Share via

Azure Arc Bastion

Handian Sudianto 7,026 Reputation points
2026-04-13T07:10:58.9+00:00

In Azure Local environtment I install the azure arc to every VM hosted inside the Azure Local, but why if I want to connect via azure portal then there no connect using bastion, only 'connect with SSH' is showing even the VM is windows.

User's image

Azure Arc
Azure Arc

A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Bharath Y P 8,495 Reputation points Microsoft External Staff Moderator
    2026-04-13T08:10:01.6266667+00:00

    Hello Handian, thanks for reaching out! I ran into the same thing when I first onboarded on-prem/Arc-registered VMs—under the “Connect” blade you only get “Connect with SSH,” even on Windows machines. That’s because:

    • Azure Bastion is a PaaS service you deploy into an Azure Virtual Network; it only knows how to RDP/SSH into VMs that have a private IP on that VNet

    • Arc-enabled servers, by default, are external resources (on-prem, other clouds, Azure Stack HCI) and don’t live inside your Azure VNet, so Bastion can’t see or route to them

    • The Arc connected-machine agent exposes an SSH channel for management, which is why you see SSH for every Arc VM

    If you want RDP over Bastion into your Arc-managed Windows boxes you currently need to deploy the Arc Proxy/Gateway service (gated preview) or use the new Bastion extension for Arc machines, which will bridge Bastion into your on-prem hosts. Until that preview capability is enabled in your tenant, Bastion won’t show up as a connection option for Arc VMs.

    Hope that explains why you only see SSH—for now that’s expected behavior with Arc. Let me know if you want details on the Arc Proxy/Gateway preview!

    References

    Azure Bastion overview & connection methods

    Azure Arc–enabled servers doc:

    0 comments
  2. Q&A Assist
    2026-04-13T07:11:14.0966667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    In an Azure Local environment, Windows VMs that are Azure Arc–enabled expose connectivity through Arc SSH, not Azure Bastion. This is why only Connect with SSH is shown in the Azure portal for those machines, even if the guest OS is Windows.

    For Azure Local VMs, the supported pattern is:

    1. Install the OpenSSH Server extension on the Windows VM via Azure Arc (either from Extensions in the portal or using az connectedmachine extension create).
    2. Use Arc SSH from the Azure CLI to connect: 
         az ssh arc --resource-group <resourceGroup> --name <serverName> --local-user <localUser>
    3. If an RDP session is needed, use RDP over SSH (Windows VMs only): 
         az ssh arc --resource-group <resourceGroup> --name <serverName> --local-user <localUser> --rdp

    Azure Bastion’s native client integration (az network bastion ssh) is documented for Azure VMs, not for Azure Local/Arc-enabled VMs. For Azure Local, remote access is provided via Arc SSH and RDP-over-SSH instead of a Bastion “Connect” button in the portal.

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.