SSH into your Azure Arc-enabled servers from anywhere

A new capability has been introduced for Azure Arc-enabled servers that allows you to SSH into your Windows/Linux servers from anywhere without requiring inbound ports or public IP addresses. While it's in preview, it allows you to SSH to Windows using a local user and to Linux using an Azure user. This capability comes in handy if you want to grant your team access to those servers from any location without the hassle of opening ports on your firewalls or raising any security concerns.

Feature requirements

To start using this feature, we need to perform the following steps:

  1. Register the HybridConnectivity resource provider
  2. Onboard the server to Azure Arc
  3. Create the default endpoint for this Azure Arc-enabled server
  4. Assign the user to connect with the Virtual Machine Local User Login role
  5. Enable the sshd service (for Windows, we need to install OpenSSH)
  6. Enable the SSH feature on the Azure Arc-enabled server using the azcmagent command.

If you only have a couple of servers, it can be fine to do those steps (especially 1-4) manually, but if you have tens or hundreds of servers and want to enable it at scale, then we need some sort of automation. I have a Hyper-V Windows server on my laptop that is Azure Arc-enabled and ready to test this deployment.

Screenshot showing the Hyper-v console

Screenshot showing Azure portal with Azure Arc-enabled server

At scale deployment of SSH on Arc-enabled Windows servers

First, let's assign the Virtual Machine Local User Login role to a normal user in my tenant.

Screenshot showing an RBAC permission assigned

Next, we need to populate the default connectivity endpoint for this Arc-enabled server.

Screenshot showing CLI creating the default connectivity endpoint

Since this server is Windows, we need to install OpenSSH to get the required sshd service and then run the azcmagent command to enable the SSH feature. To do this at scale, I'm going to use one of the capabilities that Azure Arc provides for servers, VM extensions, to install OpenSSH and configure the agent.

# Script run on the server by the Custom Script Extension (as SYSTEM): install the OpenSSH Server
# capability, start sshd and make it start automatically, then tell the Arc agent to accept
# incoming connections on port 22 through the Arc relay.
$Setting = @{ "commandToExecute" = "powershell.exe -c Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0;Start-Service sshd;Set-Service -Name sshd -StartupType 'Automatic';azcmagent config set incomingconnections.ports 22" }

# Deploy the Custom Script Extension to the Arc-enabled machine.
New-AzConnectedMachineExtension `
   -MachineName "WIN-S0EJKBIMSJL" `
   -Name "SSHConfig" `
   -Location "eastus" `
   -ExtensionType CustomScriptExtension `
   -Publisher "Microsoft.Compute" `
   -Settings $Setting `
   -ResourceGroupName "Arc-Win-Servers"

Screenshot showing the VM extension installation

OpenSSH is available as an extension that you can install directly. I will install it manually using PowerShell as I need to configure the agent and install the sshd service in one go.

Screenshot showing the OpenSSH vm extension in the Azure portal

We can see that the extension has been deployed successfully.

Screenshot showing the vm extension installed
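The post enables SSH on one server; the following is an added example (not the author's script) that runs the same steps 1, 3, 4, 5 and 6 as a loop over every connected Windows Arc-enabled server in a resource group. The resource group, user principal name, api-version for the HybridConnectivity endpoint, and the Status/OSName properties filtered on are assumptions for this example.

```powershell
# Added example: enable Arc SSH at scale for all connected Windows servers in one resource group.
# Hypothetical values: resource group, user principal name and the endpoint api-version.
$ResourceGroup = 'Arc-Win-Servers'
$UserPrincipal = 'clark.kent@contoso.com'
$ApiVersion    = '2021-10-06-preview'

# Step 1: register the HybridConnectivity resource provider (once per subscription).
Register-AzResourceProvider -ProviderNamespace 'Microsoft.HybridConnectivity' | Out-Null

# Resolve the user who will log in; the role assignment needs the object id.
$User = Get-AzADUser -UserPrincipalName $UserPrincipal

# Script the Custom Script Extension runs as SYSTEM on each server: install OpenSSH Server,
# make sshd start automatically, and let the Arc agent relay inbound connections on port 22.
$Setting = @{ "commandToExecute" = "powershell.exe -c Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0;Set-Service -Name sshd -StartupType 'Automatic';Start-Service sshd;azcmagent config set incomingconnections.ports 22" }

# Step 2 (onboarding) is assumed done: only machines already reporting as Connected Windows
# servers are touched (assumption: Status and OSName properties on the Arc machine object).
$Servers = Get-AzConnectedMachine -ResourceGroupName $ResourceGroup |
    Where-Object { $_.Status -eq 'Connected' -and $_.OSName -eq 'windows' }

foreach ($Server in $Servers) {
    Write-Host "Configuring $($Server.Name)"

    # Step 3: create the default connectivity endpoint with an ARM REST call.
    $Path = "$($Server.Id)/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=$ApiVersion"
    $Result = Invoke-AzRestMethod -Method PUT -Path $Path -Payload '{"properties":{"type":"default"}}'
    if ($Result.StatusCode -notin 200, 201) {
        Write-Warning "Endpoint creation failed for $($Server.Name): $($Result.Content)"
        continue
    }

    # Step 4: scope the login role to this single machine rather than the resource group,
    # so the user can only reach the servers they were explicitly granted.
    $Existing = Get-AzRoleAssignment -ObjectId $User.Id -Scope $Server.Id `
        -RoleDefinitionName 'Virtual Machine Local User Login'
    if (-not $Existing) {
        New-AzRoleAssignment -ObjectId $User.Id -Scope $Server.Id `
            -RoleDefinitionName 'Virtual Machine Local User Login' | Out-Null
    }

    # Steps 5 and 6: push the OpenSSH install and azcmagent configuration via the extension.
    New-AzConnectedMachineExtension -MachineName $Server.Name -Name 'SSHConfig' `
        -Location $Server.Location -ExtensionType 'CustomScriptExtension' `
        -Publisher 'Microsoft.Compute' -Settings $Setting `
        -ResourceGroupName $ResourceGroup | Out-Null
}
```

Servers that fail endpoint creation are skipped and reported rather than having the role assigned, so no user is granted login on a machine that cannot be reached through the relay.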

Connecting to the Azure Arc-enabled server using SSH

I will log in to the Azure CLI using the user assigned the Virtual Machine Local User Login role.

Screenshot showing the clark kent user

Now, trying to SSH into the Azure Arc-enabled server from the CLI, I get prompted for the password of the local user and then I get into the machine using SSH.

Screenshot showing the clark kent user SSH to the VM