The Azure Portal tunnel experience works, but it’s clunky. You can do the same thing straight from your terminal.
SSH into a VM through Bastion:
az network bastion ssh \
--name MyBastionHost \
--resource-group MyResourceGroup \
--target-resource-id /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm-name> \
--auth-type AAD

Forward a local port to a remote service behind Bastion (e.g. a database on port 5432):
az network bastion tunnel \
--name MyBastionHost \
--resource-group MyResourceGroup \
--target-resource-id /subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<vm-name> \
--resource-port 5432 \
--port 5432

Now connect to localhost:5432 as if the remote database were local.
Note: The bastion extension is required. Install it with az extension add --name bastion. You also need the Bastion resource to be configured with the Standard SKU — the Basic SKU does not support tunneling.
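
A pre-flight check for the prerequisites in the note above, as an added example that is not part of the original post. The function names are hypothetical; accepting the Premium SKU and checking the enableTunneling (native client support) property are assumptions that go beyond what the note states.

```shell
#!/usr/bin/env bash
# Added example: verify prerequisites before running `az network bastion tunnel`.
# MyBastionHost / MyResourceGroup are the page's placeholder names.

# Returns 0 if the SKU name supports tunneling. Basic is rejected per the note
# above; Premium is accepted as an assumption beyond the page.
sku_supports_tunnel() {
  case "$1" in
    Standard|Premium) return 0 ;;
    *) return 1 ;;
  esac
}

# Pure decision on the two values read from the Bastion resource.
# $1 = sku.name, $2 = enableTunneling. Returns 0 ready, 4 bad SKU, 5 tunneling off.
tunnel_ready() {
  sku_supports_tunnel "$1" || return 4
  case "$2" in
    true|True) return 0 ;;
    *) return 5 ;;
  esac
}

# Build the --target-resource-id value: subscription id, resource group, VM name.
vm_resource_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s' \
    "$1" "$2" "$3"
}

# Query Azure and report which prerequisite is missing. Needs `az login` first.
bastion_preflight() {
  name=$1 rg=$2
  if ! az extension show --name bastion >/dev/null 2>&1; then
    echo "bastion extension missing: az extension add --name bastion" >&2
    return 2
  fi
  sku=$(az network bastion show --name "$name" --resource-group "$rg" \
        --query sku.name --output tsv) || return 3
  tun=$(az network bastion show --name "$name" --resource-group "$rg" \
        --query enableTunneling --output tsv) || return 3
  tunnel_ready "$sku" "$tun"; rc=$?
  [ "$rc" -eq 4 ] && echo "SKU '$sku' does not support tunneling" >&2
  [ "$rc" -eq 5 ] && echo "native client support (tunneling) is disabled" >&2
  return "$rc"
}

# Usage: bastion_preflight MyBastionHost MyResourceGroup && az network bastion tunnel ...
```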