Microsoft recently announced the preview of Azure Virtual Machine Serial Console, a very handy tool that customers and the Microsoft Support Services team can use to troubleshoot issues with Azure VMs.
Let us first define this before we go any further. The virtual machine serial console on Azure provides access to a text-based console for Linux and Windows virtual machines.
This has been one of the long-standing features that customers have been asking Microsoft for. For example, if a virtual machine does not come up and you cannot RDP/SSH into it, there is no way to know what state it is in. You can still get a screenshot and console logs, but there has been no bidirectional way to connect to these VMs.
The cool thing is that it does not use the Hyper-V console, as you might expect (that would be a major security flaw). Instead it uses a serial connection to the COM1 serial port of the virtual machine, and this access does not depend on the virtual machine's network or operating system state.
Prerequisites to use Azure Virtual Machine Serial Console
- The VM must have been deployed using the Resource Manager deployment model. Classic deployments are not supported.
- The virtual machine MUST have boot diagnostics enabled.
- The account using the serial console must have the Contributor role on the VM and on the boot diagnostics storage account.
How do I connect to the Azure Virtual Machine Serial Console?
As of today, you can access the Serial Console only through the Azure Portal. To open it, select the VM in question, scroll down to the Support + Troubleshooting section and click the Serial console (Preview) option.
This opens a serial connection to the COM1 port, and the screen below appears. Type a question mark (?) to see what options are available.
As you can see from the screen above, these are very low-level operations that you can perform on the Azure VM.
Secure Administrator Console (SAC) is actually implemented as a kernel-mode driver inside the Windows VM.
I can open a command prompt if I want to, display the IP address associated with the VM, crash the VM so that a dump can be collected for debugging, and so on.
How secure is the Azure Virtual Machine Serial Console?
- By default, only users who have VM Contributor or higher access to the virtual machine can use the console.
- All the data between the Azure Portal UI and the VM is encrypted on the wire. Imagine a proxy sitting between you and the Azure VM that brokers your access to the serial console, with everything encrypted.
- Anything you do on the serial console is logged in the Boot Diagnostics logs of the Azure VM and can easily be tracked.
How do I disable the Azure Virtual Machine Serial Console?
This feature is enabled by default on every Azure VM that has boot diagnostics configured. To disable the serial console, you need to disable the VM's boot diagnostics setting. This is a trade-off you will have to make. This may change in the future once Microsoft figures out another way to do this.
Most of the Linux VMs that you create from the marketplace will have this feature enabled, except for Red Hat VMs, for which you can find the steps here.
There are some extra steps required for VMs created in Azure from uploaded images, as I have described here; let me know and I can write up the changes to be made so that the Serial Console can be used.
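The access model described in the "How secure is it?" section and the disable rule above (the console is reachable exactly when boot diagnostics is enabled on a Resource Manager VM, and usable only by principals holding Contributor-or-higher on both the VM and the boot diagnostics storage account) can be turned into an offline audit. The script below is an added example, not code from the original post or from Microsoft; the VM records are constructed and only mimic the `diagnosticsProfile.bootDiagnostics` shape that `az vm show` returns, the resource types are the real `Microsoft.Compute`/`Microsoft.ClassicCompute` ones, and the role-assignment records and the `CONSOLE_ROLES` set (which treats Owner as including Contributor) are simplifying assumptions.

```python
"""Audit which VMs expose the Azure serial console and who could use it.

Added example (hypothetical helper, not Microsoft tooling). Input records are
constructed to resemble `az vm show` / role-assignment output; assumptions are
marked inline.
"""
from urllib.parse import urlparse

# Roles assumed to grant console access ("VM Contributor or above" in the post).
CONSOLE_ROLES = {"Contributor", "Owner", "Virtual Machine Contributor"}
ARM_VM_TYPE = "Microsoft.Compute/virtualMachines"


def scope_covers(scope, resource_id):
    """True if a role assignment at `scope` applies to `resource_id`.
    Azure RBAC inherits down subscription -> resource group -> resource,
    so the scope must be the resource itself or one of its ancestors."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def storage_account_name(storage_uri):
    """'https://bootdiagstore.blob.core.windows.net/' -> 'bootdiagstore'."""
    return urlparse(storage_uri).hostname.split(".")[0]


def serial_console_reachable(vm):
    """Apply the post's platform prerequisites. Returns (bool, reason)."""
    if vm.get("type") != ARM_VM_TYPE:
        return False, "classic deployment model is not supported"
    boot = vm.get("diagnosticsProfile", {}).get("bootDiagnostics", {})
    if not boot.get("enabled"):
        return False, "boot diagnostics disabled, so the serial console is off"
    if not boot.get("storageUri"):
        return False, "boot diagnostics has no storage account"
    return True, "boot diagnostics enabled on a Resource Manager VM"


def principals_with_console_access(vm, storage_accounts, assignments):
    """Principals holding a console role on BOTH the VM and its boot
    diagnostics storage account (the post requires Contributor on each)."""
    uri = vm["diagnosticsProfile"]["bootDiagnostics"]["storageUri"]
    storage_id = storage_accounts[storage_account_name(uri)]

    def holders(resource_id):
        return {a["principal"] for a in assignments
                if a["role"] in CONSOLE_ROLES and scope_covers(a["scope"], resource_id)}

    return sorted(holders(vm["id"]) & holders(storage_id))


def audit(vms, storage_accounts, assignments):
    """Per-VM report: is the console reachable, why, and who can use it."""
    report = {}
    for vm in vms:
        ok, reason = serial_console_reachable(vm)
        who = principals_with_console_access(vm, storage_accounts, assignments) if ok else []
        report[vm["name"]] = {"console_reachable": ok, "reason": reason, "principals": who}
    return report


# --- constructed sample data (placeholder subscription id) -----------------
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod"
STORAGE_ACCOUNTS = {
    "bootdiagstore": RG + "/providers/Microsoft.Storage/storageAccounts/bootdiagstore",
}
VMS = [
    {"name": "web01", "type": ARM_VM_TYPE,
     "id": RG + "/providers/Microsoft.Compute/virtualMachines/web01",
     "diagnosticsProfile": {"bootDiagnostics": {
         "enabled": True, "storageUri": "https://bootdiagstore.blob.core.windows.net/"}}},
    {"name": "app02", "type": ARM_VM_TYPE,
     "id": RG + "/providers/Microsoft.Compute/virtualMachines/app02",
     "diagnosticsProfile": {"bootDiagnostics": {"enabled": False}}},
    {"name": "legacy03", "type": "Microsoft.ClassicCompute/virtualMachines",
     "id": RG + "/providers/Microsoft.ClassicCompute/virtualMachines/legacy03"},
]
ROLE_ASSIGNMENTS = [
    # alice: Contributor on the whole resource group -> covers VM and storage.
    {"principal": "alice", "role": "Contributor", "scope": RG},
    # bob: VM-only role, no rights on the storage account -> cannot use console.
    {"principal": "bob", "role": "Virtual Machine Contributor", "scope": VMS[0]["id"]},
    # carol: Reader everywhere -> cannot use console.
    {"principal": "carol", "role": "Reader", "scope": SUB},
    # dave: separate Contributor grants on VM and storage -> can use console.
    {"principal": "dave", "role": "Contributor", "scope": VMS[0]["id"]},
    {"principal": "dave", "role": "Contributor", "scope": STORAGE_ACCOUNTS["bootdiagstore"]},
    # erin: storage only -> cannot use console.
    {"principal": "erin", "role": "Contributor", "scope": STORAGE_ACCOUNTS["bootdiagstore"]},
]

if __name__ == "__main__":
    for name, row in audit(VMS, STORAGE_ACCOUNTS, ROLE_ASSIGNMENTS).items():
        print(f"{name:10} reachable={row['console_reachable']!s:5} "
              f"principals={row['principals']}  ({row['reason']})")
```

On real data the same functions can be fed the JSON from `az vm show` and `az role assignment list`; the point of the intersection in `principals_with_console_access` is that a principal with rights on the VM alone (bob) or on the storage account alone (erin) still cannot open the console, while `serial_console_reachable` makes explicit that turning off boot diagnostics is what removes the console, at the cost of the boot logs the post mentions.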
I hope this has been informative and thank you for reading!