Connect to a VM using a native client

This article helps you configure your Bastion deployment, and then connect to a VM in the VNet using the native client (SSH or RDP) on your local computer. The native client feature lets you connect to your target VMs via Bastion using Azure CLI, and expands your sign-in options to include a local SSH key pair and Azure Active Directory (Azure AD). With this feature you can also upload or download files, depending on the connection type and client.

What you can do on the VM over a native-client session depends on what the native client itself allows. Bastion can't restrict features such as file transfer on these sessions; if file transfer must be blocked, that control has to live on the VM or the client, not in Bastion.

Note

This configuration requires the Standard SKU tier for Azure Bastion.

After you deploy this feature, use one of the two sets of connection instructions in this article: one for the native client on a local Windows computer, and one for other native clients that connect through the az network bastion tunnel command.

Currently, this feature has the following limitation:

  • Signing in using an SSH private key stored in Azure Key Vault isn’t supported with this feature. Before signing in to your Linux VM using an SSH key pair, download your private key to a file on your local machine.

Prerequisites

Before you begin, verify that you have the following prerequisites:

Configure the native client support feature

You can configure this feature by either modifying an existing Bastion deployment, or you can deploy Bastion with the feature configuration already specified.

To modify an existing Bastion deployment

If you've already deployed Bastion to your VNet, modify the following configuration settings:

  1. Navigate to the Configuration page for your Bastion resource. Verify that the SKU Tier is Standard. If it isn't, select Standard.

  2. Select the box for Native Client Support, then apply your changes.

    Screenshot that shows settings for updating an existing host with Native Client Support box selected.

To deploy Bastion with the native client feature

If you haven't already deployed Bastion to your VNet, you can deploy with the native client feature specified by deploying Bastion using manual settings. For steps, see Tutorial - Deploy Bastion with manual settings. When you deploy Bastion, specify the following settings:

  1. On the Basics tab, for Instance Details -> Tier select Standard. Native client support requires the Standard SKU.

    Settings for a new bastion host with Standard SKU selected.

  2. Before you create the bastion host, go to the Advanced tab and check the box for Native Client Support, along with the checkboxes for any other additional features that you want to deploy.

    Screenshot that shows settings for a new bastion host with Native Client Support box selected.

  3. Click Review + create to validate, then click Create to deploy your Bastion host.

Verify roles and ports

Verify that the following roles and ports are configured in order to connect to the VM.

Required roles

  • Reader role on the virtual machine.

  • Reader role on the NIC that holds the private IP of the virtual machine.

  • Reader role on the Azure Bastion resource.

  • Virtual Machine Administrator Login or Virtual Machine User Login role on the virtual machine, if you're using the Azure AD sign-in method. You only need this if you're enabling Azure AD login using the processes outlined in one of these articles:

Ports

To connect to a Linux VM using native client support, one of the following inbound ports must be allowed on your Linux VM:

  • Inbound port: SSH (22), or
  • Inbound port: Custom value (you'll then need to pass this custom port with --resource-port when you connect to the VM via Azure Bastion)

To connect to a Windows VM using native client support, one of the following inbound ports must be allowed on your Windows VM:

  • Inbound port: RDP (3389), or
  • Inbound port: Custom value (you'll then need to pass this custom port with --resource-port when you connect to the VM via Azure Bastion)

To learn about how to best configure NSGs with Azure Bastion, see Working with NSG access and Azure Bastion.
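The role requirements above are easy to get half right (Reader on the VM but not on its NIC, or Azure AD login roles assigned at the wrong scope). The following Bastion-independent check, added here as an example and not part of the original article, pulls the role assignments a principal holds at each of the three scopes (VM, its primary NIC, and the Bastion host) and reports what is missing. It assumes Azure CLI is signed in, that the principal is given as a UPN or object ID, and it treats the built-in Owner and Contributor roles as satisfying the Reader requirement because they include every */read action; other roles that happen to include read permissions (for example Virtual Machine Contributor on the VM) and custom roles are not interpreted and are reported conservatively as missing Reader. The helper names (missing_roles, assigned_roles, check_bastion_access) are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: verify the roles this article
# requires on the VM, its NIC, and the Bastion resource for one principal.
# Assumptions: az is signed in; Owner/Contributor count as Reader because the
# built-in roles include */read; custom roles are not interpreted.
set -euo pipefail

# Print the required roles absent from a newline-separated list of assigned
# role names; a required entry may list alternatives separated by '|'.
# Returns 1 if anything is missing, 0 otherwise.
missing_roles() {
  local assigned=$1; shift
  local req pattern rc=0
  for req in "$@"; do
    pattern=$req
    if [[ $req == Reader ]]; then pattern='Reader|Contributor|Owner'; fi
    if ! grep -qxE "$pattern" <<<"$assigned"; then
      printf '%s\n' "$req"; rc=1
    fi
  done
  return "$rc"
}

# Role names assigned to principal $1 at scope $2, including assignments
# inherited from the resource group or subscription, one per line.
assigned_roles() {
  az role assignment list --assignee "$1" --scope "$2" --include-inherited \
    --query '[].roleDefinitionName' -o tsv
}

# Usage: check_bastion_access <principal> <vm-resource-id> <bastion-resource-id> [aad]
# Pass "aad" as the 4th argument when the Azure AD sign-in method will be used.
check_bastion_access() {
  local principal=$1 vm_id=$2 bastion_id=$3 aad=${4:-}
  local nic_id scope missing rc=0
  # Reader is needed on the NIC that carries the VM's private IP, not just on the VM.
  nic_id=$(az vm show --ids "$vm_id" \
    --query 'networkProfile.networkInterfaces[0].id' -o tsv)
  for scope in "$vm_id" "$nic_id" "$bastion_id"; do
    if ! missing=$(missing_roles "$(assigned_roles "$principal" "$scope")" Reader); then
      echo "missing on $scope: $missing"; rc=1
    fi
  done
  # Azure AD sign-in additionally needs one of the two VM login roles on the VM.
  if [[ $aad == aad ]]; then
    if ! missing=$(missing_roles "$(assigned_roles "$principal" "$vm_id")" \
        'Virtual Machine Administrator Login|Virtual Machine User Login'); then
      echo "missing on $vm_id: $missing"; rc=1
    fi
  fi
  return "$rc"
}
# Example call (placeholders as used elsewhere in this article):
# check_bastion_access "<user@contoso.com>" "<VMResourceId>" "<BastionResourceId>" aad
```

The check deliberately uses --include-inherited: a Reader assignment at the resource group or subscription satisfies the requirement just as well as one on the resource, and omitting the flag would produce false alarms. Port reachability is not checked here because it depends on the NSG on the VM subnet rather than on RBAC.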

Connect to VM - Windows native client

This section helps you connect to your virtual machine from the native client on a local Windows computer. If you want to upload and download files after connecting, you must use an RDP connection. For more information about file transfers, see Upload or download files.

Use the example that corresponds to the type of target VM to which you want to connect.

Connect to a Windows VM

  1. Sign in to your Azure account. If you have more than one subscription, select the subscription containing your Bastion resource.

    az login
    az account list
    az account set --subscription "<subscription ID>"
    
  2. Sign in to your target Windows VM using one of the following example options. If the VM listens on a custom port, also include --resource-port "<port>" in the sign-in command.

    RDP:

    To connect via RDP, use the following command. You’ll then be prompted to input your credentials. You can use either a local username and password, or your Azure AD credentials. For more information, see Azure Windows VMs and Azure AD.

    az network bastion rdp --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>"
    

    SSH:

    This command requires the Azure CLI SSH extension; install it by running az extension add --name ssh. To sign in using an SSH key pair, use the following example.

    az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"
    
  3. Once you sign in to your target VM, the native client on your computer opens with your VM session: MSTSC for RDP sessions, and the SSH CLI extension (az ssh) for SSH sessions.

Connect to a Linux VM

  1. Sign in to your Azure account. If you have more than one subscription, select the subscription containing your Bastion resource.

    az login
    az account list
    az account set --subscription "<subscription ID>"
    
  2. Sign in to your target Linux VM using one of the following example options. If the VM listens on a custom port, also include --resource-port "<port>" in the sign-in command.

    Azure AD:

    If you’re signing in to an Azure AD login-enabled VM, use the following command. For more information, see Azure Linux VMs and Azure AD.

    az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "AAD"
    

    SSH:

    This command requires the Azure CLI SSH extension; install it by running az extension add --name ssh. To sign in using an SSH key pair, use the following example.

    az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "ssh-key" --username "<Username>" --ssh-key "<Filepath>"
    

    Username/password:

    If you’re signing in using a local username and password, use the following command. You’ll then be prompted for the password for the target VM.

    az network bastion ssh --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --auth-type "password" --username "<Username>"
    
  3. Once you sign in to your target VM, the SSH CLI extension (az ssh) on your computer opens with your VM session.

Connect to VM - other native clients

This section helps you connect to your virtual machine from native clients on non-Windows local computers (example: a Linux PC) using the az network bastion tunnel command. You can also connect using this method from a Windows computer. This is helpful when you require an SSH connection and want to upload files to your VM.

This connection supports file upload from the local computer to the target VM. For more information, see Upload files.

  1. Sign in to your Azure account. If you have more than one subscription, select the subscription containing your Bastion resource.

    az login
    az account list
    az account set --subscription "<subscription ID>"
    
  2. Open the tunnel to your target VM using the following command.

    az network bastion tunnel --name "<BastionName>" --resource-group "<ResourceGroupName>" --target-resource-id "<VMResourceId or VMSSInstanceResourceId>" --resource-port "<TargetVMPort>" --port "<LocalMachinePort>"
    
  3. Connect to your target VM using SSH or RDP, the native client of your choice, and the local machine port you specified in Step 2.

    For example, you can use the following command if you have the OpenSSH client installed on your local computer:

    ssh <username>@127.0.0.1 -p <LocalMachinePort>
    

Next steps

Upload or download files