From 407717282ec343e9043e3bebe8a81c10cde18a85 Mon Sep 17 00:00:00 2001
From: Fuming Zhang <fumingzhang@microsoft.com>
Date: Wed, 11 Mar 2026 14:55:45 +1100
Subject: [PATCH 1/2] fix

---
 .../azext_aks_preview/bastion/bastion.py      | 56 +++++++++++--------
 src/aks-preview/azext_aks_preview/custom.py   |  4 +-
 2 files changed, 35 insertions(+), 25 deletions(-)

diff --git a/src/aks-preview/azext_aks_preview/bastion/bastion.py b/src/aks-preview/azext_aks_preview/bastion/bastion.py
index 210d86f046a..d9ac42684c0 100644
--- a/src/aks-preview/azext_aks_preview/bastion/bastion.py
+++ b/src/aks-preview/azext_aks_preview/bastion/bastion.py
@@ -36,7 +36,7 @@ def __init__(self, name, resource_group):
 
 
 def aks_bastion_parse_bastion_resource(
-    bastion: str, resource_groups: List[str]
+    bastion: str, resource_groups: List[str], subscription_id: str = None
 ) -> BastionResource:
     """Get the bastion resource name from the provided name or node resource group."""
 
@@ -55,18 +55,21 @@ def aks_bastion_parse_bastion_resource(
                     resource_group,
                 )
                 # check if the bastion exists in the provided resource group
+                show_cmd = [
+                    "network",
+                    "bastion",
+                    "show",
+                    "--resource-group",
+                    resource_group,
+                    "--name",
+                    bastion,
+                    "--output",
+                    "json",
+                ]
+                if subscription_id:
+                    show_cmd.extend(["--subscription", subscription_id])
                 result = run_az_cmd(
-                    [
-                        "network",
-                        "bastion",
-                        "show",
-                        "--resource-group",
-                        resource_group,
-                        "--name",
-                        bastion,
-                        "--output",
-                        "json",
-                    ],
+                    show_cmd,
                     out_file=TextIO(),
                 )
                 if result.exit_code != 0:
@@ -92,16 +95,19 @@ def aks_bastion_parse_bastion_resource(
     # list bastions in the provided resource groups
     for resource_group in resource_groups:
         logger.debug("Searching for bastion in resource group '%s'.", resource_group)
+        list_cmd = [
+            "network",
+            "bastion",
+            "list",
+            "--resource-group",
+            resource_group,
+            "--output",
+            "json",
+        ]
+        if subscription_id:
+            list_cmd.extend(["--subscription", subscription_id])
         result = run_az_cmd(
-            [
-                "network",
-                "bastion",
-                "list",
-                "--resource-group",
-                resource_group,
-                "--output",
-                "json",
-            ],
+            list_cmd,
             out_file=TextIO(),
         )
         if result.exit_code != 0:
@@ -243,12 +249,12 @@ def aks_bastion_set_kubeconfig(kubeconfig_path, port, cluster_name=None):
 
 
 async def aks_bastion_runner(
-    bastion_resource, port, mc_id, kubeconfig_path, test_hook=None
+    bastion_resource, port, mc_id, kubeconfig_path, subscription_id=None, test_hook=None
 ):
     """Run the bastion tunnel and subshell in parallel, cancelling the other if one completes."""
 
     task1 = asyncio.create_task(
-        _aks_bastion_launch_tunnel(bastion_resource, port, mc_id)
+        _aks_bastion_launch_tunnel(bastion_resource, port, mc_id, subscription_id)
     )
     if test_hook:
         task2 = asyncio.create_task(
@@ -468,7 +474,7 @@ async def _aks_bastion_launch_subshell(kubeconfig_path, port):
             logger.warning("Subshell was cancelled before it could be launched.")
 
 
-async def _aks_bastion_launch_tunnel(bastion_resource, port, mc_id):
+async def _aks_bastion_launch_tunnel(bastion_resource, port, mc_id, subscription_id=None):
     """Launch the bastion tunnel using the provided parameters."""
 
     tunnel_proces = None
@@ -478,6 +484,8 @@ async def _aks_bastion_launch_tunnel(bastion_resource, port, mc_id):
             f"{az_cmd_name} network bastion tunnel --resource-group {bastion_resource.resource_group} "
             f"--name {bastion_resource.name} --port {port} --target-resource-id {mc_id} --resource-port 443"
         )
+        if subscription_id:
+            cmd += f" --subscription {subscription_id}"
         logger.warning("Creating bastion tunnel with command: '%s'", cmd)
 
         # Use start_new_session on Unix to create a new process group
diff --git a/src/aks-preview/azext_aks_preview/custom.py b/src/aks-preview/azext_aks_preview/custom.py
index 3b4f1ceb1b6..b2529edcaba 100644
--- a/src/aks-preview/azext_aks_preview/custom.py
+++ b/src/aks-preview/azext_aks_preview/custom.py
@@ -5242,10 +5242,11 @@ def aks_bastion(cmd, client, resource_group_name, name, bastion=None, port=None,
         kubeconfig_path = os.path.join(temp_dir, ".kube", "config")
 
     try:
+        subscription_id = get_subscription_id(cmd.cli_ctx)
         mc = client.get(resource_group_name, name)
         mc_id = mc.id
         nrg = mc.node_resource_group
-        bastion_resource = aks_bastion_parse_bastion_resource(bastion, [nrg])
+        bastion_resource = aks_bastion_parse_bastion_resource(bastion, [nrg], subscription_id)
         port = aks_bastion_get_local_port(port)
 
         # Fetch credentials only if kubeconfig not provided
@@ -5277,6 +5278,7 @@ def aks_bastion(cmd, client, resource_group_name, name, bastion=None, port=None,
                 port,
                 mc_id,
                 kubeconfig_path,
+                subscription_id=subscription_id,
                 test_hook=os.getenv("AKS_BASTION_TEST_HOOK"),
             )
         )

From e8b561e3ad26d63e68b06d892c73143983b7f64d Mon Sep 17 00:00:00 2001
From: Fuming Zhang <fumingzhang@microsoft.com>
Date: Wed, 11 Mar 2026 15:00:18 +1100
Subject: [PATCH 2/2] fix

---
 src/aks-preview/HISTORY.rst | 4 ++++
 src/aks-preview/setup.py    | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/aks-preview/HISTORY.rst b/src/aks-preview/HISTORY.rst
index 7b605c161a7..2f135009204 100644
--- a/src/aks-preview/HISTORY.rst
+++ b/src/aks-preview/HISTORY.rst
@@ -12,6 +12,10 @@ To release a new version, please select a new version number (usually plus 1 to
 Pending
 +++++++
 
+19.0.0b25
++++++++
+* `az aks bastion`: Fix `--subscription` not being passed to internal `az network bastion tunnel` and bastion discovery commands.
+
 19.0.0b24
 +++++++
 * Vendor new SDK and bump API version to 2026-01-02-preview.
diff --git a/src/aks-preview/setup.py b/src/aks-preview/setup.py
index 5458ace4319..541174f9afb 100644
--- a/src/aks-preview/setup.py
+++ b/src/aks-preview/setup.py
@@ -9,7 +9,7 @@
 
 from setuptools import find_packages, setup
 
-VERSION = "19.0.0b24"
+VERSION = "19.0.0b25"
 
 CLASSIFIERS = [
     "Development Status :: 4 - Beta",