
Azure subscription has at least one Bastion Host

network_bastion_host_exists

Severity: medium
Service: network
by Prowler

This check verifies that the Azure subscription contains at least one Azure Bastion host, the managed service that brokers RDP/SSH sessions over TLS on 443/TCP to virtual machines by their private IPs, so that the VMs need neither public IPs nor Internet-exposed management ports. The check passes when such a Bastion host is found in the subscription and fails otherwise.
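The pass/fail logic described above, as an added example rather than Prowler's own check source: one finding per subscription, PASS when at least one Bastion host is present. The dataclass names, the evaluate_bastion_hosts/collect_bastion_hosts functions and the sample inventory are assumptions constructed for illustration; the collector mirrors what the real check would do with azure-mgmt-network but needs credentials and is not exercised offline.

```python
"""Added example (not Prowler's own source): evaluate whether each Azure
subscription has at least one Bastion host, over a constructed inventory."""
from dataclasses import dataclass


@dataclass
class BastionHost:
    name: str
    resource_group: str
    location: str
    sku: str = "Standard"


@dataclass
class Finding:
    subscription: str
    status: str            # "PASS" or "FAIL"
    status_extended: str
    resource_id: str


def evaluate_bastion_hosts(inventory: dict[str, list[BastionHost]]) -> list[Finding]:
    """One finding per subscription: PASS if at least one Bastion host exists."""
    findings = []
    for subscription, hosts in inventory.items():
        resource_id = f"/subscriptions/{subscription}"
        if hosts:
            names = ", ".join(sorted(h.name for h in hosts))
            findings.append(Finding(
                subscription, "PASS",
                f"Subscription {subscription} has {len(hosts)} Bastion host(s): {names}.",
                resource_id))
        else:
            findings.append(Finding(
                subscription, "FAIL",
                f"Subscription {subscription} has no Bastion host.",
                resource_id))
    return findings


def collect_bastion_hosts(subscription_ids: list[str]) -> dict[str, list[BastionHost]]:
    """Live collector (assumption: azure-identity and azure-mgmt-network installed,
    credentials available). Imports are local so the module loads offline."""
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.network import NetworkManagementClient

    credential = DefaultAzureCredential()
    inventory: dict[str, list[BastionHost]] = {}
    for sub in subscription_ids:
        client = NetworkManagementClient(credential, sub)
        hosts = []
        for b in client.bastion_hosts.list():   # lists every Bastion in the subscription
            # Resource IDs look like /subscriptions/<sub>/resourceGroups/<rg>/providers/...
            rg = b.id.split("/resourceGroups/")[1].split("/")[0]
            hosts.append(BastionHost(b.name, rg, b.location, b.sku.name if b.sku else "Basic"))
        inventory[sub] = hosts
    return inventory


# Constructed sample data: one subscription with a hub Bastion, one without.
SAMPLE_INVENTORY = {
    "11111111-1111-1111-1111-111111111111": [
        BastionHost("bas-hub-prod", "rg-hub", "westeurope"),
    ],
    "22222222-2222-2222-2222-222222222222": [],
}


if __name__ == "__main__":
    for f in evaluate_bastion_hosts(SAMPLE_INVENTORY):
        print(f"{f.status:4} {f.resource_id}: {f.status_extended}")
```

Replace SAMPLE_INVENTORY with collect_bastion_hosts([...]) to run it against real subscriptions; the evaluation function is deliberately pure so the same logic can be unit-tested without Azure access.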

Risk

Absent Bastion, admins often assign public IPs or open 22/3389, expanding attack surface.

This enables Internet brute force, credential stuffing, and RDP/SSH exploits, leading to unauthorized access, data exfiltration, and lateral movement. CIA impact: confidentiality/integrity loss and potential downtime from ransomware.

Run this check with Prowler CLI

prowler azure --checks network_bastion_host_exists

Recommendation

Standardize on Azure Bastion for admin access.

Remove public IPs from VMs and deny inbound 22/3389 at the perimeter and in NSGs, allowing those ports only from the AzureBastionSubnet. Apply least privilege and just-in-time access, require Entra ID authentication with MFA and Conditional Access for Bastion sessions, monitor session logs, and segment the network so that only Bastion can reach management ports.
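To verify the NSG part of that recommendation, here is an added example (not Prowler's or Microsoft's code) that audits an NSG's inbound rules for 22/3389 reachable from the Internet, run over constructed rules shaped like the Azure SDK's SecurityRule fields. It applies Azure's first-match-by-ascending-priority semantics but only recognises the Internet, * and 0.0.0.0/0 source tags (it does not compute CIDR overlap with public ranges). The CIDR 10.0.250.0/26 standing in for AzureBastionSubnet and all rule names are assumptions.

```python
"""Added example: flag NSG rules that expose SSH/RDP to the Internet, and show
the hardened rule set that allows them only from the Bastion subnet."""
MANAGEMENT_PORTS = (22, 3389)
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def _port_ranges(rule):
    """Yield (low, high) tuples from destination_port_range(s); '*' means all ports."""
    ranges = rule.get("destination_port_ranges") or [rule.get("destination_port_range", "*")]
    for r in ranges:
        if r == "*":
            yield 0, 65535
        elif "-" in r:
            lo, hi = r.split("-", 1)
            yield int(lo), int(hi)
        else:
            yield int(r), int(r)


def covers_port(rule, port):
    return any(lo <= port <= hi for lo, hi in _port_ranges(rule))


def from_internet(rule):
    """True when the rule's source is one of the 'anywhere' tags (simplification)."""
    sources = rule.get("source_address_prefixes") or [rule.get("source_address_prefix", "*")]
    return any(s in INTERNET_SOURCES for s in sources)


def exposed_management_ports(rules):
    """Return {port: rule_name} for management ports allowed inbound from the Internet.
    Lowest priority number wins, as in Azure. Ports matched by no rule fall through
    to Azure's default DenyAllInBound (priority 65500) and are therefore not exposed."""
    exposed = {}
    ordered = sorted(rules, key=lambda r: r["priority"])
    for port in MANAGEMENT_PORTS:
        for rule in ordered:
            if rule["direction"] != "Inbound" or rule["protocol"] not in ("*", "Tcp"):
                continue
            if not (from_internet(rule) and covers_port(rule, port)):
                continue
            if rule["access"] == "Allow":
                exposed[port] = rule["name"]
            break   # first matching rule decides, whether Allow or Deny
    return exposed


# Constructed sample: the common mistake, RDP open to the world.
WEAK_NSG = [
    {"name": "AllowRDPFromAnywhere", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source_address_prefix": "*", "destination_port_range": "3389"},
    {"name": "AllowWeb", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source_address_prefix": "Internet", "destination_port_ranges": ["80", "443"]},
]

# Constructed sample: management ports only from the (assumed) AzureBastionSubnet,
# explicitly denied from the Internet, web traffic still allowed.
HARDENED_NSG = [
    {"name": "AllowMgmtFromBastionSubnet", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source_address_prefix": "10.0.250.0/26", "destination_port_ranges": ["22", "3389"]},
    {"name": "DenyMgmtFromInternet", "priority": 110, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "source_address_prefix": "Internet", "destination_port_ranges": ["22", "3389"]},
    {"name": "AllowWeb", "priority": 310, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source_address_prefix": "Internet", "destination_port_ranges": ["80", "443"]},
]


if __name__ == "__main__":
    for label, nsg in (("weak", WEAK_NSG), ("hardened", HARDENED_NSG)):
        print(label, exposed_management_ports(nsg) or "no management ports exposed")
```

Feed it the security_rules of a real NSG (each SecurityRule's attributes map directly onto the dict keys used here) to audit a subscription after the Bastion roll-out; any non-empty result means a VM behind that NSG is still reachable on 22 or 3389 without going through Bastion.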

Remediation

CLI (assumes the VNet already contains a subnet named AzureBastionSubnet and that <PUBLIC_IP_NAME> is an existing Standard SKU, statically allocated public IP, both of which Bastion requires)

az network bastion create --name <BASTION_NAME> --public-ip-address <PUBLIC_IP_NAME> --resource-group <RESOURCE_GROUP> --vnet-name <VNET_NAME> --location <LOCATION>

Azure portal
  1. In the Azure portal, go to Networking > Bastions > Create
  2. Select your Subscription and a Resource group
  3. Enter a Name and Region
  4. Under Virtual network, select an existing VNet or click Create new
  5. Ensure a subnet named AzureBastionSubnet exists with an address space of at least /27 (use /26 or larger if you plan to scale out host instances); create it if prompted
  6. For Public IP address, click Create new and accept defaults
  7. Click Review + create, then Create
  8. After deployment completes, the subscription now has a Bastion Host (check passes)

Resource Type

microsoft.network/bastionhosts
