SSH into your Azure Arc-enabled servers from anywhere
A new capability has been introduced for Azure Arc-enabled servers that allows you to SSH into your Windows or Linux servers from anywhere without requiring inbound ports or public IP addresses. While it is in preview, it allows you to SSH to Windows using a local user and to Linux using an Azure user. This capability comes in handy if you want to grant your team access to those servers from any location without going through the hassle of opening ports on your firewalls or raising any security concerns.
Feature requirements
To start using this feature, we need to perform the following steps:
- Register the HybridConnectivity resource provider
- Onboard the server to Azure Arc
- Create the default endpoint for this Azure Arc-enabled server
- Assign the user to connect with the Virtual Machine Local User Login role
- Enable the sshd service (for Windows, we need to install OpenSSH)
- Enable the SSH feature on the Azure Arc-enabled server using the azcmagent command.
If you have a couple of servers, it is fine to do those steps (especially steps 1-4) manually, but if you have tens or hundreds of servers and want to enable it at scale, you need some sort of automation. I have a Hyper-V Windows server on my laptop that is already Azure Arc-enabled and ready to test this deployment.
At scale deployment of SSH on Arc-enabled Windows servers
First, let's assign the Virtual Machine Local User Login role to a normal user in my tenant.
Next, we need to populate the default connectivity endpoint for this Arc-enabled server.
Since this server is Windows, we would need to install OpenSSH to have the needed sshd service and then run the azcmagent command to enable the SSH feature. To do this at scale, I’m going to use one of the capabilities that Azure Arc provides for servers which is VM extensions to install OpenSSH and configure the agent.
```powershell
# Command run on the server by the Custom Script Extension: install OpenSSH Server,
# start sshd and make it automatic, then allow the Arc agent to proxy connections to local port 22.
$Setting = @{ "commandToExecute" = "powershell.exe -c Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0;Start-Service sshd;Set-Service -Name sshd -StartupType 'Automatic';azcmagent config set incomingconnections.ports 22" }

# Deploy the extension to the Arc-enabled machine.
New-AzConnectedMachineExtension `
    -MachineName "WIN-S0EJKBIMSJL" `
    -Name "SSHConfig" `
    -Location "eastus" `
    -ExtensionType CustomScriptExtension `
    -Publisher "Microsoft.Compute" `
    -Settings $Setting `
    -ResourceGroupName "Arc-Win-Servers"
```
OpenSSH is also available as a standalone extension that you can install directly. I am installing it through a custom script instead, as I need to install the sshd service and configure the agent in one go.
We can see that the extension has been deployed successfully.
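To run the same procedure across a whole resource group rather than one machine, here is an added example script (not code from the original post or from Microsoft) that covers steps 1, 3, 4, 5 and 6 for every Windows Arc-enabled server it finds: it registers the resource provider, creates the default connectivity endpoint, assigns the login role scoped to each machine only, and deploys the same Custom Script Extension as above. It assumes the Az.Accounts, Az.Resources and Az.ConnectedMachine modules are installed and Connect-AzAccount has been run; `$ResourceGroup`, `$UserObjectId`, the `OSName` filter and the endpoint API version are assumptions or placeholders, not values from the post.

```powershell
# Added example: enable Arc SSH at scale for the Windows Arc-enabled servers in one resource group.
# Assumes Az.Accounts, Az.Resources and Az.ConnectedMachine are installed and you are signed in.
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,   # placeholder: resource group holding the Arc machines
    [Parameter(Mandatory)] [string] $UserObjectId,    # placeholder: object id of the user who should log in
    [string] $RoleName = 'Virtual Machine Local User Login',
    # Assumption: API version used by the feature documentation for the endpoint resource.
    [string] $EndpointApiVersion = '2021-10-06-preview'
)

$ErrorActionPreference = 'Stop'

# Step 1: register the HybridConnectivity resource provider (idempotent, safe to repeat).
Register-AzResourceProvider -ProviderNamespace 'Microsoft.HybridConnectivity' | Out-Null

# Step 2 (onboarding) is assumed done: only machines already projected into Azure are listed here.
# Assumption: OSName reports "windows" for Windows hosts.
$machines = Get-AzConnectedMachine -ResourceGroupName $ResourceGroup |
    Where-Object { $_.OSName -like 'windows*' }

# Same payload as the post: install OpenSSH Server, start sshd, and restrict the Arc agent's
# reverse-connection proxy to local port 22 so nothing else becomes reachable through it.
$script = 'Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0; ' +
          'Start-Service sshd; Set-Service -Name sshd -StartupType Automatic; ' +
          'azcmagent config set incomingconnections.ports 22'
$settings = @{ commandToExecute = "powershell.exe -ExecutionPolicy Bypass -c `"$script`"" }

foreach ($m in $machines) {
    Write-Host "Configuring $($m.Name) in $($m.Location)"

    # Step 3: create the 'default' connectivity endpoint as a child of the machine resource.
    $path = "$($m.Id)/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=$EndpointApiVersion"
    $resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload '{"properties":{"type":"default"}}'
    if ($resp.StatusCode -notin 200, 201) {
        throw "Endpoint creation failed for $($m.Name): $($resp.Content)"
    }

    # Step 4: grant the login role at machine scope only (least privilege), skipping if already present.
    $existing = Get-AzRoleAssignment -ObjectId $UserObjectId -RoleDefinitionName $RoleName -Scope $m.Id
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $UserObjectId -RoleDefinitionName $RoleName -Scope $m.Id | Out-Null
    }

    # Steps 5 and 6: install OpenSSH and configure the agent through the Custom Script Extension.
    New-AzConnectedMachineExtension -MachineName $m.Name -ResourceGroupName $ResourceGroup `
        -Location $m.Location -Name 'SSHConfig' -ExtensionType 'CustomScriptExtension' `
        -Publisher 'Microsoft.Compute' -Settings $settings | Out-Null
}
```

Two design choices are worth noting. The role is assigned per machine rather than at resource-group or subscription scope, so the user can only open SSH sessions to the servers you listed, and the `incomingconnections.ports 22` setting limits what the agent's reverse-connection proxy will forward, so the server still exposes no listening port to the network: port 22 is reachable only through an authenticated Azure control-plane session. Once the script finishes, the session itself is opened with the `az ssh arc` command from the Azure CLI `ssh` extension (`az ssh arc --resource-group <rg> --name <machine> --local-user <user>`), which is the CLI flow the next section walks through.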
Connecting to the Azure Arc-enabled server using SSH
I will log in to the Azure CLI using the user that was assigned the Virtual Machine Local User Login role.
Now, when I SSH into the Azure Arc-enabled server from the CLI, I am prompted for the password of the local user and then land in a shell on the machine over SSH.
References
- If you want to have an automated demo of this feature, check out this Azure Arc Jumpstart scenario.
- Feature documentation