I’ve been there: you hit Connect, and your VM just won’t let you in. RDP times out, SSH hangs, Bastion won’t help, and you start wondering if you’ve bricked the thing. The good news? In Azure, the “right” way out of most lock-out situations is the Serial Console. It bypasses the network entirely and drops you straight onto the VM’s console, so you can fix whatever broke—firewall rules, SSH/RDP configs, NIC settings, you name it.
Below is exactly how I use it—what it is, where to find it, and step-by-step fixes once you’re in.
Why the Serial Console is the move
- No network needed. It works even when the NIC, routing, or firewall is misconfigured.
- Direct access. You’re interacting with the VM’s console like a local screen/keyboard.
- Fast recovery. Perfect for “I changed one setting and now nothing connects.”
Prerequisites (quick checklist)
Before you open Serial Console, make sure:
- The VM is Running (not Stopped/deallocated).
- Boot diagnostics is On for the VM. (If it’s Off, you can enable it from the VM page—no reboot needed in most cases.)
- You have permissions such as Virtual Machine Contributor (or equivalent) on the VM/resource group/subscription.
Tip: For custom images, ensure the OS is configured to expose a serial TTY/COM port (Azure Marketplace images already are).
Where to find the Serial Console in the Azure portal
Option 1 — From the VM blade (left menu)
- Azure portal → Virtual machines → choose your VM
- In the left menu, under Support + troubleshooting, click Serial console
Option 2 — From the Connect menu
- Azure portal → Virtual machines → choose your VM
- Click Connect, then select Serial console (if shown in your portal layout)
If the button is greyed out, check that the VM is running and Boot diagnostics is enabled.
Logging in (Linux vs. Windows)
Linux VMs
- Open Serial console.
- Press Enter once or twice to wake the console. You should see a login prompt.
- Log in with a local user on the VM.
If you’ve disabled password auth for SSH and don’t have a local password, use the VM’s Reset password blade (under “Support + troubleshooting”) to temporarily set one, then come back here and log in.
Common Linux fixes once you’re in
Check network quickly:
|
1 2 3 4 |
ip a ip route resolvectl status # or: cat /etc/resolv.conf on older distros |
Fix an over-strict firewall that locked out SSH:
|
1 2 3 4 5 6 |
sudo iptables -S sudo iptables -F # careful: flushes rules (quick test) # or with firewalld sudo firewall-cmd --state sudo systemctl stop firewalld |
Repair SSH config and restart:
|
1 2 3 |
sudo nano /etc/ssh/sshd_config sudo systemctl restart sshd # or "ssh" on some distros |
Re-enable password login temporarily (if needed to get back in):
|
1 2 3 4 5 6 |
# In /etc/ssh/sshd_config PasswordAuthentication yes # Then restart the service sudo systemctl restart sshd |
Cloud-init hiccups?
|
1 2 3 |
sudo cloud-init status --long sudo journalctl -u cloud-init -b |
When you’re done, try SSH again from your machine. If it works, revert any temporary relaxations (like re-enabling password auth or disabling the firewall).
Windows VMs
Windows uses the Special Administration Console (SAC) behind the scenes.
- Open Serial console.
- Press Enter to wake SAC. If you see a
SAC>prompt, you’re in. - Create a command channel and switch to it:
|
1 2 3 |
SAC> cmd SAC> ch -si 1 |
You should now see a regular C:\> prompt.
Common Windows fixes once you’re in
Check IP and gateway:
|
1 2 |
ipconfig /all |
If RDP was disabled, re-enable it:
|
1 2 |
sconfig |
Use the menu to enable Remote Desktop (or, if you prefer commands, enable via PowerShell/registry—SAC lets you run powershell too in modern images).
Reset a local admin password:
|
1 2 |
net user <YourAdminUser> <NewStrongPassword> |
Firewall being over-zealous? As a temporary test:
|
1 2 |
netsh advfirewall set allprofiles state off |
(Turn it back on once RDP is healthy.)
Once you can RDP again, undo any temporary lockdown relaxations.
What if Serial Console still won’t open?
- Boot diagnostics Off → turn it On (VM → “Boot diagnostics”), then retry.
- VM Stopped/deallocated → start it, then retry.
- Role/permission issues → you’ll need adequate access (ask your admin to grant VM/resource group permissions).
- Custom images not wired for a serial port → check OS settings or rebuild with the right kernel/driver options.
A quick recovery playbook I actually use
- Open Serial console from the VM page.
- Log in (Linux: local user; Windows: SAC →
cmd). - Fix the obvious: network config, SSH/RDP settings, firewall.
- Test connectivity (SSH/RDP).
- Revert any temporary loosening of security.
Final thought
When a VM locks you out, don’t panic and don’t immediately rebuild. Azure Serial Console is your “back door” for exactly these moments. It’s fast, it’s built-in, and once you get comfortable with it, you’ll wonder how you ever troubleshot without it.
