Is Azure Bastion able to connect via transitive peering?

Question

For a while now it is possible for Azure Bastion to reach networks which are connected over vnet peering. I'm wondering if it is able to reach networks which are peered via transitive peering, a multiple hub-spoke model (see below image)?

Answer 1

The bellow topology does not allow you to connect from the Azure bastion to the VM

Scenario

• Bastion:
  • Standard tier
  • Allow Copy and paste
  • Allow Native client support
  • Allow IP-based connection
• vNet peerings:
  • Allow Traffic to remote virtual network
  • Allow Traffic forwarded from remote virtual network
  • None (default) Virtual network gateway or Route Server

For instance, with the above topology, the following would not work:

• In the Azure Portal the bastion will not show under the VM we attempt to connect
• Ip-base connection will not connect to the VM
• az network bastion rdp --name "<BastionName>" --resource-group "<BastionResourceGroupName>" --target-resource-id "<VMResourceId>" --disable-gateway will not connect to the VM

Answer 2

I have tested in my environment.

Azure Bastion is not able to reach the networks which are peered via transitive peering

I have created 3 virtual networks : vnet1, vnet2 and vnet3.

I created vnet peering between vnet1 and vnet2, another vnet peering between vnet2 and vnet3.

I created Azure Bastion in vnet1, vnet2 and vnet3.

I deployed a VM in vnet3.

While trying to connect to that VM via Azure Bastion, the only options available are Bastions created in vnet2 and vnet3.

So, I am not able use Bastion created in vnet1 to connect to VM created in vnet3.