How many Azure Bastion subnets are required for a company moving all on-premises virtual machines to Azure?

In an Azure environment, Azure Bastion is a fully managed platform service that provides secure and seamless RDP and SSH connectivity to your virtual machines directly through the Azure portal without exposing them to the public internet.

To leverage Azure Bastion, only one subnet is required, known as the Bastion subnet. This subnet must be specially configured for Azure Bastion, and it must be named "AzureBastionSubnet" and have a specific subnet address range. The primary purpose of this subnet is to provision the Azure Bastion service that facilitates the connectivity to your VMs, ensuring secure access while minimizing the attack surface.

Other choices that suggest more subnets overestimate the typical configuration needed for Azure Bastion in relation to standard Azure networking. While additional subnets might be necessary for different Azure services or for isolating different resources, the requirement for Azure Bastion specifically is for just the one Bastion subnet.