Cloud security starts with reducing unnecessary exposure.
One common mistake when deploying virtual machines is assigning public IP addresses and opening SSH or RDP ports to the internet.
While this may work for quick testing, it significantly increases the attack surface of your infrastructure.
In this hands-on Azure lab, I explored a more secure approach by deploying Linux and Windows virtual machines that are administered entirely through Azure Bastion.
Project Goal
The objective was to deploy two virtual machines inside a secure Azure Virtual Network while ensuring that administrative access remained private.
The environment includes:
- Azure Resource Group
- Virtual Network
- AzureBastionSubnet
- Application subnet
- Network Security Group
- Ubuntu Server VM
- Windows Server 2022 VM
- Azure Bastion
The virtual machines were intentionally deployed without public IP addresses.
Architecture
Resource Group
│
├── Virtual Network
│
├── AzureBastionSubnet
│   └── Azure Bastion
│
└── subnet-webapp
    ├── Ubuntu VM
    ├── Windows Server VM
    └── Network Security Group
This architecture follows Azure security best practices by keeping administrative services off the public internet.
Deploying the Virtual Machines
Both virtual machines were created inside the same Virtual Network.
For Linux:
- Ubuntu Server 22.04 LTS
- SSH Key Authentication
For Windows:
- Windows Server 2022
- Username & Password Authentication
Instead of assigning public IP addresses, Azure Bastion provides browser-based SSH and RDP access directly from the Azure Portal.
Security Configuration
The Network Security Group (NSG) was associated with the application subnet to manage inbound and outbound traffic for both virtual machines.
This approach simplifies administration because a single NSG protects every resource within the subnet.
Key security features include:
- No public IPs on either VM
- Azure Bastion for secure remote access
- Centralized traffic filtering through an NSG
- Private Virtual Network deployment
Validation
Linux
After connecting through Azure Bastion, I verified the deployment with:
whoami
pwd
uname -a
ls -la

These commands confirmed that the virtual machine was functioning correctly.
Windows
Using Azure Bastion's browser-based Remote Desktop connection, I successfully accessed:
- Windows Desktop
- Server Manager
- Administrative tools

Both operating systems were fully accessible without exposing RDP or SSH to the internet.
Challenges Encountered
The Linux virtual machine connected successfully through Azure Bastion on the first attempt.
The Windows VM, however, initially failed to establish an RDP session.
To resolve the issue, I reviewed:
- Azure Bastion deployment
- AzureBastionSubnet configuration
- Virtual network settings
- Network Security Group association
- Windows administrator credentials
Once the networking configuration was corrected, Azure Bastion successfully connected to the Windows virtual machine.
This troubleshooting exercise reinforced the importance of validating every component of a cloud deployment instead of assuming the issue lies with a single service.
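The subnet-level NSG has to do two things in this design: refuse SSH/RDP from the internet, and still let AzureBastionSubnet reach ports 22 and 3389 on the VMs. The Python below is an added example, not code from the lab repository, that checks both against exported rules; the dictionary keys follow the JSON printed by `az network nsg rule list`, while the rule names, address ranges and the misconfiguration itself are constructed, and only custom inbound TCP rules plus the AllowVnetInBound/DenyAllInBound defaults are modelled.

```python
import ipaddress
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def _port_match(rule, port):
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "")]
    for spec in specs:
        lo, _, hi = spec.partition("-")
        if spec == "*" or (lo.isdigit() and int(lo) <= port <= int(hi or lo)):
            return True
    return False

def _source_match(rule, src, vnet):
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "")]
    for p in prefixes:
        tag = p.lower()
        # Simplification: "Internet" is treated as any address outside the VNet.
        if tag == "*" or (tag == "internet" and src not in vnet) \
                or (tag == "virtualnetwork" and src in vnet):
            return True
        if p[:1].isdigit() and src in ipaddress.ip_network(p, strict=False):
            return True
    return False

def decide(rules, src_ip, port, vnet_cidr):
    """Return (access, rule_name) for inbound TCP from src_ip to port."""
    src, vnet = ipaddress.ip_address(src_ip), ipaddress.ip_network(vnet_cidr)
    for r in sorted(rules, key=lambda r: r["priority"]):  # lowest number is evaluated first
        if (r["direction"].lower() == "inbound" and r["protocol"].lower() in ("*", "tcp")
                and _port_match(r, port) and _source_match(r, src, vnet)):
            return r["access"], r["name"]
    # No custom rule matched: fall back to Azure's default inbound rules.
    return ("Allow", "AllowVnetInBound") if src in vnet else ("Deny", "DenyAllInBound")

def audit(rules, bastion_ip, vnet_cidr, internet_ip="203.0.113.10"):
    findings = []
    for port, name in ADMIN_PORTS.items():
        access, rule = decide(rules, internet_ip, port, vnet_cidr)
        if access == "Allow":
            findings.append(f"{name}/{port} allowed from the internet by {rule}")
        access, rule = decide(rules, bastion_ip, port, vnet_cidr)
        if access == "Deny":
            findings.append(f"{name}/{port} blocked from AzureBastionSubnet by {rule}")
    return findings

def _rule(name, priority, access, source, port):  # constructed sample rules, not from the lab
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": "Tcp", "sourceAddressPrefix": source, "destinationPortRange": port}
SAMPLE_RULES = [_rule("AllowSshFromBastion", 100, "Allow", "10.0.1.0/26", "22"),
                _rule("DenyVnetInbound", 200, "Deny", "VirtualNetwork", "*"),
                _rule("AllowRdpAny", 300, "Allow", "*", "3389")]
```

Calling `audit(SAMPLE_RULES, "10.0.1.4", "10.0.0.0/16")` reports both problems in the constructed rule set: RDP is opened to any source, and the Bastion subnet is blocked from 3389 by a broader deny that sits above it.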
Lessons Learned
Working through this project reinforced several important Azure concepts:
- Azure Bastion provides secure browser-based administration without exposing virtual machines to the public internet.
- Network Security Groups can be applied at the subnet level to simplify security management.
- Proper subnet planning is critical when deploying Azure networking resources.
- Troubleshooting cloud infrastructure is an essential part of becoming a cloud engineer.
Final Thoughts
This lab strengthened my understanding of Azure networking, secure remote administration, and infrastructure security. More importantly, it demonstrated how Azure's native services can be combined to create environments that are both functional and secure.
The complete documentation, deployment notes, and project files are available on GitHub:
🔗 Repository: https://github.com/JoySmarty/3mtt-vm-remote-connection-lab
If you're learning Azure, I highly recommend building projects like this yourself. The lessons you gain from troubleshooting are often the ones you'll remember the longest.
I'm documenting my cloud engineering journey through hands-on Azure projects. Follow along as I continue exploring networking, security, identity, and infrastructure on Microsoft Azure.
