Do you use AKS private clusters? Do you hate jump hosts? If the answer to both questions is "yes", this blog post might be interesting for you.
Let's set things straight: it is not that I "hate" jump hosts, it is more that I "love" the way I have set up my PC's environment: I like my terminal: the colors, the fonts, the tabs, using tmux... And I like my Visual Studio Code environment even more, more specifically all my custom key shortcuts. However, whenever I need to access a private AKS cluster, I need to set up a jump VM in the same VNet as AKS, install all the tools, and go from there.
In a recent event when we were going through an AKS hack exercise, my esteemed colleague Oliver Lintner used this setup to interact with his team's AKS private cluster, and I was blown away. So here I am, stealing his idea with pride and presenting it to you!
Using Bastion to access the jump host via SSH
First question: can I use my existing native client in my Windows Subsystem for Linux to connect to a Linux VM in Azure that does not have a public IP address? The answer is yes! (Note that this feature was previously restricted to Windows and did not work from WSL, so you might need to upgrade your Azure CLI.) Here is the command I am using:
az network bastion ssh -n $bastion_name -g $rg \
--auth-type ssh-key --username yourusername --ssh-key ~/.ssh/id_rsa \
--target-resource-id $vm_id
And sure enough, I can still use my own terminal with my tabs, the fonts I love (Mononoki if you are wondering), my tmux panels, and the Death Star watching over my shoulder. In the picture below, you can see in the bottom panel how I connected to the test VM in the VNet where the private cluster is located:
Spoiler alert: if you are wondering what is going on in the top tmux panel of the picture below, you will have to continue reading to the next section.
Using Bastion with VS Code
But we were talking about VS Code, and all its good things. VS Code also has an SSH client with its “Remote – SSH” extension, so how can we use it, and still leverage all the good things of VS Code? Easy: with Azure Bastion’s tunnel feature, we can “expose” the SSH port of our VM (which, remember, has no public IP address) as a local port on our machine:
az network bastion tunnel -n $bastion_name -g $rg \
--target-resource-id $vm_id --resource-port 22 --port 2022
In VS Code you can now create a remote host, using the Remote SSH extension (make sure to install it if you hadn’t done that yet):
In the configuration file for the SSH targets you can specify additional parameters. Note that the IP address is localhost and the port is 2022 (what was configured with the az network bastion tunnel command). The important bit is that you can configure the SSH key to use for authentication (note that you need to escape Windows backslashes):
Host 127.0.0.1
HostName 127.0.0.1
User yoursshusername
Port 2022
IdentityFile C:\\Users\\yourlocalusername\\.ssh\\id_rsa
After you have your host defined, you can connect to it with VS Code, and use all the good things you are used to, like your extensions, your editing/executing panels, etc. I am leveraging the same code I use for my non-private AKS clusters here, which is the bit I really like (one difference is the az login command, which as far as I have tested you need to use with the --use-device-code flag):
In the Azure portal you can see that both sessions (the SSH and the tunnel) are shown as active:
And to finish, for reference, here is the configuration I have in my Azure Bastion, in case you want to reproduce this.
Happy VS Coding!