I've been doing quite a lot of work recently with Azure VMs and PowerShell. I've written some scripts to create a VM and to automate some common management functions on those Azure VMs (like re-size the VM, etc). I'm slowly posting the actual scripts to my PowerShell scripts blog (http://pshscripts.blogspot.co.uk). In the work I'm doing and in conversations with customers, many of the Azure VMs being created are stand alone. I see this as a great on-ramp to Azure, allowing the customer to dip their toe into the Azure water, for pretty minor costs. Once they are happy, they can move on to linking their on-premises infrastructure to the Azure Cloud. But in the meantime, those Azure VMs need to be managed – and of course, that means using PowerShell!
One of the first scripts I wrote was to create a simple, stand-alone VM in Azure. It took me quite a while, mainly because Azure is different to on-premises Hyper-V. I had to go through a small Azure learning curve. The first thing I want to do after creating an Azure VM is to manage it with PowerShell using remoting. You can do that, but there are a few barriers in the way (that would largely be absent in an on-premises Kerberos based authentication model!).
When you create an Azure VM, Azure creates a PowerShell endpoint to enable PowerShell management. Since the Azure VM is not in your on premises AD, you can certainly use Ntlanman authentication. (and authenticate against the in-VM user database). You need to provide a PowerShell credential object when logging into the remote session. But you know how to do that!!
The second issue is, since the VM is in a different secuity realm, the need to do mutual authentication upon creating the PowerShell session. For non-domain joined systems, this means using SSL. Yes there are ways around this or to simplify things, but there are security risks in doing so – so I'll stick with SSL. To use SSL, you need to trust the SSL certificate offered up by, in this case, the Azure VM.
When you create an Azure VM, you can either provide a certificate (e.g. issued by a CA you trust), or Azure can create a VM self signed certificate. To use the self signed cert, you need to trust the cert. To do this, you just Import the VM's defaul cert into your local host's trusted root store. Once in place, your system will trust the VM and complete authentication successfully
I've automated the task of importing the Cert with the the Install-WinRmAzureVmCert function, which I posted tonight on my scripts blog. This script defines a function that takes an Azure VM name and Azure service name, and installs the VM's default self signed cert into the local host's Trusted
$Vmname = 'CookhamLO.CloudApp.Net'
# Get the relevant Azure Subscription and set it
$SubscriptionName = (Get-AzureSubscription)[1].subscriptionname
Select-AzureSubscription $SubscriptionName
# And now install the cert
Install-WinRMAzureVMCert -CloudServiceName Cookhamlo -VMName Cookhamlo
And once that is done, I just get the credential (I'll leave that up to the reader!), get the remote management end point to get the TCP port number to use for PowerShell remoting then call Enter-PsSession. Like this:
As you can see at the bottom of the screenshot, I just use Enter-PsSession and am able to access the remote VM.
This is all pretty easy, albeit complicated by the security architecture of Windows and Azure. It's nice to know one can create a very secure remoting tunnel to your Azure VMs and manage them simply – just using PowerShell.
0 Comments