Azure Bastion is a platform-managed PaaS service that allows you to connect to a virtual machine using your browser and the Azure portal. It provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over TLS. When you connect via Azure Bastion, your virtual machines do not need a public IP address or agent. So Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.
The Azure Bastion service is a PaaS service that you provision inside your virtual network. Until now it was not possible to connect with Azure Bastion to a virtual machine in another virtual network which is peered with the virtual network where Azure Bastion is located. As a result, you were forced to deploy an Azure bastion per virtual network, which can be quite pricey in hub-spoke scenarios and larger deployments .
Fortunately, this has recently changed. It is no longer necessary to place an Azure Bastion in each peered virtual network. So you can place your Azure Bastion centrally and connect to all VMs deployed in any peered virtual network. As long as you have the required permissions of course. This is supported for virtual network peering within the same Azure region and across Azure regions (global virtual network peering).
For more information about Azure Bastion see the following documentation: Link