= Use Azure Bastion to RDP over SSH =
**Summary**: This wiki page shows how to use Azure Bastion to RDP to Azure VMs over an SSH tunnel. \\
**Date**: 1 March 2025 \\
{{tag>azure desktop}}
This page is a follow-up on [[k8s-lens]], in which I explain how to use a bastion and a jumpbox VM to connect to a private AKS cluster. The last step there is to use the Azure CLI to create an SSH tunnel over which Lens can connect to the cluster. But what if you also have some Windows VMs in that same network? In that case, it's quite easy to extend the existing SSH tunnel so that you can also RDP to those VMs over the same tunnel.
== Recap of What we Already Have ==
Basically, what we already have is the following set of commands. We log in to Azure, set the subscription and then create an SSH tunnel to the jumpbox VM through the bastion:
<code powershell>
# Login to Azure
az config set core.login_experience_v2=off
az config set core.enable_broker_on_windows=false
az login --tenant 7e4an71d-a123-a123-a123-abcd12345678
# Set the subscription to the bastion subscription
az account set --subscription aa123456-a123-a123-a123-abcd12345678
# Create a ssh tunnel to the jumpbox through the bastion
az network bastion ssh --name bas-001 --resource-group "rg-bastion" --target-resource-id /subscriptions/aa123456-a123-a123-a123-abcd12345678/resourceGroups/rg-cluster/providers/Microsoft.Compute/virtualMachines/vm-jumpbox --auth-type AAD -- -L 6443:aks-privatecluster-m8k6low2.privatelink.westeurope.azmk8s.io:443
</code>
== Extend the SSH Tunnel for RDP ==
Now, to also use the same SSH tunnel for RDP towards some of the VMs we have in Azure, we can simply add additional ''-L'' port forwarding rules to the SSH tunnel command. In the example below, I added port forwarding rules for two VMs, each mapping a local port to port 3389 on the VM as seen from the jumpbox. For easy reference, I also added some Write-Host statements to show which local port corresponds to which VM. This is the relevant fragment of the PowerShell string array I use to launch the tunnel:
<code powershell>
"Write-Host 'Start ssh client tunnel to Jumpbox (vm-jumpbox)' -ForegroundColor Red;",
"Write-Host ' 6443:aks-euw-vtx-prd-privatecluster' -ForegroundColor Red;",
"Write-Host ' vm-app1.getshifting.local: mstsc /v:127.0.0.1:19001' -ForegroundColor Red;",
"Write-Host ' vm-app2.getshifting.local: mstsc /v:127.0.0.1:19002' -ForegroundColor Red;",
"az network bastion ssh --name bas-001 --resource-group rg-bastion --target-resource-id /subscriptions/aa123456-a123-a123-a123-abcd12345678/resourceGroups/rg-cluster/providers/Microsoft.Compute/virtualMachines/vm-jumpbox --auth-type AAD -- -L 6443:aks-privatecluster-m8k6low2.privatelink.westeurope.azmk8s.io:443 -L 19001:vm-app1.getshifting.local:3389 -L 19002:vm-app2.getshifting.local:3389;"
</code>
You can now use RDP towards the VMs using an alternate localhost port, for example ''mstsc /v:127.0.0.1:19001'' for vm-app1 and ''mstsc /v:127.0.0.1:19002'' for vm-app2. Since ''-L'' binds the forwarded ports to the loopback interface by default, they are only reachable from your own machine, and every RDP session still goes through the bastion and the jumpbox, so nothing is exposed on the VMs themselves.
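The following script is an added example, not code from the original page. It does the same thing as the launcher fragment above, but builds the ''-L'' list from a table of local port to target mappings, binds each forward explicitly to 127.0.0.1, and refuses to start when one of the local ports is already listening (otherwise ''mstsc'' would silently connect to whatever is on that port). The tenant and subscription ids, resource names and hostnames are the placeholder values from this page; replace them with your own.

```powershell
# Added example (not from the original page): build the Azure Bastion SSH tunnel
# command from a table of local port -> remote target mappings instead of hand-editing
# the -L list, and fail early if a local port is already in use.
# All ids, names and hostnames below are placeholders taken from this page.

$TenantId       = '7e4an71d-a123-a123-a123-abcd12345678'   # placeholder tenant id
$SubscriptionId = 'aa123456-a123-a123-a123-abcd12345678'   # placeholder subscription id
$BastionName    = 'bas-001'
$BastionRg      = 'rg-bastion'
$JumpboxId      = "/subscriptions/$SubscriptionId/resourceGroups/rg-cluster/providers/Microsoft.Compute/virtualMachines/vm-jumpbox"

# Local port -> host:port as reachable from the jumpbox.
$Forwards = [ordered]@{
    6443  = 'aks-privatecluster-m8k6low2.privatelink.westeurope.azmk8s.io:443'  # AKS API server
    19001 = 'vm-app1.getshifting.local:3389'                                    # RDP to vm-app1
    19002 = 'vm-app2.getshifting.local:3389'                                    # RDP to vm-app2
}

# Refuse to start if any local port already has a listener; a forward that fails to bind
# would otherwise leave mstsc talking to some other local process.
$busy = foreach ($port in $Forwards.Keys) {
    if (Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue) { $port }
}
if ($busy) { throw "Local port(s) already in use: $($busy -join ', ')" }

# One '-L 127.0.0.1:<local>:<host>:<port>' pair per entry. Binding to 127.0.0.1 explicitly
# documents that the forwards are reachable only from this machine.
$sshArgs = foreach ($port in $Forwards.Keys) {
    '-L'
    "127.0.0.1:${port}:$($Forwards[$port])"
}

# Print the same kind of reference table as the Write-Host lines on the page.
Write-Host "Start ssh client tunnel to Jumpbox (vm-jumpbox) via $BastionName" -ForegroundColor Red
foreach ($port in $Forwards.Keys) {
    $target = $Forwards[$port]
    $hint = if ($target -like '*:3389') { "mstsc /v:127.0.0.1:$port" } else { "local port $port" }
    Write-Host ("  {0,-72} {1}" -f $target, $hint) -ForegroundColor Red
}

az config set core.login_experience_v2=off
az config set core.enable_broker_on_windows=false
az login --tenant $TenantId
az account set --subscription $SubscriptionId
az network bastion ssh --name $BastionName --resource-group $BastionRg `
    --target-resource-id $JumpboxId --auth-type AAD -- $sshArgs
```

Adding a VM is then a single new line in ''$Forwards''; the ''-L'' arguments and the ''mstsc'' hints follow from it, so the port in the hint can never drift from the port that is actually forwarded.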