Azure Bastion configuration via CLI or ARM template

Question

Azure Bastion configuration via CLI or ARM template

Marcel Kornegoor 21

Hello, first ever question on this platform....

I'm writing a deployment script for an application in Azure and as best practice I want to deploy a Bastion service as part of it. Via Bastion I want to ssh into a Linux VM.

All works fine: deploying a vnet, subnet, public IP and the Bastian itself with az network bastion create but it seems ssh to a host in the private vnet only works when you manually check a box in the Azure Portal. Can anybody confirm? I cannot find any ARM parameter for this.... Just opened an issue on GitHub (https://github.com/Azure/azure-cli/issues/23525)

With az network bastion show you can see the parameter (and change after checking the box in the portal). The parameter is:

 `"enableTunneling": true,`

which with the az CLI deployment can only be done with the "default" value which is false. there is no way (at least not according to documention) how to change this parameter.

risolis 8,741 Reputation points

2022-08-14T04:14:43.097+00:00

Hello @Marcel Kornegoor

Thank you for your heads up.

I went through the GitHub problem report given above as well as the documentation.... I wonder if you are referring to this syntax command below:

az login
az account list
az account set --subscription "<subscription ID>"
az network bastion tunnel --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --resource-port "<TargetVMPort>" --port "<LocalMachinePort>"
ssh <username>@127.0.0.1 -p <LocalMachinePort>

Please correct me if I am mistaken about it.

Looking forward to your feedback,

Cheers

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Marcel Kornegoor 21 Reputation points

2022-08-14T09:43:24.963+00:00

Yes, I've done these steps. The steps work fine, but a prerequisite for az network bastion tunnel to work is that you have Native Client Support enabled (see https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows)

Point is that this option is not configurable via az cli or arm template and the only way to enable Native Client Support at this moment is manually in the Azure Portal. This makes it impossible to fully automate the deployment and configuration of azure bastion.
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2022-08-17T07:46:50.61+00:00

Hi @Marcel Kornegoor ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are trying to enable "enable tunneling" via script/ARM template.

I did some research and I notice we do not have an Azure CLI parameter to enable this as of now.

However, I can see the parameter for ARM template.

Refer : https://learn.microsoft.com/en-us/azure/templates/microsoft.network/bastionhosts?pivots=deployment-language-arm-template#resource-format-1

I shall check internally to create a work item.
Once again, thank you for your feedback.

Please feel free to let me know if you have any concerns on this.

Cheers,
Kapil.
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2022-08-23T16:58:46.957+00:00

Hello @Marcel Kornegoor and @risolis ,

This is to update you that I have communicated this missing parameter to our Product Group.
An internal work item has been created successfully.

I shall update the thread once we complete the work item

Thank you once again for bringing this to our notice.

Cheers,
Kapil
risolis 8,741 Reputation points

2022-08-27T07:04:57.64+00:00

Many thanks : )

Accepted answer

0 additional answers

Your answer

risolis 8,741 Reputation points

2022-08-14T04:14:43.097+00:00

Hello @Marcel Kornegoor

Thank you for your heads up.

I went through the GitHub problem report given above as well as the documentation.... I wonder if you are referring to this syntax command below:

az login
az account list
az account set --subscription "<subscription ID>"
az network bastion tunnel --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --resource-port "<TargetVMPort>" --port "<LocalMachinePort>"
ssh <username>@127.0.0.1 -p <LocalMachinePort>

Please correct me if I am mistaken about it.

Looking forward to your feedback,

Cheers

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Marcel Kornegoor 21 Reputation points

2022-08-14T09:43:24.963+00:00

Yes, I've done these steps. The steps work fine, but a prerequisite for az network bastion tunnel to work is that you have Native Client Support enabled (see https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows)

Point is that this option is not configurable via az cli or arm template and the only way to enable Native Client Support at this moment is manually in the Azure Portal. This makes it impossible to fully automate the deployment and configuration of azure bastion.
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2022-08-17T07:46:50.61+00:00

Hi @Marcel Kornegoor ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are trying to enable "enable tunneling" via script/ARM template.

I did some research and I notice we do not have an Azure CLI parameter to enable this as of now.

However, I can see the parameter for ARM template.

Refer : https://learn.microsoft.com/en-us/azure/templates/microsoft.network/bastionhosts?pivots=deployment-language-arm-template#resource-format-1

I shall check internally to create a work item.
Once again, thank you for your feedback.

Please feel free to let me know if you have any concerns on this.

Cheers,
Kapil.
KapilAnanth-MSFT 49,536 Reputation points Microsoft Employee Moderator

2022-08-23T16:58:46.957+00:00

Hello @Marcel Kornegoor and @risolis ,

This is to update you that I have communicated this missing parameter to our Product Group.
An internal work item has been created successfully.

I shall update the thread once we complete the work item

Thank you once again for bringing this to our notice.

Cheers,
Kapil
risolis 8,741 Reputation points

2022-08-27T07:04:57.64+00:00

Many thanks : )

Answer 1

risolis 8,741

Hello @Marcel Kornegoor

Thank you for your answer.

Let me share with you what I just found so see it below please:

Here it is the link as well:

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/bastion_host

Looking forward to your feedback,

Cheers

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Marcel Kornegoor 21 Reputation points

2022-08-16T17:38:04.453+00:00

Thanks for digging this up! It's fun to see that Terraform has this option, but I went through the az cli source code and there is no --tunneling --tunneling-enabled or --tunnel implemented. They all result in unrecognized arguments in bash.

So the option does exist and is reachable via API (otherwise it wouldn't work with Terraform), but it seems just not implemented (yet) in az cli
risolis 8,741 Reputation points

2022-08-17T05:02:03.127+00:00

Hello @Marcel Kornegoor

You're very welcome.

Yes, you are fully right on this one and I can not deny that this brought my attention too. Furthermore, I found this other way but it does not apply for CLI terminal if I am not mistaken....

https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.management.network.models.bastionhost.enabletunneling?view=azure-dotnet

I believe this is where I can get since this has to be taken care by Engineering team....

I have to say to you,... Thank you for the opportunity to assist you and I hope this can be solved shortly.

Have a good one : )

Cheers

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

Azure Bastion configuration via CLI or ARM template

0 additional answers

Your answer