azlin bastion configure¶
Configure Bastion connection for a VM.
Synopsis¶
Description¶
Creates a mapping between a VM and a Bastion host, so azlin will automatically use the Bastion when connecting to the VM via SSH.
This is useful for VMs without public IPs that require Azure Bastion for connectivity.
Arguments¶
VM_NAME - VM name to configure (required)
Options¶
| Option | Description |
|---|---|
| --bastion-name TEXT | Bastion host name (required) |
| --resource-group, --rg TEXT | VM resource group |
| --bastion-resource-group, --bastion-rg TEXT | Bastion resource group (defaults to VM RG) |
| --enable / --disable | Enable or disable mapping |
| -h, --help | Show help message |
Examples¶
Basic Configuration¶
After configuration, azlin connect my-vm will automatically use the Bastion.
Cross-Resource-Group¶
# Bastion in different resource group
azlin bastion configure my-vm \
--bastion-name shared-bastion \
--rg vm-rg \
--bastion-rg bastion-rg
Useful when Bastion is shared across multiple resource groups.
Disable Bastion¶
# Disable Bastion for direct SSH
azlin bastion configure my-vm --bastion-name my-bastion --rg my-rg --disable
Removes the Bastion mapping, so azlin returns to direct SSH for this VM.
Enable After Disabling¶
Use Cases¶
Secure VM Access¶
# 1. List available Bastions
azlin bastion list
# 2. Configure VM
azlin bastion configure prod-vm --bastion-name prod-bastion --rg production
# 3. Connect (automatically uses Bastion)
azlin connect prod-vm
Shared Bastion Infrastructure¶
# Multiple VMs using same Bastion
azlin bastion configure web-01 --bastion-name shared-bastion --rg my-rg
azlin bastion configure web-02 --bastion-name shared-bastion --rg my-rg
azlin bastion configure api-01 --bastion-name shared-bastion --rg my-rg
All three VMs are now accessible via the shared Bastion.
Migration from Public to Private¶
# Before: VM has public IP
azlin connect my-vm # Direct SSH
# Remove public IP, configure Bastion
azlin bastion configure my-vm --bastion-name my-bastion --rg my-rg
# After: Secure Bastion access
azlin connect my-vm # Via Bastion
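A check to run after the migration above, added here as an example (it is not part of azlin): it uses the Azure CLI's `az vm list-ip-addresses` to confirm that a VM mapped to a Bastion no longer has a public IP attached. The function names and the `vm:rg` argument format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not azlin code): confirm that VMs configured for Bastion
# access no longer expose a public IP. Requires a logged-in Azure CLI.

# Print the public IPs still attached to a VM, one per line (empty if none).
vm_public_ips() {
    az vm list-ip-addresses --name "$1" --resource-group "$2" \
        --query "[].virtualMachine.network.publicIpAddresses[].ipAddress" \
        --output tsv
}

# Return 0 if the VM has no public IP, 1 if it is still exposed,
# 2 if the query itself failed (wrong name, wrong RG, not logged in).
check_private_only() {
    local vm="$1" rg="$2" ips
    if ! ips="$(vm_public_ips "$vm" "$rg")"; then
        echo "ERROR: could not query $vm in $rg" >&2
        return 2
    fi
    if [ -n "$ips" ]; then
        echo "EXPOSED: $vm still has public IP(s): $(echo "$ips" | tr '\n' ' ')" >&2
        return 1
    fi
    echo "OK: $vm has no public IP; reachable only via Bastion"
}

# Audit several VMs given as "vm:rg" pairs (hypothetical argument format).
# The return code is the number of VMs that are exposed or could not be queried.
audit_vms() {
    local failed=0 pair
    for pair in "$@"; do
        check_private_only "${pair%%:*}" "${pair#*:}" || failed=$((failed + 1))
    done
    return "$failed"
}

# Usage: audit_vms my-vm:my-rg web-01:my-rg
```

A query failure is counted as a failed audit rather than a pass, so a typo in the resource group cannot make an exposed VM look private.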
How It Works¶
- Mapping Created - Configuration stored in azlin
- Connect Command - azlin connect detects mapping
- Bastion Tunnel - Creates Azure Bastion tunnel
- SSH Connection - SSH over tunnel to VM
Configuration Storage¶
Bastion mappings are stored in:
- ~/.azlin/config.toml
- Per-VM Bastion configuration
- Persists across azlin sessions
- Can be edited manually if needed
Troubleshooting¶
Bastion Not Found¶
# Verify Bastion exists
azlin bastion list
# Check status
azlin bastion status my-bastion --rg my-rg
Connection Fails¶
# Test Bastion directly
az network bastion ssh --name my-bastion --resource-group my-rg \
--target-resource-id /subscriptions/.../resourceGroups/.../providers/Microsoft.Compute/virtualMachines/my-vm \
--auth-type ssh-key --username azureuser --ssh-key ~/.ssh/id_rsa
Wrong Resource Group¶
# Find Bastion's location
azlin bastion list | grep my-bastion
# Use correct resource groups
azlin bastion configure my-vm \
--bastion-name my-bastion \
--rg vm-rg \
--bastion-rg correct-bastion-rg
Remove Configuration¶
# Disable Bastion mapping
azlin bastion configure my-vm --bastion-name my-bastion --rg my-rg --disable
# Or edit ~/.azlin/config.toml manually
Security Benefits¶
Using Bastion provides:
- No Public IPs - VMs don't need public IP addresses
- Centralized Access - Single secure entry point
- Azure Integration - Native Azure security features
- Audit Logs - Connection logging in Azure Monitor
- NSG Protection - Network-level security rules
Related Commands¶
- azlin bastion list - List Bastion hosts
- azlin bastion status - Check Bastion status
- azlin connect - SSH to VM (uses configured Bastion)