Azure Bastion Guide - bcgov/common-service-showcase GitHub Wiki

Azure Bastion and Azure OpenAI Interaction Guide

This guide explains how to use Azure Bastion to securely access a virtual machine and interact with Azure OpenAI services through an SSH tunnel.

Usage Workflow

  1. First, create the SSH tunnel using the az network bastion tunnel command
  2. Then either:
    • Connect via SSH using the az network bastion ssh command to run commands directly on the VM
    • Or use the tunnel to send requests through your local machine to the VM and on to Azure OpenAI
  3. If using the tunnel for Azure Search, run the socat command on the VM to enable proper HTTPS forwarding

Enabling SSH Tunnel for Azure Services

To properly forward HTTPS traffic through the SSH tunnel, run this command on the VM:

sudo socat TCP-LISTEN:443,fork,reuseaddr TCP:<search-service-name>.search.windows.net:443

NOTE: This command needs to be run each time you establish a new SSH session. Consider setting up a service or startup script for persistent tunneling.
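The note above suggests a service or startup script so the forwarder survives new SSH sessions. The script below is an added example, not part of the bcgov wiki or the project's own code: it validates the upstream hostname, renders a systemd unit that runs the same socat forwarder, and installs it on the VM. The unit name socat-https-forward, the /usr/bin/socat path and the sandboxing directives are this example's assumptions; it needs a systemd-based VM with socat installed and root privileges to install.

```shell
#!/bin/sh
# Added example (not from the bcgov wiki): persist the socat HTTPS forwarder
# from the guide as a systemd unit on the VM, so it survives new SSH sessions
# and reboots. Assumes a systemd-based VM with socat at /usr/bin/socat; the
# unit name "socat-https-forward" is this script's own choice.

# Accept only a plain DNS hostname. The value is interpolated into a unit file,
# so spaces, shell metacharacters, schemes and paths are rejected up front.
validate_host() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# Render the unit for forwarding VM port 443 to <upstream>:443 (same socat
# invocation as the guide, listening on all interfaces so the Bastion tunnel
# can reach it on the VM's private address). Prints nothing and returns 1 for
# an invalid hostname.
forwarder_unit() {
  upstream="$1"
  validate_host "$upstream" || return 1
  cat <<EOF
[Unit]
Description=socat TCP forwarder: 443 -> ${upstream}:443
After=network-online.target
Wants=network-online.target

[Service]
ExecStart=/usr/bin/socat TCP-LISTEN:443,fork,reuseaddr TCP:${upstream}:443
Restart=always
RestartSec=2
# socat only needs to bind a privileged port; run it as an unprivileged
# dynamic user with nothing else.
DynamicUser=yes
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit, reload systemd and start it now and on boot. Run as root.
install_forwarder() {
  unit_path="/etc/systemd/system/socat-https-forward.service"
  validate_host "$1" || { echo "refusing invalid upstream host: $1" >&2; return 1; }
  forwarder_unit "$1" > "$unit_path"
  chmod 0644 "$unit_path"
  systemctl daemon-reload
  systemctl enable --now socat-https-forward.service
  systemctl --no-pager --lines=5 status socat-https-forward.service
}

# Usage on the VM: sudo sh persist-forwarder.sh <search-service-name>.search.windows.net
if [ "$#" -gt 0 ]; then
  install_forwarder "$1"
fi
```

Once installed, the manual `sudo socat ...` step in each SSH session is no longer needed; `systemctl status socat-https-forward` shows whether the listener is up.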

Azure Bastion Commands

Creating an SSH Tunnel

az network bastion tunnel --name <bastion-name> \
  --resource-group <resource-group> \
  --target-resource-id <vm-resource-id> \
  --port <local-port> \
  --resource-port <remote-port>

This command establishes an SSH tunnel through Azure Bastion to the target VM:

  • --name: Specifies the Bastion resource name
  • --resource-group: Specifies the resource group containing the Bastion service
  • --target-resource-id: Full resource ID of the target VM
  • --port: Local port on your machine where the tunnel will be accessible
  • --resource-port: Remote port on the VM to connect to (typically 443)

Direct SSH Connection

az network bastion ssh \
  --name <bastion-name> \
  --resource-group <resource-group> \
  --target-resource-id <vm-resource-id> \
  --auth-type ssh-key \
  --username <username> \
  --ssh-key <path-to-ssh-key>

This command establishes a direct SSH connection through Azure Bastion:

  • --auth-type: Authentication method (ssh-key)
  • --username: VM login username
  • --ssh-key: Path to the SSH private key file

Azure OpenAI Interaction

Direct API Call from VM

When connected via SSH to the VM, you can call Azure OpenAI directly:

curl "https://<openai-endpoint>.openai.azure.com/openai/deployments/<deployment-name>/chat/completions?api-version=<api-version>" \
  -H "Content-Type: application/json" \
  -H "api-key: <your-api-key>" \
  -d '{"messages": [{"role": "user", "content": "Hello, who are you?"}],"max_tokens": 50}'

API Call Through SSH Tunnel

Using the established tunnel, you can call the API from your local machine:

curl -vk "https://localhost:<local-port>/openai/deployments/<deployment-name>/chat/completions?api-version=<api-version>" \
  --resolve <openai-endpoint>.openai.azure.com:443:127.0.0.1 \
  -H "Host: <openai-endpoint>.openai.azure.com" \
  -H "Content-Type: application/json" \
  -H "api-key: <your-api-key>" \
  -d '{"messages": [{"role": "user", "content": "Hello, who are you?"}],"max_tokens": 50}'

Notable parameters:

  • -vk: Verbose output (-v) and skip TLS certificate verification (-k); the latter is needed here only because the service certificate is issued for the Azure hostname, not for localhost
  • --resolve: DNS override to direct requests to localhost
  • -H "Host:": Sets the HTTP Host header to the expected endpoint

Azure Search Interaction

Direct API Call from VM

When connected via SSH to the VM, you can call Azure Search directly:

curl -X POST "https://<search-service-name>.search.windows.net/indexes/<index-name>/docs/search?api-version=2023-07-01-Preview" \
  -H "Content-Type: application/json" \
  -H "api-key: <your-search-api-key>" \
  -d '{"search": "water", "top": 5}'

API Call Through SSH Tunnel

Using the established tunnel, you can call the Azure Search API from your local machine:

curl -vk "https://localhost:<local-port>/indexes/<index-name>/docs/search?api-version=2023-07-01-Preview" \
  --resolve <search-service-name>.search.windows.net:443:127.0.0.1 \
  -H "Host: <search-service-name>.search.windows.net" \
  -H "Content-Type: application/json" \
  -H "api-key: <your-search-api-key>" \
  -d '{"search": "water", "top": 5}'

Common Parameters

  • <bastion-name>: The name of your Azure Bastion resource
  • <resource-group>: The resource group containing your Bastion and VM resources
  • <vm-resource-id>: The full resource ID path to your virtual machine
  • <local-port>: Local port to use for the tunnel (e.g., 8083)
  • <remote-port>: The port on the remote VM (typically 443 for HTTPS)
  • <username>: VM login username (typically "azureuser")
  • <path-to-ssh-key>: Path to your private SSH key file (.pem)
  • <openai-endpoint>: Your Azure OpenAI resource name
  • <deployment-name>: The name of your OpenAI model deployment
  • <api-version>: Azure OpenAI API version (e.g., "2025-01-01-preview")
  • <your-api-key>: Your Azure OpenAI API key
  • <search-service-name>: Your Azure Search service name
  • <index-name>: Name of your search index
  • <your-search-api-key>: Your Azure Search API key