Restrict SSH access to virtual machines in AKS enabled by Azure Arc (AKS on Azure Stack HCI 22H2)
Applies to: AKS on Azure Stack HCI 22H2, AKS on Windows Server
This article describes a new security feature in AKS Arc that restricts Secure Shell Protocol (SSH) access to underlying virtual machines (VMs). The feature limits access to only certain IP addresses, and restricts the set of commands that you can run over SSH.
Overview
Currently, anyone with administrator access to AKS enabled by Arc can SSH into the VMs from any machine. In some scenarios, you might want to limit that access, because unrestricted access makes it difficult to meet compliance requirements.
Note
Currently, this capability is available only for a new installation of AKS Arc, and not for upgrades. Only a new installation of AKS Arc can pass the restricted IPs and restrict the commands that run over SSH.
Enable SSH restrictions
To enable SSH restrictions, perform the following steps:
Create an SSH configuration using the New-AksHciSSHConfiguration cmdlet, specifying the source IP addresses or CIDR that you want to permit access to the VMs:
$ssh = New-AksHciSSHConfiguration -name sshConfig -cidr 172.16.0.0/24
or
$ssh = New-AksHciSSHConfiguration -name sshConfig -ipAddresses 4.4.4.4,8.8.8.8
or, to restrict the commands that can be run over SSH:
$ssh = New-AksHciSSHConfiguration -name sshConfig -restrictSSHCommands
Note
If the SSH keys are not passed, the management cluster SSH keys are reused.
Add the SSH configuration by running the Set-AksHciConfig cmdlet, passing in the SSH configuration you created in the previous step:
Set-AksHciConfig -ssh $ssh
Validation: target cluster
Once you've created the cluster, you can manually validate that the SSH restriction has been added by trying to SSH into one of the VMs. For example:
ssh -i (get-MocConfig).sshPrivateKey clouduser@<vm-ipaddress>
You can perform this step from an address within the specified list of IP addresses/CIDRs, or from one outside the list. SSH from within the allowed range of IP addresses/CIDRs succeeds; SSH attempts from outside the list are denied.
You can also run a command directly over SSH. The following command returns the date; sudo commands do not work:
ssh -i (Get-MocConfig).sshPrivateKey clouduser@<ip> date
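The following script, added here as an example and not part of the AKS Arc module or of this article, automates the checks above: it runs date and a sudo command over SSH against each VM and reports whether the outcome matches the expected behavior (run it from an allowed host; pass -ExpectDenied when running from a host outside the allowed list). It assumes ssh.exe is on the PATH; the function name Test-AksHciSshRestriction and its parameters are hypothetical.

```powershell
# Added validation helper (hypothetical name, not an AKS Arc cmdlet).
# Assumes: ssh.exe on PATH, the clouduser account and (Get-MocConfig).sshPrivateKey
# as described on this page.
function Test-AksHciSshRestriction {
    param(
        [Parameter(Mandatory)] [string[]] $VmIpAddress,
        [string] $KeyPath = (Get-MocConfig).sshPrivateKey,
        [string] $User = 'clouduser',
        # Use when running from a host OUTSIDE the allowed IPs/CIDR: every attempt must fail.
        [switch] $ExpectDenied
    )
    # BatchMode prevents password prompts from hanging the check; accept-new records
    # unknown host keys without disabling host-key verification for known hosts.
    $sshOpts = @('-i', $KeyPath, '-o', 'BatchMode=yes', '-o', 'ConnectTimeout=10',
                 '-o', 'StrictHostKeyChecking=accept-new')
    foreach ($ip in $VmIpAddress) {
        # Check 1: a plain, permitted command (date) over SSH.
        $null = & ssh @sshOpts "$User@$ip" date 2>&1
        $dateOk = ($LASTEXITCODE -eq 0)
        # Check 2: a sudo command, which the restriction must reject (-n: never prompt).
        $null = & ssh @sshOpts "$User@$ip" sudo -n true 2>&1
        $sudoOk = ($LASTEXITCODE -eq 0)
        if ($ExpectDenied) {
            $asExpected = (-not $dateOk) -and (-not $sudoOk)
        } else {
            $asExpected = $dateOk -and (-not $sudoOk)
        }
        [pscustomobject]@{
            VM         = $ip
            DateWorks  = $dateOk
            SudoWorks  = $sudoOk
            AsExpected = $asExpected
        }
    }
}

# Usage (VM addresses are placeholders): a row with AsExpected = False indicates a
# VM where the SSH restriction is not behaving as this article describes.
Test-AksHciSshRestriction -VmIpAddress '<vm-ipaddress-1>', '<vm-ipaddress-2>' | Format-Table
```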
Validation: log collection
This command returns the VM logs, such as the cloudinit and lb logs:
Get-AksHciLogs -virtualMachineLogs
Considerations
- Individual SSH configuration for workload clusters is now available. The configuration for workload clusters uses the New-AksHciSSHConfiguration PowerShell cmdlet.
- The restriction is only for Linux. Windows nodes do not have this restriction; you should be able to SSH successfully.
- You can only set the configuration during the installation phase of AKS Arc.
- You must perform a reinstall if you incorrectly configure any SSH settings.
- There is no support for upgrades.
- You can specify the CIDRs or IP addresses to which SSH access is restricted.
- The SSH setting you provide is reused for all target clusters. Individual SSH configuration for workload clusters isn't available.