You have an Azure subscription that contains the virtual networks shown in the following table.
All the virtual networks are peered. Each virtual network contains nine virtual machines.
You need to configure secure RDP connections to the virtual machines by using Azure Bastion.
What is the minimum number of Bastion hosts required?
Azure Bastion can be used with Virtual Network peering, and it supports both Virtual Network peering which connects virtual networks within the same Azure region and Global Virtual Network peering which connects virtual networks across different regions. With VM peering configured, a single Bastion host can manage secure RDP or SSH connections to all virtual machines within the peered virtual networks, regardless of the region. Thus, only one Bastion host is required to securely connect to all the virtual machines across the peered virtual networks in the Azure subscription.
Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional bastion host. For more information about VNet peering, see About virtual network peering. Azure Bastion works with the following types of peering: Virtual network peering: Connect virtual networks within the same Azure region. Global virtual network peering: Connecting virtual networks across Azure regions. Answer is A
Answer is A. We required only one Bastion. https://learn.microsoft.com/en-us/azure/bastion/vnet-peering Azure Bastion works with the following types of peering: Virtual network peering: Connect virtual networks within the same Azure region. Global virtual network peering: Connecting virtual networks across Azure regions.
B. 3 Explanation: Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional bastion host. For more information about VNet peering, see About virtual network peering. Azure Bastion works with the following types of peering: Virtual network peering: Connect virtual networks within the same Azure region. Global virtual network peering: Connecting virtual networks across Azure regions. The question states that VNET peering is enabled, NOT Global VNET peering, thus you need a bastion host in each region.
Source: https://learn.microsoft.com/en-us/azure/bastion/vnet-peering
Doesn't the very fact that a vnet in one region is peered to vnets in ither regions mean that global peering is effectively used? Otherwise you could not pair vnets in different regions!
YES "All the virtual networks are peered." So we have Global virtual network peering-> Answer A-> 1 Bastion
This is a tricky question because the answer depends also from the bastion capacity/sky and concurrent connection. When you configure Azure Bastion using the Basic SKU, two instances are created. If you use the Standard SKU, you can specify the number of instances (with a minimum of two instances). This is called host scaling. Each instance can support 20 concurrent RDP connections and 40 concurrent SSH connections for medium workloads. So... 10Vnet x 9VM = 90/20 concurrent sessions = 4,5/2 bastion instances = 2,25 = 3 this should be the minimum number. https://learn.microsoft.com/en-us/azure/bastion/configuration-settings#instance
Peering is a tricky, it's correct choosing A because all the Vnet are peared but it would be the correct answer only if bastion capacity was minimum 90 session per host.
Who said we need concurrent connections to all VMs? There may be just 1 user for all these 90 VMs, e.g. when they host some web app, and we may only need a single connection at the time e.g. when some troubleshooting is needed and the admin needs to connect to one of the VMs.
Only below region Azure Bastion is allowed Azure Bastion is available in any of these regions via the Azure portal: West US East US West Europe South Central US Australia East Japan East
Azure Bastion is a regional service, meaning it needs to be deployed in each Azure region where you want to use it. VNet peering across regions does not extend Bastion access to other regions.
Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional bastion host. For more information about VNet peering,
https://learn.microsoft.com/en-us/azure/bastion/vnet-peering
Azure Bastion and Virtual Network peering can be used together. Reference: https://learn.microsoft.com/en-us/azure/bastion/vnet-peering
I think its A. Explanation: Azure Bastion and VNet peering can be used together. When VNet peering is configured, you don't have to deploy Azure Bastion in each peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional bastion host. Reference: https://learn.microsoft.com/en-us/azure/bastion/vnet-peering
When VNet peering is configured, Azure Bastion can be deployed in hub-and-spoke or full-mesh topologies. Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine. As its a full mesh connection. And there are 10 VNet. It should have 10.
Answer is either 1 or 3 (if we consider it's NOT Global Network Peering): "Azure Bastion works with the following types of peering: Virtual network peering: Connect virtual networks within the same Azure region. Global virtual network peering: Connecting virtual networks across Azure regions." https://learn.microsoft.com/en-us/azure/bastion/vnet-peering
Does Azure Bastion support Virtual WAN? Yes, you can use Azure Bastion for Virtual WAN deployments. However, deploying Azure Bastion within a Virtual WAN hub isn't supported. You can deploy Azure Bastion in a spoke virtual network and use the IP-based connection feature to connect to virtual machines deployed across a different virtual network via the Virtual WAN hub. If the Azure Virtual WAN hub will be integrated with Azure Firewall as a Secured Virtual Hub, the AzureBastionSubnet must reside within a Virtual Network where the default 0.0.0.0/0 route propagation is disabled at the virtual network connection level.
When VNet peering is configured, Azure Bastion can be deployed in hub-and-spoke or full-mesh topologies. Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine. Once you provision the Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same VNet and peered VNets. This means you can consolidate Bastion deployment to single VNet and still reach VMs deployed in a peered VNet, centralizing the overall deployment.
A is correct
answer is A: 1, key point is all the vnets are peered and bastion works as Virtual network peering: Connect virtual networks within the same Azure region. Global virtual network peering: Connecting virtual networks across Azure regions.
Answer - 1 · Azure Bastion and VNet peering can be used together. · When VNet peering is configured, you don’t have to deploy Azure Bastion in each peered VNet. This means if you have an Azure Bastion host configured in one virtual network (VNet), it can be used to connect to VMs deployed in a peered VNet without deploying an additional bastion host.
If you have multiple VNets within the same region, use VNet peering to allow a single Bastion instance in that region to access VMs across those peered VNets.
On the exam on 17.07.2024, Selected Answer: A; thanks to hfk2020