SSH access to your servers running anywhere using Azure Arc

SSH access to servers running anywhere using Azure Arc

With Azure Arc, you can remotely manage your Linux and Windows Servers using the Azure control plane and management services, such as Azure Policy, Update Management, Security Center, Azure Monitor, and many more. This allows you to manage servers running on-premises, at the edge, or in mutlicloud environments at scale. However, in some cases, you will need to have direct access to your servers for troubleshooting for example using an SSH connection. In many of these hybrid and mutlicloud environments, direct network connectivity can be a challenge, that is why you now can get SSH access to your Linux and Windows Servers running anywhere using Azure Arc enabled servers.

Imagine a scenario where you as an IT Pro or developer need to access a server remotely using SSH, to troubleshoot a system or install or configure an application or the server. However, you might don’t have direct network access to the server since you are working remotely or you don’t have a VPN set up. Azure Arc enabled server now allows you to use the Azure CLI SSH extension to connect to the Azure control plane and from there to securely connect to the Azure Arc enabled server using the Azure Connected Machine Agent without opening additional ports or firewall configurations. In addition, to enable the connection you can also use Azure AD for role-based access control.

SSH access to Azure Arc-enabled servers offers the following benefits:

  • Create interactive and automated SSH connections to Arc-enabled Servers
  • Securely access hybrid servers without any additional ports or a public IP address
  • Access to Windows and Linux machines
  • Leverage different authentication options: AAD login based on RBAC roles (Linux only), Key-based authentication, and username & password authentication
  • Connect as a local user or as an Azure user
  • Connect with existing SSH clients using a config file
  • Connect to servers using Azure Cloud Shell
  • Leverage existing workflows & scripts for Azure IaaS Virtual Machines on Arc-enabled Servers
SSH access to Linux and Windows Servers running anywhere using Azure Arc
SSH access to Linux and Windows Servers running anywhere using Azure Arc

You can read more on the official Tech Community blog.

How to set up SSH access for Azure Arc enabled servers

Prerequisites

Setting up this new feature (which is currently in preview) is very simple. If you haven’t already connected your Linux or Windows Server to Azure using Azure Arc, you need to first install the Azure Arc agent. You can find a simple blog post and video on how to install the Azure Arc agent here. If you are already using Azure Arc, make sure your servers hybrid agent version is “1.13.21320.014” or higher. You can check this by running the following command:

azcmagent show

Importantly your server needs to have SSH configured and working, otherwise, Azure Arc cannot use it. If you want to set up SSH on a Windows Server, check out Microsoft Docs or follow my blog.

Supported Operating Systems

  • Windows: Windows 7+ and Windows Server 2012+
  • Linux: Supported Linux distros and versions can be found on the Azure Documentation page.

After you have connected your server, and it shows up in the Azure portal. You now need to add the port to your server, for that you can run the following command on your server.

Enable the SSH capability on the Arc-enabled servers

Run the following in an elevated terminal on the Arc-enabled server:

azcmagent config set incomingconnections.ports 22<,other open ports,…>

Note: If you would like to use a custom port for the SSH connection, change the above command to use the custom port.

To view existing ports

azcmagent config list

Linux Server Azure Arc SSH setup
Linux Server Azure Arc SSH setup

Create default connectivity endpoint

Run the following commands for each of your Azure Arc enabled servers, replace subscription, resource group, and arc enabled server name.

az rest --method put --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2021-10-06-preview --body '{\"properties\": {\"type\": \"default\"}}'

az rest --method get --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2021-10-06-preview

Install and update the Azure CLI extension

On the client, you will need to add or update the Azure CLI SSH extension.

Add Az CLI SSH extension

az extension add --name ssh

Update Az CLI SSH extension

az extension update --name ssh

Optional: Enable Azure AD login on Linux

You can also use Azure AD to log in to the Linux server. For that, you can simply run the following command on your Linux machine

sudo apt-get install aadsshlogin

sudo apt-get install aadsshlogin
sudo apt-get install aadsshlogin

To enable the Azure AD user or group to log in you need to follow the “Configure role assignments for the VM” instructions on the AAD Login for Linux documentation.

Configure role assignments Azure RBAC
Configure role assignments Azure RBAC

SSH connect to Azure Arc enabled servers using the Azure CLI

Now after you have done that setup and have the right version of the Azure CLI SSH extension, you can now SSH connect to your Azure Arc enable server. Now you have multiple options, depending on how you want to connect. You can learn more by running: az ssh arc --help.

Give a resource group and Arc Server Name to SSH using AAD issued certificates

az ssh arc --resource-group myResourceGroup --vm-name myArcServer

az ssh arc connect using Azure AD
az ssh arc connect using Azure AD

Give the Resource ID of an Arc Server to SSH using AAD issued certificates

az ssh arc --resource-id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.HybridCompute/machines/myArcServer

Using a custom private key file

az ssh arc --resource-group myResourceGroup --vm-name myArcServer --private-key-file key --public-key-file key.pub

Give a local user name to SSH to a local user using certificate-based authentication

az ssh arc --resource-group myResourceGroup --vm-name myArcServer --certificate-file cert.pub --private-key key --local-user name

Give a local user name to SSH to a local user using key-based authentication

az ssh arc --resource-group myRG --vm-name myVM --local-user name --private-key-file key

Give a local user name to SSH to a local user using password-based authentication

az ssh arc --resource-id /subscriptions/mySubsription/resourceGroups/myRG/providers/Microsoft.HybridCompute/machines/myArcServer --local-user username

Azure Arc SSH Access local User
Azure Arc SSH Access local User

If you want to learn more check out Microsoft Docs and the Azure CLI help command.

az ssh arc --help
az ssh arc –help

Conclusion

For more information check out the documentation page here on Microsoft Docs. I hope this provides you with a great overview of how you can manage and SSH access your Linux and Windows Servers anywhere using Azure Arc. If you have any questions, feel free to leave a comment.