Secure SSH Connection to a VM using Azure Bastion

Running a VM in Azure is simple. Create it and it just works.

But if you need an RDP or SSH connection to it, you have to know about the security implications.

Enabling RDP or SSH on a VM opens an inbound port for that traffic, and an exposed port is an invitation for hackers to try to get in.

A temporary solution is choosing a really strong password or key, or changing the port number on which the SSH/RDP service is listening. But this is still ‘like playing with fire’: smart hackers can work around it.

What we need is some kind of terminal session to the VM without opening inbound ports.

Luckily, Microsoft offers a few solutions for this.

First of all, you can make use of the serial console page of the VM instance (as seen in a previous blog).

This is a simple solution, but the console form factor is not that great, and sometimes random log messages are written over your shell session, which makes it hard to do actual, serious work in this pane.

Recently, Microsoft introduced a new and better solution called Azure Bastion.

Bastion enables seamless, secure RDP/SSH connectivity to Azure Virtual Machines in your Azure Virtual Networks, directly in your web browser and without the need for a public IP on your Virtual Machines.

The relationship with VMs looks like this:

The VMs are placed in a virtual network that contains a dedicated subnet called ‘AzureBastionSubnet’. The Azure Bastion resource runs in that subnet, next to the VMs, and is what makes the secure SSH connection possible.

Note: you need to open the connection from the Azure portal, which serves ‘as a second channel’.

Let’s see how this works.

Continue reading “Secure SSH Connection to a VM using Azure Bastion”

Alternatives for the default IoT Edge VM based on Ubuntu 16.04

In a recent blog, I showed how to set up an Azure IoT Edge Virtual Machine. These VMs are great for testing your IoT platform with ‘actual’ gateways.

This default, recommended Azure VM is based on the Ubuntu 16.04 LTS release:

This is still a great solution, but just this month Microsoft announced .NET Core 3.1, the next long-term supported (LTS) release.

The current IoT Edge is based on .NET Core 2.1, the current LTS version. That is why source code written specifically for .NET Core 2.2 could not be used in the module templates.

So it is safe to assume that IoT Edge will be upgraded to .NET Core 3.1 in the near future.

The release blog came with this little note with a rather big impact:

Note: Please ensure that .NET Core 3.1 ARM64 deployments use Linux kernel 4.14 version or later. For example, Ubuntu 18.04 satisfies this requirement, but 16.04 does not.

So the current VM will not last much longer. You will need a new VM template based on, for example, Ubuntu 18.04.

Note: IoT Edge gateways that have already been rolled out with Ubuntu 16.04 in test, acceptance or even production environments will soon have to be upgraded before the IoT Edge runtime can be upgraded. So check which operating system comes with the industrial PCs you buy from your hardware vendor.

Let’s see how to start with Ubuntu 18.04 LTS on a VM.

Continue reading “Alternatives for the default IoT Edge VM based on Ubuntu 16.04”