Connect using SSH to a Linux virtual machine using Azure Bastion

This article shows you how to securely and seamlessly SSH to your Linux VMs in an Azure virtual network. You can connect to a VM directly from the Azure portal. When using Azure Bastion, VMs don't require a client, agent, or additional software. For more information about Azure Bastion, see the Overview.

You can use Azure Bastion to connect to a Linux virtual machine using SSH. You can authenticate with either a username and password or an SSH key. You can connect to your VM with SSH keys by using either:

  • A private key that you manually enter
  • A file that contains the private key information

The SSH private key must be in a format that begins with "-----BEGIN RSA PRIVATE KEY-----" and ends with "-----END RSA PRIVATE KEY-----".
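A pre-flight check for the key format stated above, as an added example that is not part of the original article: it classifies a key file by its first and last lines and can write a converted copy. The function names are hypothetical, and the conversion step assumes OpenSSH's ssh-keygen is installed.

```shell
#!/bin/sh
# Added example (not from the original article): classify a private key file
# by the header/footer that the article says Bastion requires.

BEGIN_MARK='-----BEGIN RSA PRIVATE KEY-----'
END_MARK='-----END RSA PRIVATE KEY-----'

# Print the first and last non-empty lines of FILE, with CR characters removed
# so a key saved with Windows line endings is still recognised.
key_edges() {
    tr -d '\r' < "$1" |
        awk 'NF { if (first == "") first = $0; last = $0 }
             END { print first; print last }'
}

# Print one of: rsa-pem, truncated, openssh, other, unreadable.
key_format() {
    { [ -f "$1" ] && [ -r "$1" ]; } || { echo unreadable; return 0; }
    edges=$(key_edges "$1")
    first=$(printf '%s\n' "$edges" | sed -n 1p)
    last=$(printf '%s\n' "$edges" | sed -n 2p)
    case "$first" in
        "$BEGIN_MARK")
            if [ "$last" = "$END_MARK" ]; then echo rsa-pem; else echo truncated; fi ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh ;;
        *) echo other ;;
    esac
}

# Write a PEM copy of SRC ($1) to OUT ($2) and confirm it has the RSA markers.
# ssh-keygen -p rewrites its -f file in place, so the original is copied first
# (umask 077 keeps the copy private). ssh-keygen prompts for the old and new
# passphrase; a non-RSA key will not gain the RSA header, so the check fails.
pem_copy() {
    ( umask 077 && cp "$1" "$2" ) || return 1
    ssh-keygen -p -m PEM -f "$2" || { rm -f "$2"; return 1; }
    [ "$(key_format "$2")" = rsa-pem ]
}

# Usage: sh keycheck.sh ~/.ssh/id_rsa
if [ "$#" -gt 0 ]; then key_format "$1"; fi
```

A result of `openssh` means the key is in the newer OpenSSH container format; `pem_copy` writes a converted copy and leaves the original file unchanged.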

Prerequisites

Make sure that you have set up an Azure Bastion host for the virtual network in which the VM resides. For more information, see Create an Azure Bastion host. Once the Bastion service is provisioned and deployed in your virtual network, you can use it to connect to any VM in this virtual network.

When you use Bastion to connect, it assumes that you are using RDP to connect to a Windows VM, and SSH to connect to your Linux VMs. For information about connecting to a Windows VM, see Connect to a VM - Windows.

Required roles

In order to make a connection, the following roles are required:

  • Reader role on the virtual machine
  • Reader role on the NIC with private IP of the virtual machine
  • Reader role on the Azure Bastion resource

Ports

In order to connect to the Linux VM via SSH, you must have the following ports open on your VM:

  • Inbound port: SSH (22)

Connect: Using username and password

  1. Open the Azure portal. Navigate to the virtual machine that you want to connect to, then click Connect and select Bastion from the dropdown.


  2. After you select Bastion, click Use Bastion. If you didn't provision Bastion for the virtual network, see Configure Bastion.

  3. On the Connect using Azure Bastion page, enter the Username and Password.


  4. Select Connect to connect to the VM.

Connect: Manually enter a private key

  1. Open the Azure portal. Navigate to the virtual machine that you want to connect to, then click Connect and select Bastion from the dropdown.


  2. After you select Bastion, click Use Bastion. If you didn't provision Bastion for the virtual network, see Configure Bastion.

  3. On the Connect using Azure Bastion page, enter the Username and select SSH Private Key.


  4. Enter your private key into the SSH Private Key text area (or paste it directly).

  5. Select Connect to connect to the VM.

Connect: Using a private key file

  1. Open the Azure portal. Navigate to the virtual machine that you want to connect to, then click Connect and select Bastion from the dropdown.


  2. After you select Bastion, click Use Bastion. If you didn't provision Bastion for the virtual network, see Configure Bastion.

  3. On the Connect using Azure Bastion page, enter the Username and select SSH Private Key from Local File.


  4. Browse for the file, then select Open.

  5. Select Connect to connect to the VM. Once you click Connect, the SSH session to this virtual machine opens directly in the Azure portal. This connection is over HTML5 using port 443 on the Bastion service over the private IP of your virtual machine.

Connect: Using a private key stored in Azure Key Vault

Note

The portal update for this feature is currently rolling out to regions.

  1. Open the Azure portal. Navigate to the virtual machine that you want to connect to, then click Connect and select Bastion from the dropdown.


  2. After you select Bastion, click Use Bastion. If you didn't provision Bastion for the virtual network, see Configure Bastion.

  3. On the Connect using Azure Bastion page, enter the Username and select SSH Private Key from Azure Key Vault.


  4. Select the Azure Key Vault dropdown and select the resource in which you stored your SSH private key. If you didn’t set up an Azure Key Vault resource, see Create a key vault and store your SSH private key as the value of a new Key Vault secret.


    Make sure you have List and Get access to the secrets stored in the Key Vault resource. To assign and modify access policies for your Key Vault resource, see Assign a Key Vault access policy.

  5. Select the Azure Key Vault Secret dropdown and select the Key Vault secret containing the value of your SSH private key.

  6. Select Connect to connect to the VM. Once you click Connect, the SSH session to this virtual machine opens directly in the Azure portal. This connection is over HTML5 using port 443 on the Bastion service over the private IP of your virtual machine.
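One way to prepare the Key Vault side of this procedure from the Azure CLI, as an added example that is not part of the original article: it stores the key file as a secret and grants a user only the Get and List secret permissions named in step 4. The function names and all vault, secret and user values are hypothetical placeholders, and the vault is assumed to use access policies rather than Azure RBAC.

```shell
#!/bin/sh
# Added example (not from the original article). Vault, secret and user names
# are placeholders supplied by the caller.

# Store the private key file as the value of a Key Vault secret.
# --file keeps the key off the command line (shell history, process list),
# which --value would not; --output none suppresses the CLI's JSON response.
store_key_secret() {
    vault=$1; secret=$2; keyfile=$3
    # Refuse files that do not start with the header the article requires.
    head -n 1 "$keyfile" | tr -d '\r' |
        grep -qxF -e '-----BEGIN RSA PRIVATE KEY-----' || {
            echo "refusing: $keyfile lacks the RSA PRIVATE KEY header" >&2
            return 2
        }
    az keyvault secret set --vault-name "$vault" --name "$secret" \
        --file "$keyfile" --encoding utf-8 --output none
}

# Grant a user only the two secret permissions the article names: Get and List.
grant_secret_read() {
    vault=$1; upn=$2
    az keyvault set-policy --name "$vault" --upn "$upn" \
        --secret-permissions get list --output none
}

# Usage (placeholder values):
#   store_key_secret <vault-name> <secret-name> ./bastion_key.pem
#   grant_secret_read <vault-name> <user@example.com>
```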

Next steps

For more information about Azure Bastion, see the Bastion FAQ.