Merge pull request #203884 from erik-ha-msft/erikha-aks-rdp

v-MarkAllen · web-flow · commit a6ef3b2cccc0 · 2022-07-07T15:44:39.000-04:00
[AKS - Update RDP and add Azure Bastion steps
diff --git a/articles/aks/rdp.md b/articles/aks/rdp.md
@@ -4,15 +4,17 @@ titleSuffix: Azure Kubernetes Service
 description: Learn how to create an RDP connection with Azure Kubernetes Service (AKS) cluster Windows Server nodes for troubleshooting and maintenance tasks.
 services: container-service
 ms.topic: article
-ms.date: 06/04/2019
+ms.date: 07/06/2022
 
 
 #Customer intent: As a cluster operator, I want to learn how to use RDP to connect to nodes in an AKS cluster to perform maintenance or troubleshoot a problem.
 ---
 
 # Connect with RDP to Azure Kubernetes Service (AKS) cluster Windows Server nodes for maintenance or troubleshooting
 
-Throughout the lifecycle of your Azure Kubernetes Service (AKS) cluster, you may need to access an AKS Windows Server node. This access could be for maintenance, log collection, or other troubleshooting operations. You can access the AKS Windows Server nodes using RDP. Alternatively, if you want to use SSH to access the AKS Windows Server nodes and you have access to the same keypair that was used during cluster creation, you can follow the steps in [SSH into Azure Kubernetes Service (AKS) cluster nodes][ssh-steps]. For security purposes, the AKS nodes are not exposed to the internet.
+Throughout the lifecycle of your Azure Kubernetes Service (AKS) cluster, you may need to access an AKS Windows Server node. This access could be for maintenance, log collection, or other troubleshooting operations. You can access the AKS Windows Server nodes using RDP. For security purposes, the AKS nodes aren't exposed to the internet.
+
+Alternatively, if you want to SSH to your AKS Windows Server nodes, you'll need access to the same key-pair that was used during cluster creation. Follow the steps in [SSH into Azure Kubernetes Service (AKS) cluster nodes][ssh-steps]. 
 
 This article shows you how to create an RDP connection with an AKS node using their private IP addresses.
 
@@ -22,13 +24,13 @@ This article shows you how to create an RDP connection with an AKS node using th
 
 This article assumes that you have an existing AKS cluster with a Windows Server node. If you need an AKS cluster, see the article on [creating an AKS cluster with a Windows container using the Azure CLI][aks-quickstart-windows-cli]. You need the Windows administrator username and password for the Windows Server node you want to troubleshoot. You also need an RDP client such as [Microsoft Remote Desktop][rdp-mac].
 
-If you need to reset the password you can use `az aks update` to change the password.
+If you need to reset the password, use `az aks update` to change the password.
 
 ```azurecli-interactive
 az aks update -g myResourceGroup -n myAKSCluster --windows-admin-password $WINDOWS_ADMIN_PASSWORD
 ```
 
-If you need to reset both the username and password, see [Reset Remote Desktop Services or its administrator password in a Windows VM
+If you need to reset the username and password, see [Reset Remote Desktop Services or its administrator password in a Windows VM
 ](/troubleshoot/azure/virtual-machines/reset-rdp).
 
 You also need the Azure CLI version 2.0.61 or later installed and configured. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][install-azure-cli].
@@ -37,15 +39,15 @@ You also need the Azure CLI version 2.0.61 or later installed and configured. Ru
 
 This article assumes that you have an existing AKS cluster with a Windows Server node. If you need an AKS cluster, see the article on [creating an AKS cluster with a Windows container using the Azure PowerShell][aks-quickstart-windows-powershell]. You need the Windows administrator username and password for the Windows Server node you want to troubleshoot. You also need an RDP client such as [Microsoft Remote Desktop][rdp-mac].
 
-If you need to reset the password you can use `Set-AzAksCluster` to change the password.
+If you need to reset the password, use `Set-AzAksCluster` to change the password.
 
 ```azurepowershell-interactive
 $cluster = Get-AzAksCluster -ResourceGroupName myResourceGroup -Name myAKSCluster
 $cluster.WindowsProfile.AdminPassword = $WINDOWS_ADMIN_PASSWORD
 $cluster | Set-AzAksCluster
 ```
 
-If you need to reset both the username and password, see [Reset Remote Desktop Services or its administrator password in a Windows VM
+If you need to reset the username and password, see [Reset Remote Desktop Services or its administrator password in a Windows VM
 ](/troubleshoot/azure/virtual-machines/reset-rdp).
 
 You also need the Azure PowerShell version 7.5.0 or later installed and configured. Run `Get-InstalledModule -Name Az` to find the version. If you need to install or upgrade, see [Install Azure PowerShell][install-azure-powershell].
@@ -60,7 +62,11 @@ The following example creates a virtual machine named *myVM* in the *myResourceG
 
 ### [Azure CLI](#tab/azure-cli)
 
-First, get the subnet used by your Windows Server node pool. To get the subnet ID, you need the name of the subnet. To get the name of the subnet, you need the name of the VNet. Get the VNet name by querying your cluster for its list of networks. To query the cluster, you need its name. You can get all of these by running the following in the Azure Cloud Shell:
+You'll need to get the subnet ID used by your Windows Server node pool. The commands below will query for the following information:
+* The cluster's node resource group
+* The virtual network
+* The subnet's name
+* The subnet ID
 
 ```azurecli-interactive
 CLUSTER_RG=$(az aks show -g myResourceGroup -n myAKSCluster --query nodeResourceGroup -o tsv)
@@ -69,16 +75,22 @@ SUBNET_NAME=$(az network vnet subnet list -g $CLUSTER_RG --vnet-name $VNET_NAME
 SUBNET_ID=$(az network vnet subnet show -g $CLUSTER_RG --vnet-name $VNET_NAME --name $SUBNET_NAME --query id -o tsv)
 ```
 
-Now that you have the SUBNET_ID, run the following command in the same Azure Cloud Shell window to create the VM:
+Now that you've the SUBNET_ID, run the following command in the same Azure Cloud Shell window to create the VM:
 
 ```azurecli-interactive
+PUBLIC_IP_ADDRESS="myVMPublicIP"
+
 az vm create \
     --resource-group myResourceGroup \
     --name myVM \
     --image win2019datacenter \
     --admin-username azureuser \
-    --admin-password myP@ssw0rd12 \
+    --admin-password {admin-password} \
     --subnet $SUBNET_ID \
+    --nic-delete-option delete \
+    --os-disk-delete-option delete \
+    --nsg "" \
+    --public-ip-address $PUBLIC_IP_ADDRESS \
     --query publicIpAddress -o tsv
 ```
 
@@ -88,11 +100,15 @@ The following example output shows the VM has been successfully created and disp
 13.62.204.18
 ```
 
-Record the public IP address of the virtual machine. You will use this address in a later step.
+Record the public IP address of the virtual machine. You'll use this address in a later step.
 
 ### [Azure PowerShell](#tab/azure-powershell)
 
-First, get the subnet used by your Windows Server node pool. You need the name of the subnet and its address prefix. To get the name of the subnet, you need the name of the VNet. Get the VNet name by querying your cluster for its list of networks. To query the cluster, you need its name. You can get all of these by running the following in the Azure Cloud Shell:
+You'll need to get the subnet ID used by your Windows Server node pool. The commands below will query for the following information:
+* The cluster's node resource group
+* The virtual network
+* The subnet's name and address prefix
+* The subnet ID
 
 ```azurepowershell-interactive
 $CLUSTER_RG = (Get-AzAksCluster -ResourceGroupName myResourceGroup -Name myAKSCluster).nodeResourceGroup  
@@ -115,15 +131,18 @@ $ipParams = @{
 New-AzPublicIpAddress @ipParams
 
 $vmParams = @{
-    ResourceGroupName   = 'myResourceGroup'
-    Name                = 'myVM'
-    Image               = 'win2019datacenter'
-    Credential          = Get-Credential azureuser
-    VirtualNetworkName  = $VNET_NAME
-    AddressPrefix       = $ADDRESS_PREFIX
-    SubnetName          = $SUBNET_NAME
-    SubnetAddressPrefix = $SUBNET_ADDRESS_PREFIX
-    PublicIpAddressName = 'myPublicIP'
+    ResourceGroupName            = 'myResourceGroup'
+    Name                         = 'myVM'
+    Image                        = 'win2019datacenter'
+    Credential                   = Get-Credential azureuser
+    VirtualNetworkName           = $VNET_NAME
+    AddressPrefix                = $ADDRESS_PREFIX
+    SubnetName                   = $SUBNET_NAME
+    SubnetAddressPrefix          = $SUBNET_ADDRESS_PREFIX
+    PublicIpAddressName          = 'myPublicIP'
+    OSDiskDeleteOption           = 'Delete'
+    NetworkInterfaceDeleteOption = 'Delete'
+    DataDiskDeleteOption         = 'Delete'
 }
 New-AzVM @vmParams
 
@@ -136,7 +155,7 @@ The following example output shows the VM has been successfully created and disp
 13.62.204.18
 ```
 
-Record the public IP address of the virtual machine. You will use this address in a later step.
+Record the public IP address of the virtual machine. You'll use this address in a later step.
 
 ---
 
@@ -146,7 +165,6 @@ AKS node pool subnets are protected with NSGs (Network Security Groups) by defau
 
 > [!NOTE]
 > The NSGs are controlled by the AKS service. Any change you make to the NSG will be overwritten at any time by the control plane.
->
 
 ### [Azure CLI](#tab/azure-cli)
 
@@ -160,7 +178,14 @@ NSG_NAME=$(az network nsg list -g $CLUSTER_RG --query [].name -o tsv)
 Then, create the NSG rule:
 
 ```azurecli-interactive
-az network nsg rule create --name tempRDPAccess --resource-group $CLUSTER_RG --nsg-name $NSG_NAME --priority 100 --destination-port-range 3389 --protocol Tcp --description "Temporary RDP access to Windows nodes"
+az network nsg rule create \
+ --name tempRDPAccess \
+ --resource-group $CLUSTER_RG \
+ --nsg-name $NSG_NAME \
+ --priority 100 \
+ --destination-port-range 3389 \
+ --protocol Tcp \
+ --description "Temporary RDP access to Windows nodes"
 ```
 
 ### [Azure PowerShell](#tab/azure-powershell)
@@ -239,7 +264,7 @@ aks-nodepool1-42485177-vmss000000   Ready    agent   18h   v1.12.7   10.240.0.4
 aksnpwin000000                      Ready    agent   13h   v1.12.7   10.240.0.67   <none>        Windows Server Datacenter   10.0.17763.437
 ```
 
-Record the internal IP address of the Windows Server node you wish to troubleshoot. You will use this address in a later step.
+Record the internal IP address of the Windows Server node you wish to troubleshoot. You'll use this address in a later step.
 
 ## Connect to the virtual machine and node
 
@@ -251,7 +276,7 @@ After you've connected to your virtual machine, connect to the *internal IP addr
 
 ![Image of connecting to the Windows Server node using an RDP client](media/rdp/node-rdp.png)
 
-You are now connected to your Windows Server node.
+You're now connected to your Windows Server node.
 
 ![Image of cmd window in the Windows Server node](media/rdp/node-session.png)
 
@@ -264,18 +289,29 @@ You can now run any troubleshooting commands in the *cmd* window. Since Windows
 When done, exit the RDP connection to the Windows Server node then exit the RDP session to the virtual machine. After you exit both RDP sessions, delete the virtual machine with the [az vm delete][az-vm-delete] command:
 
 ```azurecli-interactive
-az vm delete --resource-group myResourceGroup --name myVM
+# Delete the virtual machine
+az vm delete \
+ --resource-group myResourceGroup \
+ --name myVM
 ```
 
-And the NSG rule:
+Delete the public IP associated with the virtual machine:
 
 ```azurecli-interactive
-CLUSTER_RG=$(az aks show -g myResourceGroup -n myAKSCluster --query nodeResourceGroup -o tsv)
-NSG_NAME=$(az network nsg list -g $CLUSTER_RG --query [].name -o tsv)
-```
+az network public-ip delete \
+ --resource-group myResourceGroup \
+ --name $PUBLIC_IP_ADDRESS
+ ```
+
+Delete the NSG rule:
 
 ```azurecli-interactive
-az network nsg rule delete --resource-group $CLUSTER_RG --nsg-name $NSG_NAME --name tempRDPAccess
+CLUSTER_RG=$(az aks show -g myResourceGroup -n myAKSCluster --query nodeResourceGroup -o tsv)
+NSG_NAME=$(az network nsg list -g $CLUSTER_RG --query [].name -o tsv)
+az network nsg rule delete \
+ --resource-group $CLUSTER_RG \
+ --nsg-name $NSG_NAME \
+ --name tempRDPAccess
 ```
 
 ### [Azure PowerShell](#tab/azure-powershell)
@@ -286,22 +322,80 @@ When done, exit the RDP connection to the Windows Server node then exit the RDP
 Remove-AzVM -ResourceGroupName myResourceGroup -Name myVM
 ```
 
-And the NSG rule:
+Delete the public IP associated with the virtual machine:
+
+```azurepowershell-interactive
+Remove-AzPublicIpAddress -ResourceGroupName myResourceGroup -Name myPublicIP
+```
+
+Delete the NSG rule:
 
 ```azurepowershell-interactive
 $CLUSTER_RG = (Get-AzAksCluster -ResourceGroupName myResourceGroup -Name myAKSCluster).nodeResourceGroup
 $NSG_NAME = (Get-AzNetworkSecurityGroup -ResourceGroupName $CLUSTER_RG).Name
+
+Get-AzNetworkSecurityGroup -Name $NSG_NAME -ResourceGroupName $CLUSTER_RG | Remove-AzNetworkSecurityRuleConfig -Name tempRDPAccess | Set-AzNetworkSecurityGroup
 ```
 
+Delete the NSG created by default from New-AzVM:
+
 ```azurepowershell-interactive
-Get-AzNetworkSecurityGroup -Name $NSG_NAME -ResourceGroupName $CLUSTER_RG | Remove-AzNetworkSecurityRuleConfig -Name tempRDPAccess | Set-AzNetworkSecurityGroup
+Remove-AzNetworkSecurityGroup -ResourceGroupName myResourceGroup -Name myVM
 ```
 
 ---
 
+## Connect with Azure Bastion
+
+Alternatively, you can use [Azure Bastion][azure-bastion] to connect to your Windows Server node.
+
+### Deploy Azure Bastion
+
+To deploy Azure Bastion, you'll need to find the virtual network your AKS cluster is connected to. 
+
+1. In the Azure portal, go to **Virtual networks**. Select the virtual network your AKS cluster is connected to.
+1. Under **Settings**, select **Bastion**, then select **Deploy Bastion**. Wait until the process is finished before going to the next step.
+
+### Connect to your Windows Server nodes using Azure Bastion
+
+Go to the node resource group of the AKS cluster. Run the command below in the Azure Cloud Shell to get the name of your node resource group:
+
+#### [Azure CLI](#tab/azure-cli)
+
+```azurecli-interactive
+az aks show -n myAKSCluster -g myResourceGroup --query 'nodeResourceGroup' -o tsv
+```
+
+#### [Azure PowerShell](#tab/azure-powershell)
+
+```azurepowershell-interactive
+(Get-AzAksCluster -ResourceGroupName myResourceGroup -Name myAKSCluster).nodeResourceGroup  
+```
+
+---
+
+1. Select **Overview**, and select your Windows node pool virtual machine scale set.
+1. Under **Settings**, select **Instances**. Select a Windows server node that you'd like to connect to.
+1. Under **Support + troubleshooting**, select **Bastion**.
+1. Enter the credentials you set up when the AKS cluster was created. Select **Connect**.
+
+You can now run any troubleshooting commands in the *cmd* window. Since Windows Server nodes use Windows Server Core, there's not a full GUI or other GUI tools when you connect to a Windows Server node over RDP.
+
+> [!NOTE]
+> If you close out of the terminal window, press **CTRL + ALT + End**, select **Task Manager**, select **More details**, select **File**, select **Run new task**, and enter **cmd.exe** to open another terminal. You can also logout and re-connect with Bastion.
+
+### Remove Bastion access
+
+When you're finished, exit the Bastion session and remove the Bastion resource.
+
+1. In the Azure portal, go to **Bastion** and select the Bastion resource you created.
+1. At the top of the page, select **Delete**. Wait until the process is complete before proceeding to the next step.
+1. In the Azure portal, go to **Virtual networks**. Select the virtual network that your AKS cluster is connected to. 
+1. Under **Settings**, select **Subnet**, and delete the **AzureBastionSubnet** subnet that was created for the Bastion resource.
+
 ## Next steps
 
-If you need additional troubleshooting data, you can [view the Kubernetes master node logs][view-master-logs] or [Azure Monitor][azure-monitor-containers].
+If you need more troubleshooting data, you can [view the Kubernetes primary node logs][view-primary-logs] or [Azure Monitor][azure-monitor-containers].
 
 <!-- EXTERNAL LINKS -->
 [kubectl]: https://kubernetes.io/docs/user-guide/kubectl/
@@ -321,4 +415,5 @@ If you need additional troubleshooting data, you can [view the Kubernetes master
 [install-azure-cli]: /cli/azure/install-azure-cli
 [install-azure-powershell]: /powershell/azure/install-az-ps
 [ssh-steps]: ssh.md
-[view-master-logs]: view-master-logs.md
+[view-primary-logs]: ../azure-monitor/containers/container-insights-log-query.md#resource-logs
+[azure-bastion]: ../bastion/bastion-overview.md  
