diff --git a/infrastructure/base/main.tf b/infrastructure/base/main.tf
index e03597cdd3..84465f1f2c 100644
--- a/infrastructure/base/main.tf
+++ b/infrastructure/base/main.tf
@@ -39,6 +39,7 @@ module "bastion" {
   project_name = var.project_name
   bastion_ssh_public_keys = var.bastion_ssh_public_keys
   bastion_subnet_id = module.network.bastion_subnet_id
+  bastion_nsg_id = module.network.bastion_nsg_id
   dns_zone = module.dns.dns_zone
 }
 
diff --git a/infrastructure/base/modules/bastion/main.tf b/infrastructure/base/modules/bastion/main.tf
index cf94557e5a..3226d05743 100644
--- a/infrastructure/base/modules/bastion/main.tf
+++ b/infrastructure/base/modules/bastion/main.tf
@@ -23,6 +23,11 @@ resource "azurerm_network_interface" "bastion_nic" {
   }
 }
 
+resource "azurerm_network_interface_security_group_association" "bastion_nic_nsg_association" {
+  network_interface_id = azurerm_network_interface.bastion_nic.id
+  network_security_group_id = var.bastion_nsg_id
+}
+
 resource "tls_private_key" "ssh_private_key" {
   algorithm = "RSA"
   rsa_bits = 4096
@@ -30,6 +35,16 @@ resource "tls_private_key" "ssh_private_key" {
 
 locals {
   admin_user = "ubuntu"
+
+  cloud_init_custom_data = <<-EOF
+    #cloud-config
+    runcmd:
+      - fallocate -l 2G /swapfile
+      - chmod 600 /swapfile
+      - mkswap /swapfile
+      - swapon /swapfile
+      - echo '/swapfile none swap sw 0 0' | tee -a /etc/fstab
+  EOF
 }
 
 resource "azurerm_linux_virtual_machine" "bastion" {
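Review bot: The swapfile set up in `cloud_init_custom_data` (the `locals` hunk of modules/bastion/main.tf) lets pages of process memory be written to the OS disk, and on a bastion that can include SSH key and session material; `chmod 600` limits who can read the file but not what the kernel swaps out, so this relies on the OS disk being encrypted at rest — presumably the default Azure server-side encryption, but worth confirming and stating in the heredoc, e.g. `# NOTE: swap contents are only as protected as the OS disk's at-rest encryption`. cloud-init also ships a dedicated `swap:` config key (`swap: {filename: /swapfile, size: 2G}`) that creates, formats, enables and writes the fstab entry itself, which would replace the five `runcmd` steps and avoid the unconditional `tee -a /etc/fstab` append, which duplicates the line if the commands are ever re-run on the same disk. The `runcmd` sequence as written also has no error handling between steps (a failed `fallocate` still leads to `mkswap`/`swapon` on a missing file and an fstab entry for it); `runcmd` stops only if the shell itself fails, so consider `set -e`-style chaining or the `swap:` module. The `locals` block is shown in full here; the enclosing VM resource that consumes it starts at the end of this hunk and continues in the next.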
@@ -59,10 +74,18 @@ resource "azurerm_linux_virtual_machine" "bastion" {
 
   source_image_reference {
     publisher = "Canonical"
-    offer = "0001-com-ubuntu-server-focal"
-    sku = "20_04-lts"
+    offer = "ubuntu-24_04-lts"
+    sku = "minimal"
     version = "latest"
   }
+
+  # Since the VM for this bastion host is provisioned with a very small VM size
+  # by default (Standard_B1ls, with 1 vCPU core and 0.5GiB of memory), memory
+  # may typically not be enough if needing to run an apt update/upgrade to pull
+  # in security-fix packages, so a small swapfile should help here. This is
+  # created via cloud-init
+  # (https://learn.microsoft.com/en-us/azure/virtual-machines/linux/tutorial-automate-vm-deployment)
+  custom_data = base64encode(local.cloud_init_custom_data)
 }
 
 resource "azurerm_dns_a_record" "bastion_dns_record" {
diff --git a/infrastructure/base/modules/bastion/variables.tf b/infrastructure/base/modules/bastion/variables.tf
index 13e23e0b6f..e685eb2631 100644
--- a/infrastructure/base/modules/bastion/variables.tf
+++ b/infrastructure/base/modules/bastion/variables.tf
@@ -21,6 +21,10 @@ variable "bastion_subnet_id" {
   description = "The id of the subnet where the bastion host will be placed"
 }
 
+variable "bastion_nsg_id" {
+  description = "The id of the network security group for the bastion host"
+}
+
 variable "dns_zone" {
   description = "The Azure DNS zone where the bastion A record will be added"
 }
diff --git a/infrastructure/base/modules/network/outputs.tf b/infrastructure/base/modules/network/outputs.tf
index 6087b90a6e..fb61cec7ac 100644
--- a/infrastructure/base/modules/network/outputs.tf
+++ b/infrastructure/base/modules/network/outputs.tf
@@ -26,6 +26,10 @@ output "bastion_subnet_id" {
   value = azurerm_subnet.bastion_subnet.id
 }
 
+output "bastion_nsg_id" {
+  value = azurerm_network_security_group.bastion_nsg.id
+}
+
 output "firewall_subnet_id" {
   value = azurerm_subnet.firewall_subnet.id
 }
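Review bot: Both the `source_image_reference` change and the new `custom_data` argument are immutable on `azurerm_linux_virtual_machine`, so this apply replaces the bastion VM rather than updating it — operators get fresh SSH host keys (and a new address unless the public IP is a separate retained resource, which this hunk does not show), and any `known_hosts` pinning of the old bastion breaks; the comment block above `custom_data` should say so, e.g. `# NOTE: custom_data and the image reference are immutable; changing either forces replacement of this VM (new host keys).` The switch to `sku = "minimal"` is worth a sentence in that comment as well, since minimal images carry fewer packages than the previous server image and the swapfile setup depends on cloud-init being present in the chosen SKU — confirm before merging. Minor: "may typically not be enough if needing to run" reads awkwardly; `is typically not enough to run an apt update/upgrade` is clearer. The resource `azurerm_linux_virtual_machine.bastion` begins before this hunk.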