Unlocking Remote Access on Azure Arc
Secure SSH and RDP Connections in PowerShell and Azure Cloud Shell
Now that we've onboarded a server to Azure Arc, the first thing I want to do is add the ability to control it remotely over either SSH or RDP. The nice thing about doing this through Azure Arc is that the connection is brokered by Azure: the Arc agent already keeps an outbound HTTPS connection to Azure, so you don't open any inbound ports or firewall exceptions or tunnel through a VPN, and you can connect from anywhere your Microsoft account is permitted to sign in from. Two things gate that connection: your account has to pass any Conditional Access policies, and it has to hold Azure RBAC permissions on the Arc machine resource itself, on top of knowing a valid local credential for the server. And you NEED Conditional Access restrictions if you're going to rely on identity as your perimeter. More on this in a future article.
Install the SSH Extension
First, we need to add SSH to your Azure Arc machine. To do this, log in to your Azure portal and go to the Azure Arc —> Machines page (azhybridcompute.cmd.ms) and click on the name of the machine you want to access. For me, it’s WIN-B6G313GKDVH. (Note: I renamed this to Lab-Server-01, so you may see that referenced in the device property screenshots and at the CLI for that server.)
After selecting your machine, go to the Extensions page.
From the Extensions page, search for and select OpenSSH for Windows - Azure Arc, click Next to start the wizard, and then click Create.
You should then get a message that Deployment is in progress:
After a few minutes, it should update to Your deployment is complete.
Cloud Shell or Local PowerShell?
At this point, we have a choice in how we connect to the remote Arc machine. We can either connect through PowerShell and the Azure CLI installed on our local machine, or we can use the Cloud Shell available inside Azure. We'll look at both, but the local PowerShell route has the richer feature set (it's the only one that supports RDP), so we'll start there.
PowerShell
Locally Installing the Azure CLI
First, you'll need to install the Azure CLI for Windows. The installer and instructions are available from Microsoft here, but if you love winget like I do, this is the easiest option. Run this command from Terminal as admin (elevation is needed for the install itself, not for using az afterwards):
winget install -e --id Microsoft.AzureCLI
After installing the Azure CLI, you can use it from a normal PowerShell prompt in the PowerShell app, PowerShell ISE, or Windows Terminal. The elevated prompt was only needed for the winget install; az itself, including az ssh arc and the RDP tunnel later in this article, runs fine from a standard, non-elevated prompt, so use one for the rest of this and keep admin sessions for when they are actually required.
Note: There have been times when I've installed the Azure CLI and had to close the Terminal app and reopen it before PowerShell recognized az. If you get the red error that “az is not recognized as the name of a cmdlet,” the usual cause is that a shell opened before the install hasn't picked up the updated PATH (the Azure CLI is a standalone az executable, not the separate Az PowerShell module): grab a coffee, close Terminal, and try again. Reboot if that doesn't do the trick.
Login to Azure
Next, login to Azure with the command:
az login
You’ll then be prompted for interactive sign in to either choose an M365 account that you’re already signed in with, or sign in with a different one like below:
After logging in, you’ll be prompted to select the applicable Azure subscription. If you don’t do much in Azure, there will likely be only one option, and you can hit enter to accept it. If there are multiple Azure subscriptions, be sure to select the right one so you can access the right resources.
If you’re not sure of the subscription, you can go to the Azure Arc —> Machines page in Azure and the subscription will be listed next to your machine.
Connecting to the Azure Arc Machine Remotely
If everything has worked as expected, we can now SSH into our Arc machine with a single command in PowerShell. You'll need the name of the Resource Group (AzureArc, in this case), the Arc machine's resource name (mine is WIN-B6G3I3GKDVH), and the local account you'll log in as (I'm using the built-in Administrator account here for simplicity; for anything beyond a lab, prefer a named admin account and key-based authentication, which az ssh arc supports through its --private-key-file option instead of a password):
az ssh arc --resource-group AzureArc --name WIN-B6G3I3GKDVH --local-user Administrator
If the Azure CLI's ssh extension (the client-side piece, separate from the OpenSSH extension you deployed to the Arc machine) isn't installed locally yet, you'll be prompted to install it the first time you run the command above. You'll then be asked to accept the machine's host key fingerprint, and after that for the user's password. Treat the fingerprint prompt as a real check rather than a formality: the relay gets you to a machine, but the host key is what proves it is the machine you expect, so on first connection compare the fingerprint with the server's own host key before answering yes. After that, you should arrive at a prompt on that machine, and you can execute commands. In my case, I'm running the command from my home computer and it's executing on a VM server in our dev lab at the office, a 10-minute drive away, with no VPN, tunnel, or firewall exceptions in place. As the Zero Trust mantra goes, my identity is the perimeter.
RDP Access
SSH access is great, but if we want to take it a step further, we can also use RDP to interact with the server graphically. The same command does it with one extra switch; the CLI opens a local tunnel over the Arc relay and launches the Remote Desktop client against it. (Be sure to leave the SSH session first with the command exit):
az ssh arc --resource-group AzureArc --name WIN-B6G3I3GKDVH --local-user Administrator --rdp
You’ll be prompted to enter the credentials for that machine twice… once in your Terminal, and once in a Windows Security popup.
After entering the credentials (and clicking yes on the “Are you sure you want to connect” popup, which is the Remote Desktop client's certificate warning: it appears because you are connecting to the local tunnel endpoint rather than to the server's own name), I'm now remotely accessing the Desktop of my Azure Arc machine from the comfort of my home:
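The steps above, from checking the local tooling through to the SSH or RDP connection, collected into one script. This is an added example, not code from the original article or from Microsoft; it assumes the resource group AzureArc, the machine Lab-Server-01 and the local user Administrator from this walkthrough, and it additionally assumes the OpenSSH extension's type name WindowsOpenSSH, the ARM api-version 2022-12-27 and the default Windows OpenSSH host-key path, none of which the article states.

```powershell
<#
  Added example (not from the original article). Preflight checks plus the SSH/RDP
  connection to an Arc-enabled Windows server, following the steps above.
  Assumptions not stated in the article: extension type 'WindowsOpenSSH',
  ARM api-version 2022-12-27, host-key path C:\ProgramData\ssh on the server.
#>
param(
    [string]$ResourceGroup = 'AzureArc',
    [string]$MachineName   = 'Lab-Server-01',
    [string]$LocalUser     = 'Administrator',
    [string]$Subscription  = '',   # optional subscription name or ID
    [string]$PrivateKey    = '',   # optional SSH private key path (preferred over a password)
    [switch]$Rdp                   # tunnel RDP over the same relay instead of an SSH shell
)

# 1. The Azure CLI and a local OpenSSH client must both be on PATH. A shell opened before
#    the install still has the old PATH, which is the usual cause of "az is not recognized".
foreach ($tool in 'az', 'ssh') {
    if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
        Write-Error "'$tool' was not found on PATH. Install it or open a new terminal window."
        exit 1
    }
}

# 2. The CLI's 'ssh' extension (which provides 'az ssh arc') is separate from the
#    OpenSSH extension deployed onto the Arc machine through the portal.
if (-not (az extension list --query "[?name=='ssh'].name" -o tsv)) {
    az extension add --name ssh
}

# 3. Reuse an existing login; only prompt when there is no usable account context.
$null = az account show --only-show-errors 2>$null
if ($LASTEXITCODE -ne 0) { az login }
if ($Subscription) { az account set --subscription $Subscription }

# 4. Verify the OpenSSH extension on the Arc machine finished deploying before connecting.
#    'az rest' substitutes {subscriptionId} with the active subscription and prefixes the
#    ARM endpoint, so this needs only the RBAC you already hold on the machine resource.
$url = "/subscriptions/{subscriptionId}/resourceGroups/$ResourceGroup/providers/" +
       "Microsoft.HybridCompute/machines/$MachineName/extensions?api-version=2022-12-27"
$raw = az rest --method get --url $url | Out-String
if ($LASTEXITCODE -ne 0) {
    Write-Error "Could not read extensions for $MachineName (check the names and your RBAC)."
    exit 1
}
$sshExt = ($raw | ConvertFrom-Json).value | Where-Object { $_.properties.type -eq 'WindowsOpenSSH' }
if (-not $sshExt) {
    Write-Error "No OpenSSH extension on $MachineName. Deploy 'OpenSSH for Windows - Azure Arc' first."
    exit 1
}
if ($sshExt.properties.provisioningState -ne 'Succeeded') {
    Write-Error "OpenSSH extension state is '$($sshExt.properties.provisioningState)'; wait for 'Succeeded'."
    exit 1
}

# 5. Connect. On first use az asks to allow port 22 in the machine's Arc service configuration
#    (an Azure-side relay setting, not a firewall rule) and shows the host key fingerprint.
#    Before answering yes, compare that fingerprint with the one printed ON THE SERVER by:
#        ssh-keygen -lf C:\ProgramData\ssh\ssh_host_ed25519_key.pub   (or the ecdsa/rsa key)
$azArgs = @('ssh', 'arc', '--resource-group', $ResourceGroup, '--name', $MachineName, '--local-user', $LocalUser)
if ($PrivateKey) { $azArgs += @('--private-key-file', $PrivateKey) }
if ($Rdp)        { $azArgs += '--rdp' }
& az @azArgs
```

Run it as .\Connect-ArcServer.ps1 for a shell, or with -Rdp for the desktop, from a non-elevated prompt. If you pass -PrivateKey, the matching public key has to be on the server first: for members of the local Administrators group, Windows OpenSSH reads C:\ProgramData\ssh\administrators_authorized_keys by default rather than the user's own .ssh\authorized_keys.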
Opening the Cloud Shell
If you're in a position where you need to use Cloud Shell, the process is a little simpler, but it can't do RDP. To begin, open Cloud Shell by clicking the Cloud Shell (terminal) icon in the top bar from anywhere in Azure. If you haven't run Cloud Shell before, you'll be prompted to pick a default shell. We're going to pick PowerShell.
If this is your first time launching Cloud Shell, you'll also be prompted to pick a storage account. Mounting storage lets saved files and installed tools persist across sessions; if you want that, choose Mount storage account, and you'll then be prompted to either select an existing storage account or create one. For this tutorial you don't have to set up a storage account, but it's worthwhile. I selected Mount storage account and let Azure create one for me. Keep in mind that anything you save in that shell, SSH private keys included, lives in that storage account, so scope access to it accordingly.
After the deployment completes, you should see a PowerShell prompt like below:
The easy part about using Cloud Shell is that since you're launching it from inside Azure, you're already signed in and don't need to run az login. All you have to do after launching Cloud Shell is enter the command below, substituting your server name, resource group name, and user name:
az ssh arc --resource-group AzureArc --name WIN-B6G313GKDVH --local-user Administrator
If this is the first time az ssh arc has been used against this machine, you'll be prompted to allow connections on port 22 for SSH. This updates the machine's Arc connectivity service configuration in Azure (the port the Arc relay is permitted to forward to on the machine); it is not a firewall rule on the server and it does not expose anything inbound from the internet. Answer y to allow:
After running the command and allowing port 22, you should then get a prompt on your remote machine inside of the Cloud Shell like below. You’re now remotely controlling your server from the CLI!
The main limitation to using the Cloud Shell method is that it only works for SSH. If you run the RDP command like we did in PowerShell, you’ll get an error that the Cloud Shell is an unsupported platform:
In Conclusion
And just like that, you have two methods for remotely accessing a single Azure Arc machine. This is useful for real-life server management, but everything in this article is also doable in a homelab for free. Over the next few articles, we'll also explore managing Arc servers through Windows Admin Center, as well as automating server updates with Azure Update Manager.