Use VSTS task 'PowerShell on Target Machines' without public IP in Azure

Question

We are deploying tens of VMs into Azure with VSTS. We now need to execute some scripts on specific VMs. Unfortunately, we can't let out VMs have public IPs. Is it possible to use VSTS tasks that require WinRM and PowerShell on Target Machines without public IP? If not, would would be our best option?

Answer 1

Is it possible to use VSTS tasks that require WinRM and PowerShell on Target Machines without public IP?

It is not possible except you create a VPN tunnel. But it is not necessary and expensive.

For your scenario, you could use Azure VM Custom Script Extension.

The Custom Script Extension downloads and executes scripts on Azure virtual machines. This extension is useful for post deployment configuration, software installation, or any other configuration / management task. Scripts can be downloaded from Azure storage or GitHub, or provided to the Azure portal at extension run time.

If you use it, you don't need winrm your VMs.

The Set-AzureRmVMCustomScriptExtension command can be used to add the Custom Script extension to an existing virtual machine. For example:

Set-AzureRmVMCustomScriptExtension -ResourceGroupName myResourceGroup `
    -VMName myVM `
    -Location myLocation `
    -FileUri myURL `
    -Run 'myScript.ps1' `
    -Name DemoScriptExtension

Note: You could save your script on GitHub and Azure storage account.

Answer 2

You need to configure Azure networking so that your build infrastructure can route to the private IP addresses of those servers. If your build servers are also in Azure, it's just a matter of making sure they're all using the same Azure virtual network. If not, you'll need to set up an Azure VPN gateway.

The specific configuration is way too deep and variable to get into here.