- EC2 Image Builder: Build your golden VM images on AWS - Wed, Jan 19 2022
- Configuring DFS Namespaces for Amazon FSx for Windows file servers - Fri, Jan 7 2022
- AWS Systems Manager Session Manager: Securely connect EC2 instances - Wed, Dec 22 2021
To connect to Azure VMs, make sure you fulfill the following prerequisites:
- Install the Azure Resource Manager (AzureRM) PowerShell module on the machine you want to use to connect to Azure VMs. You can do this with the following PowerShell cmdlet:
- Verify the WinRM service is running on your local machine. You can run it using the following cmdlet:
- Add the VM's public IP address to the trusted hosts of the local machine using the following cmdlet:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value <Public IP address of the VM>
Open the ports in the network security group
First, you need to open the Windows Remote Management (WinRM) HTTP and HTTPS ports on the network security group (NSG) associated with the VM you want to access via PowerShell.
You can do this by running the following cmdlets:
Get-AzureRmNetworkSecurityGroup -Name NSG -ResourceGroupName 4SysOps | Add-AzureRmNetworkSecurityRuleConfig -Name AllowingWinRMHTTPS -Description "To Enable PowerShell Remote Access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 102 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 5986 | Set-AzureRmNetworkSecurityGroup Get-AzureRmNetworkSecurityGroup -Name NSG -ResourceGroupName 4SysOps | Add-AzureRmNetworkSecurityRuleConfig -Name AllowingWinRMHTTP -Description "To Enable PowerShell Remote Access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 103 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 5985 | Set-AzureRmNetworkSecurityGroup
Every operation that adds a rule to the NSG consists of three cmdlets. Let's explain what each cmdlet does.
The following cmdlet retrieves the NSG to which you want to add rules, with the following parameters:
- Name: The name of the NSG
- ResourceGroupName: The name of the resource group within which this NSG exists
Get-AzureRmNetworkSecurityGroup -Name NSG -ResourceGroupName 4SysOps
Then we'll pipe the result of this cmdlet to the following cmdlet, where you have to specify the following parameters:
- Name: A descriptive name for the rule
- Description: A detailed description about the rule if you wish
- Access: Specify whether you are going to allow or deny access for this rule
- Protocol: Specify which service protocol you want to open the port for
- Direction: Specify whether it is an inbound or outbound rule; in this case, it is inbound for the VM
- Priority: You can prioritize the rules according to their importance and indicate which one to process first
- SourceAddressPrefix: In this case, it will be internet because you will be accessing the VM in Azure using PowerShell via the public internet
- SourcePortRange: You can specify the source port range via which you will connect; if you cannot specify it, you can specify *, which will accept access from all ports
- DestinationAddressPrefix: You can specify the IP address of the VM to access using PowerShell or you can select * if applying the NSG at the subnet level and you want to connect to all the VMs within this subnet.
- DestinationPortRange: Specify the port you want to access the VM through
Add-AzureRmNetworkSecurityRuleConfig -Name AllowingWinRMHTTPS -Description "To Enable PowerShell Remote Access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 102 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * DestinationPortRange 5986
Finally, you need to save this rule in the NSG, and for that, we'll pipe the result to the following cmdlet:
Preparing to access the VM using PowerShell
The second step will prepare the VM for access via PowerShell. For this, you have to do the following:
- Enable WinRM on the VM
- Open the required WinRM firewall ports on the VM if the local Windows Firewall is activated
To this end, you can use a PowerShell script with these requirements and then push it to the Azure VM.
- Create an empty PowerShell script on your local machine using the following cmdlet:
New-Item -ItemType File -Path C:\injectedscript.ps1
- Store the tasks you want to do on the VM in a variable:
$Content = "winrm qc /force netsh advfirewall firewall add rule name= WinRMHTTP dir=in action=allow protocol=TCP localport=5985 netsh advfirewall firewall add rule name= WinRMHTTPS dir=in action=allow protocol=TCP localport=5986"
- Add these tasks to the PowerShell script:
Add-Content C:\injectedscript.ps1 $Content
- Run this script inside the VM using the VMRunCommand feature:
Invoke-AzureRmVMRunCommand -ResourceGroupName 4SysOps -Name Demo -CommandId 'RunPowerShellScript' -ScriptPath C:\injectedscript.ps1
- Finally, you can remove the script you created locally (since you don't need it anymore) by running the following cmdlet:
Connect to the VM using PowerShell
Now you can connect to the VM using PowerShell by running the following cmdlet:
Enter-PSSession -ComputerName <The public IP address of the VM>
You are now connected and should be able to manage the VM as you wish using PowerShell.
Subscribe to 4sysops newsletter!
In this article, I've covered how to connect to an Azure VM using PowerShell. To save time in preparing everything to connect to Azure VMs using PowerShell, you can use the PowerShell cmdlets provided in this article.
Join the 4sysops PowerShell group!
Your question was not answered? Ask in the PowerShell forum!
Very nice blog, very useful. It really helped me to finish task. Nice Work, Really Appreciate.
Where you have:
You're missing the "-" character in a couple of places. So it should be:
Robert, thanks a lot for the hint! I fixed it.