My initial understanding was that an Azure Bastion acts like a lightweight SSH (and RDP) gateway to resources -- specifically, VMs -- on the same virtual network, rather than provisioning a full VM as a jumpbox. That is, I would expect to be able to do this, from anywhere on the public Internet, to SSH into a VM on the same network:
```
ssh -i /path/to/private.key -J BASTION_IP user@VM_IP
```
Where `BASTION_IP` is the public IP associated with the Bastion resource and `VM_IP` is the internal IP address of the VM in a sibling subnet to the Bastion subnet.
I've set this up in Terraform, using the "Basic" Bastion SKU, but when I try connecting, it times out. In the Azure Portal, there is an option named "Native Client Support" (which needs the "Standard" SKU), exposed as the `tunneling_enabled` argument in the respective Terraform resource. With those changes made, my connection still times out.
Following the rabbit hole of documentation suggests that you have to use the Azure CLI. Indeed, I can get tunnelling to work using the Azure CLI -- the SSH extension is Windows only, apparently -- but it's a bit of a faff:
```
az login # I assume there's a way to login unattended
az account set --subscription SUBSCRIPTION_ID
az network bastion tunnel --name BASTION_NAME --resource-group RG_NAME --target-resource-id REALLY_LONG_VM_RESOURCE_ID --resource-port 22 --port 2222 &
ssh -i /path/to/private.key -p 2222 user@localhost
```
Is there a non-proprietary way of SSH'ing into an Azure VM through an Azure Bastion? Or is my assumption on its use-case off?
You really only have two ways to connect to Bastion with SSH, using a local client, and both involve the Azure CLI:
You could automate this connection if you wanted to connect using a service principal, but assuming you want to connect as a user then it would be a bit of a pain having to store the user's credentials and deal with MFA etc.
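As an added example (not code from the question or the answer), here is the service-principal variant of the same Azure CLI tunnel wrapped in a script: unattended login, build the VM resource id from its parts instead of pasting it, wait for the local port, ssh through it, and kill the tunnel on exit. The `AZ_SP_*` variable names, the VM name argument and the placeholder values are assumptions.

```shell
#!/usr/bin/env bash
# Assumed setup (hypothetical names): a Standard-SKU Bastion with tunneling
# enabled, a VM in a sibling subnet, and a service principal whose credentials
# are supplied in AZ_SP_APP_ID / AZ_SP_SECRET / AZ_SP_TENANT.

# Build the VM's ARM resource id from its parts (same value that
# `az vm show --query id -o tsv` returns) so nobody has to paste it.
vm_resource_id() {
  sub="$1"; rg="$2"; vm="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s' \
    "$sub" "$rg" "$vm"
}

# Poll until something listens on host:port, or give up after N seconds.
wait_for_port() {
  host="$1"; port="$2"; tries="${3:-30}"
  while [ "$tries" -gt 0 ]; do
    if ( exec 3<>"/dev/tcp/$host/$port" ) 2>/dev/null; then return 0; fi
    tries=$((tries - 1)); sleep 1
  done
  return 1
}

# Unattended sign-in as a service principal: no browser, no MFA prompt.
bastion_login() {
  az login --service-principal -u "$AZ_SP_APP_ID" -p "$AZ_SP_SECRET" \
    --tenant "$AZ_SP_TENANT" >/dev/null
  az account set --subscription "$1"
}

# Open the Bastion tunnel, ssh through it, and tear the tunnel down on exit.
bastion_ssh() {
  sub="$1"; rg="$2"; bastion="$3"; vm="$4"; user="$5"; key="$6"; lport="${7:-2222}"
  az network bastion tunnel --name "$bastion" --resource-group "$rg" \
    --target-resource-id "$(vm_resource_id "$sub" "$rg" "$vm")" \
    --resource-port 22 --port "$lport" >/dev/null 2>&1 &
  tunnel_pid=$!
  trap 'kill "$tunnel_pid" 2>/dev/null' EXIT
  wait_for_port 127.0.0.1 "$lport" 30 || { echo "tunnel never came up" >&2; return 1; }
  # Every tunnelled VM looks like "localhost", so pin its host key under its own alias.
  ssh -i "$key" -p "$lport" -o HostKeyAlias="$vm" "$user@127.0.0.1"
}

# Example invocation (constructed placeholder values):
# bastion_login SUBSCRIPTION_ID
# bastion_ssh SUBSCRIPTION_ID RG_NAME BASTION_NAME VM_NAME azureuser ~/.ssh/id_ed25519
```

The `HostKeyAlias` option keeps `known_hosts` entries per VM rather than one shared entry for `localhost:2222`, so a changed host key on one VM is still noticed.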