{"id":"f2a5333a-eae7-4cfb-a9d7-7cb8e3acd254","shortId":"6s4zRM","kind":"skill","title":"azure-bastion","tagline":"Expert knowledge for Azure Bastion development including best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, and integrations & coding patterns. Use when configuring Bastion for AKS private clusters, VM scale sets, Entra ID a","description":"# Azure Bastion Skill\n\nThis skill provides expert guidance for Azure Bastion. Covers best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, and integrations & coding patterns. It combines local quick-reference content with remote documentation fetching capabilities.\n\n## How to Use This Skill\n\n> **IMPORTANT for Agent**: Use the **Category Index** below to locate relevant sections. For categories with line ranges (e.g., `L35-L120`), use `read_file` with the specified lines. For categories with file links (e.g., `[security.md](security.md)`), use `read_file` on the linked reference file\n\n> **IMPORTANT for Agent**: If `metadata.generated_at` is more than 3 months old, suggest the user pull the latest version from the repository. If `mcp_microsoftdocs` tools are not available, suggest the user install it: [Installation Guide](https://github.com/MicrosoftDocs/mcp/blob/main/README.md)\n\nThis skill requires **network access** to fetch documentation content:\n- **Preferred**: Use `mcp_microsoftdocs:microsoft_docs_fetch` with query string `from=learn-agent-skill`. Returns Markdown.\n- **Fallback**: Use `fetch_webpage` with query string `from=learn-agent-skill&accept=text/markdown`. Returns Markdown.\n\n## Category Index\n\n| Category | Lines | Description |\n|----------|-------|-------------|\n| Best Practices | L35-L39 | Guidance on reducing Azure Bastion costs through sizing, scaling, and usage patterns while maintaining secure remote access and compliance best practices. 
|\n| Decision Making | L40-L46 | Guidance on choosing and upgrading Bastion SKU tiers and using IP-based Bastion connections across VNets, subscriptions, and environments. |\n| Architecture & Design Patterns | L47-L53 | Architectural options and patterns for Azure Bastion: hub/spoke and peered VNets, private-only deployments, network/topology design, and deployment guidance for secure remote access. |\n| Limits & Quotas | L54-L58 | Configuring Azure Bastion host scaling limits, including max concurrent RDP/SSH sessions, connection thresholds, and how to adjust or plan capacity for different SKUs. |\n| Security | L59-L65 | Configuring secure Azure Bastion access: Entra ID authentication, required NSG rules, and hardening best practices to lock down Bastion hosts and connections. |\n| Configuration | L66-L77 | Configuring Azure Bastion settings, auth (Kerberos), monitoring/metrics/logs, native client access, session management, recording, and shareable links for secure RDP/SSH access |\n| Integrations & Coding Patterns | L78-L85 | How to use Azure Bastion with AKS private clusters, VM scale sets, and native Windows/Linux clients, including SSH/RDP connectivity patterns and file transfer via Bastion native clients. 
|\n\n### Best Practices\n| Topic | URL |\n|-------|-----|\n| Optimize Azure Bastion costs without reducing security | https://learn.microsoft.com/en-us/azure/bastion/cost-optimization |\n\n### Decision Making\n| Topic | URL |\n|-------|-----|\n| Select the appropriate Azure Bastion SKU tier | https://learn.microsoft.com/en-us/azure/bastion/bastion-sku-comparison |\n| Use Azure Bastion IP-based connections across environments | https://learn.microsoft.com/en-us/azure/bastion/connect-ip-address |\n| View and upgrade Azure Bastion SKU tiers safely | https://learn.microsoft.com/en-us/azure/bastion/upgrade-sku |\n\n### Architecture & Design Patterns\n| Topic | URL |\n|-------|-----|\n| Understand Azure Bastion deployment architectures | https://learn.microsoft.com/en-us/azure/bastion/design-architecture |\n| Design and deploy private-only Azure Bastion | https://learn.microsoft.com/en-us/azure/bastion/private-only-deployment |\n| Use Azure Bastion with VNet peering architectures | https://learn.microsoft.com/en-us/azure/bastion/vnet-peering |\n\n### Limits & Quotas\n| Topic | URL |\n|-------|-----|\n| Configure Azure Bastion host scaling limits | https://learn.microsoft.com/en-us/azure/bastion/configure-host-scaling |\n\n### Security\n| Topic | URL |\n|-------|-----|\n| Configure Microsoft Entra ID auth for Azure Bastion | https://learn.microsoft.com/en-us/azure/bastion/bastion-entra-id-authentication |\n| Configure Azure Bastion NSG rules for secure access | https://learn.microsoft.com/en-us/azure/bastion/bastion-nsg |\n| Harden and secure your Azure Bastion deployment | https://learn.microsoft.com/en-us/azure/bastion/secure-bastion |\n\n### Configuration\n| Topic | URL |\n|-------|-----|\n| Azure Bastion configuration settings and options | https://learn.microsoft.com/en-us/azure/bastion/configuration-settings |\n| Configure Kerberos authentication for Azure Bastion | https://learn.microsoft.com/en-us/azure/bastion/kerberos-authentication-portal |\n| Configure 
monitoring and diagnostics for Azure Bastion | https://learn.microsoft.com/en-us/azure/bastion/monitor-bastion |\n| Reference monitoring metrics and logs for Azure Bastion | https://learn.microsoft.com/en-us/azure/bastion/monitor-bastion-reference |\n| Configure Azure Bastion for native client access | https://learn.microsoft.com/en-us/azure/bastion/native-client |\n| Monitor and manage active Azure Bastion sessions | https://learn.microsoft.com/en-us/azure/bastion/session-monitoring |\n| Configure and use Azure Bastion session recording | https://learn.microsoft.com/en-us/azure/bastion/session-recording |\n| Create and use Azure Bastion shareable links | https://learn.microsoft.com/en-us/azure/bastion/shareable-link |\n\n### Integrations & Coding Patterns\n| Topic | URL |\n|-------|-----|\n| Connect to AKS private clusters via Azure Bastion | https://learn.microsoft.com/en-us/azure/bastion/bastion-connect-to-aks-private-cluster |\n| Connect to VM scale sets using Azure Bastion | https://learn.microsoft.com/en-us/azure/bastion/bastion-connect-vm-scale-set |\n| Connect from Linux native clients through Azure Bastion | https://learn.microsoft.com/en-us/azure/bastion/connect-vm-native-client-linux |\n| Connect from Windows native clients through Azure Bastion | https://learn.microsoft.com/en-us/azure/bastion/connect-vm-native-client-windows |\n| Transfer files via Azure Bastion native clients | https://learn.microsoft.com/en-us/azure/bastion/vm-upload-download-native 
|","tags":["azure","bastion","agent","skills","microsoftdocs","agent-skills","agentic-skills","agentskill","ai-agents","ai-coding","azure-functions","azure-kubernetes-service"],"capabilities":["skill","source-microsoftdocs","skill-azure-bastion","topic-agent","topic-agent-skills","topic-agentic-skills","topic-agentskill","topic-ai-agents","topic-ai-coding","topic-azure","topic-azure-functions","topic-azure-kubernetes-service","topic-azure-openai","topic-azure-sql-database","topic-azure-storage"],"categories":["Agent-Skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/MicrosoftDocs/Agent-Skills/azure-bastion","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add MicrosoftDocs/Agent-Skills","source_repo":"https://github.com/MicrosoftDocs/Agent-Skills","install_from":"skills.sh"}},"qualityScore":"0.698","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 497 github stars · SKILL.md body (6,188 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T12:53:30.310Z","embedding":null,"createdAt":"2026-04-18T21:58:19.089Z","updatedAt":"2026-04-22T12:53:30.310Z","lastSeenAt":"2026-04-22T12:53:30.310Z","tsv":"","prices":[{"id":"d103bef8-e9dd-4b31-a058-ff36a0c879c0","listingId":"f2a5333a-eae7-4cfb-a9d7-7cb8e3acd254","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"MicrosoftDocs","category":"Agent-Skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:58:19.089Z"}],"sources":[{"listingId":"f2a5333a-eae7-4cfb-a9d7-7cb8e3acd254","source":"github","sourceId":"MicrosoftDocs/Agent-Skills/azure-bastion","sourceUrl":"https://github.com/MicrosoftDocs/Agent-Skills/tree/main/skills/azure-bastion","isPrimary":false,"firstSeenAt":"2026-04-18T21:58:19.089Z","lastSeenAt":"2026-04-22T12:53:30.310Z"}],"details":{"listingId":"f2a5333a-eae7-4cfb-a9d7-7cb8e3acd254","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"MicrosoftDocs","slug":"azure-bastion","github":{"repo":"MicrosoftDocs/Agent-Skills","stars":497,"topics":["agent","agent-skills","agentic-skills","agentskill","ai","ai-agents","ai-coding","azure","azure-functions","azure-kubernetes-service","azure-openai","azure-sql-database","azure-storage","azure-virtual-machine","claude-code","github-copilot","microsoft-learn","openai-codex","skills"],"license":"cc-by-4.0","html_url":"https://github.com/MicrosoftDocs/Agent-Skills","pushed_at":"2026-04-22T01:37:27Z","description":"Curated Agent Skills for Microsoft & Azure 
– giving AI coding assistants structured, real-time expertise from Microsoft Learn docs.","skill_md_sha":"ec690b2f170f7fba1fe017977bd7765fe1dc805f","skill_md_path":"skills/azure-bastion/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/MicrosoftDocs/Agent-Skills/tree/main/skills/azure-bastion"},"layout":"multi","source":"github","category":"Agent-Skills","frontmatter":{"name":"azure-bastion","description":"Expert knowledge for Azure Bastion development including best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, and integrations & coding patterns. Use when configuring Bastion for AKS private clusters, VM scale sets, Entra ID auth, hub/spoke VNets, or native SSH/RDP clients, and other Azure Bastion related development tasks. Not for Azure Virtual Network (use azure-virtual-network), Azure Virtual Machines (use azure-virtual-machines), Azure VPN Gateway (use azure-vpn-gateway), Azure Firewall (use azure-firewall).","compatibility":"Requires network access. Uses mcp_microsoftdocs:microsoft_docs_fetch or fetch_webpage to retrieve documentation."},"skills_sh_url":"https://skills.sh/MicrosoftDocs/Agent-Skills/azure-bastion"},"updatedAt":"2026-04-22T12:53:30.310Z"}}