Compliance alignment
This checklist is reviewed and maintained against three Microsoft architectural frameworks: the Cloud Adoption Framework (CAF), the Well-Architected Framework, and Zero Trust. Items within each section are tagged required, recommended, or optional based on framework guidance, with Zero Trust items typically driving the required bar and Well-Architected pillar guidance informing the recommended set.
Naming follows the CAF pattern bas-{workload}-{env}-{region}-{index} for the Bastion host and pip-{workload}-{env}-{region}-{index} for its Public IP. Bastion is a shared hub networking service: in a hub-spoke topology it is deployed in the connectivity subscription's hub VNet and reached from spoke workloads through VNet peering (IP-based connection, Standard SKU and above), so no Bastion instance is needed per spoke. Governance items address resource tagging (Workload, Environment, CostCenter, createdBy), CanNotDelete resource locks on the Bastion resource group, and Azure Policy compliance, including the built-in policy "Azure Bastion should be enabled for virtual machines with private IP addresses". Bastion names and Public IP names are immutable after deployment; confirm all naming before first deployment.
Reliability: Zone-redundant Standard Static Public IP and a minimum of 2 scale units (Standard/Premium) for high availability across availability zones. Basic SKU does not support zone redundancy or scale-out; evaluate SKU against your availability SLA before committing.
Security: Bastion eliminates the need for public IP addresses on all target VMs, removing the single largest VM attack surface. NSG rules on the VM subnet are tightened to allow RDP/SSH from the VirtualNetwork service tag only, not the Internet.
Performance Efficiency: Scale units are planned against measured peak concurrent session count (25 sessions per unit); scale can be adjusted post-deployment without service disruption (Standard/Premium).
Cost Optimization: SKU and scale units are selected based on actual feature and capacity requirements. Basic at ~$0.19/hr is appropriate for dev environments; Standard scale unit cost grows linearly.
Operational Excellence: Full IaC with diagnostic settings, budget alerting, and idempotent deployment scripts.
Verify explicitly: Bastion is the sole ingress point for RDP/SSH to protected VMs. All sessions are brokered through an Entra-authenticated Azure portal or native client session, with no alternative inbound path. For the strongest posture, combine Bastion with Entra ID VM Login (AADLoginForWindows/AADSSHLoginForLinux extension) to eliminate local password authentication entirely and enforce MFA via Conditional Access on VM login. Removing public IPs from target VMs is the highest-impact action Bastion enables.
Least privilege: Users require only Reader on the Bastion host, the target VM, and its NIC, not Contributor. PIM/JIT gates Bastion configuration changes and high-privilege VM administrator sessions. Shareable links (Standard+) are treated as temporary privileged credentials with defined expiry.
Assume breach: BastionAuditLogs provide a session-level audit trail: who connected, when, to which VM by private IP, over which protocol, and for how long. Session recording (Premium) creates an irrefutable in-session record. NSGs on VM subnets restrict RDP/SSH to the VirtualNetwork service tag only, eliminating all alternative direct access paths.
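A pre-deployment check for two of the items above (immutable CAF naming, and VM-subnet NSG rules that allow RDP/SSH from VirtualNetwork only), written as an added example rather than the checklist's own tooling. It assumes NSG rules in the dict shape of `az network nsg rule list -o json`; the sample rules and the lowercase/2-digit naming tokens are constructed assumptions.

```python
import re

# Added example, not the checklist's own tooling. Rules are dicts shaped like the output of
# `az network nsg rule list -o json` (camelCase keys); SAMPLE_RULES below are constructed.
MGMT_PORTS = (22, 3389)               # SSH, RDP
ALLOWED_SOURCES = {"VirtualNetwork"}  # service tag Bastion traffic arrives under
# CAF pattern from the checklist; lowercase tokens and a 2-digit index are assumptions
CAF_NAME = re.compile(r"^(bas|pip)-[a-z0-9]+-[a-z0-9]+-[a-z0-9]+-\d{2}$")

def caf_name_ok(name, prefix):
    """True if name follows {prefix}-{workload}-{env}-{region}-{index}."""
    return name.startswith(prefix + "-") and CAF_NAME.match(name) is not None

def _values(rule, single, plural):
    """NSG rules carry a scalar field or a list field; normalise to one list."""
    return list(rule.get(plural) or []) + ([rule[single]] if rule.get(single) else [])

def _covers(spec, port):
    """Does a port spec ("*", "3389" or "3000-4000") include the given port?"""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rdp_ssh_violations(rules):
    """(name, offending sources) for inbound Allow rules exposing 22/3389 to anything
    but VirtualNetwork. Priority shadowing is ignored on purpose: an Allow from
    Internet is flagged even when a higher-priority Deny masks it."""
    found = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if not any(_covers(p, m) for p in ports for m in MGMT_PORTS):
            continue
        bad = [s for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
               if s not in ALLOWED_SOURCES]
        if bad:
            found.append((rule["name"], bad))
    return found

SAMPLE_RULES = [  # constructed sample
    {"name": "AllowBastionRdpSsh", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRanges": ["22", "3389"]},
    {"name": "AllowRdpFromInternet", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "AllowHttps", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    {"name": "DenyAllInBound", "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
```

Run `rdp_ssh_violations(SAMPLE_RULES)` to see the Internet-sourced RDP rule reported while the VirtualNetwork rule and the HTTPS rule pass.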