
How to connect to Azure VMs via WinRM using PowerShell


I have two Azure VMs. I need to connect to them via WinRM from my local computer and deploy an IIS website on the VMs via a PowerShell script. The main problem is that I do not understand how to connect to the VMs from the local computer via WinRM, since the machines do not have a public IP address, and the connection to them goes through a public address from the LoadBalancer.


Solution

  • I would suggest you use a custom script extension with your virtual machines and execute a PowerShell script that will help you connect to the VM using the certificate stored in the key vault, and further ensure that the 'WinRM' service is running successfully on the VM, as below, to connect through the Windows Remote Management service to the VM for executing a certain script:

    Enable-PSRemoting -Force
    Get-Service WinRM
    

    You can use the below PowerShell script to create an Azure Key Vault, create a certificate store in it, generate a secret URL for it and connect to the VM using this configuration:

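    # Start a VM configuration object; the placeholders are filled in by the caller.
    $vm = New-AzVMConfig -VMName "<VM name>" -VMSize "<VM Size>"
    $credential = Get-Credential
    # URL of the Key Vault secret that holds the WinRM certificate.
    $secretURL = (Get-AzKeyVaultSecret -VaultName "<vault name>" -Name "<secret name>").Id
    # Enable the WinRM HTTP and HTTPS listeners and bind the HTTPS listener to that certificate.
    $vm = Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName "<Computer Name>" -Credential $credential -WinRMHttp -WinRMHttps -ProvisionVMAgent -WinRMCertificateUrl $secretURL
    $sourceVaultId = (Get-AzKeyVault -ResourceGroupName "<Resource Group name>" -VaultName "<Vault Name>").ResourceId
    # Install the certificate into the VM's LocalMachine\My store at provisioning time.
    $CertificateStore = "My"
    $vm = Add-AzVMSecret -VM $vm -SourceVaultId $sourceVaultId -CertificateStore $CertificateStore -CertificateUrl $secretURL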
    

    Please find the below link for more clarification in this regard:

    https://learn.microsoft.com/en-us/azure/virtual-machines/windows/connect-winrm

    • Ensure that ports 5985 for WinRM HTTP and 5986 for WinRM HTTPS, as well as ports 80 and 443 for the respective WinRM HTTP and HTTPS connections to be made, are allowed through the load balancer for inbound as well as outbound connections for the WinRM service.

    • Also, you can connect to your VMs configured with a private IP address through a jump VM that is configured with a public IP address, but you will still have to enable the custom script extension to execute a PowerShell command remotely on them. If these VMs are joined to a domain, then ensure that the below group policies are not applied on them, as these will not enable WinRM services to be executed successfully on them, as well as that the 'WinRM' service is started and the respective group policy is enabled successfully on these VMs:

    Computer Configuration --> Policies --> Administrative Templates: Policy definitions --> Windows Components --> Windows Remote Management (WinRM) --> WinRM Service --> Allow remote server management through WinRM --> Enabled
    

    Please find the below link for more clarification in this regard:

    https://support.auvik.com/hc/en-us/articles/204424994-How-to-enable-WinRM-with-domain-controller-Group-Policy-for-WMI-monitoring
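
The client-side connection from the local computer to both VMs, added here as an example and not part of the original answer. It assumes the load balancer has one inbound NAT rule per VM mapping a frontend port (50001 and 50002 are constructed values) to the VM's WinRM HTTPS port 5986, and that the WinRM certificate is issued for the load balancer's DNS name and trusted by the client.

```powershell
# Added example. Host name, VM labels and frontend ports are assumptions, not values from the page.
$lbHost = '<load balancer public DNS name>'   # must match the subject/SAN of the WinRM certificate

# Assumed inbound NAT rules: one frontend port per VM, each forwarding to backend port 5986.
$targets = @(
    @{ Name = 'vm1'; Port = 50001 },
    @{ Name = 'vm2'; Port = 50002 }
)
$credential = Get-Credential   # administrator account on the VMs

# Certificate validation stays on: no -SkipCACheck / -SkipCNCheck / -SkipRevocationCheck.
# A self-signed certificate has to be imported into the client's trusted roots instead.
$sessionOption = New-PSSessionOption -OpenTimeout 30000

foreach ($t in $targets) {
    # Check that the NAT rule and NSG let the HTTPS listener through before sending credentials.
    $probe = Test-NetConnection -ComputerName $lbHost -Port $t.Port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        Write-Warning "$($t.Name): TCP $($t.Port) on $lbHost is not reachable; check the NAT rule and NSG."
        continue
    }

    $session = $null
    try {
        # -UseSSL forces WinRM over HTTPS, so credentials never cross the internet on port 5985.
        $session = New-PSSession -ComputerName $lbHost -Port $t.Port -UseSSL `
            -Credential $credential -SessionOption $sessionOption -ErrorAction Stop

        # Install IIS on the VM and report the resulting state back to the caller.
        Invoke-Command -Session $session -ScriptBlock {
            Install-WindowsFeature -Name Web-Server -IncludeManagementTools | Out-Null
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                IIS      = (Get-WindowsFeature -Name Web-Server).InstallState
            }
        }
    }
    catch {
        Write-Warning "$($t.Name): WinRM over HTTPS failed: $($_.Exception.Message)"
    }
    finally {
        if ($session) { Remove-PSSession -Session $session }
    }
}
```

Restricting the NAT rules' source addresses in the network security group to the deploying machine keeps the WinRM listeners from being exposed to the whole internet.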