Single VM under private net accessed by bastion in Azure (jumpbox)
GitHub Pages: Here
This page contains instructions to create a single VM under a private network that is accessed via a bastion service. This VM is known also as jumpbox.
Azure Bastion is a service maintained for you and is not part of the user VM. An Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine.
- create_bastion.sh: CLI-based script to automate bastion+vm creation
- setvars.sh: helper script to setup variables to customize deployment
DISCLAIMER. This document is work-in-progress and my personal experience performing this task.
setvars.sh to customize deployment variables (i.e. resource group, vnet, sku,..). Then:
After variables are setup:
The script will create the resource group, vnet, bastion and a VM (jumpbox). It will also create the
jumpboxaccess.sh script, which contains a bash function to simplify the jupmpbox access.
To access the jumpbox vm, just type:
Behind the scenes
There are no highlight discussions on this topic so all required steps are in the
Another way to connect to the jumpbox VM
You can ignore the
jumpboxaccess.sh script and run the steps manually:
VMID=`az vm show --name $VMNAME \ --resource-group $RG \ --query 'id' \ --output tsv` az network bastion ssh --name $BASTIONNAME \ --resource-group $RG \ --target-resource-id $VMID \ --auth-type ssh-key \ --username $ADMINUSER \ --ssh-key ~/.ssh/id_rsa
Alternatively, first open a tunnel, for instance:
az network bastion tunnel --name mnettohpc1bastion \ --resource-group mnettohpc1 \ --target-resource-id $VMID \ --resource-port 22 \ --port 2200
ssh firstname.lastname@example.org -p 2200
You can also establish the ssh connection using bastion ssh and then, once you
are in the vm, you can type
C. This will open prompt:
ssh> to add
the tunnel (using the same syntax you would add to the ssh commandline):
azureuser@vm01:~$ ssh> -L 2201:localhost:22 azureuser@vm01:~$
then in your machine:
ssh email@example.com -p 2201
Delete all resources
az group delete -n $RG \ --force-deletion-types Microsoft.Compute/virtualMachines \ --yes
If you cannot connect to bastion+vm make sure there is no security rule in your subscription.
- bastion overview: https://learn.microsoft.com/en-us/azure/bastion/bastion-overview
- bastion overview: https://azure.microsoft.com/en-us/products/azure-bastion
- deploy bastion via cli: https://learn.microsoft.com/en-us/azure/bastion/create-host-cli
- bastion connection: https://learn.microsoft.com/en-us/azure/bastion/connect-native-client-windows
- escape characters: https://man.openbsd.org/ssh#ESCAPE_CHARACTERS