Introduction
You have an Ubuntu instance running in an Azure Virtual Machine. You connect to this instance via SSH. One day you decide to enable the UFW firewall and your SSH connection drops. You cannot reconnect.
Problem
Enabling the UFW firewall blocked SSH access.
Solution
This article shows three methods of solving this problem.
- Use the Azure CLI to execute a command on the virtual machine.
- Run a command in the Azure Portal.
- Connect to the virtual machine serial console and disable the UFW firewall.
Each of these methods has benefits and drawbacks. The simplest is method #2 which uses the Azure Portal. I prefer method #1 which uses the CLI so that I can save and/or parse the output. Method #3 is more complicated but is very useful when you need to repair a virtual machine and/or need an interactive command environment similar to ssh.
Requirements
Methods #1 and #2
These methods run a command on the virtual machine. This requires the permission Microsoft.Compute/virtualMachines/runCommand/action. The role Virtual Machine Contributor or higher has this permission.
Method #3
This method uses the Azure Portal to access the virtual machine serial console. I do not know the permission required, but the role Virtual Machine Contributor or higher has permission. Permission is also required for the boot diagnostics storage account.
To access the Serial Console on your VM or virtual machine scale set instance, you will need the following [source]:
- Boot diagnostics must be enabled for the VM
- A user account that uses password authentication must exist within the VM. You can create a password-based user with the reset password function of the VM access extension. Select Reset password from the Support + troubleshooting section.
- The Azure account accessing Serial Console must have the Virtual Machine Contributor role for both the VM and the boot diagnostics storage account
- Classic deployments aren’t supported. Your VM or virtual machine scale set instance must use the Azure Resource Manager deployment model.
Restrictions
Methods #1 and #2
The following restrictions apply when you’re using Run Command [source]:
- Output is limited to the last 4,096 bytes.
- The minimum time to run a script is about 20 seconds.
- Scripts run by default as an elevated user on Linux.
- You can run one script at a time.
- Scripts that prompt for information (interactive mode) are not supported.
- You can’t cancel a running script.
- The maximum time a script can run is 90 minutes. After that, the script will time out.
- Outbound connectivity from the VM is required to return the results of the script.
Method #3
- Serial Console is currently incompatible with a managed boot diagnostics storage account.
Method 1: Use the Azure CLI to execute a command on the virtual machine
This method disables the UFW firewall. Optionally you can leave the UFW firewall enabled and only enable SSH access.
You will need the Azure Resource Group name and Virtual Machine name.
Step 1:
Authenticate the Azure CLI.
    az login
Step 2:
This step uses the Azure CLI to execute a remote command on the virtual machine.
Note: replace the text REPLACE_ME with values for your account. To leave the firewall enabled and only allow SSH, replace the command ufw disable with ufw allow ssh.
Command to run on a Windows system:
    @set RESOURCE_GROUP=REPLACE_ME
    @set VM_NAME=REPLACE_ME
    az vm run-command invoke ^
      --resource-group %RESOURCE_GROUP% ^
      --name %VM_NAME% ^
      --command-id RunShellScript ^
      --scripts "ufw disable"
Command to run on a Linux system:
    RESOURCE_GROUP=REPLACE_ME
    VM_NAME=REPLACE_ME
    az vm run-command invoke \
      --resource-group $RESOURCE_GROUP \
      --name $VM_NAME \
      --command-id RunShellScript \
      --scripts "ufw disable"
You should now be able to connect to the VM instance normally using SSH.
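The following script is an added example and is not part of the original article. It wraps the Run Command call from Step 2 in the safer variant the note above mentions (allow SSH rather than disable the firewall), appends ufw status verbose to the remote script so that the returned output shows whether port 22 is now open, and parses that output. The JSON field value[0].message, extracted with --query and --output tsv, is where the az CLI returns the stdout and stderr of the remote script; the ssh_allowed helper reads that text on stdin and succeeds when UFW is inactive or has an ALLOW rule for ssh, 22/tcp or OpenSSH. The sample ufw output in the comments is constructed, and the Azure call is only made when a resource group and VM name are passed as the two arguments, so the parsing helper can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original article): repair SSH access through
# Azure Run Command without disabling UFW, and check the returned output.

# Script executed on the VM as root by the RunShellScript command.
# `ufw allow ssh` opens 22/tcp; `ufw status verbose` is printed afterwards so
# the status table lands in the (4,096-byte) output that Run Command returns.
REMEDIATION='ufw allow ssh && ufw status verbose'

# ssh_allowed: read `ufw status` output on stdin. Returns 0 when the firewall
# is inactive or contains an ALLOW rule for ssh, 22, 22/tcp or OpenSSH
# (IPv4 or "(v6)" row), 1 otherwise. Constructed sample of a matching row:
#   22/tcp                     ALLOW IN    Anywhere
ssh_allowed() {
    status="$(cat)"
    if printf '%s\n' "$status" | grep -q '^Status: inactive'; then
        return 0
    fi
    printf '%s\n' "$status" \
        | grep -Eq '^(ssh|22(/tcp)?|OpenSSH)( \(v6\))?[[:space:]]+ALLOW'
}

# fix_ssh_access RESOURCE_GROUP VM_NAME: run REMEDIATION on the VM and print
# the message field, i.e. the remote script's stdout and stderr.
fix_ssh_access() {
    az vm run-command invoke \
        --resource-group "$1" \
        --name "$2" \
        --command-id RunShellScript \
        --scripts "$REMEDIATION" \
        --query 'value[0].message' \
        --output tsv
}

# Only contact Azure when both arguments are given; otherwise do nothing so the
# helpers above can be sourced and tested without credentials or connectivity.
if [ "$#" -eq 2 ]; then
    out="$(fix_ssh_access "$1" "$2")" || exit 1
    printf '%s\n' "$out"
    if printf '%s\n' "$out" | ssh_allowed; then
        echo "SSH is allowed through UFW; reconnect with ssh."
    else
        echo "SSH still blocked; check the output above." >&2
        exit 1
    fi
fi
```

Run it as sh fix-ssh.sh RESOURCE_GROUP VM_NAME after az login. Allowing SSH instead of disabling UFW keeps the rest of the firewall policy intact, and printing the status table means the 4,096-byte output limit still carries the evidence you need, because the table is the last thing the remote script writes.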
Method 2: Run a command in the Azure Portal
This method uses the Azure Portal to enter a command to execute on the virtual machine.
- Log in to the Azure Portal.
- Go to Virtual Machines.
- Click on the virtual machine.
- Under Operations click on Run command.
- Under Name click on RunShellScript.
- Enter ufw disable or ufw allow ssh.
- Click the Run button.
- Wait for the command to execute.
- Review the returned command output.
Method 3: Connect to the serial console and disable the UFW firewall
STEP 1:
This step creates a recovery user with a password.
Note: normally you do not want password-based logins. SSH key pairs are more secure.
- Log in to the Azure Portal.
- Go to Virtual Machines.
- Click on the virtual machine.
- Under Help click on Reset password.
- Under Mode, select Reset password.
- Enter a username.
- Enter a secure password.
- Save your changes.
Step 2:
This step verifies that boot diagnostics is configured correctly so that the serial console can start.
- Log in to the Azure Portal.
- Go to Virtual Machines.
- Click on the virtual machine.
- Under Help click on Boot diagnostics.
- Click Settings.
- Verify that Enable with custom storage account is selected.
- Save your changes.
STEP 3:
This step starts the Virtual Machine serial console.
- Log in to the Azure Portal.
- Go to Virtual Machines.
- Click on the instance.
- Under Help click on Serial console.
- The serial console should start.
- You should see a login prompt. If not click on the window and press the ENTER key.
- Log in with the username and password created in step 1.
- You are now logged into the VM instance.
- Switch to the root user: At the Linux shell prompt enter the command: sudo bash
STEP 4:
This step disables the UFW firewall.
- At the Linux shell prompt enter the command: /usr/sbin/ufw disable
As an option, you can enable SSH access instead of disabling the UFW firewall.
- At the Linux shell prompt enter the command: /usr/sbin/ufw allow ssh
You should now be able to connect to the VM instance normally using SSH.
At the Linux shell prompt, logout. Enter the command exit twice. The first command exits the sudo bash command. The second command logs out of the serial console.
Photography Credits
I write free articles about technology. Recently, I learned about Pexels.com which provides free images. The image in this article is courtesy of Adam Kontor at Pexels.
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) and virtualization, and 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.