PowerShell has many ways to run commands against remote computers – PowerShell remoting. It enables you to manage remote computers by running commands as if they were being run locally on your computer. You can use PowerShell Remoting to manage computers running Windows operating systems.
Why should you then configure PowerShell remoting on Azure Virtual Machines?
If you are working from terminal and don’t have Azure SDK/CLI tools installed or you don’t want or need to use GUI, but still want to have the ability to execute PowerShell cmdlets on remote machine, Enter-PsSession is your friend.
Enter-PsSession is a cmdlet which enables you to do so-called one to one remoting. It starts an interactive session with a single remote computer. During the session, the commands that you type run on the remote computer just as if you were typing directly on the remote computer. You can even start an interactive session using Secure Shell (SSH), if SSH is configured on the remote computer (for example Linux box with SSH enabled).
Steps to make it work on Azure VM
When VM is created inbound access to VM is controlled via NSG (Network Security Group). How to create Azure VM you can follow along with this tutorial.
To be able to access it outside virtual network, we need to configure access and add network rules to be able to access the VM.
First let’s find the NSG we need to modify.
If you already know the name of NSG or group, you can use the following PowerShell query to get all security network groups. In our case that is vm-pwsh-remote-nsg.
If you don’t know and you only know resource group name and/or VM, you can get that by using this script.
Result is as expected above:
Now that we know how to get the NSG, let’s add security rules to be able to access VM from the outside world. As we will work remotely with virtual machines, we need to enable WinRM access to the machine. More about that here.
WinRM listens on port 5986. Let’s add that port to the NSG.
We need the NSG object – using the code above – we need to store it in a variable
$networkSecurityGroup=Get-AzNetworkSecurityGroup | Where-Object -Property Id -EQ $nic.NetworkSecurityGroup.Id
Then we need to define rule with properties and update the security group (don’t forget to update the security group with latest settings):
Now we need to configure the client machine (from which we will execute remote calls) to “trust the remote machine”. We can use PowerShell provider wsman to do the trick (change the name of the computer name to the appropriate name of the Azure Virtual Machine):
Set-Item wsman:\localhost\Client\TrustedHosts -value <ComputerName>
After confirming the host, we need to enable the remote PS on the Azure VM. The easiest way to do so is through custom script extension on Azure Virtual Machine or via Run command via PowerShell.
We need to execute this script, which essentially enable remote powershell execution, adds to security system on host machine the firewall rule to allow WinRM connections and creates new self-signed certificate for auth purposes.
To execute I will use Run command via Azure PowerShell:
Result should be a success.
Now that we have that we can connect to the Azure VM via PowerShell remoting.
Setting the SkipCaCheck flag bypasses the requirement to import a certificate to the VM when you start the session. You need to provide IP of the VM and then you provide credentials to login to the VM.
When finished, you get PWSH and you can perform whatever you need to do in that machine.
When working from PowerShell it makes sense to create access to remotely connect to VM. If you have multiple machines, you can then leverage the option to execute command, cmdlets, managements on multiple machines at once, easing the management and execution of desired operation.
It is not easy, but not so complex if you follow a few simple steps. I do think reward of having one tool to rule them all very beneficial and time efficient.