Remote SSH via Azure Bastion (with AAD auth) #7179

Open
hansenms opened this issue Sep 10, 2022 · 16 comments

@hansenms

Azure Bastion is a managed service for secure access to virtual machines in a vnet. I would like to be able to do VS Code remote SSH (and remote container) development on a VM that is accessed via a bastion host. Additionally, I would like this to work with Azure Active Directory (AAD) auth enabled on the VM.

I can get a shell in the remote VM with something like:

az network bastion ssh --name <bastion name> -g <bastion resource group> --target-resource-id <vm resource id> --auth-type AAD

However, the remote-ssh extension in vscode seems to rely on a direct ssh command and not this sort of proxied ssh connection. There was a related question on this, #4553, which I don't think was answered, and maybe Bastion was not as mature at the time.

@github-actions github-actions bot added the ssh Issue in vscode-remote SSH label Sep 10, 2022
@eleanorjboyd eleanorjboyd self-assigned this Sep 12, 2022
@eleanorjboyd
Member

Hello! Currently we do not have support for Azure Bastion specifically and therefore I will move this issue to be a feature-request in our backlog. Since I cannot give a timeline on when we might tackle this feature request, there are a few options on ways that you might be able to build your own custom solutions. First, you could make a custom script that handles the connection via bastion and set the ssh binary to this script so we run this script when attempting to connect via ssh. Additionally, we have a new workflow called vscode server cli which is outlined here: https://code.visualstudio.com/blogs/2022/07/07/vscode-server. This is in private preview but I can give you access if you think that tool would be a good solution. Thanks!

@eleanorjboyd eleanorjboyd added the feature-request Request for new features or functionality label Sep 14, 2022
@VSCodeTriageBot VSCodeTriageBot added this to the Backlog Candidates milestone Sep 14, 2022
@VSCodeTriageBot
Collaborator

This feature request is now a candidate for our backlog. The community has 60 days to upvote the issue. If it receives 10 upvotes we will move it to our backlog. If not, we will close it. To learn more about how we handle feature requests, please see our documentation.

Happy Coding!

@madhavchereddyacc

any update on this issue?

@eleanorjboyd
Member

@madhavchereddyacc, no updates at this point. This issue will be mentioned in a planning issue when it comes on the docket for engineering and this issue will be updated with notice once it comes in the release to see if it works for everyone correctly in this thread.

@donglixp

donglixp commented Oct 7, 2022

GCR is now moving to Bastion...

@sytelus

sytelus commented Feb 4, 2023

This is very important functionality given the big push towards Bastion. Any updates?

For a temporary workaround, you can use the tunneling feature of Bastion to enable remote SSH. In this case, add the following to your $USERPROFILE\.ssh\config file:

# Below is for vscode remote connection for Azure Bastion
Host tunnel
  HostName 127.0.0.1
  Port 2222
  User DOMAIN.login
  StrictHostKeyChecking=No
  UserKnownHostsFile=\\.\NUL

Then use PowerShell to connect to the Bastion host in Azure:

az network bastion tunnel --subscription SUBSCRIPTION_GUID --name BASTION_NAME --resource-group RESOURCE_GROUP --target-resource-id VM_ID --resource-port 22 --port 2222

In VSCode, when you click on Connect to Host, you will see a host named tunnel, which should work as expected.

Also see this: https://techcommunity.microsoft.com/t5/fasttrack-for-azure/accessing-aks-private-clusters-with-azure-bastion-and-vs-code/ba-p/3581367
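
A stricter variant of the `Host tunnel` entry above, as an added example that is not part of the original comment: it keeps SSH host key verification enabled while still connecting through the local tunnel port. `bastion-VM_NAME` and the `known_hosts_bastion` file name are placeholders chosen here; `DOMAIN.login` is the placeholder from the comment.

```sshconfig
# Added example: "Host tunnel" with host key verification left on.
Host tunnel
  HostName 127.0.0.1
  # Must equal the --port value passed to "az network bastion tunnel".
  # If nothing is listening on this port, ssh fails with
  # "connect to host 127.0.0.1 port 2222: Connection refused".
  Port 2222
  User DOMAIN.login
  # Record the VM's host key under a per-VM name instead of
  # [127.0.0.1]:2222, so tunnels to different VMs on the same local
  # port do not collide in known_hosts (placeholder alias).
  HostKeyAlias bastion-VM_NAME
  # Accept the key on the first connection, then refuse to connect
  # if the key presented for this alias ever changes.
  StrictHostKeyChecking accept-new
  # Keep tunnel host keys in their own file (placeholder file name).
  UserKnownHostsFile ~/.ssh/known_hosts_bastion
```

With `StrictHostKeyChecking=No` and a null `UserKnownHostsFile`, the client never compares the server's key against a stored one, so a changed key goes unnoticed; `accept-new` requires OpenSSH 7.6 or later.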

@MicheleDelliVeneri

I was experiencing the same issue; I have fixed it through the StrictHostKeyChecking=No option in the config.

@eric-therond

eric-therond commented Dec 21, 2023

With the above az network bastion tunnel command it's not even possible to connect to a completely new VM that is behind an Azure bastion.

[14:21:47.943] > local-server-2> Running ssh connection command: "-v -T -D 58040 -o ConnectTimeout=15 xxx bash"
[14:21:47.946] > local-server-2> Spawned ssh, pid=19183
[14:21:47.954] stderr> OpenSSH_9.0p1, LibreSSL 3.3.6
[14:21:47.955] stderr> ssh: connect to host 127.0.0.1 port 2222: Connection refused
[14:21:47.955] > local-server-2> ssh child died, shutting down
[14:21:47.957] Local server exit: 0
[14:21:47.957] Received install output: local-server-2> Running ssh connection command: "-v -T -D 58040 -o ConnectTimeout=15 xxx bash"
local-server-2> Spawned ssh, pid=19183
OpenSSH_9.0p1, LibreSSL 3.3.6
ssh: connect to host 127.0.0.1 port 2222: Connection refused
local-server-2> ssh child died, shutting down

[14:21:47.958] Failed to parse remote port from server output
[14:21:47.958] Exec server for ssh-remote+xxx failed: Error
[14:21:47.958] Error opening exec server for ssh-remote+xxx: Error

@dunalduck0

Thanks for the solution. This is also what GCR recommended. It worked well for me until I wanted to add devcontainer into my project. All VsCode devcontainer commands failed with "SSH connection error", even the command to add a devcontainer configuration. I wonder if there is a fix for it.

> This is very important functionality given the big push towards Bastion. Any updates?
>
> For a temporary workaround, you can use the tunneling feature of Bastion to enable remote SSH. In this case, add the following to your $USERPROFILE\.ssh\config file:
>
> # Below is for vscode remote connection for Azure Bastion
> Host tunnel
>   HostName 127.0.0.1
>   Port 2222
>   User DOMAIN.login
>   StrictHostKeyChecking=No
>   UserKnownHostsFile=\\.\NUL
>
> Then use PowerShell to connect to the Bastion host in Azure:
>
> az network bastion tunnel --subscription SUBSCRIPTION_GUID --name BASTION_NAME --resource-group RESOURCE_GROUP --target-resource-id VM_ID --resource-port 22 --port 2222
>
> In VSCode, when you click on Connect to Host, you will see a host named tunnel, which should work as expected.
>
> Also see this: https://techcommunity.microsoft.com/t5/fasttrack-for-azure/accessing-aks-private-clusters-with-azure-bastion-and-vs-code/ba-p/3581367

@MRDGH2821

In #4553, I saw the config property ProxyJump.
So this allowed me to directly log in to the target VM, via bastion.

So I had to put in the password for the bastion first, then the VM, and I was good to go.

@dunalduck0

@MRDGH2821 is your post above regarding my question? I didn't fully understand what ProxyJump can do. Can you please be more specific? Thank you!

@MRDGH2821

> @MRDGH2821 is your post above regarding my question? I didn't fully understand what ProxyJump can do. Can you please be more specific? Thank you!

Oh sorry, I had been a little ambiguous.

At my workplace, I was given the IP addresses of 2 VMs, which are in Azure portal. One of them was Azure bastion.
I was told to connect first to Azure bastion and then the target VM.
No direct connection was possible to the VM.
In #4553 I saw the property ProxyJump which did enable me to jump into the target VM.

Now I realise that the issue presented here & my comment may be unrelated 😅

@dunalduck0

Thank you @MRDGH2821. I am glad you’ve got a solution to your problem. With your multi-hop connection, have you ever tried DevContainer feature in VsCode?

@MRDGH2821

> Thank you @MRDGH2821. I am glad you’ve got a solution to your problem. With your multi-hop connection, have you ever tried DevContainer feature in VsCode?

In the target VM protected behind bastion, I had set up a folder which has a subfolder .devcontainer.
I opened the folder in devcontainer once.

Then after reopening vscode -> welcome screen, I see my dev container.
I click on that, put in the passwords for bastion & target.
And done - I get into the dev container.

@PandyaDarshit

Is anyone working on this feature request? I would like to contribute to this.
