Commit 1c1afbc

author
Abdullah Bell
committed
adjusted article and added diagram.
1 parent fc0ed3f commit 1c1afbc

2 files changed

Lines changed: 77 additions & 75 deletions

articles/bastion/bastion-connect-vm-ssh-linux.md

Lines changed: 77 additions & 75 deletions
@@ -19,7 +19,7 @@ For native client connections using Azure CLI, see [Connect to a VM using a Linu
1919

2020
The following diagram shows the dedicated deployment architecture using an SSH connection.
2121

22-
:::image type="content" source="./media/create-host/host-architecture.png" alt-text="Diagram that shows the Azure Bastion architecture." lightbox="./media/create-host/host-architecture.png":::
22+
:::image type="content" source="./media/connect-vm-ssh-linux/host-architecture-ssh-linux.png" alt-text="Diagram that shows the Azure Bastion architecture." lightbox="./media/connect-vm-ssh-linux/host-architecture-ssh-linux.png":::
2323

2424
## Prerequisites
2525

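Review bot: The alt-text on new line 22 still reads "Diagram that shows the Azure Bastion architecture." although the source now points at `host-architecture-ssh-linux.png`, a diagram specific to this article. Consider making the alt-text say what this diagram shows, for example an SSH connection to a Linux VM through Bastion, so that it matches the sentence above the image ("using an SSH connection") and is distinguishable from the generic host-architecture image it replaces.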
@@ -63,85 +63,17 @@ The following table shows which authentication methods are available for each co
6363
| SSH private key from local file | Azure portal, IP address (portal), native client | Basic (portal), Standard (IP address, native client) |
6464
| SSH private key from Azure Key Vault | Azure portal | Basic |
6565

66-
## Connect to a virtual machine using SSH
67-
68-
Choose your connection method tab below to see the navigation steps for connecting to your VM. Then, configure your authentication settings using the details in the [Authentication details](#authentication-details) section. For available authentication methods per connection method, see the [authentication methods](#authentication-methods) table.
69-
70-
# [Azure portal](#tab/portal)
71-
72-
Use the Azure portal to create a browser-based SSH connection to your Linux virtual machine. This method connects directly through your browser. No native SSH client or additional software is required on your local computer. The [Basic SKU](bastion-sku-comparison.md) or higher is required, or the Standard SKU if you need custom ports.
73-
74-
1. In the [Azure portal](https://portal.azure.com), go to the virtual machine to which you want to connect. At the top of the virtual machine **Overview** page, select **Connect**, then select **Connect via Bastion** from the dropdown. This opens the **Bastion** page. You can also go to the Bastion page directly in the left pane.
75-
76-
1. On the **Bastion** page, the settings that you can configure depend on the Bastion [SKU](bastion-overview.md#sku) that your bastion host has been configured to use.
77-
78-
* If you're using a SKU higher than the Basic SKU, **Connection Settings** values (ports and protocols) are visible and can be configured.
79-
* If you're using the Basic SKU or Developer SKU, you can't configure **Connection Settings** values. Instead, your connection uses the following default settings: SSH and port 22.
80-
* To view and select an available **Authentication Type**, use the dropdown.
81-
82-
1. Configure your authentication settings. For configuration details, see [Authentication details](#authentication-details). Select **Connect**.
83-
84-
# [IP address (portal)](#tab/ip-address)
85-
86-
Use the Azure portal to create a browser-based SSH connection to your Linux virtual machine using a specified IP address. This method connects through your browser and doesn't require a native SSH client or additional software on your local computer. The Standard SKU or higher is required, and you must enable [IP-based connection](connect-ip-address.md).
87-
88-
#### Enable IP-based connection
89-
90-
Before you can connect using an IP address, you must enable IP-based connection on your Bastion deployment.
91-
92-
1. In the [Azure portal](https://portal.azure.com), go to your Bastion deployment.
93-
94-
1. On the **Configuration** page, for **Tier**, verify the SKU is set to the **Standard** SKU or higher. If the SKU is set to the Basic SKU, select a higher SKU from the dropdown.
95-
96-
1. Select **IP based connection**.
97-
98-
1. Select **Apply** to apply the changes. It takes a few minutes for the Bastion configuration to complete.
99-
100-
After IP-based connection is enabled, you specify the IP address of the target virtual machine directly on the Bastion **Connect** page, rather than selecting a virtual machine from the Azure portal.
101-
102-
#### Connect using an IP address
103-
104-
1. To connect to a virtual machine using a specified IP address, make the connection from Bastion, not directly from the virtual machine page. On your Bastion resource, select **Connect** to open the Connect page.
105-
106-
1. On the Bastion **Connect** page, for **IP address**, enter the IP address of the target virtual machine.
107-
108-
1. Adjust your connection settings to the desired **Protocol** (SSH) and **Port**.
109-
110-
1. Available authentication types for IP-based SSH connections from the portal are **Password** and **SSH Private Key from Local File**. Configure your authentication settings. For configuration details, see [Authentication details](#authentication-details). Select **Connect**.
111-
112-
> [!NOTE]
113-
> Microsoft Entra ID authentication isn't supported for IP-based SSH connections. For more information, see [IP-based connections](connect-ip-address.md).
114-
115-
# [Native client](#tab/native-client)
116-
117-
Connect to your Linux virtual machine from a local computer using Azure CLI (`az network bastion ssh`). This method requires the [Standard SKU](bastion-sku-comparison.md) or higher with [native client support configured](native-client.md).
118-
119-
:::image type="content" source="./media/native-client/native-client-architecture.png" alt-text="Diagram shows a connection via native client." lightbox="./media/native-client/native-client-architecture.png":::
120-
121-
[!INCLUDE [VM connect prerequisites](../../includes/bastion-native-pre-vm-connect.md)]
122-
123-
[!INCLUDE [roles and ports](../../includes/bastion-native-roles-ports.md)]
124-
125-
For complete steps to connect using the native client, see [Connect to a VM using Bastion and a Linux native client](connect-vm-native-client-linux.md).
126-
127-
For supported authentication types, see [Authentication details](#authentication-details).
128-
129-
> [!NOTE]
130-
> Signing in using an SSH private key stored in Azure Key Vault isn't supported with native client connections. Before signing in to your Linux VM using an SSH key pair, download your private key to a file on your local machine.
131-
132-
---
133-
13466
## Authentication details
13567

13668
Configure the authentication settings for your connection. Not all authentication methods are available for every connection method. See the [authentication methods](#authentication-methods) table for availability.
13769

138-
### Microsoft Entra ID
70+
# [Microsoft Entra ID](#tab/entra-id)
13971

14072
**Available for:** Azure portal, native client. Not supported for IP-based connections.
14173

14274
For prerequisites, setup steps, and connection instructions, see [Configure Microsoft Entra ID authentication for Azure Bastion](bastion-entra-id-authentication.md).
14375

144-
### Username and password
76+
# [Username and password](#tab/password)
14577

14678
**Available for:** Azure portal, IP address (portal), native client.
14779

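Review bot: Moving the connection section out of old lines 66-132 puts "Authentication details" first, so each tab's **Available for:** line (for example "Azure portal, native client." under Microsoft Entra ID) now relies on connection methods that are only named in the table above and not explained until after Key Vault configuration. Either keep "Connect to a virtual machine using SSH" ahead of "Authentication details", or add a sentence to the Authentication details intro that points to the connection section. Also, converting `### Microsoft Entra ID` and `### Username and password` into tabs removes their heading anchors, so check for inbound links to those anchors before merging.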
@@ -155,7 +87,7 @@ To authenticate using a username and password, configure the following settings.
15587

15688
When connecting via the portal, select **Open in new browser tab** if desired, then select **Connect**.
15789

158-
### Password from Azure Key Vault
90+
# [Password from Azure Key Vault](#tab/keyvault-password)
15991

16092
**Available for:** Azure portal only.
16193

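Review bot: Now that "Password from Azure Key Vault" (new line 90) is a sibling tab of the other methods, its **Available for:** line says only "Azure portal only." while the SSH private key from Azure Key Vault tab spells out "Not supported for native client or IP-based connections." Consider using the same wording in both Key Vault tabs so readers switching between tabs do not read the shorter line as a weaker restriction.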
@@ -173,7 +105,7 @@ For Key Vault setup requirements, see [Key Vault configuration](#key-vault-confi
173105

174106
Select **Open in new browser tab** if desired, then select **Connect**.
175107

176-
### SSH private key from local file
108+
# [SSH private key from local file](#tab/ssh-key-local)
177109

178110
**Available for:** Azure portal, IP address (portal), native client.
179111

@@ -191,7 +123,7 @@ To authenticate using a private key from a local file, configure the following s
191123

192124
When connecting via the portal, select **Open in new browser tab** if desired, then select **Connect**.
193125

194-
### SSH private key from Azure Key Vault
126+
# [SSH private key from Azure Key Vault](#tab/ssh-key-keyvault)
195127

196128
**Available for:** Azure portal only. Not supported for native client or IP-based connections.
197129

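Review bot: The tab id on new line 126, `ssh-key-keyvault`, puts the store last, while the password tab added earlier in this patch uses `keyvault-password` with the store first. Pick one ordering for the two Key Vault tabs (for example `password-keyvault` and `ssh-key-keyvault`) so the ids stay predictable if they are linked to.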
@@ -211,14 +143,84 @@ For Key Vault setup requirements, see [Key Vault configuration](#key-vault-confi
211143

212144
Select **Open in new browser tab** if desired, then select **Connect**.
213145

214-
## Key Vault configuration
146+
---
147+
148+
### Key Vault configuration
215149

216150
If you're using Azure Key Vault to store a password or SSH private key, configure your Key Vault using the following requirements:
217151

218152
* If you didn't set up an Azure Key Vault resource, see [Create a key vault](/azure/key-vault/secrets/quick-create-powershell) and store your secret (password or SSH private key) as the value of a new Key Vault secret.
219153
* Make sure you have **List** and **Get** access to the secrets stored in the Key Vault resource. To assign and modify access policies for your Key Vault resource, see [Assign a Key Vault access policy](/azure/key-vault/general/assign-access-policy-portal).
220154
* Store your secret in Azure Key Vault using the **PowerShell** or **Azure CLI** experience. Storing your secret via the Azure Key Vault portal experience interferes with the formatting and results in unsuccessful login. If you stored your private key as a secret using the portal experience and no longer have access to the original private key file, see [Update SSH key](/azure/virtual-machines/extensions/vmaccess-linux#update-ssh-key) to update access to your target VM with a new SSH key pair.
221155

156+
## Connect to a virtual machine using SSH
157+
158+
Choose your connection method tab below to see the navigation steps for connecting to your VM. For available authentication methods per connection method, see the [authentication methods](#authentication-methods) table.
159+
160+
# [Azure portal](#tab/portal)
161+
162+
Use the Azure portal to create a browser-based SSH connection to your Linux virtual machine. This method connects directly through your browser. No native SSH client or additional software is required on your local computer. The [Basic SKU](bastion-sku-comparison.md) or higher is required, or the Standard SKU if you need custom ports.
163+
164+
1. In the [Azure portal](https://portal.azure.com), go to the virtual machine to which you want to connect. At the top of the virtual machine **Overview** page, select **Connect**, then select **Connect via Bastion** from the dropdown. This opens the **Bastion** page. You can also go to the Bastion page directly in the left pane.
165+
166+
1. On the **Bastion** page, the settings that you can configure depend on the Bastion [SKU](bastion-overview.md#sku) that your bastion host has been configured to use.
167+
168+
* If you're using a SKU higher than the Basic SKU, **Connection Settings** values (ports and protocols) are visible and can be configured.
169+
* If you're using the Basic SKU or Developer SKU, you can't configure **Connection Settings** values. Instead, your connection uses the following default settings: SSH and port 22.
170+
* To view and select an available **Authentication Type**, use the dropdown.
171+
172+
1. Configure your authentication settings. For details, see [Authentication details](#authentication-details). Select **Connect**.
173+
174+
# [IP address (portal)](#tab/ip-address)
175+
176+
Use the Azure portal to create a browser-based SSH connection to your Linux virtual machine using a specified IP address. This method connects through your browser and doesn't require a native SSH client or additional software on your local computer. The Standard SKU or higher is required, and you must enable [IP-based connection](connect-ip-address.md).
177+
178+
#### Enable IP-based connection
179+
180+
Before you can connect using an IP address, you must enable IP-based connection on your Bastion deployment.
181+
182+
1. In the [Azure portal](https://portal.azure.com), go to your Bastion deployment.
183+
184+
1. On the **Configuration** page, for **Tier**, verify the SKU is set to the **Standard** SKU or higher. If the SKU is set to the Basic SKU, select a higher SKU from the dropdown.
185+
186+
1. Select **IP based connection**.
187+
188+
1. Select **Apply** to apply the changes. It takes a few minutes for the Bastion configuration to complete.
189+
190+
After IP-based connection is enabled, you specify the IP address of the target virtual machine directly on the Bastion **Connect** page, rather than selecting a virtual machine from the Azure portal.
191+
192+
#### Connect using an IP address
193+
194+
1. To connect to a virtual machine using a specified IP address, make the connection from Bastion, not directly from the virtual machine page. On your Bastion resource, select **Connect** to open the Connect page.
195+
196+
1. On the Bastion **Connect** page, for **IP address**, enter the IP address of the target virtual machine.
197+
198+
1. Adjust your connection settings to the desired **Protocol** (SSH) and **Port**.
199+
200+
1. Available authentication types for IP-based SSH connections from the portal are **Password** and **SSH Private Key from Local File**. Configure your authentication settings. For details, see [Authentication details](#authentication-details). Select **Connect**.
201+
202+
> [!NOTE]
203+
> Microsoft Entra ID authentication isn't supported for IP-based SSH connections. For more information, see [IP-based connections](connect-ip-address.md).
204+
205+
# [Native client](#tab/native-client)
206+
207+
Connect to your Linux virtual machine from a local computer using Azure CLI (`az network bastion ssh`). This method requires the [Standard SKU](bastion-sku-comparison.md) or higher with [native client support configured](native-client.md).
208+
209+
:::image type="content" source="./media/native-client/native-client-architecture.png" alt-text="Diagram shows a connection via native client." lightbox="./media/native-client/native-client-architecture.png":::
210+
211+
[!INCLUDE [VM connect prerequisites](../../includes/bastion-native-pre-vm-connect.md)]
212+
213+
[!INCLUDE [roles and ports](../../includes/bastion-native-roles-ports.md)]
214+
215+
For complete steps to connect using the native client, see [Connect to a VM using Bastion and a Linux native client](connect-vm-native-client-linux.md).
216+
217+
For supported authentication types, see [Authentication details](#authentication-details).
218+
219+
> [!NOTE]
220+
> Signing in using an SSH private key stored in Azure Key Vault isn't supported with native client connections. Before signing in to your Linux VM using an SSH key pair, download your private key to a file on your local machine.
221+
222+
---
223+
222224
## Limitations
223225

224226
* **IP-based connections:** IP-based connection doesn't work with force tunneling over VPN, or when a default route is advertised over an ExpressRoute circuit. Azure Bastion requires access to the internet. Force tunneling or default route advertisement results in traffic being dropped.
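
Review bot: The native client note re-added at new line 220 tells readers to download the private key to a file on the local machine but gives no guidance on protecting that file. Since the section is being moved anyway, consider adding a sentence that the key file should be readable only by the current user and removed once it is no longer needed. The same applies to the context bullet at line 153 of the new file, which asks for **List** and **Get** access to secrets; a short pointer that this access should be scoped to the vault holding the Bastion credentials would fit here.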