Prerequisites
To connect to Azure VMs, make sure you fulfill the following prerequisites:
- Install the Azure Resource Manager (AzureRM) PowerShell module on the machine you want to use to connect to Azure VMs. You can do this with the following PowerShell cmdlet:
Install-Module AzureRM
- Verify that the WinRM service is running on your local machine. If it is not, you can start it using the following cmdlet:
Start-Service WinRM
- Add the VM's public IP address to the trusted hosts of the local machine using the following cmdlet:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value <Public IP address of the VM>
Open the ports in the network security group
First, you need to open the Windows Remote Management (WinRM) HTTP and HTTPS ports on the network security group (NSG) associated with the VM you want to access via PowerShell.
You can do this by running the following cmdlets:
Get-AzureRmNetworkSecurityGroup -Name NSG -ResourceGroupName 4SysOps | Add-AzureRmNetworkSecurityRuleConfig -Name AllowingWinRMHTTPS -Description "To Enable PowerShell Remote Access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 102 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 5986 | Set-AzureRmNetworkSecurityGroup
Get-AzureRmNetworkSecurityGroup -Name NSG -ResourceGroupName 4SysOps | Add-AzureRmNetworkSecurityRuleConfig -Name AllowingWinRMHTTP -Description "To Enable PowerShell Remote Access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 103 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 5985 | Set-AzureRmNetworkSecurityGroup
Every operation that adds a rule to the NSG consists of three cmdlets. Let's explain what each cmdlet does.
The following cmdlet retrieves the NSG to which you want to add rules, with the following parameters:
- Name: The name of the NSG
- ResourceGroupName: The name of the resource group within which this NSG exists
Get-AzureRmNetworkSecurityGroup -Name NSG -ResourceGroupName 4SysOps
Then we'll pipe the result of this cmdlet to the following cmdlet, where you have to specify the following parameters:
- Name: A descriptive name for the rule
- Description: A detailed description about the rule if you wish
- Access: Specify whether you are going to allow or deny access for this rule
- Protocol: Specify which service protocol you want to open the port for
- Direction: Specify whether it is an inbound or outbound rule; in this case, it is inbound for the VM
- Priority: You can prioritize the rules according to their importance and indicate which one to process first
- SourceAddressPrefix: In this case, it will be Internet because you will be accessing the VM in Azure using PowerShell via the public internet
- SourcePortRange: You can specify the source port range via which you will connect; if you cannot specify it, you can specify *, which will accept access from all ports
- DestinationAddressPrefix: You can specify the IP address of the VM to access using PowerShell or you can select * if applying the NSG at the subnet level and you want to connect to all the VMs within this subnet.
- DestinationPortRange: Specify the port you want to access the VM through
Add-AzureRmNetworkSecurityRuleConfig -Name AllowingWinRMHTTPS -Description "To Enable PowerShell Remote Access" -Access Allow -Protocol Tcp -Direction Inbound -Priority 102 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 5986
Finally, you need to save this rule in the NSG, and for that, we'll pipe the result to the following cmdlet:
Set-AzureRmNetworkSecurityGroup
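The rules above accept WinRM from any Internet address. The following added example (not part of the original article) shows the same pipeline scoped to a single admin address on the HTTPS port only, followed by an audit that lists any inbound Allow rule still exposing 5985 or 5986 to every source. The admin address, the rule name, the priority 110 and the helper Test-PortCovered are assumptions made for illustration.

```powershell
# Constructed placeholder: replace with your own public egress address.
$AdminIp = '203.0.113.10/32'

# Allow WinRM over HTTPS only, and only from the admin address.
# Priority 110 is an assumption; use any priority not already taken in the NSG.
Get-AzureRmNetworkSecurityGroup -Name NSG -ResourceGroupName 4SysOps |
    Add-AzureRmNetworkSecurityRuleConfig -Name AllowWinRMHTTPSFromAdmin `
        -Description 'PowerShell remoting from the admin workstation' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
        -SourceAddressPrefix $AdminIp -SourcePortRange * `
        -DestinationAddressPrefix * -DestinationPortRange 5986 |
    Set-AzureRmNetworkSecurityGroup

# Hypothetical helper: returns $true when a port specification
# ('*', '5986' or '5000-6000') covers the given port.
function Test-PortCovered {
    param([string[]]$PortRange, [int]$Port)
    foreach ($spec in $PortRange) {
        if ($spec -eq '*') { return $true }
        $lo, $hi = $spec -split '-'
        if (-not $hi) { $hi = $lo }
        if ($Port -ge [int]$lo -and $Port -le [int]$hi) { return $true }
    }
    return $false
}

# Audit: inbound Allow rules that expose a WinRM port to any source.
$openSources = '*', 'Internet', '0.0.0.0/0'
(Get-AzureRmNetworkSecurityGroup -Name NSG -ResourceGroupName 4SysOps).SecurityRules |
    Where-Object {
        $rule = $_
        $rule.Access -eq 'Allow' -and $rule.Direction -eq 'Inbound' -and
        (@($rule.SourceAddressPrefix) | Where-Object { $_ -in $openSources }) -and
        ((Test-PortCovered $rule.DestinationPortRange 5985) -or
         (Test-PortCovered $rule.DestinationPortRange 5986))
    } |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange
```

An empty result from the audit means no rule in this NSG leaves WinRM open to all sources.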
Preparing to access the VM using PowerShell
The second step will prepare the VM for access via PowerShell. For this, you have to do the following:
- Enable WinRM on the VM
- Open the required WinRM firewall ports on the VM if the local Windows Firewall is activated
To this end, you can use a PowerShell script with these requirements and then push it to the Azure VM.
- Create an empty PowerShell script on your local machine using the following cmdlet:
New-Item -ItemType File -Path C:\injectedscript.ps1
- Store the tasks you want to do on the VM in a variable:
$Content = "winrm qc /force
netsh advfirewall firewall add rule name=WinRMHTTP dir=in action=allow protocol=TCP localport=5985
netsh advfirewall firewall add rule name=WinRMHTTPS dir=in action=allow protocol=TCP localport=5986"
- Add these tasks to the PowerShell script:
Add-Content C:\injectedscript.ps1 $Content
- Run this script inside the VM using the VMRunCommand feature:
Invoke-AzureRmVMRunCommand -ResourceGroupName 4SysOps -Name Demo -CommandId 'RunPowerShellScript' -ScriptPath C:\injectedscript.ps1
- Finally, you can remove the script you created locally (since you don't need it anymore) by running the following cmdlet:
Remove-Item C:\injectedscript.ps1
Connect to the VM using PowerShell
Now you can connect to the VM using PowerShell by running the following cmdlet:
Enter-PSSession -ComputerName <The public IP address of the VM>
You are now connected and should be able to manage the VM as you wish using PowerShell.
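The script above runs winrm qc, which sets up the HTTP listener; port 5986 only answers once an HTTPS listener with a server certificate exists. The following added example (not part of the original article) creates that listener on the VM and connects to it with -UseSSL. The DNS name demo-vm.example.test, the file path C:\winrm-https.cer and the use of a self-signed certificate are assumptions made for illustration.

```powershell
# ---- Part 1: script body to run ON THE VM (for example via Invoke-AzureRmVMRunCommand) ----
# Constructed placeholder: the DNS name that clients will use to reach the VM.
$VmDnsName = 'demo-vm.example.test'

# Make sure the WinRM service is running and starts with the system.
Set-Service -Name WinRM -StartupType Automatic
Start-Service -Name WinRM

# Create a server certificate whose name matches what the client will type.
$cert = New-SelfSignedCertificate -DnsName $VmDnsName `
    -CertStoreLocation Cert:\LocalMachine\My

# Bind the certificate to a WinRM HTTPS listener (TCP 5986).
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $cert.Thumbprint -Force

# Open only the HTTPS port in Windows Firewall.
netsh advfirewall firewall add rule name=WinRMHTTPS dir=in action=allow protocol=TCP localport=5986

# Export the public certificate so the admin machine can trust exactly this server.
Export-Certificate -Cert $cert -FilePath C:\winrm-https.cer

# ---- Part 2: run ON THE ADMIN MACHINE (elevated), after copying ----
# ---- winrm-https.cer from the VM over a channel you trust        ----
Import-Certificate -FilePath C:\winrm-https.cer `
    -CertStoreLocation Cert:\LocalMachine\Root

# -UseSSL connects to port 5986 and validates the server certificate,
# so the TrustedHosts entry is not needed for this connection.
Enter-PSSession -ComputerName 'demo-vm.example.test' -UseSSL -Credential (Get-Credential)
```

With this listener in place, the NSG and Windows Firewall rules for port 5985 are not required for the connection.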
Conclusion
In this article, I've covered how to connect to an Azure VM using PowerShell. To save time in preparing everything to connect to Azure VMs using PowerShell, you can use the PowerShell cmdlets provided in this article.
Very nice blog, very useful. It really helped me to finish the task. Nice work, really appreciate it.
Where you have:
You're missing the "-" character in a couple of places. So it should be:
Robert, thanks a lot for the hint! I fixed it.