Connecting via Bastion
There are 2 methods to connect to your resources via Bastion, the online portal or the native client.
Portal
To connect to a Windows Virtual Machine via RDP, see this Document
To connect to a Windows Virtual Machine via SSH using username/password authentication (not recommended), see this Document
Connection to a Windows Virtual Machine via SSH using a private key can be done in various ways:
Note, that while the documentation refers to windows virtual machines, ssh authentication would work exactly the same way for Linux virtual machines
Native Client
If you are connecting from a Windows machine to a windows virtual machine see this document.
If you are connecting from a Windows machine to a Linux virtual machine see this document
If you are connecting from a *nix machine to a Windows/Linux virtual machine see this document
See this helper script maintained by the ALZ team to simplify managing connections to multiple machines via the Native RDP client here
Connection scenarios
Authentication with a local account
Login using a local account created on the Virtual machine in question using the portal or CLI.
Pre-requisites:
- An Azure AD Account that has the following RBAC permissions:
- Reader role on the virtual machine.
- Reader role on the NIC with private IP of the virtual machine.
- Reader role on the Virtual Network that the NIC is connected to.
- Reader role on the Azure Bastion resource.
Authentication with an Azure AD Account
Login using your Azure AD account using the portal or CLI. Please note this only currently works in Production.
Pre-requisites:
- An Azure AD Account that has the following RBAC permissions:
- Either Virtual Machine Administrator Login or Virtual Machine User Login role on the virtual machine
- Reader role on the NIC with private IP of the virtual machine.
- Reader role on the Virtual Network that the NIC is connected to.
- Reader role on the Azure Bastion resource.
Authentication with a traditional AD Account
Login using a local account created on the Virtual machine in question using the portal or CLI. Use the format {DOMAIN}\{USERNAME} for the username when logging in.
Pre-requisites:
- An Azure AD Account that has the following RBAC permissions:
- Reader role on the virtual machine.
- Reader role on the NIC with private IP of the virtual machine.
- Reader role on the Virtual Network that the NIC is connected to.
- Reader role on the Azure Bastion resource.
- The VM is joined to a domain
Notes and known issues
File transfer is only supported using the Native RDP or SSH client, not through the Azure Portal directly.
We’ve found this Windows GPO to cause issues with the file transfer if set to “enabled”:
Computer Configuration \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Hosts \ Device and Resource Redirection \ Do not allow clipboard redirection
Reader role on the Virtual Network has been added due to an edge case where a VM and it’s NIC existed in a different Resource Group to the Virtual Network. The Reader role could also be granted on the Resource Group that contained the Virtual Network.