Connecting to VM from Azure Automation Runbook

%3CLINGO-SUB%20id%3D%22lingo-sub-2196145%22%20slang%3D%22en-US%22%3EConnecting%20to%20VM%20from%20Azure%20Automation%20Runbook%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2196145%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20looking%20for%20some%20recommended%20solutions%20as%20to%20the%20best%20way%20forward%20here%2C%20or%20even%20if%20there%20is%20a%20way%20forward...!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBasically%2C%20what%20we%20are%20trying%20to%20do%20is%20simply%20connect%20to%20domain%20joined%20VM's%20from%20an%20Azure%20Automation%20Runbook%2C%20once%20connected%20then%20we%20can%20do%20whatever%20we%20like%2C%20restart%20services%2C%20kill%20processes%20etc.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20working%20in%20a%20locked%20down%20environment%2C%20the%20creation%20of%20a%20Run-As-Account%20with%20Contributor%20rights%20to%20a%20subscription%20is%20never%20going%20to%20happen%20so%20I%20looked%20at%20alternatives.%3C%2FP%3E%3CP%3EI%20see%20there%20is%20an%20option%20to%20lock%20down%20the%20Service%20Principal%20after%20creation%20but%20this%20still%20looks%20like%20a%20world%20of%20pain%20to%20try%20and%20push%20out%20into%20a%20locked%20down%20environment.%3C%2FP%3E%3CP%3ETo%20get%20around%20this%20I've%20created%20literally%20a%20blank%20Automation%20Account%2C%20not%20connected%20to%20an%20LA%20Workspace%20nor%20does%20it%20have%20a%20RunAs%20Account.%3C%2FP%3E%3CP%3EI've%20created%20a%20credential%20under%20Automation%20Account%20%2F%20Credential.%20The%20Runbook%20is%20able%20to%20obtain%20that%20credential%20but%20I%20then%20hit%20the%20usual%20connection%20errors%20when%20trying%20to%20create%20a%20connection%20back%20to%20our%20domain%20joined%20Azure%20VMs.%20I%20think%20it%20is%20because%20I%20need%20to%20be%20using%20HTTPS%20at%20this%20point%20but%20presumably%20I%20need%20some%20sort%20of%20certificate%20to%20do%20that%20%3F%3C%2FP%3E%3CP%3EI%20see%20there%20is%20an%20option%20to%20create%20a%20Connection%20under%20the%20automation%20account%20but%20this%20is%20also%20asking%20for%20certificates.%3C%2FP%3E%3CP%3EWe%20have%20a%20Certificate%20authority%20here%20but%20I'm%20not%20sure%20what%20I%20need%20to%20be%20requesting%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2200580%22%20slang%3D%22en-US%22%3ERe%3A%20Connecting%20to%20VM%20from%20Azure%20Automation%20Runbook%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2200580%22%20slang%3D%22en-US%22%3EYou%20can%20absolutely%20automate%20processes%20inside%20your%20network%20with%20Azure%20Automation.%20But%20you%20cannot%20use%20the%20sandbox%20approach.%20By%20%22sandbox%22%20a%20mean%20using%20the%20default%20cloud%20workers.%20What%20you%20need%20is%20a%20Hybrid%20Worker%2C%20i.e.%2C%20a%20worker%20that%20runs%20your%20runbooks%20from%20your%20own%20VMs%20(either%20on-premises%20or%20in%20your%20Azure%20VNet).%20Please%2C%20see%20the%20documentation%20below%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fautomation%2Fautomation-hybrid-runbook-worker%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fautomation%2Fautomation-hybrid-runbook-worker%3C%2FA%3E%3C%2FLINGO-BODY%3E
Contributor

I'm looking for some recommended solutions as to the best way forward here, or even if there is a way forward...!

 

Basically, what we are trying to do is simply connect to domain joined VM's from an Azure Automation Runbook, once connected then we can do whatever we like, restart services, kill processes etc.

 

I'm working in a locked down environment, the creation of a Run-As-Account with Contributor rights to a subscription is never going to happen so I looked at alternatives.

I see there is an option to lock down the Service Principal after creation but this still looks like a world of pain to try and push out into a locked down environment.

To get around this I've created literally a blank Automation Account, not connected to an LA Workspace nor does it have a RunAs Account.

I've created a credential under Automation Account / Credential. The Runbook is able to obtain that credential but I then hit the usual connection errors when trying to create a connection back to our domain joined Azure VMs. I think it is because I need to be using HTTPS at this point but presumably I need some sort of certificate to do that ?

I see there is an option to create a Connection under the automation account but this is also asking for certificates.

We have a Certificate authority here but I'm not sure what I need to be requesting ?

 

 

1 Reply
You can absolutely automate processes inside your network with Azure Automation. But you cannot use the sandbox approach. By "sandbox" a mean using the default cloud workers. What you need is a Hybrid Worker, i.e., a worker that runs your runbooks from your own VMs (either on-premises or in your Azure VNet). Please, see the documentation below:

https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker