Workaround for connecting over SSH to a “source IP”-protected VM from Azure Cloud Shell

Cloud Shell Bash sessions are Linux Azure Virtual Machines, created, allocated and bound dynamically to users requesting a Cloud Shell session. The VMs are managed by Azure and created outside the subscriber’s Virtual Networks. From them it is often impossible to SSH to the user’s VMs if the Network Security Group (NSG) rules do not permit SSH from the Internet.

A workaround is to create a dedicated NSG rule that allows SSH connections from the VM currently assigned. At the beginning of the session, the rule must be updated with the currently assigned IP address and activated (“Allow”). At the end of the session the rule should be set back to “Deny”. A couple of scripts can help with setting the rule. In the example, “SSH_FromCloudShell” is the rule the scripts will modify. The Cloudshellallow.sh script uses https://ifconfig.co to get the current public IP address.

Cloudshellallow.sh

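#!/bin/bash
# Point the dedicated NSG rule at this Cloud Shell session's public IP and allow it.
echo "--- START ---"
# -f: fail on HTTP errors; -sS: no progress meter, but still print errors
myPubIP=$(curl -fsS https://ifconfig.co) || { echo "Could not get the public IP address" >&2; exit 1; }
read -r -p "The public IP address is:  $myPubIP   Press enter to continue"
echo "Updating NSG rule. Please wait..."
az network nsg rule update \
   --nsg-name "my_nsg_rule_name" \
   --resource-group "my_res_group" \
   --name "SSH_FromCloudShell" \
   --source-address-prefix "$myPubIP" \
   --access Allow
echo "--- THE END ---"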

Cloudshelldeny.sh

#!/bin/bash
# Set the dedicated NSG rule back to Deny at the end of the session.
echo "--- START ---"
echo "Updating NSG rule. Please wait..."
az network nsg rule update \
   --nsg-name "my_nsg_rule_name" \
   --resource-group "my_res_group" \
   --name "SSH_FromCloudShell" \
   --access Deny
echo "--- THE END ---"
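
The two scripts above trust whatever https://ifconfig.co returns and rely on the user remembering to run the deny script. The following is an added example, not part of the original scripts: it checks that the answer is a single IPv4 address before it reaches the NSG rule and sets the rule back to Deny when ssh ends. The function names and the script name cloudshellssh.sh are hypothetical; the NSG, resource group and rule names are the placeholders used above.

```shell
#!/bin/sh
# Added example. valid_ipv4, set_rule and cloudshell_ssh are hypothetical names.

# Succeed only if $1 is exactly one dotted-quad IPv4 address (no CIDR, "*" or HTML).
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                       # split into octets; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Update the dedicated rule; $1 is Allow or Deny, the rest is passed to az as-is.
set_rule() {
    access=$1; shift
    az network nsg rule update \
        --nsg-name "my_nsg_rule_name" \
        --resource-group "my_res_group" \
        --name "SSH_FromCloudShell" \
        --access "$access" "$@" >/dev/null
}

# Allow this session's address as a /32, run ssh, and always set the rule back to Deny.
cloudshell_ssh() {
    ip=$(curl -fsS -4 https://ifconfig.co) || return 1
    if ! valid_ipv4 "$ip"; then
        echo "Unexpected answer from ifconfig.co; rule left unchanged" >&2
        return 1
    fi
    trap 'set_rule Deny' EXIT        # runs when the script exits, even if ssh fails
    trap 'exit 1' INT TERM HUP       # turn signals into a normal exit so EXIT fires
    set_rule Allow --source-address-prefix "$ip/32" || return 1
    ssh "$@"
}

# Run only when called with ssh arguments, e.g. ./cloudshellssh.sh user@my-vm
if [ "$#" -gt 0 ]; then
    cloudshell_ssh "$@"
fi
```

If the Cloud Shell session is killed outright the trap does not run, so Cloudshelldeny.sh is still worth keeping at hand.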