Install SSH Access
Connect P0 to your Azure VMs by installing SSH access.
This final step connects P0's SSH integration to your Azure subscription enabling SSH access requests to Virtual Machines.
Complete Configure bastion host integration before starting this step. SSH access requires the Bastion host configuration from the previous step.
How SSH subscription filtering works
When you configure SSH access, P0 only shows Azure subscriptions that already have a Bastion host configured. If your subscription does not appear in the list, verify that the Bastion host component is installed for that subscription.
Virtual machine requirements
Any virtual machine you want to connect to via SSH through P0 must meet the following requirements.
AADSSHLoginForLinux extension
Must be installed on each Linux VM. VMs without this extension do not appear in the P0 inventory. See Microsoft documentation for installation instructions.
Network connectivity
VMs must be in a virtual network that is either: the same virtual network as the Bastion host, or a peered virtual network connected to the Bastion's virtual network.
Virtual network peering
P0 automatically manages virtual network (VNet) peering between the Bastion host's network and the target VM's network when they are in different virtual networks.
Session start: If the Bastion host and the target VM are in different VNets, P0 creates bidirectional VNet peering between them. If they share the same VNet, no peering is needed.
Session end: When an SSH session ends, P0 removes the VNet peering — but only if no other active SSH sessions depend on that same peering.
This ensures that VNet peering exists only while SSH sessions are active, and that concurrent sessions sharing the same peering are not disrupted.
Permissions
During setup, P0 creates a custom Azure role scoped to the target subscription. This role grants P0 the permissions needed to manage VM access and VNet peering during SSH sessions.
Role name: P0 Virtual Machine Management - {subscriptionId}
Required permissions:
Microsoft.Compute/virtualMachines/read
Read VM metadata
Microsoft.Compute/virtualMachines/extensions/read
Check for required VM extensions
Microsoft.Network/networkInterfaces/read
Read VM network interface details
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read
Read existing VNet peering
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
Create VNet peering for SSH sessions
Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete
Remove VNet peering after sessions end
Microsoft.Network/virtualNetworks/peer/action
Authorize VNet peering operations
Microsoft.Network/bastionHosts/getactivesessions/action
Query active Bastion sessions
If you enable sudo access, the role also includes Microsoft.Compute/virtualMachines/loginAsAdmin/action in addition to the standard Microsoft.Compute/virtualMachines/login/action.
Setup steps
In P0, open Integrations → SSH.
Click Add account.
Select the Azure subscription you added during IAM management setup. Only subscriptions with a Bastion host configured appear in this list.
Run the install commands.
Optional settings
Grouping tag: specify a tag to enable group SSH access requests
Allow sudo: toggle whether users can request sudo on target nodes
If you enable sudo, run the additional Shell steps shown to configure sudo access.
When these steps are complete, SSH access is installed. You can now request SSH access to Azure VMs through P0.
Last updated