
I have a Linux VMSS and I'm able to access its VMs using inbound NAT rules defined on the load balancer.

Now, I have new security requirements that are preventing me from using certain ports. Therefore, I can no longer use the NAT ports (I currently use the pattern 5000*, so ports look like 50000, 50001, etc.). What I would like to do is to be able to SSH using port 22, so instead of doing something like ssh -p 50000 myuser@PIP, do ssh myuser@PIP.

I tried accomplishing this by adding a load balancer rule (I thought it could work similarly to how a load balancer can distribute web traffic on port 80 without the need to specify a port). I created the rule like this:

az network lb rule create \
  --resource-group MyResourceGroup \
  --name MyLBRuleName \
  --lb-name MyLBName \
  --backend-pool-name MyBackendPoolName \
  --backend-port 22 \
  --frontend-ip-name loadBalancerFrontEnd \
  --frontend-port 22 \
  --protocol tcp

That did not work.

So, how can I SSH without using the NAT ports?

Ticker23

1 Answer


By default, when you create the VMSS and select to create a new load balancer for it, Azure will create inbound NAT rules for all the VMSS instances, so that you can access the VMSS instances via the public IP of the load balancer with the mapped port, such as 50000. In this way, you can SSH to the specific instance you want.

From the question, you want to SSH to the instances without using NAT rules. Of course, it's possible. You can create a probe for port 22 and then create the load balancer rule for port 22 with backend port 22. In this way, you can also SSH to the VMSS instances. But there is a problem when you use this way. There is only one load balancer rule. If you have multiple instances, the rule will balance the inbound traffic across all the instances. But for SSH, when you first connect to one of the VMSS instances, it will add the host key for that instance to the file ~/.ssh/known_hosts. When the balancer rule balances the traffic to another instance, it will fail to verify the host key. It means you can only SSH into one instance unless you remove the host key from the file ~/.ssh/known_hosts.

Given the above situation, I recommend you use the inbound NAT rules when you want to SSH into a specific instance.

Charles Xu
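As an added illustration (not part of the question or the answer above), the following Python script models OpenSSH's known_hosts lookup to show why a single port-22 load balancer rule produces a host-key mismatch as soon as the balancer hands a later connection to a different instance, while per-instance NAT ports give each instance its own known_hosts entry and stay consistent. The public IP and the host keys are constructed placeholders, not values from the page.

```python
"""Model of the known_hosts check behind the SSH-through-load-balancer problem.

Constructed example: the IP is from a documentation range and the host keys are
placeholder strings, not real keys. OpenSSH records a plain hostname for port 22
and "[host]:port" for any other port, which is what makes the two cases differ.
"""


def known_hosts_name(host, port=22):
    """Return the name OpenSSH uses for this host/port in known_hosts."""
    return host if port == 22 else f"[{host}]:{port}"


def parse_known_hosts(text):
    """Map (host pattern, key type) -> key for plain entries.

    Hashed (|1|...) lines and @cert-authority/@revoked markers are skipped;
    this is a simplified model, not a full known_hosts parser.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "|1|", "@")):
            continue
        hosts, keytype, key = line.split()[:3]
        for h in hosts.split(","):
            entries[(h, keytype)] = key
    return entries


def check_host_key(known_hosts, host, port, keytype, key):
    """'unknown' prompts the user, 'match' proceeds, 'mismatch' aborts the session."""
    recorded = known_hosts.get((known_hosts_name(host, port), keytype))
    if recorded is None:
        return "unknown"
    return "match" if recorded == key else "mismatch"


def simulate_sessions(sessions):
    """Run (host, port, keytype, key) connections against an initially empty
    known_hosts, accepting each new key as a user would at the prompt."""
    known_hosts, verdicts = "", []
    for host, port, keytype, key in sessions:
        verdict = check_host_key(parse_known_hosts(known_hosts), host, port, keytype, key)
        if verdict == "unknown":
            known_hosts += f"{known_hosts_name(host, port)} {keytype} {key}\n"
        verdicts.append(verdict)
    return verdicts


PIP = "203.0.113.10"            # constructed load balancer public IP
KEY_VM0, KEY_VM1 = "AAAA...vm0", "AAAA...vm1"   # placeholder host keys of two instances

# Inbound NAT rules: each instance is reached on its own port, so each gets its own entry.
NAT_SESSIONS = [(PIP, 50000, "ssh-ed25519", KEY_VM0),
                (PIP, 50001, "ssh-ed25519", KEY_VM1),
                (PIP, 50000, "ssh-ed25519", KEY_VM0)]
# One load balancer rule on port 22: the second connection lands on the other instance.
LB_SESSIONS = [(PIP, 22, "ssh-ed25519", KEY_VM0),
               (PIP, 22, "ssh-ed25519", KEY_VM1)]

if __name__ == "__main__":
    print("NAT ports:", simulate_sessions(NAT_SESSIONS))
    print("LB rule:  ", simulate_sessions(LB_SESSIONS))
```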