To manage Azure virtual machines (VMs) and install and configure the applications within them, you can connect via either PowerShell or RDP. In this article, I'm going to demonstrate how to access Windows VMs using PowerShell

Prerequisites ^

To connect to Azure VMs, make sure you fulfill the following prerequisites:

  • Install the Azure Resource Manager (AzureRM) PowerShell module on the machine you want to use to connect to Azure VMs. You can do this with the following PowerShell cmdlet:
    Install-Module AzureRM
  • Verify the WinRM service is running on your local machine. You can run it using the following cmdlet:
    Start-Service WinRM
  • Add the VM's public IP address to the trusted hosts of the local machine using the following cmdlet:
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value <Public IP address of the VM>

Open the ports in the network security group ^

First, you need to open the Windows Remote Management (WinRM) HTTP and HTTPS ports on the network security group (NSG) associated with the VM you want to access via PowerShell.

You can do this by running the following cmdlets:

Get-AzureRmNetworkSecurityGroup -Name NSG -ResourceGroupName 4SysOps | Add-AzureRmNetworkSecurityRuleConfig -Name AllowingWinRMHTTPS -Description "To Enable PowerShell Remote Access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 102 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 5986 | Set-AzureRmNetworkSecurityGroup
Get-AzureRmNetworkSecurityGroup -Name NSG -ResourceGroupName 4SysOps | Add-AzureRmNetworkSecurityRuleConfig -Name AllowingWinRMHTTP -Description "To Enable PowerShell Remote Access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 103 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 5985 | Set-AzureRmNetworkSecurityGroup

Every operation that adds a rule to the NSG consists of three cmdlets. Let's explain what each cmdlet does.

The following cmdlet retrieves the NSG to which you want to add rules, with the following parameters:

  • Name: The name of the NSG
  • ResourceGroupName: The name of the resource group within which this NSG exists
Get-AzureRmNetworkSecurityGroup -Name NSG -ResourceGroupName 4SysOps

Then we'll pipe the result of this cmdlet to the following cmdlet, where you have to specify the following parameters:

  • Name: A descriptive name for the rule
  • Description: A detailed description about the rule if you wish
  • Access: Specify whether you are going to allow or deny access for this rule
  • Protocol: Specify which service protocol you want to open the port for
  • Direction: Specify whether it is an inbound or outbound rule; in this case, it is inbound for the VM
  • Priority: You can prioritize the rules according to their importance and indicate which one to process first
  • SourceAddressPrefix: In this case, it will be internet because you will be accessing the VM in Azure using PowerShell via the public internet
  • SourcePortRange: You can specify the source port range via which you will connect; if you cannot specify it, you can specify *, which will accept access from all ports
  • DestinationAddressPrefix: You can specify the IP address of the VM to access using PowerShell or you can select * if applying the NSG at the subnet level and you want to connect to all the VMs within this subnet.
  • DestinationPortRange: Specify the port you want to access the VM through
Add-AzureRmNetworkSecurityRuleConfig -Name AllowingWinRMHTTPS -Description "To Enable PowerShell Remote Access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 102 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix *  DestinationPortRange 5986

Finally, you need to save this rule in the NSG, and for that, we'll pipe the result to the following cmdlet:

Set-AzureRmNetworkSecurityGroup

Preparing to access the VM using PowerShell ^

The second step will prepare the VM for access via PowerShell. For this, you have to do the following:

  • Enable WinRM on the VM
  • Open the required WinRM firewall ports on the VM if the local Windows Firewall is activated

To this end, you can use a PowerShell script with these requirements and then push it to the Azure VM.

  • Create an empty PowerShell script on your local machine using the following cmdlet:
    New-Item -ItemType File -Path C:\injectedscript.ps1
  • Store the tasks you want to do on the VM in a variable:
    $Content = "winrm qc /force
    netsh advfirewall firewall add rule name= WinRMHTTP dir=in action=allow protocol=TCP localport=5985
    netsh advfirewall firewall add rule name= WinRMHTTPS dir=in action=allow protocol=TCP localport=5986"
  • Add these tasks to the PowerShell script:
    Add-Content C:\injectedscript.ps1 $Content
  • Run this script inside the VM using the VMRunCommand feature:
    Invoke-AzureRmVMRunCommand -ResourceGroupName 4SysOps -Name Demo -CommandId 'RunPowerShellScript' -ScriptPath C:\injectedscript.ps1
    
  • Finally, you can remove the script you created locally (since you don't need it anymore) by running the following cmdlet:
    Remove-Item C:\injectedscript.ps1

Connect to the VM using PowerShell ^

Now you can connect to the VM using PowerShell by running the following cmdlet:

Enter-PSSession -ComputerName <The public IP address of the VM>
Remote PowerShell session with Azure VM

Remote PowerShell session with Azure VM

You are now connected and should be able to manage the VM as you wish using PowerShell.

Subscribe to 4sysops newsletter!

Conclusion ^

In this article, I've covered how to connect to an Azure VM using PowerShell. To save time in preparing everything to connect to Azure VMs using PowerShell, you can use the PowerShell cmdlets provided in this article.

avatar
3 Comments
  1. Varun 1 year ago

    Very nice blog, very useful. It really helped me to finish task. Nice Work, Really Appreciate.

  2. Robert Hardy 1 year ago

    Where you have:
     

    Get-AzureRmNetworkSecurityGroup -Name NSG -ResourceGroupName 4SysOps | Add-AzureRmNetworkSecurityRuleConfig -Name AllowingWinRMHTTPS -Description "To Enable PowerShell Remote Access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 102 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix *  DestinationPortRange 5986 | Set-AzureRmNetworkSecurityGroup
    Get-AzureRmNetworkSecurityGroup -Name NSG -ResourceGroupName 4SysOps | Add-AzureRmNetworkSecurityRuleConfig -Name AllowingWinRMHTTP -Description "To Enable PowerShell Remote Access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 103 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix *  DestinationPortRange 5985 | Set-AzureRmNetworkSecurityGroup

    You're missing the "-" character in a couple of places. So it should be:

    Get-AzureRmNetworkSecurityGroup -Name NSG -ResourceGroupName 4SysOps | Add-AzureRmNetworkSecurityRuleConfig -Name AllowingWinRMHTTPS -Description "To Enable PowerShell Remote Access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 102 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 5986 | Set-AzureRmNetworkSecurityGroup
    Get-AzureRmNetworkSecurityGroup -Name NSG -ResourceGroupName 4SysOps | Add-AzureRmNetworkSecurityRuleConfig -Name AllowingWinRMHTTP -Description "To Enable PowerShell Remote Access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 103 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 5985 | Set-AzureRmNetworkSecurityGroup
    avatar

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account