Equivalent of AWS Session Manager for Linux VMs in Azure?

James 1 Reputation point
2022-05-23T09:53:24.717+00:00

We're looking for an equivalent in Azure of the AWS Session Manager for Linux VMs. This allows secure access to VMs without exposing private ports, and without having to manage SSH keys on the Linux instance - for both terminal & RDP access.

In Azure, there seems to be

  • 'just in time' access - which still exposes ports externally (and I'm not yet clear if it even works on Linux), and wouldn't solve any of the SSH key management issues
  • bastion service - which also doesn't solve the SSH keys issue, can only be accessed via the Azure portal, and is super expensive

Have I missed an alternative? What's our best approach to enable secure access to Linux VMs via RDP? Thanks.


2 answers

  1. Cormac 11 Reputation points
    2022-05-23T11:24:59.3+00:00

    As far as I'm aware there is no direct replica of Session Manager.

    If you want to use a browser session and keep all connectivity private you will need to use Bastion. You could create SSH keys within Azure and inject those into your VM and call it from Bastion or store keys within a Key Vault. But yeah, some key management will be required.

    Bastion now supports SSH & GUI access to Linux VMs once xfce & xrdp are enabled.

    Alternatively you could create a secure jump box but you'll need to open up some sort of external access. You can restrict access to your VMs from the private IP of said jump box.

    1 person found this answer helpful.

  2. Ghalib Ahmad 0 Reputation points
    2024-04-21T23:45:19.8133333+00:00

    There is no direct equivalent to SSM for patching in Azure.

    While Azure does offer a Bastion service, which can be an equivalent of its AWS counterpart, i.e. Session Manager, this is not the same as SSM for patching.

    However, Azure also allows patching of on-prem VMs with Azure Update Manager. Ideally you would have to invest in Azure ExpressRoute for Azure to have private connectivity back to on-prem.

    Another alternative for some Azure customers would be to use Azure Arc.
