Configure SSH for your Azure Arc-enabled Servers.


The lab environment in this hack allows you to have SSH access to the Windows and Linux on prem servers as they are open to the internet and ports 22 (SSH) and 3389 (RDP) are allowed through for your source IP addresses. This is useful for the hack so that we can do the onboarding, but in most environments you will be onboarding servers that are on private networks.

SSH for Azure Arc-enabled Servers enables RBAC controlled SSH based connectivity without public IPs or open ports and therefore reduces the attack surface whilst maintaining centralised management capabilities.


Enable SSH access to the on prem

  • Linux VMs using AAD credentials

  • Windows VMs using the onpremadmin account

    Ensure the azcmagent incoming connections are configured for ports 22 and 3389 on the Windows servers

Note that the Microsoft.HybridConnectivity provider has already been registered in the Azure Pass subscriptions.

Success criteria

Demonstrate to your proctors that you:

  • can connect to all hosts using either az ssh arc or Enter-AzVM


  • Which built-in RBAC role would be a good choice for a security group of Linux users?
  • How would you disable SSH access?


Next Steps

The endpoint you have created on your Windows on prem servers will also be used in the next lab where you will explore using Windows Admin Center.

Help us improve

Azure Citadel is a community site built on GitHub, please contribute and send a pull request

 Make a change