Accessing AKS private clusters with Azure Bastion and VS Code

Do you use AKS private clusters? Do you hate jump hosts? If the answer to both questions is “yes”, this blog post might be interesting for you.

Let’s set things straight: it is not that I “hate” jump hosts, it is more that I “love” the way I have set up my PC’s environment: I like my terminal: the colors, the fonts, the tabs, using tmux… And I like my Visual Studio Code environment even more, more specifically all my custom key shortcuts. However, whenever I need to access a private AKS cluster, I need to set up a jump VM in the same VNet as AKS, install all the tools, and go from there.

At a recent event where we were going through an AKS hack exercise, my esteemed colleague Oliver Lintner used this setup to interact with his team’s AKS private cluster, and I was blown away. So here I am, stealing his idea with pride and presenting it to you!

Using Bastion to access the jump host via SSH

First question: can I use my existing native client in my Windows Subsystem for Linux to connect to a Linux VM in Azure that does not have a public IP address? The answer is yes! (Note that this feature was previously restricted to Windows and did not work from WSL; you might need to upgrade your Azure CLI.) Here is the command I am using:

az network bastion ssh -n $bastion_name -g $rg \
   --auth-type ssh-key --username yourusername --ssh-key ~/.ssh/id_rsa \
   --target-resource-id $vm_id

And sure enough, I can still use my own terminal with my tabs, the fonts I love (Mononoki if you are wondering), my tmux panels, and the Death Star watching over my shoulder. In the picture below, you can see in the bottom panel how I connected to the test VM in the VNet where the private cluster is located:

WSL with SSH session to remote VM over Azure Bastion

Spoiler alert: if you are wondering what is going on in the top tmux panel of the picture above, you will have to continue reading to the next section.

Using Bastion with VS Code

But we were talking about VS Code, and all its good things. VS Code also has an SSH client with its “Remote – SSH” extension, so how can we use it, and still leverage all the good things of VS Code? Easy: with Azure Bastion’s tunnel feature, we can “expose” the SSH port of our VM (which, remember, has no public IP address) as a local port on our machine:

az network bastion tunnel -n $bastion_name -g $rg \
    --target-resource-id $vm_id --resource-port 22 --port 2022

In VS Code you can now create a remote host, using the Remote SSH extension (make sure to install it if you haven’t done that yet):

New SSH host in the Remote SSH extension

In the configuration file for the SSH targets you can specify additional parameters. Note that the IP address is localhost and the port is 2022 (what was configured with the az network bastion tunnel command). The important bit is that you can configure the SSH key to use for authentication (note that you need to escape the Windows backslashes in the path):

Host 127.0.0.1
  HostName 127.0.0.1
  User yoursshusername
  Port 2022
  IdentityFile C:\\Users\\yourlocalusername\\.ssh\\id_rsa

After you have your host defined, you can connect to it with VS Code, and use all the good things you are used to, like your extensions, your editing/executing panels, etc. I am leveraging the same code I use for my non-private AKS clusters here, which is the bit I really like (one difference is the az login command, which as far as I have tested you need to use with the --use-device-code flag):
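The two steps above (open the Bastion tunnel, then connect through it with SSH) wrapped in a small shell script, as an added example that is not code from the original post. It assumes the az CLI is logged in, that bastion_name, rg and vm_id are set as in the post, and WSL/Linux paths for the key; the Host alias and HostKeyAlias are my additions to the post’s config so the VM’s host key is pinned under a stable name rather than under “[127.0.0.1]:2022”.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: wrapper around "az network bastion
# tunnel" plus a generator for the ssh_config entry. Assumes az CLI is logged
# in and bastion_name, rg and vm_id are set as in the post (WSL/Linux paths).
set -eu

# Print an ssh_config entry for a VM reached through a local Bastion tunnel.
# A named Host plus HostKeyAlias stores the VM's host key in known_hosts under
# a stable name instead of "[127.0.0.1]:2022", so reusing the same local port
# for a different VM produces a real host-key mismatch instead of mixing keys,
# and changing the local port later does not cause a spurious mismatch.
ssh_config_entry() {
  name="$1"; port="$2"; user="$3"; key="$4"
  printf 'Host %s\n' "$name"
  printf '  HostName 127.0.0.1\n'
  printf '  Port %s\n' "$port"
  printf '  User %s\n' "$user"
  printf '  IdentityFile %s\n' "$key"
  printf '  HostKeyAlias %s\n' "$name"
}

# Open the tunnel in the background, connect with ssh, and kill the tunnel when
# the session ends so the local port is not left listening on the workstation.
bastion_ssh() {
  name="$1"; port="$2"; cfg="${3:-$HOME/.ssh/config}"
  az network bastion tunnel -n "$bastion_name" -g "$rg" \
    --target-resource-id "$vm_id" --resource-port 22 --port "$port" &
  tunnel_pid=$!
  trap 'kill "$tunnel_pid" 2>/dev/null || true' EXIT
  # ConnectionAttempts retries once per second while the tunnel is still
  # starting up, so no separate "wait for the port" loop is needed.
  ssh -F "$cfg" -o ConnectionAttempts=30 "$name"
}

# Usage (constructed values):
#   ssh_config_entry aks-jump 2022 yourusername ~/.ssh/id_rsa >> ~/.ssh/config
#   bastion_ssh aks-jump 2022
```

VS Code’s Remote SSH extension reads the same ssh_config, so once the entry is appended you can pick the aks-jump host there after starting the tunnel.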

VS Code with open remote accessing an AKS private cluster

In the Azure portal you can see that both sessions (the SSH and the tunnel) are shown as active:

Bastion sessions in Azure portal

And to finish, for reference, here is the configuration I have in my Azure Bastion, in case you want to reproduce this.

Bastion configuration

Happy VS Coding!
