Connect to a Linux VM

In Azure there are multiple ways to connect to a Linux virtual machine. The most common practice for connecting to a Linux VM is using the Secure Shell Protocol (SSH). This is done via any standard SSH client commonly found in Linux and Windows. You can also use Azure Cloud Shell from any browser.

This document describes how to connect, via SSH, to a VM that has a public IP. If you need to connect to a VM without a public IP, see Azure Bastion Service.

Prerequisites

• You need an SSH key pair. If you don't already have one, Azure will create a key pair during the deployment process. If you need help with creating one manually, see Create and use an SSH public-private key pair for Linux VMs in Azure.

• You need an existing Network Security Group (NSG). Most VMs will have an NSG by default, but if you don't already have one you can create one and attach it manually. For more information, see Create, change, or delete a network security group.

• To connect to a Linux VM, you need the appropriate port open. Typically this will be port 22. The following instructions assume port 22 but the process is the same for other port numbers. You can validate an appropriate port is open for SSH using the troubleshooter or by checking manually in your VM settings. To check if port 22 is open:

  1. On the page for the VM, select Networking from the left menu.

  2. On the Networking page, check to see if there is a rule which allows TCP on port 22 from the IP address of the computer you are using to connect to the VM. If the rule exists, you can move to the next section.

     

  3. If there isn't a rule, add one by selecting Add inbound port rule.

  4. For Service, select SSH from the dropdown.

     

  5. Edit Priority and Source if necessary

  6. For Name, type SSH.

  7. When you're done, select Add.

  8. You should now have an SSH rule in the table of inbound port rules.

• Your VM must have a public IP address. To check if your VM has a public IP address, select Overview from the left menu and look at the Networking section. If you see an IP address next to Public IP address, then your VM has a public IP

  If your VM does not have a public IP Address, it will look like this:

  

  To learn more about adding a public IP address to an existing VM, see Associate a public IP address to a virtual machine

• Verify your VM is running. On the Overview tab, in the Essentials section, verify the status of the VM is Running. To start the VM, select Start at the top of the page.

  

Connect to the VM

Once the above prerequisites are met, you are ready to connect to your VM. Open your SSH client of choice. The SSH client command is typically included in Linux, macOS, and Windows. If you are using Windows 7 or older, where Win32 OpenSSH is not included by default, consider installing WSL or using Azure Cloud Shell from the browser.

Note

The following examples assume the SSH key is in the key.pem format. If you used CLI or Azure PowerShell to download your keys, they may be in the id_rsa format.

WSL, macOS, or native Linux client

SSH with a new key pair

1. Ensure your public and private keys are in the correct directory. The directory is usually ~/.ssh.

   If you generated keys manually or generated them with the CLI, then the keys are probably already there. However, if you downloaded them in pem format from the Azure portal, you may need to move them to the right location. This can be done with the following syntax: mv PRIVATE_KEY_SOURCE PRIVATE_KEY_DESTINATION

   For example, if the key is in the Downloads folder, and myKey.pem is the name of your SSH key, type:

   mv /Downloads/myKey.pem ~/.ssh
   

   Note

   If you're using WSL, local files are found in the mnt/c/ directory. Accordingly, the path to the downloads folder and SSH key would be /mnt/c/Users/{USERNAME}/Downloads/myKey.pem

2. Ensure you have read-only access to the private key by running

   chmod 400 ~/.ssh/myKey.pem
   

3. Run the SSH command with the following syntax: ssh -i PATH_TO_PRIVATE_KEY USERNAME@EXTERNAL_IP

   For example, if your azureuser is the username you created and 20.51.230.13 is the public IP address of your VM, type:

   ssh -i ~/.ssh/myKey.pem azureuser@20.51.230.13
   

4. Validate the returned fingerprint.

   If you have never connected to this VM before, you'll be asked to verify the hosts fingerprint. It's tempting to simply accept the fingerprint presented, but that exposes you to a potential person in the middle attack. You should always validate the hosts fingerprint. You only need to do this the first time you connect from a client. To get the host fingerprint via the portal, use the Run Command feature to execute the command:

   ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub | awk '{print $2}'
   

5. Success! You should now be connected to your VM. If you're unable to connect, see Troubleshoot SSH connections.

SSH With existing public key

1. Run the following command in your SSH client. In this example, 20.51.230.13 is the public IP Address of your VM and azureuser is the username you created when you created the VM.

   ssh azureuser@20.51.230.13
   

2. Validate the returned fingerprint.

   If you have never connected to this VM before you will be asked to verify the hosts fingerprint. It is tempting to simply accept the fingerprint presented, however, this exposes you to a possible person in the middle attack. You should always validate the hosts fingerprint. You only need to do this on the first time you connect from a client. To obtain the host fingerprint via the portal, use the Run Command feature to execute the command:

   ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub | awk '{print $2}'
   

3. Success! You should now be connected to your VM. If you're unable to connect, see our troubleshooting guide Troubleshoot SSH connections.

Password authentication

Warning

This type of authentication method is not as secure and is not recommended.

1. Run the following command in your SSH client. In this example, 20.51.230.13 is the public IP Address of your VM and azureuser is the username you created when you created the VM.

   ssh azureuser@20.51.230.13
   

   If you forgot your password or username see Reset Access to an Azure VM

2. Validate the returned fingerprint.

   If you have never connected to this VM before you will be asked to verify the hosts fingerprint. It is tempting to simply accept the fingerprint presented, however, this exposes you to a possible person in the middle attack. You should always validate the hosts fingerprint. You only need to do this on the first time you connect from a client. To obtain the host fingerprint via the portal, use the Run Command feature to execute the command:

   ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub | awk '{print $2}'
   

3. Success! You should now be connected to your VM. If you're unable to connect using the correct method above, see Troubleshoot SSH connections.

Windows command line (cmd.exe, PowerShell etc.)

SSH with a new key pair

1. Locate your private SSH Key

2. Run the SSH command with the following syntax: ssh -i PATH_TO_PRIVATE_KEY USERNAME@EXTERNAL_IP

   For example, if your azureuser is the username you created and 20.51.230.13 is the public IP address of your VM, type:

   ssh -i  .\Downloads\myKey.pem azureuser@20.51.230.13 
   

3. Validate the returned fingerprint.

   If you have never connected to this VM before you will be asked to verify the hosts fingerprint. It is tempting to simply accept the fingerprint presented, however, this exposes you to a possible person in the middle attack. You should always validate the hosts fingerprint. You only need to do this on the first time you connect from a client. To obtain the host fingerprint via the portal, use the Run Command feature to execute the command:

   Invoke-AzVMRunCommand -ResourceGroupName 'myResourceGroup' -VMName 'myVM' -CommandId 'RunPowerShellScript' -ScriptString 
   'ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub | awk '{print $2}''
   

4. Success! You should now be connected to your VM. If you are unable to connect, see Troubleshoot SSH connections.

Password authentication

Warning

This type of authentication method is not as secure and is not our recommended way to connect.

1. Run the following command in your SSH client, where 20.51.230.13 is the public IP Address of your VM and azureuser is the username you created when you created the VM.

   ssh azureuser@20.51.230.13
   

   If you forgot your password or username see Reset Access to an Azure VM

2. Validate the returned fingerprint.

   If you have never connected to this VM before you will be asked to verify the hosts fingerprint. It is tempting to simply accept the fingerprint presented, however, this exposes you to a potential person in the middle attack. You should always validate the hosts fingerprint. You only need to do this on the first time you connect from a client. To obtain the host fingerprint via the portal, use the Run Command feature to execute the command:

   ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub | awk '{print $2}'
   

3. Success! You should now be connected to your VM. If you're unable to connect using the methods above, see Troubleshoot SSH connections.

Next steps

Learn how to transfer files to an existing VM, see Use SCP to move files to and from a VM.