Remote SSH via Azure Bastion (with AAD auth)

[hansenms]

Azure Bastion is a managed to service for secure access to virtual machines in a vnet. I would like to be able to do VS Code remote SSH (and remote container) development on a VM that is accessed via a bastion host. Additioally, I would like this to worth with Azure Active Directory (AAD) auth enabled on the VM.

I can get a shell in the remove VM with something like:

az network bastion ssh --name <bastion name> -g <bastion resource group> --target-resource-id <vm resource id> --auth-type AAD

However the remote-ssh extension in vscode seems to rely on a direct ssh command and not this sort of proxied ssh connection. There was a related question on this #4553, which I don't think was answered and maybe bastion was not as mature at the time.

[eleanorjboyd]

Hello! Currently we do not have support for Azure Bastion specifically and therefore I will move this issue to be a feature-request in our backlog. Since I cannot give a timeline on when we might tackle this feature request, there are a few options on ways that you might be able to build you own custom solutions. First you could making a custom script that handles the connection via bastion and set the ssh binary to this script so we run this script when attempting to connect via ssh. Additionally we have a new workflow called vscode server cli which is outlined here: https://code.visualstudio.com/blogs/2022/07/07/vscode-server. This is in private preview but I can give you access if you think that tool would be a good solution. Thanks!

[vscodenpa]

This feature request is now a candidate for our backlog. The community has 60 days to upvote the issue. If it receives 10 upvotes we will move it to our backlog. If not, we will close it. To learn more about how we handle feature requests, please see our documentation.

Happy Coding!

[madhavchereddyacc]

any update on this issue?

[eleanorjboyd]

@madhavchereddyacc, no updates at this point. This issue will be mentioned in a planning issue when it comes on the docket for engineering and this issue will be updated with notice once it comes in the release to see if it works for everyone correctly in this thread.

[donglixp]

GCR is now moving to Bastion...

[sytelus]

This is very important functionality given big push towards Bastion. Any updates?

For a temporary workaround, you can use tunneling feature of Bastion to enable remote SSH. In this case, add following in your $USERPROFILE.ssh\config file:

# Beow is for vscode remote connection for Azure Bastion 
Host tunnel
  HostName 127.0.0.1
  Port 2222
  User DOMAIN.login
  StrictHostKeyChecking=No
  UserKnownHostsFile=\\.\NUL

Then use PowerShell to connect to Bastion host in Azure:

az network bastion tunnel --subscription SUBSCRIPTION_GUID --name BASTION_NAME --resource-group RESOURSE_GROUP --target-resource-id VM_ID --resource-port 22 --port 22

In VSCode when you click on Connect to Host, you will see host named tunnel which should work as expected.

Also see this: https://techcommunity.microsoft.com/t5/fasttrack-for-azure/accessing-aks-private-clusters-with-azure-bastion-and-vs-code/ba-p/3581367

[MicheleDelliVeneri]

I was experiencing the same issue, I have fixed it through the StrictHostKeyChecking=No option in the config.

[eric-therond]

With the above az network bastion tunnel command it's not even possible to connect to a completely new VM that is behind an Azure bastion.

[14:21:47.943] > local-server-2> Running ssh connection command: "-v -T -D 58040 -o ConnectTimeout=15 xxx bash"
[14:21:47.946] > local-server-2> Spawned ssh, pid=19183
[14:21:47.954] stderr> OpenSSH_9.0p1, LibreSSL 3.3.6
[14:21:47.955] stderr> ssh: connect to host 127.0.0.1 port 2222: Connection refused
[14:21:47.955] > local-server-2> ssh child died, shutting down
[14:21:47.957] Local server exit: 0
[14:21:47.957] Received install output: local-server-2> Running ssh connection command: "-v -T -D 58040 -o ConnectTimeout=15 xxx bash"
local-server-2> Spawned ssh, pid=19183
OpenSSH_9.0p1, LibreSSL 3.3.6
ssh: connect to host 127.0.0.1 port 2222: Connection refused
local-server-2> ssh child died, shutting down

[14:21:47.958] Failed to parse remote port from server output
[14:21:47.958] Exec server for ssh-remote+xxx failed: Error
[14:21:47.958] Error opening exec server for ssh-remote+xxx: Error

[dunalduck0]

Thanks for the solution. This is also what GCR recommended. It worked well for me until I wanted to add devcontainer into my project. All VsCode devcontainer commands failed with "SSH connection error", even the command to add a devcontainer configuration. I wonder if there is fix for it.

This is very important functionality given big push towards Bastion. Any updates?

For a temporary workaround, you can use tunneling feature of Bastion to enable remote SSH. In this case, add following in your $USERPROFILE.ssh\config file:

# Beow is for vscode remote connection for Azure Bastion 
Host tunnel
  HostName 127.0.0.1
  Port 2222
  User DOMAIN.login
  StrictHostKeyChecking=No
  UserKnownHostsFile=\\.\NUL

Then use PowerShell to connect to Bastion host in Azure:

az network bastion tunnel --subscription SUBSCRIPTION_GUID --name BASTION_NAME --resource-group RESOURSE_GROUP --target-resource-id VM_ID --resource-port 22 --port 22

In VSCode when you click on Connect to Host, you will see host named tunnel which should work as expected.

Also see this: https://techcommunity.microsoft.com/t5/fasttrack-for-azure/accessing-aks-private-clusters-with-azure-bastion-and-vs-code/ba-p/3581367

[MRDGH2821]

In #4553, I saw the config property ProxyJump
So this allowed me to directly login to target vm, via bastion.

So I had to put password for bastion first then VM and I was good to go.

[dunalduck0]

@MRDGH2821 is your post above regarding to my question? I didn't fully understand what ProxyJump can do. Can you please be more specific? Thank you!

[MRDGH2821]

@MRDGH2821 is your post above regarding to my question? I didn't fully understand what ProxyJump can do. Can you please be more specific? Thank you!

Oh sorry I had been ambiguous a little.

At my work place, I was given IP address of 2 VMs, which are in Azure portal. One of them was Azure bastion.
I was told to connect first to Azure bastion and then the target VM.
No direct connection was possible to the VM.
In #4553 I saw the property ProxyJump which did enable me to jump into the target VM.

Now I realise that the issue presented here & my comment may be unrelated 😅

[dunalduck0]

Thank you @MRDGH2821. I am glad you’ve got a solution to your problem. With your multi-hop connection, have you ever tried DevContainer feature in VsCode?

[MRDGH2821]

Thank you @MRDGH2821. I am glad you’ve got a solution to your problem. With your multi-hop connection, have you ever tried DevContainer feature in VsCode?

In the target vm protected behind bastion, I had setup a folder which has a sub folder .devcontainer
I opened the folder in devcontainer once.

Then after reopening vscode -> welcome screen, I see my dev container.
I click on that, put passwords for bastion & target
And done - I get into dev container.

[eric-therond]

a working workaround:

• https://github.com/MicrosoftDocs/azure-docs/issues/98747
• https://feedback.azure.com/d365community/idea/e55b67ca-3b39-ed11-a81b-000d3a04ded5

[PandyaDarshit]

Anyone working on this feature request? I would like to contribute on this.

[sanelson]

None of the workarounds posted here seemed to work for me but the following steps work well for me to connect through a Bastion to a VM which uses AAD auth. Works great with VSCode as well as any other ssh client.

Note: These steps are specific to Powershell under Windows. However, with some minimal tweaks they should work under WSL or on Linux/MacOS as well.

Step 1: Set up a tunnel through the Bastion and run as a background process

# Configure Bastion tunnel to VM
$subscription = "cae391e3-b3b7-4096-b58c-91b3eb68382e"
$bastionName = "my-bastion"
$rgName = "my-rg"
$vmName = "my-vm"
$vmResourceId = "/subscriptions/$subscription/resourceGroups/$rgName/providers/Microsoft.Compute/virtualMachines/$vmName"
Start-Process az -NoNewWindow -ArgumentList "network bastion tunnel --name $bastionName --resource-group $rgName --target-resource-id $vmResourceId --resource-port 22 --port 2222"

Step 2: Create a SSH config directory for dynamically generated host specific configs

# Set up dynamic ssh config dir
mkdir ~/.ssh/config.d/

Step 3: Include dynamic host configs in main SSH config.

# Prepend dynamic host config include to main SSH config
$( Write-Output "Include config.d/*.conf"; Get-Content ~/.ssh/config -Raw ) | Set-Content ~/.ssh/config

Step 4: Generate dynamic SSH config for VM host and temporary keys/certs

# Generate custom SSH config & issue temporary (1hr) keys + certificate
Write-Host "y" | az ssh config `
  --overwrite -y `
  --prefer-private-ip `
  --port 2222 `
  --resource-group $rgName
  --name $vmName
  --file $env:USERPROFILE\.ssh\config.d\$vmName.conf

Step 5: Replace private IP in dynamic config with "localhost" as we're using the Bastion Tunnel

# Replace private IP in custom SSH config with localhost
(Get-Content $env:USERPROFILE\.ssh\config.d\$vmName.conf) -replace 'HostName.*', 'HostName localhost' | Set-Content $env:USERPROFILE\.ssh\config.d\$vmName.conf

Step 6: Test the connection via the CLI or in VSCode.

# Test the new connection
ssh "$rgName-$vmName" 

Since the SSH certificate is only valid for 1hr, if you're using VSCode and after an hour you can't start a new terminal window, you should be able to just run steps 4 & 5 again to "refresh" your temporary SSH key and cert. The tunnel also tends to timeout after a while, just stop the background process if it hasn't already completely died and restart the tunnel.

Hopefully this is helpful!

[joshspicer]

I think this kind of workflow should now be easier to automate/script with the remote.SSH.preconnect setting (currently only in the pre-release build). More info here: #6835 (comment)

Anyone watching this issue and able to comment on if this helps?