Connect to a VM using a native client

This article helps you configure your Bastion deployment, and then connect to a VM in the VNet using the native client (SSH or RDP) on your local computer. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include a local SSH key pair and Azure Active Directory (Azure AD). With this feature, you can also upload or download files, depending on the connection type and client.

Your capabilities on the VM when connecting via a native client are dependent on what is enabled on the native client. Controlling access to features such as file transfer via Bastion isn't supported.

Note

This configuration requires the Standard SKU tier for Azure Bastion.

There are two different sets of connection instructions.

  • Connect to a VM from the native client on a Windows local computer. This lets you do the following:

    • Connect using SSH or RDP.
    • Upload and download files over RDP.
    • If you want to connect using SSH and need to upload files to your target VM, use the az network bastion tunnel command instead.
  • Connect to a VM using the az network bastion tunnel command. This lets you do the following:

    • Use native clients on non-Windows local computers (example: a Linux PC).
    • Use the native client of your choice. (This includes the Windows native client.)
    • Connect using SSH or RDP.
    • Set up concurrent VM sessions with Bastion.
    • Upload files to your target VM from your local computer. File download from the target VM to the local client is currently not supported for this command.

Currently, this feature has the following limitation:

  • Signing in using an SSH private key stored in Azure Key Vault isn’t supported with this feature. Before signing in to your Linux VM using an SSH key pair, download your private key to a file on your local machine.

Prerequisites

Before you begin, verify that you have the following prerequisites:

Configure Bastion

You can either modify an existing Bastion deployment, or deploy Bastion to a virtual network.

To modify an existing Bastion deployment

If you have already deployed Bastion to your VNet, modify the following configuration settings:

  1. Navigate to the Configuration page for your Bastion resource. Verify that the SKU is Standard. If it isn't, change it to Standard from the dropdown.

  2. Check the box for Native Client Support and apply your changes.

    Settings for updating an existing host with Native Client Support box selected.

To deploy Bastion to a VNet

If you haven't already deployed Bastion to your VNet, deploy Bastion. When configuring Bastion, specify the following settings:

  1. On the Basics tab, for Instance Details -> Tier select Standard to deploy Bastion using the Standard SKU.

    Settings for a new bastion host with Standard SKU selected.

  2. On the Advanced tab, check the box for Native Client Support.

    Settings for a new bastion host with Native Client Support box selected.

Verify roles and ports

Verify that the following roles and ports are configured in order to connect.

Required roles

  • Reader role on the virtual machine.

  • Reader role on the NIC with private IP of the virtual machine.

  • Reader role on the Azure Bastion resource.

  • Virtual Machine Administrator Login or Virtual Machine User Login role, if you’re using the Azure AD sign-in method. You only need to do this if you're enabling Azure AD login using the processes outlined in one of these articles:

Ports

To connect to a Linux VM using native client support, you must have the following ports open on your Linux VM:

  • Inbound port: SSH (22) or
  • Inbound port: Custom value (you’ll then need to specify this custom port when you connect to the VM via Azure Bastion)

To connect to a Windows VM using native client support, you must have the following ports open on your Windows VM:

  • Inbound port: RDP (3389) or
  • Inbound port: Custom value (you’ll then need to specify this custom port when you connect to the VM via Azure Bastion)
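
As an added example (not part of this article or the Azure CLI), the following script checks the roles listed under Required roles above for a given user, reading role assignments as tab-separated roleDefinitionName/scope rows on stdin; the has_role and check_required_roles helpers and the AAD_LOGIN switch are this example's own, and an assignment inherited from the resource group or subscription is treated as covering the resource.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure docs): verify that a user holds the roles the
# article requires before attempting a native-client connection. Input rows are
# "roleDefinitionName<TAB>scope" lines, which the Azure CLI produces with:
#   az role assignment list --all --include-inherited --assignee <user-or-objectId> \
#       --query "[].[roleDefinitionName, scope]" -o tsv
set -eu

# True if a row grants <role> on <resourceId> directly or at a parent scope
# (resource group or subscription), comparing scopes case-insensitively.
has_role() {
  local role=$1 want name scope
  want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  while IFS="$(printf '\t')" read -r name scope; do
    [ "$name" = "$role" ] || continue
    scope=$(printf '%s' "$scope" | tr '[:upper:]' '[:lower:]')
    case "$want" in "$scope"|"$scope"/*) return 0 ;; esac
  done
  return 1
}

# check_required_roles <VMResourceId> <NICResourceId> <BastionResourceId>
# Reads the rows from stdin, prints each missing role, returns 1 if anything is missing.
# With AAD_LOGIN=1 it also requires one of the two Azure AD login roles on the VM.
check_required_roles() {
  local vm=$1 nic=$2 bastion=$3 rows pair role id missing=0
  rows=$(cat)
  for pair in "Reader|$vm" "Reader|$nic" "Reader|$bastion"; do
    role=${pair%%|*}; id=${pair#*|}
    if ! printf '%s\n' "$rows" | has_role "$role" "$id"; then
      echo "missing: $role on $id"; missing=1
    fi
  done
  if [ "${AAD_LOGIN:-0}" = 1 ]; then
    if ! printf '%s\n' "$rows" | has_role "Virtual Machine Administrator Login" "$vm" && \
       ! printf '%s\n' "$rows" | has_role "Virtual Machine User Login" "$vm"; then
      echo "missing: Virtual Machine Administrator Login or Virtual Machine User Login on $vm"
      missing=1
    fi
  fi
  return "$missing"
}
```

Pipe the az role assignment list output into check_required_roles with the three resource ids; a non-zero exit and the printed lines tell you exactly which Reader assignment is absent.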

Connect - Windows native client

This section helps you connect to your virtual machine from the native client on a local Windows computer. If you want to upload and download files after connecting, you must use an RDP connection. For more information about file transfers, see Upload or download files.

Use the example that corresponds to the type of target VM to which you want to connect.

Connect to a Windows VM

  1. Sign in to your Azure account. If you have more than one subscription, select the subscription containing your Bastion resource.

    az login
    az account list
    az account set --subscription "<subscription ID>"
    
  2. Sign in to your target Windows VM using one of the following example options. If you want to specify a custom port value, also include the --resource-port parameter in the sign-in command.

    RDP:

    To connect via RDP, use the following command. You’ll then be prompted to input your credentials. You can use either a local username and password, or your Azure AD credentials. For more information, see Azure Windows VMs and Azure AD.

    az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>"
    

    SSH:

    The SSH extension can be installed by running az extension add --name ssh. To sign in using an SSH key pair, use the following example.

    az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"
    
  3. Once you sign in to your target VM, the native client on your computer opens with your VM session: MSTSC for RDP sessions, and the SSH CLI extension (az ssh) for SSH sessions.

Connect to a Linux VM

  1. Sign in to your Azure account. If you have more than one subscription, select the subscription containing your Bastion resource.

    az login
    az account list
    az account set --subscription "<subscription ID>"
    
  2. Sign in to your target Linux VM using one of the following example options. If you want to specify a custom port value, also include the --resource-port parameter in the sign-in command.

    Azure AD:

    If you’re signing in to an Azure AD login-enabled VM, use the following command. For more information, see Azure Linux VMs and Azure AD.

    az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "AAD"
    

    SSH:

    The SSH extension can be installed by running az extension add --name ssh. To sign in using an SSH key pair, use the following example.

    az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"
    

    Username/password:

    If you’re signing in using a local username and password, use the following command. You’ll then be prompted for the password for the target VM.

    az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "password" --username "<Username>"
    
  3. Once you sign in to your target VM, the native client on your computer opens with your VM session: MSTSC for RDP sessions, and the SSH CLI extension (az ssh) for SSH sessions.

Connect - other native clients

This section helps you connect to your virtual machine from native clients on non-Windows local computers (example: a Linux PC) using the az network bastion tunnel command. You can also connect using this method from a Windows computer. This is helpful when you require an SSH connection and want to upload files to your VM.

This connection supports file upload from the local computer to the target VM. For more information, see Upload files.

  1. Sign in to your Azure account. If you have more than one subscription, select the subscription containing your Bastion resource.

    az login
    az account list
    az account set --subscription "<subscription ID>"
    
  2. Open the tunnel to your target VM using the following command.

    az network bastion tunnel --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --resource-port "<TargetVMPort>" --port "<LocalMachinePort>"
    
  3. Connect to your target VM using SSH or RDP, the native client of your choice, and the local machine port you specified in Step 2.

    For example, you can use the following command if you have the OpenSSH client installed on your local computer:

    ssh <username>@127.0.0.1 -p <LocalMachinePort>
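
The tunnel procedure above carried through to a file upload, as an added example that is not from this article or the Azure CLI: it runs az network bastion tunnel in the background, waits for the local port to listen, copies a file with scp over 127.0.0.1 and closes the tunnel. The wait_for_port and bastion_upload helpers, the default local port 50022 and the use of the OpenSSH HostKeyAlias option are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure docs): upload a file to a Linux VM through an
# Azure Bastion tunnel. Assumes the Azure CLI (after az login) and an OpenSSH client.
set -eu

# Poll until a TCP listener answers on host:port, giving up after <timeout> seconds.
# Uses bash's /dev/tcp so no extra tool (nc, nmap) is needed.
wait_for_port() {
  local host=$1 port=$2 timeout=$3 i=0
  while [ "$i" -lt "$timeout" ]; do
    if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
      return 0
    fi
    sleep 1
    i=$((i + 1))
  done
  return 1
}

# bastion_upload <BastionName> <ResourceGroup> <VMResourceId> <VMName> <Username> <LocalFile> <RemoteDir>
# The VM's SSH port defaults to 22; set RESOURCE_PORT for a custom port (see "Ports" above).
bastion_upload() {
  local bastion=$1 rg=$2 vm_id=$3 vm_name=$4 user=$5 src=$6 dst=$7
  local local_port=${LOCAL_PORT:-50022} resource_port=${RESOURCE_PORT:-22} tunnel_pid

  az network bastion tunnel --name "$bastion" --resource-group "$rg" \
    --target-resource-id "$vm_id" --resource-port "$resource_port" --port "$local_port" &
  tunnel_pid=$!
  # Close the tunnel if the script is interrupted or exits before the explicit kill below.
  trap "kill $tunnel_pid 2>/dev/null || true" EXIT INT TERM

  wait_for_port 127.0.0.1 "$local_port" 30 || {
    echo "tunnel on port $local_port never came up" >&2; return 1; }

  # HostKeyAlias stores the VM's host key under its own name in known_hosts, so reaching
  # different VMs through the same 127.0.0.1:port never produces a host-key mismatch and
  # there is no reason to turn off StrictHostKeyChecking.
  scp -P "$local_port" -o HostKeyAlias="$vm_name" "$src" "$user@127.0.0.1:$dst"
  kill "$tunnel_pid" 2>/dev/null || true
}

# Only act when arguments are given, so the file can also be sourced for its functions.
[ "$#" -eq 0 ] || bastion_upload "$@"
```

For an interactive session instead of a copy, replace the scp line with ssh -p "$local_port" -o HostKeyAlias="$vm_name" "$user@127.0.0.1", which matches the command in Step 3.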
    

Next steps

Upload or download files