Category: Uncategorized

With Azure Arc, you can remotely manage your Linux and Windows Servers using the Azure control plane and management services, such as Azure Policy, Update Management, Security Center, Azure Monitor, and many more. This allows you to manage servers running on-premises, at the edge, or in mutlicloud environments at scale. However, in some cases, you will need to have direct access to your servers for troubleshooting for example using an SSH connection. In many of these hybrid and mutlicloud environments, direct network connectivity can be a challenge, that is why you now can get SSH access to your Linux and Windows Servers running anywhere using Azure Arc enabled servers.

Imagine a scenario where you as an IT Pro or developer need to access a server remotely using SSH, to troubleshoot a system or install or configure an application or the server. However, you might don’t have direct network access to the server since you are working remotely or you don’t have a VPN set up. Azure Arc enabled server now allows you to use the Azure CLI SSH extension to connect to the Azure control plane and from there to securely connect to the Azure Arc enabled server using the Azure Connected Machine Agent without opening additional ports or firewall configurations. In addition, to enable the connection you can also use Azure AD for role-based access control.

SSH access to Azure Arc-enabled servers offers the following benefits:

• Create interactive and automated SSH connections to Arc-enabled Servers
• Securely access hybrid servers without any additional ports or a public IP address
• Access to Windows and Linux machines
• Leverage different authentication options: AAD login based on RBAC roles (Linux only), Key-based authentication, and username & password authentication
• Connect as a local user or as an Azure user
• Connect with existing SSH clients using a config file
• Connect to servers using Azure Cloud Shell
• Leverage existing workflows & scripts for Azure IaaS Virtual Machines on Arc-enabled Servers

You can read more on the official Tech Community blog.

How to set up SSH access for Azure Arc enabled servers

Prerequisites

Setting up this new feature (which is currently in preview) is very simple. If you haven’t already connected your Linux or Windows Server to Azure using Azure Arc, you need to first install the Azure Arc agent. You can find a simple blog post and video on how to install the Azure Arc agent here. If you are already using Azure Arc, make sure your servers hybrid agent version is “1.13.21320.014” or higher. You can check this by running the following command:

azcmagent show

Importantly your server needs to have SSH configured and working, otherwise, Azure Arc cannot use it. If you want to set up SSH on a Windows Server, check out Microsoft Docs or follow my blog.

Supported Operating Systems

• Windows: Windows 7+ and Windows Server 2012+
• Linux: Supported Linux distros and versions can be found on the Azure Documentation page.

After you have connected your server, and it shows up in the Azure portal. You now need to add the port to your server, for that you can run the following command on your server.

Enable the SSH capability on the Arc-enabled servers

Run the following in an elevated terminal on the Arc-enabled server:

azcmagent config set incomingconnections.ports 22<,other open ports,…>

Note: If you would like to use a custom port for the SSH connection, change the above command to use the custom port.

To view existing ports

azcmagent config list

Create default connectivity endpoint

Run the following commands for each of your Azure Arc enabled servers, replace subscription, resource group, and arc enabled server name.

az rest --method put --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2021-10-06-preview --body '{\"properties\": {\"type\": \"default\"}}'

az rest --method get --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2021-10-06-preview

Install and update the Azure CLI extension

On the client, you will need to add or update the Azure CLI SSH extension.

Add Az CLI SSH extension

az extension add --name ssh

Update Az CLI SSH extension

az extension update --name ssh

Optional: Enable Azure AD login on Linux

You can also use Azure AD to log in to the Linux server. For that, you can simply run the following command on your Linux machine

sudo apt-get install aadsshlogin

To enable the Azure AD user or group to log in you need to follow the “Configure role assignments for the VM” instructions on the AAD Login for Linux documentation.

SSH connect to Azure Arc enabled servers using the Azure CLI

Now after you have done that setup and have the right version of the Azure CLI SSH extension, you can now SSH connect to your Azure Arc enable server. Now you have multiple options, depending on how you want to connect. You can learn more by running: az ssh arc --help.

Give a resource group and Arc Server Name to SSH using AAD issued certificates

az ssh arc --resource-group myResourceGroup --vm-name myArcServer

Give the Resource ID of an Arc Server to SSH using AAD issued certificates

az ssh arc --resource-id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myRG/providers/Microsoft.HybridCompute/machines/myArcServer

Using a custom private key file

az ssh arc --resource-group myResourceGroup --vm-name myArcServer --private-key-file key --public-key-file key.pub

Give a local user name to SSH to a local user using certificate-based authentication

az ssh arc --resource-group myResourceGroup --vm-name myArcServer --certificate-file cert.pub --private-key key --local-user name

Give a local user name to SSH to a local user using key-based authentication

az ssh arc --resource-group myRG --vm-name myVM --local-user name --private-key-file key

Give a local user name to SSH to a local user using password-based authentication

az ssh arc --resource-id /subscriptions/mySubsription/resourceGroups/myRG/providers/Microsoft.HybridCompute/machines/myArcServer --local-user username

If you want to learn more check out Microsoft Docs and the Azure CLI help command.

Conclusion

For more information check out the documentation page here on Microsoft Docs. I hope this provides you with a great overview of how you can manage and SSH access your Linux and Windows Servers anywhere using Azure Arc. If you have any questions, feel free to leave a comment.

I am sure you might already have heard of our upcoming event called ITOps Talks – All Things Hybrid starting February 2nd. ITOps Talks – All Things Hybrid is an initiative of our Cloud Advocacy AzOps team, to bring you Hybrid Cloud deep dive sessions from your favorite speakers and program managers at Microsoft. You can learn directly from the people behind the products how you can make your on-premises environment better using build-in technologies in Windows Server, Microsoft Azure, and many more!

Now, you might think, not again another online event where I need to wait for the sessions coming up. Well, we do things a little differently. On February 2nd, we will have a keynote by no one else than Microsoft Azure CTO (Chief Technology Officer) Mark Russinovich. After that all the deep-dive sessions are becoming available on-demand, so you can watch them when you have time for it. But how about Q&A? To also allow you not only to watch these sessions but also to interact with others and ask your questions, we have set up a community discord server, where you will have channels for all the different sessions to ask questions. In addition to that, we will also host live Q&As with the speakers a week later.

There is no need for registration to attend this event. However, you might want to make sure you don’t miss it! Here’s a handy landing page where you can quickly/conveniently download an iCal reminder for the Europe/Eastern NorthAmerica livestream OR Asia Pacific/Western NorthAmerica livestream.

The ITOps Talks – All Things Hybrid Keynote

Mark Russinovich was an obvious choice to ask. As a Technical Fellow and CTO of Azure paired with his deep technical expertise in the Microsoft ecosystem – Mark brings a unique perspective to the table. He’s put together this exclusive session about Microsoft Hybrid Solutions and has agreed to join us for a brief interview and live Q&A following the keynote. I’ve had a quick peek at what he has in store for us and I’m happy to report: it’s really cool.

You can find out more about Mark Russinovich’s keynote here.

ITOps Talks – Sessions

As promised, for the ITOps Talks – All Things Hybrid event, we have a list of awesome speakers who will provide deep-dive sessions on some of our best Hybrid Cloud technologies, which will help you to make your hybrid and multi-cloud environment even better!

Check this out the list of ITOps Talks sessions:

OPS101 – Securing your Hybrid environment Part 1 – Azure Security Center
Sarah Young (@_sarahyo) – Sr. Program Manager
Now more than ever, organizations are challenged with keeping their employees productive working remotely and interacting with their customers over digital channels. At the same time there has been an increase in evolving digital security threats as bad actors recognize an opportunity to disrupt your business. Moreover, security resources are stretched, and prioritization is important.

OPS103 – Securing your Hybrid environment Part 2 – Azure Sentinel
Sarah Young (@_sarahyo) – Sr. Program Manager
Sit down with Azure Sentinel Sr. PM Sarah Young to discuss new features, functionality, and best practices on harnessing the AI enabled security solution.

OPS104 – Securing SMB from within and without
Ned Pyle (@nerdPyle) – Principal Program Manager
Learn specific strategies to secure SMB from lateral movement and external interception attacks! Watch interesting demos of the steps you can take to protect your organization! See the often unpredictable Ned Pyle struggle to be professional on camera!

OPS105 – Virtualized and Hybrid Backup Deep Dive
Ben Armstrong (@vBenArmstrong) – Principal Program Manager
Ben Armstrong does a deep dive on Virtualized and Hybrid Backup

OPS106 – How to be an AD Hybrid Health Hero
Mark Morowczynski (@markmorow) – Principal Program Manager, Grace Picking – Program Manager
Once you’ve connected your identity to Azure AD, how do you ensure it continues to function as expected? In this session, you’ll learn how to keep your hybrid identity environment healthy, across different Active Directory and Azure Active Directory scenarios.

OPS107 – Hybrid as a management plane
Jeff Woolsey (@WSV_GUY)- Principal Program Manager
Jeff, Orin & Sonia discuss how cloud makes on-prem environments better, including cloud tiering & management tools, and what the future looks like for IT Pros.

OPS108 – Windows Authentication Internals in a Hybrid World
Steve Syfuhs (@SteveSyfuhs) – Senior Software Engineer
Have you ever wondered what happens when you type your password into Windows? With the cloud becoming a major part of our world, we find ourselves having to talk to both on-premises and cloud-native resources, which dramatically affects what happens when you do type your password into Windows. Follow along as Steve Syfuhs gives a guided tour of how Windows handles logons internally and secures your authentication in a hybrid world.

OPS109 – Getting started with Azure Kubernetes Service (AKS) on Azure Stack HCI
Matt McSpirit (@mattmcspirit) – Senior Program Manager
In this session, you’ll learn about the new Azure Kubernetes Service on Azure Stack HCI, how you can use it to run your containerized Windows and Linux apps, how it integrates with Azure, and how it provides the best platform to run additional Azure services, including Arc-enabled Data Services. This will help you to modernize your existing applications on our Azure Stack HCI Hybrid Cloud Platform

OPS101 – Windows Virtual Desktop Road Map Deep Dive
Tom Hickling (@tomhickling) – WVD Global Black Belt
Dive into the forthcoming WVD roadmap and how it can help be part of your hybrid cloud strategy.

OPS111 – Learn the 5 key areas to consider for your hybrid workloads
David Kurth (@TheDaveKurth) – Senior Product Marketing Manager
In this whiteboard session (after a few slides for context), we will discuss the 5 key areas of any hybrid cloud workload, connectivity, application, data, identity, security & management.

OPS112 – Azure Stack HCI Hybrid is built-in: How does it really work?
Kerim Hanif (@kerimhanif) – Senior Program Manager
Ready to deploy Azure Stack HCI, the new hyperconverged infrastructure operating system delivered as an Azure service? Join this session to learn everything you need to know about how Azure Stack HCI’s hybrid connectivity works. Is it hard to register? (Hint: no.) Is there an agent? (Hint: no.) Does Azure see my VMs and their data? (Hint: no.) Do I need to open my firewall to freely allow Internet traffic? (Hint: no.) All these answers and more.

OPS113 – From WS2008 to Azure with containers – An Ops view on how to modernize existing applications with Windows Admin Center
Vinicius Apolinario (@vrapolinario) – Senior Program Manager
ITPros around the globe are trying to figure out how to modernize existing applications. End of Support for Windows Server 2008, how to move applications to the cloud, and how to leverage new technologies such as Kubernetes have become a daunting process for Ops teams. In this session, we will cover how to containerize existing applications from the perspective of an ITPro. We will use tools that you are used to – such as Windows Admin Center to jumpstart your modernization process and show how to move an application from Windows Server 2008 to Azure Kubernetes Service.

OPS114 – Governing baselines such as STIG in hybrid server environments using Azure Policy Guest Configuration
Michael Greene (@migreene) – Principal Program Manager
Learn to use services in Azure to audit the state of servers across private and public clouds and upcoming plans to expand capabilities in this area.

OPS115 – Log Analytics workspace design deep dive
Meir Mendelovich (@MMendelovich) – Principal Program Manager
in this session we will cover

1. Proper Workspace design: resource-centric and RBAC.
2. Resource-centric alerts.
3. Enterprise features: Dedicated cluster, high scale, AZ, DE, CMK
4. OneAgent, Query Packs and infrastructure as code
5. Workspace data Export and proper data placement
6. Workspace Optimization

OPS116 – Monitoring and Responding to alerts in hybrid environments using Azure Monitor
Erik Namtvedt (@ErikN_MSFT) – Senior Service Engineer
A deep dive of the framework Microsoft Retail has leveraged over the last 3-4 years to monitor all their on-prem system, including in-store Video walls and others. It’s based on Azure Public-Offering technologies. It leverages Application Insights, OMS (SCOM too), Log Analytics, Azure Storage (Blob/Tables), Azure Automation, and PowerShell.

OPS117 – PowerShell Deep dive
Joey Aiello (@joeyaiello) – Senior Program Manager
We will use this time to take a deep dive on migrating\adapting old PowerShell scripts from previous versions and making them work in PowerShell 7 and PowerShell Core.
We’ll also take a serious look at secret management with PowerShell to avoid the ever annoying problem of hardcode creds or use prompts.

OPS118 – Deep dive on Onboarding customers into Lighthouse
Archana Balakrishnan (@Archun0505) – Principal Program Manager
In this session we will demystify the intricacies of onboarding customers in Azure Lighthouse from a service provider’s perspective – soup to nuts.

OPS119 – Databases are cattle too! Running highly available databases consistently on any infrastructure using Arc data services
Travis Wright (@radtravis) – Principal Group Program Manager
Have you heard people say ‘containers or Kubernetes is not for databases’? Let me show you how that is definitely not the case in 2021. Kubernetes provides an abstraction layer over any infrastructure and an orchestration engine that powers Arc enabled data services so DevOps, DBAs, and developers can provision and manage highly available SQL and PostrgreSQL database instances on any infrastructure – on-prem, AWS, or Google. In this session, I’ll dive deep into the technical weeds with nearly 100% demos that show you exactly how it all works and you can manage it all with GUI, CLI, Azure-native tools, or Kubernetes-native tools.

OPS121 – Modernize how you manage hybrid servers with Azure Arc
Ryan Puffer – Senior Program Manager
Think the cloud is just for things that are…in the cloud? Come learn how you can use Azure Arc to simplify IT operations across your entire fleet, no matter where your servers run. We’ll start with a deep dive into the architecture and benefits of Azure Arc followed by a demonstration of how Azure Arc can help you monitor, secure, and simplify management of a multi-tier on-premises application.

You can find out more about the agenda here.

Conclusion

I was recording sessions within the last couple of weeks and days, and trust me I can wait for you to see them! So make sure you block your calendars and join us for our ITOps Talks All Things Hybrid starting February 2nd! I know that the whole team has worked very hard to provide you with some awesome sessions!

If you have any questions, feel free to leave a comment or ping us with a tweet using the #AzOps hashtag on Twitter. I hope you will enjoy ITOps Talks All Things Hybrid!