Azure VM SCP - bcgov/common-service-showcase GitHub Wiki

Transferring Files to Azure VMs Using Azure Bastion

This guide explains how to securely transfer files to Azure Virtual Machines that are behind Azure Bastion, which doesn't natively support file transfers.

Option 1: Use a Local SSH Tunnel via Azure Bastion + SCP

This method creates a secure tunnel through Azure Bastion to your VM and uses SCP for file transfer.

Step 1: Create an SSH Tunnel

First, establish an SSH tunnel using the Azure CLI:

az network bastion tunnel \
  --name d94cca-dev-vwan-spoke-bastion \
  --resource-group d94cca-dev-networking \
  --target-resource-id /subscriptions/56358ccd-64df-4586-98cc-f472e4c7323f/resourcegroups/d94cca-dev-networking/providers/Microsoft.Compute/virtualMachines/css-ai-dev-linux \
  --resource-port 22 \
  --port 50022

This command:

  • Creates a tunnel through the specified Azure Bastion host
  • Connects to the target VM identified by its resource ID
  • Maps the VM's SSH port (22) to your local port 50022

Step 2: Transfer Files Using SCP

Once the tunnel is active, use SCP to transfer files through it:

scp -i keys/<key>.pem -P 50022 <local_file> azureuser@127.0.0.1:<remote_path>

Replace:

  • <local_file> with the path to the file you want to upload
  • <remote_path> with the destination path on the VM (e.g., /home/azureuser/)

Example

To upload a configuration file to the VM's home directory:

scp -i keys/<key>.pem -P 50022 <local path to the file> azureuser@127.0.0.1:/home/azureuser/
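
The two steps above combined into one script, as an added example that is not part of the original guide: it checks the key file's permissions, opens the tunnel, copies one file, and closes the tunnel again. The VM user azureuser, the 30-second wait, and the function names are assumptions; HostKeyAlias and IdentitiesOnly are standard OpenSSH options added here.

```bash
#!/usr/bin/env bash
# Added example: open the Bastion tunnel, copy one file, close the tunnel.
BASTION="d94cca-dev-vwan-spoke-bastion"   # from the guide
RG="d94cca-dev-networking"                # from the guide
LOCAL_PORT=50022                          # from the guide
VM_USER="azureuser"                       # assumption, taken from /home/azureuser/
# Last path segment of the VM resource ID, used as the known_hosts alias.
vm_name_from_id() { printf '%s\n' "${1##*/}"; }

# True only if the key is a regular file with no group/other permission bits.
key_mode_ok() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Poll until something listens on 127.0.0.1:$1, for at most $2 seconds.
wait_for_port() {
  i=0
  while [ "$i" -lt "$2" ]; do
    (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null && return 0
    sleep 1; i=$((i + 1))
  done
  return 1
}

# az is often installed as a wrapper script, so stop its child process as well.
close_tunnel() { { pkill -P "$1"; kill "$1"; wait "$1"; } 2>/dev/null; return 0; }

# Usage: upload_via_bastion <vm_resource_id> <key.pem> <local_file> <remote_path>
upload_via_bastion() {
  vm_id=$1; key=$2; src=$3; dest=$4
  key_mode_ok "$key" || { echo "refusing key with loose permissions: $key" >&2; return 1; }
  az network bastion tunnel --name "$BASTION" --resource-group "$RG" \
    --target-resource-id "$vm_id" --resource-port 22 --port "$LOCAL_PORT" &
  tunnel_pid=$!
  trap 'close_tunnel "$tunnel_pid"; exit 130' INT TERM
  if wait_for_port "$LOCAL_PORT" 30; then
    # HostKeyAlias stores the host key per VM instead of per 127.0.0.1:50022;
    # IdentitiesOnly offers only the named key, not every key in the agent.
    scp -i "$key" -P "$LOCAL_PORT" -o IdentitiesOnly=yes \
      -o HostKeyAlias="$(vm_name_from_id "$vm_id")" "$src" "$VM_USER@127.0.0.1:$dest"
    rc=$?
  else echo "tunnel did not come up on port $LOCAL_PORT" >&2; rc=1
  fi
  close_tunnel "$tunnel_pid"
  return "$rc"
}
if [ "$#" -eq 4 ]; then upload_via_bastion "$@"; fi
```

Because every VM reached through the tunnel appears as 127.0.0.1:50022, the alias keeps a host-key change on one VM from being confused with switching to a different VM.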

Security Considerations

  • Keep your SSH private key secure and never share it
  • Consider using key rotation for better security
  • The tunnel is only active while the az network bastion tunnel command is running
  • All traffic is encrypted through the SSH tunnel

Troubleshooting

  • If the connection fails, verify the Bastion service is running
  • Ensure your SSH key has the correct permissions (chmod 600 for the .pem file)
  • Check that your user account has proper access to the VM
  • Verify the target VM is running and accepts SSH connections