To improve the security of Linux virtual machines (VMs) in Azure, now we can integrate the VM with Azure Active Directory (Azure AD) authentication. Azure AD can be used as a core authentication platform to SSH into a Linux VM. This functionality allows organizations to manage security access to VMs with Azure role-based access control (RBAC) and Conditional Access policies.
This article shows how to create and configure a Linux VM and log in with Azure AD by using OpenSSH certificate-based authentication.
1.1. Benefits
- Use your Azure AD credentials to log in to Azure Linux Virtual machines. No need to remember any separate login credentials.
- No separate Bastion Virtual machine is required.
- No public IP/Port exposure for any Virtual machines to the outside world.
- Get Open SSH key-based authentication without needing to distribute SSH keys to users or provision SSH public keys on any Azure Linux VMs that you deploy.
- Reduce reliance on local administrator accounts, credential theft, and weak credentials.
- With RBAC, specify who can log in to a virtual machine as a regular user or with administrator privileges. When users join your team, you can update the Azure RBAC policy for the VM to grant access as appropriate. When employees leave your organization and their user accounts are disabled or removed from Azure AD, they no longer have access to your resources.
With Conditional Access, configure policies to require multifactor authentication or to require that your client device is managed (for example, compliant or hybrid Azure AD joined) before you can use it SSH into Linux VMs.
Note
Azure Active Directory native client for Azure Bastion is officially supported by Microsoft and is now GA. In this article we will use this feature to solve our objective of login to virtual machines with active directory login credentials.
1.2. Installing Azure CLI on Local Laptop/Desktop
- Open command prompt. Type az at the root. This will check if azure cli is already installed in your VM and if found you would see something similar below and you can skip this section and move to next section.
- If not found then go ahead and install Azure CLI from the below link.
Windows : https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?tabs=azure-cli
Linux : curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
1.3. Configuring AAD login feature on New VMs
- Create a new Linux Virtual Machine. Keeping all other configurations of your choice, make sure to check the "Login with Azure AD" feature on under the Management tab. 💡 This is very important! The identity will be automatically get selected to system assigned managed identity.
- Once the VM gets provisioned, you must see the installed Azure AD Login extensions under the Extensions + applications menu under Settings blade of the respective VM.
1.4. Enabling AAD login feature on Existing VMs
- Go to the Setting blade of the respective VM and click on Extensions + application menu. Click +Add to add a new extension
- Select extension "Azure AD based SSH Login" and click Next and then Review and create button. Click Create after the validation passed message is shown.
- After the installation complete check the Extensions + application menu again under the Settings blade of the VM. This time it must show the installed extension.
1.5. Terraform Script to enable AAD login (Linux VM)
resource "azurerm_linux_virtual_machine" "example" {
// blah-blah
identity {
type = "SystemAssigned"
}
}
resource "azurerm_virtual_machine_extension" "example" {
name = "AADSSHLoginForLinux_extn"
virtual_machine_id = azurerm_linux_virtual_machine.example.id
publisher = "Microsoft.Azure.ActiveDirectory"
type = "AADSSHLoginForLinux"
type_handler_version = "1.0"
}
1.6. Enabling RBAC (Configure role assignments)
Any of the following roles must be given to the user accessing the VM.
💡 Assigning any of these roles to a particular user or to a particular group is mandatory inorder to access the VM via Azure AD credentials.
- Virtual Machine Administrator Login: Users who have this role assigned can log in to an Azure virtual machine with administrator privileges.
- Virtual Machine User Login: Users who have this role assigned can log in to an Azure virtual machine with regular user privileges
- From the Access control (IAM) menu of the respective VM; click on +Add and select Add role assignment submenu option. You must have "Owner" or "User Access Administrator" privilege to perform this operation.
- Search for any of the above role and proceed. I have selected the "Virtual Machine Administrator Login" role for this article. Click Next
- Select an user or group to whom you want the role to get assigned. Click Review + assign
1.7. Configuring Azure Bastion (With Native support, New Bastion Host)
- Create a new azure bastion service. Keeping all other configurations of your choice, make sure to check the "Native client support" feature on under the Advanced tab. 💡 This is very important!
1.8. Configuring Azure Bastion (With Native support, Existing Bastion Host)
- Go to the Configuration option under the Setting tab and check the "Native client support" checkbox. Hit Apply.
1.9. Terraform Script to enable Native client support for Azure Bastion Host
resource "azurerm_bastion_host" "example" {
// blah-blah
tunneling_enabled = true
}
1.10. Login to Application VMs with Azure AD credentials via Bastion Host (Local Laptop/Desktop)
- Open Windows Command Prompt or Windows PowerShell IDE in your machine.
- Type az login and press enter. (Make sure you are disconnected from G+D VPN, 💡 This is important!). This will open up a browser window as would ask for login credentials. Please enter your azure active directory login credentials.
- Upon successful login, it will show all the subscription on which you have access under the tenant. You can execute the following command to list all subscriptions in a readable table format.
az account list -o table
- Type the following command to check the current subscription you are logged in.
az account show -o table
If it's the right subscription then move to the next step. Else execute the following command to set your correct subscription.
az account set --subscription "<<subscription_id or subscription_name>>"
- Get the resource id of your target VM by running the following query. Copy the return value and keep in notepad. You would need this in the next step
az vm show --name <<vm name>> --resource-group <<resource group name>> --query "id"
- Now the important part which we are waiting for. We are going to login to our target VM via Azure Bastion. Run the following command
az network bastion ssh \
--name "<<bastion-host name>>" \
--resource-group "<<resource group name>>" \
--target-resource-id "<<vm resource id copied from the previous step>>" \
--auth-type "AAD"
- Voila!... you are now successfully connected to your target VM via Azure Bastion. 😊 The prompt will quickly change to show your [AAD login id]@[target VM name]
Congratulations! for coming this far. Hope this article will help you to further explore more on this topic.
Do share with me about your experience and what you have built upon this
foundation. I would love
to hear from you.
No comments:
Post a Comment