cloud computing security

Trigger Actions On-Premises from Azure Automation

Q: Can I trigger actions on-premises from Azure Automation?

A: Azure Automation is essentially PowerShell Workflows running in Azure, which means any endpoint that's accessible from PowerShell via the Internet could be triggered from an Azure Automation. However, triggering something on-premises means that the endpoint is accessible from the Internet, which is typically a concern. The question really should be whether a secure way exists to trigger actions on-premises from Azure Automation.

Azure Automation doesn't currently support the leveraging of any site-to-site VPN capabilities you might have in place from Azure to on-premises, which means exposing an endpoint to the Internet directly. Instead of opening up the WinRM endpoint of every box you want to manage from Azure Automation to the Internet, a better option is to open up a single virtual machine on-premises to Azure Automation, through which other management would be performed, like a gateway for management purposes. This minimizes the exposed surface to the Internet, and you can focus your monitoring and protection on a specific virtual machine. Using this approach also has the advantage of a single instance that requires all the necessary PowerShell modules to be installed.

You would typically enable CredSSP authentication on the gateway virtual machine to allow credentials to pass through to the integration modules you're calling. For an example calling into a remote virtual machine in Azure from a runbook, see the Microsoft article "How to use a PS Command on a remote Azure VM from a Runbook."

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.