Hello Folks, Welcome to the second part of the series. Previously, we discussed the fundamentals of session monitoring and management for Azure Bastion and how to get the active session and terminate the session using the REST API. In this article, we will talk about the PowerShell Function that we will use to manage the sessions. Let's get into it.
🌱Scaffolding the PowerShell Function
The Function name will be Remove-AzBastionActiveSessions and it will have the following parameters:
- BastionHostNames (Array)
- VMNames (Array)
- SubscriptionId (String)
I tried to keep the parameters as simple as possible. The Function will have the following logic:
- Iterates through the Bastion Hosts
- Gets the active sessions for each Bastion Host
- Filters the sessions based on the VM Names
- Terminates the sessions
💻 The PowerShell Function
Function Remove-AzBastionActiveSessions {
<#
.SYNOPSIS
Author: Hasan Gural - Azure VMP
Version: BETA
.DESCRIPTION
There is no way for terminating the active sessions for the Bastion Host in the Azure PowerShell module. This function will hit the REST API directly to terminate the active sessions.
.NOTES
This function won't enable the shareable link feature for the Bastion Host. This needs to be done manually or see previous article on how to do this.
.EXAMPLE
Remove-AzBastionActiveSessions -VMNames @("vm-01", "vm-03", "vm-02") -BastionNames @("bastion-vnt-0001","bastion-vnt-0003") -SubscriptionId $subscriptionId
Function will support multiple VMs and Bastion Hosts. Just pass in the names of the VMs and Bastion Hosts and the subscription ID.
You can run the script multiple for removing the shareable links. Existing links will remain intact.
#>
[CmdletBinding()]
param (
[Parameter()]
[array]
$VMNames,
[Parameter()]
[array]
$BastionNames,
[Parameter()]
$SubscriptionId
)
$links = @() # Array to store deleted links
$header = @{
"Content-Type" = "application/json"
Authorization = ("Bearer " + (Get-AzAccessToken).Token)
}
ForEach ($bastion in $BastionNames) {
$getBastion = Get-AzBastion -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq $bastion }
if ($getBastion.ProvisioningState -eq "Succeeded") {
$ResourceGroupName = $getBastion.ResourceGroupName
$Location = $getBastion.Location
$SubscriptionId = $getBastion.Id.Split('/')[2]
$Name = $getBastion.Name
Write-Output "[INFO] - ---------------------------------"
Write-Output "[INFO] - Bastion Host Name: $bastion "
Write-Output "[INFO] - Resource Group: $ResourceGroupName"
Write-Output "[INFO] - Subscription: $SubscriptionId"
Write-Output "[INFO] - Location: $Location"
Write-Output "[INFO] - ---------------------------------"
$uri = "https://management.azure.com/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/providers/Microsoft.Network/bastionHosts/$($Name)/getActiveSessions?api-version=2022-07-01"
$getOperationActiveSessions = (Invoke-WebRequest -Method Post -Uri $uri -Headers $header).Headers.Location[0]
Start-Sleep -Seconds 5 # Wait for retrieving the active sessions.
$getActiveSession = (Invoke-WebRequest -Method Get -Uri $getOperationActiveSessions -Headers $header).Content | ConvertFrom-Json
if ($getActiveSession) {
ForEach ($vm in $VMNames) {
$getVM = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $vm -ErrorAction SilentlyContinue
$vmSessions = $getActiveSession | Where-Object { $_.targetHostName -eq $vm }
ForEach ($session in $vmSessions) {
$taskCount = 1 # Task counter
Write-Output "[TASK 1.$($taskCount)] - Retrieving the active sessions for $vm. Please wait."
if ($getVM.ProvisioningState -eq "Succeeded") {
if ($getVM.Name -eq $session.targetHostName) {
$requestBody = @{
"sessionIds" = @($session.sessionId)
}
$uri = "https://management.azure.com/subscriptions/$($SubscriptionId)/resourceGroups/$($ResourceGroupName)/providers/Microsoft.Network/bastionHosts/$($Name)/disconnectActiveSessions?api-version=2022-07-01"
$response = Invoke-WebRequest -Method Post -Uri $uri -Headers $header -Body (ConvertTo-Json $requestBody -Depth 10)
Write-Output "[TASK 1.$($taskCount)] - Terminating the active session for $vm. Please wait. This may take a while."
Start-Sleep -Seconds 5 # Wait for the link to be created. This is to avoid the error "The link is not ready yet. Please try again later."
}
else {
Write-Output "[Error] - Active Session does not exist for the Virtual Machine: $vm"
continue
}
}
else {
Write-Output "[Error] - Virtual Machine $vm does not exist. Please check the name and try again."
continue
}
}
}
}
else {
Write-Output "[Error] - There is no active session for the Bastion Host: $bastion"
}
}
else {
Write-Output "[Error] - Bastion Host $bastion does not exist. Please check the name and try again."
continue
}
}
}
🔌 Executing the Function
The Function will be executed as follows:
$params = @{
VMNames = @("vm-01", "vm-02") # Name of Virtual Machines that you want to terminate the sessions
BastionNames = @("bastion-vnt-0001") # Name of the Bastion Hosts
SubscriptionId = $subscriptionId
}
Remove-AzBastionActiveSessions @params
✨ Example Output
In the following example, we will terminate the active sessions for the Bastion Host bastion-vnt-0001 and the Virtual Machines vm-01 and vm-02. See the output below for active sessions before and after the execution of the Function.
I have executed the PowerShell Function below and you can see that it terminated the active sessions.
🚀 Conclusion
Imagine that you have a Bastion Host(s) that has multiple active sessions and you want to terminate them. You can use the PowerShell Function that I have shared in this article. You can also schedule this function to run periodically to terminate the active sessions. This will help you avoid running out of the Bastion Hosts.
Thanks for reading this through. For more improvements, please let me know. I will be happy to hear your feedback.