2
votes

I have successfully deployed a number of Azure virtual machines to an Azure Resource Group. That is, I'm using the new Azure Resource Manager deployment model to deploy the virtual machines and the related resources from a JSON template.

My problem is how to do remote PowerShell scripting from my laptop computer against these VMs. I have combed through many articles already - but they all show how to do it with the classic virtual machines in Azure. This I already know and use with success.

Now, is remote PowerShell over SSL with a certificate enabled by default on Azure VMs created with the Azure Resource Manager? How do I connect with Enter-PSSession or Invoke-Command?

2
This isn't something I've actually used - but this might point you in the right direction - github.com/Azure/azure-quickstart-templates/tree/master/… - Michael B
Thanks, this looks very promising - will try it out! - Lars Fastrup
Done - configuring WinRM over SSL with a certificate from Azure Key Vault works and looks like the right way to go. I can now do remote PowerShell against VMs provisioned with these options in the JSON template. This PS command now works from my laptop client: Invoke-Command -ComputerName <vmname>.westeurope.cloudapp.azure.com -Credential $cred -UseSSL -ScriptBlock $script -SessionOption (New-PSSessionOption -SkipCACheck -SkipRevocationCheck -SkipCNCheck) - Lars Fastrup

2 Answers

4
votes

This is for an existing machine: make sure that your VM has a public IP through the NIC settings. Next, make sure that your firewall is open to public traffic if you're going to use your laptop. This can be done with a simple netsh command:

netsh advfirewall firewall add rule name="WinRM HTTP" dir=in action=allow protocol=TCP localport=5985 profile=public

Once you have a public IP and firewall open you can enter a WinRM session with:

$username = '<admin-user>'
$pass = ConvertTo-SecureString -string '<password>' -AsPlainText -Force
$cred = New-Object -typename System.Management.Automation.PSCredential -argumentlist $username, $pass
Enter-PSSession -ComputerName <public-IP> -Credential $cred -SessionOption (New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck)

Note: by default, WinRM over HTTP and the listener should be set up and listening on your machines. HTTPS is not enabled since it's not clear where to get the certificate. However, WinRM uses message level encryption, so it's not completely in plaintext. You can verify with:

winrm e winrm/config/listener

Which should show you the listener with something like:

Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 1.1.1.1
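
To see which transport a VM actually exposes, the listener output shown in the answer above can be parsed and each listener flagged. This is an added example, not part of the original answers; the function names, the second (HTTPS) listener in the sample, and its hostname and placeholder thumbprint are constructed for illustration.

```powershell
# Constructed sample of `winrm e winrm/config/listener` output (HTTPS entry is illustrative).
$sample = @'
Listener [Source="GPO"]
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 1.1.1.1
Listener
    Address = *
    Transport = HTTPS
    Port = 5986
    Hostname = vm.example.invalid
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = <PLACEHOLDER-THUMBPRINT>
    ListeningOn = 1.1.1.1
'@

# Hypothetical helper: turn each "Listener" block into an object with one property per key.
function ConvertFrom-WinRMListenerText {
    param([Parameter(Mandatory)][string]$Text)
    $current = $null
    foreach ($line in $Text -split '\r?\n') {
        if ($line -match '^\s*Listener\b') {
            if ($null -ne $current) { [pscustomobject]$current }
            $current = [ordered]@{}
        } elseif ($null -ne $current -and $line -match '^\s+(\w+)(?:\s*=\s*(.*))?$') {
            # Keys printed without "= value" (e.g. an empty CertificateThumbprint) become ''.
            $current[$Matches[1]] = "$($Matches[2])".Trim()
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

# Hypothetical helper: report whether each listener is enabled, uses TLS and has a certificate.
function Test-WinRMListener {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($l in ConvertFrom-WinRMListenerText -Text $Text) {
        if ($l.Enabled -ne 'true') { $finding = 'listener disabled' }
        elseif ($l.Transport -ne 'HTTPS') { $finding = 'HTTP only, no TLS' }
        elseif (-not $l.CertificateThumbprint) { $finding = 'HTTPS without certificate thumbprint' }
        else { $finding = 'ok' }
        [pscustomobject]@{ Transport = $l.Transport; Port = $l.Port; Finding = $finding }
    }
}
Test-WinRMListener -Text $sample | Format-Table -AutoSize
```

On a live VM, pass `(winrm e winrm/config/listener | Out-String)` as `-Text` instead of the sample.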

0
votes

You can also use the quick start template located here: https://github.com/Azure/azure-quickstart-templates/tree/4b529b00eec1a48748e2f1ea0f305c0f07c87253/undefined . If the virtual machine already exists, you can manually copy some of the files and scripts from the same location. I added instructions here: http://blog.ricardovillalobos.com/?p=1871