connect-vm-native-client-windows.md

title: Connect to a VM using Bastion - Windows native client
titleSuffix: Azure Bastion
description: Learn how to connect to a VM from a Windows computer by using Bastion and a native client.
author: cherylmc
ms.service: bastion
ms.custom: devx-track-azurecli
ms.topic: how-to
ms.date: 09/21/2023
ms.author: cherylmc

Connect to a VM using Bastion and the Windows native client

This article helps you connect to a VM in the VNet using the native client (SSH or RDP) on your local Windows computer. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include local SSH key pair and Microsoft Entra ID. For more information and steps to configure Bastion for native client connections, see Configure Bastion for native client connections. Connections via native client require the Bastion Standard SKU.

:::image type="content" source="./media/native-client/native-client-architecture.png" alt-text="Diagram shows a connection via native client." lightbox="./media/native-client/native-client-architecture.png":::

After you've configured Bastion for native client support, you can connect to a VM using a native Windows client. The method you use to connect depends on both the client you're connecting from, and the VM you're connecting to. The following list shows some of the available ways you can connect from a Windows native client. See Connect to VMs for the full list showing available client connection/feature combinations.

  • Connect to a Windows VM using az network bastion rdp.
  • Connect to a Linux VM using az network bastion ssh.
  • Connect to a VM using az network bastion tunnel.
  • Upload and download files over RDP.
  • Upload files over SSH using az network bastion tunnel.

Prerequisites

[!INCLUDE VM connect prerequisites]

Verify roles and ports

Verify that the following roles and ports are configured in order to connect to the VM.

[!INCLUDE roles and ports]

Connect to a VM

The steps in the following sections help you connect to a VM from a Windows native client using the az network bastion command.

RDP to a Windows VM

[!INCLUDE Remote Desktop Users]

  1. Sign in to your Azure account using az login. If you have more than one subscription, you can view them using az account list and select the subscription containing your Bastion resource using az account set --subscription "<subscription ID>".

  2. To connect via RDP, use the following example.

    az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>"
    
  3. After running the command, you're prompted to input your credentials. You can use either a local username and password, or your Microsoft Entra credentials. Once you sign in to your target VM, the native client on your computer opens up with your VM session via MSTSC.

    [!IMPORTANT] Remote connection to VMs that are joined to Microsoft Entra ID is allowed only from Windows 10 or later PCs that are Microsoft Entra registered (starting with Windows 10 20H1), Microsoft Entra joined, or Microsoft Entra hybrid joined to the same directory as the VM.

Specify authentication method

Optionally, you can also specify the authentication method as part of the command.

Specify a custom port

You can specify a custom port when you connect to a Windows VM via RDP.

One scenario where this could be especially useful would be connecting to a Windows VM via port 22. This is a potential workaround for the limitation with the az network bastion ssh command, which can't be used by a Windows native client to connect to a Windows VM.

To specify a custom port, include the field --resource-port in the sign-in command, as shown in the following example.

az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>" --resource-port "22"

RDP to a Windows VM IP address

You can also connect to a VM private IP address instead of the resource ID. Microsoft Entra authentication, custom ports, and custom protocols aren't supported when using this type of connection. For more information about IP-based connections, see Connect to a VM - IP address.

Using the az network bastion command, replace --target-resource-id with --target-ip-address and the specified IP address to connect to your VM.

az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-address "<VMIPAddress>"

SSH to a Linux VM

  1. Sign in to your Azure account using az login. If you have more than one subscription, you can view them using az account list and select the subscription containing your Bastion resource using az account set --subscription "<subscription ID>".

  2. Sign in to your target Linux VM using one of the following example options. If you want to specify a custom port value, include the field --resource-port in the sign-in command.

    Microsoft Entra ID:

    If you’re signing in to a Microsoft Entra login-enabled VM, use the following command. For more information, see Azure Linux VMs and Microsoft Entra ID.

    az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "AAD"
    

    SSH key pair:

    The ssh extension can be installed by running az extension add --name ssh. To sign in using an SSH key pair, use the following example.

    az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"
    

    Username/password:

    If you’re signing in using a local username and password, use the following command. You’ll then be prompted for the password for the target VM.

    az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "password" --username "<Username>"
    
  3. Once you sign in to your target VM, the native client on your computer opens up with your VM session using SSH CLI extension (az ssh).
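
The SSH key pair sign-in above, written as a PowerShell script with preflight checks. This is an added example, not part of the original article; `$VmName`, `$VmResourceGroup` and the `Invoke-Az` helper are hypothetical, and the `enableTunneling` check assumes Bastion was configured for native client connections as described in the linked configuration article.

```powershell
# Added example, not from the original article. Placeholders are assumptions.
$SubscriptionId  = '<subscription ID>'
$ResourceGroup   = '<ResourceGroupName>'   # resource group of the Bastion host
$BastionName     = '<BastionName>'
$VmResourceGroup = '<VMResourceGroupName>' # hypothetical: resource group of the VM
$VmName          = '<VMName>'              # hypothetical: target Linux VM name
$Username        = '<Username>'
$KeyPath         = '<Filepath>'            # private key of the SSH key pair

function Invoke-Az {
    # Run az with the given arguments; stop the script on a non-zero exit code.
    $out = & az @args
    if ($LASTEXITCODE -ne 0) { throw "az $($args -join ' ') failed (exit $LASTEXITCODE)" }
    $out
}

# Step 1: sign in only if there is no active session, then pin the subscription.
az account show --output none
if ($LASTEXITCODE -ne 0) { az login }
Invoke-Az account set --subscription $SubscriptionId

# The article requires the Standard SKU; a Basic host cannot serve native client connections.
$bastion = Invoke-Az network bastion show --name $BastionName --resource-group $ResourceGroup --output json | ConvertFrom-Json
if ($bastion.sku.name -eq 'Basic') { throw "Bastion SKU is Basic; the Standard SKU is required." }
if (-not $bastion.enableTunneling) { throw "Native client support is not enabled on $BastionName." }

# The private key must exist; warn when accounts other than yours can access it.
if (-not (Test-Path -LiteralPath $KeyPath -PathType Leaf)) { throw "Key file not found: $KeyPath" }
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$allowed = @($me, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$others  = (Get-Acl -LiteralPath $KeyPath).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $allowed }
if ($others) { Write-Warning "Key is accessible to: $($others.IdentityReference.Value -join ', ')" }

# The article points to the ssh extension for this sign-in; install it if missing.
az extension show --name ssh --output none
if ($LASTEXITCODE -ne 0) { Invoke-Az extension add --name ssh }

# Resolve the VM's resource ID instead of pasting it by hand.
$vmId = Invoke-Az vm show --name $VmName --resource-group $VmResourceGroup --query id --output tsv

# Step 2: interactive session, so call az directly rather than capturing its output.
az network bastion ssh --name $BastionName --resource-group $ResourceGroup `
    --target-resource-id $vmId --auth-type 'ssh-key' --username $Username --ssh-key $KeyPath
```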

SSH to a Linux VM IP address

You can also connect to a VM private IP address instead of the resource ID. Microsoft Entra authentication, custom ports, and custom protocols aren't supported when using this type of connection. For more information about IP-based connections, see Connect to a VM - IP address.

Using the az network bastion command, replace --target-resource-id with --target-ip-address and the specified IP address to connect to your VM.

az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-ip-address "<VMIPAddress>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"

Connect to a VM - tunnel command

[!INCLUDE tunnel command]

Tunnel to a VM IP address

[!INCLUDE IP address]

Multi-connection tunnel

[!INCLUDE multi-connection tunnel]

Next steps

Upload or download files