Related search paths

People also search for

If the symptom is close but not identical, these search paths usually surface the right neighboring fixes faster than scrolling the full archive.

Azure Bastion Connection Timeout Azure Bastion Connection Timeout Azure Azure Bastion Connection Timeout troubleshooting Azure Bastion Connection Timeout fix Resolve Azure Bastion connection timeouts by checking NSG rules, subnet configuration, and VM network settings for SSH/RDP access Azure Resolve Azure Bastion connection timeouts by checking NSG rules, subnet configuration, and VM network settings for SSH/RDP access

Explore Related Topics

Browse Guides from Other Categories

Discover troubleshooting guides from related categories to expand your knowledge.

FAQ

Azure Troubleshooting FAQs

Common questions about troubleshooting and preventing similar issues

How do I know if this azure-errors troubleshooting guide applies to my situation?

This guide is designed for azure-errors issues. If you're experiencing similar symptoms described in the article, follow the step-by-step instructions. Start with the most common causes and work through the diagnostic process.

Is it safe to follow these azure-errors troubleshooting steps?

Yes, all steps are designed to be safe and non-destructive. We recommend creating backups before making significant changes and testing each step before proceeding to the next.

How long does it typically take to resolve this type of azure-errors issue?

Most azure-errors issues can be resolved within 30 minutes to 2 hours, depending on the complexity and root cause. Follow the troubleshooting flow to identify and fix the problem efficiently.

How can I prevent this azure-errors issue from happening again?

Regular maintenance, monitoring, and following best practices for azure-errors configuration can help prevent recurrence. Consider implementing automated checks and alerts for early detection.

Written by

FixWikiHub Editorial Team

Our editorial team consists of experienced DevOps engineers, systems administrators, and cloud architects with hands-on experience in production environments across AWS, Azure, GCP, and on-premises infrastructure.

Every guide undergoes technical review for accuracy and is updated when software versions, commands, or best practices change.

Last updated: Apr 2, 2026

About our team

Important Notice

Disclaimer & Safety Guidelines

The troubleshooting steps in this guide are provided for educational and informational purposes. Before applying any changes to production systems:

Test in a staging environment first — Always verify commands and configurations in a non-production environment before deploying to live systems.
Create backups — Ensure you have current backups of databases, configurations, and critical files before making changes.
Understand the impact — Review how each step may affect your specific environment, dependencies, and users.
Consult official documentation — This guide supplements, but does not replace, official vendor documentation and best practices.

FixWikiHub is not responsible for any damages arising from the use of this content. See our Terms of Use for more information.

Resources

Official Documentation & Further Reading

For authoritative information, consult the official documentation for the technologies discussed in this guide. Our troubleshooting content supplements, but does not replace, vendor documentation.

AWS Documentation — Official Amazon Web Services guides and API references
Kubernetes Documentation — Official Kubernetes documentation
Nginx Documentation — Official Nginx web server documentation
Apache Documentation — Official Apache HTTP Server documentation
Docker Documentation — Official Docker container documentation

Fix Azure Bastion Connection Timeout

Introduction

Symptoms

Common Causes

Step-by-Step Fix

Step 1: Check Bastion Service Status

Step 2: Verify Bastion Subnet Configuration

Step 3: Check Bastion NSG Rules

Step 4: Check Target VM NSG

Step 5: Verify VM is Running

Step 6: Check VM Guest Agent

Step 7: Verify RDP/SSH Services on VM

Step 8: Check User Permissions

Step 9: Test Network Connectivity

Step 10: Check Bastion Logs

Azure Bastion Network Requirements

Verification

People also search for

Browse Guides from Other Categories

WordPress

SSL

DNS

Azure Troubleshooting FAQs

FixWikiHub Editorial Team

Disclaimer & Safety Guidelines

Official Documentation & Further Reading

Fix Azure Bastion Connection Timeout

Introduction

Symptoms

Common Causes

Step-by-Step Fix

Step 1: Check Bastion Service Status

Step 2: Verify Bastion Subnet Configuration

Step 3: Check Bastion NSG Rules

Step 4: Check Target VM NSG

Step 5: Verify VM is Running

Step 6: Check VM Guest Agent

Step 7: Verify RDP/SSH Services on VM

Step 8: Check User Permissions

Step 9: Test Network Connectivity

Step 10: Check Bastion Logs

Azure Bastion Network Requirements

Verification

Related Issues

Related Articles

People also search for

Share this guide

More Azure Troubleshooting Guides

Browse Guides from Other Categories

Azure Troubleshooting FAQs

FixWikiHub Editorial Team

Disclaimer & Safety Guidelines

Official Documentation & Further Reading