> For the complete documentation index, see [llms.txt](https://docs.bluerock.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.bluerock.io/deployment-guides/azure-deployments/azure-deployment-with-cli.md).

# Azure Deployment with CLI

This guide provides the necessary technical steps to install the Microsoft Azure CLI, configure your project environment, and deploy BlueRock-hardened instances on Microsoft Azure.

### Prerequisites

* Microsoft Azure CLI tools (`az`), for installation refer to the official [Microsoft Azure CLI installation guide](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest).
* BlueRock images: BlueRock provides pre-packaged images of the BlueRock Ubuntu 24.04 Linux distribution (Free or Full version); contact

| Version | OS           | Kernel Version | Image Name                                       | Description                                                                                             |
| ------- | ------------ | -------------- | ------------------------------------------------ | ------------------------------------------------------------------------------------------------------- |
| Free    | Ubuntu 24.04 | 6.12.63        | bluerock-release-26-08-0-ubuntu2404-6.12.63-free | Loads default policy in observe mode and policy changes are not allowed.                                |
| Full    | Ubuntu 24.04 | 6.12.63        | bluerock-release-26-08-0-ubuntu2404-6.12.63      | Provides full policy configuration control. Allow switching policy action from observe to enforce mode. |

### Procedure

The procedure for deploying BlueRock-hardened instances on Microsoft Azure with the CLI is as follows:

1. [Instance Deployment](#instance-deployment)
2. [Create Storage Container](#create-a-storage-container)
3. [Instance Configuration](#bluerock-instance-configuration)
4. [Updating Configuration Source](#updating-configuration-source)
5. [OTEL Event Collection](#otel-event-collection-setup)
6. [View Logs in Azure](#view-logs-in-azure)
7. [Configuring Remote Project Workspace in Claude Desktop IDE](#configuring-remote-project-workspace-in-claude-desktop-ide)

### Instance Deployment

To deploy a BlueRock VM in a Customer (Target) Azure Account using the Golden Image hosted in the BlueRock Production Account, cross-tenant authentication must be established. A Service Principal authorized in both the source and target tenants is required to facilitate this deployment.

Execute the following Azure CLI script to authenticate the Service Principal across both tenants, generate the User Assigned Managed Identity, and provision the virtual machine. Modify the variables at the top of the script to match the target environment details:

{% code overflow="wrap" %}

```shellscript
#!/usr/bin/env bash
set -euo pipefail

# Define environment variables
tenant1="<Tenant-ID-of-BlueRock-Prod>"
tenant2="<Tenant-ID-of-Customer>"
appid="<BlueRock-Image-Share-AppID>"
secret="<BlueRock-Image-Share-App-Secret>"
image_id="<BlueRock-Ubuntu-Golden-Image-ID>"
rg_name="<Customer-Resource-Group-Name>"
uami_name="<Managed-Identity-Name>"
location="<Azure-Region-e.g.-eastus>"
ssh_pubkey_path="<path-to-ssh-pubkey>"

# Authenticate against the BlueRock Production tenant
# (get-access-token confirms that the login succeeded)
az login --service-principal -u "${appid}" -p "${secret}" --tenant "${tenant1}"
az account get-access-token

# Authenticate against the Customer target tenant
az login --service-principal -u "${appid}" -p "${secret}" --tenant "${tenant2}"
az account get-access-token

# Create the User Assigned Managed Identity and capture its resource ID
az identity create --resource-group "${rg_name}" --name "${uami_name}" --location "${location}"
uami_id=$(az identity show --resource-group "${rg_name}" --name "${uami_name}" --query id -o tsv)

# Provision the BlueRock VM in the target environment
az vm create \
  --resource-group "${rg_name}" \
  --name bluerock-ubuntu-vm \
  --location "${location}" \
  --image "${image_id}" \
  --admin-username ubuntu \
  --ssh-key-values @"${ssh_pubkey_path}" \
  --size Standard_D2s_v3 \
  --assign-identity "${uami_id}"
```

{% endcode %}

`az vm create` parameters table:

| **Parameter**       | **Description**                                                                                                                                                                                    | **Value in Your Command** |
| ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
| `--resource-group`  | The logical container in Azure where the VM and its associated resources (disk, network, etc.) will be stored.                                                                                     | `<resource-group-name>`   |
| `--name`            | The unique name assigned to your virtual machine within the resource group.                                                                                                                        | `bluerock-ubuntu-vm`      |
| `--image`           | The operating system image to install. Here the variable `$image_id` holds the resource ID of the BlueRock Ubuntu Golden Image shared by BlueRock.                                                  | `$image_id`               |
| `--admin-username`  | The name of the primary administrator account created on the VM.                                                                                                                                   | `ubuntu`                  |
| `--ssh-key-values`  | The path to your SSH public key for secure, passwordless authentication. The `@` symbol tells the CLI to read the content of the file at that path.                                                | `@<path-to-ssh-pubkey>`   |
| `--size`            | The hardware profile (SKU) of the VM. `Standard_D2s_v3` provides a balanced 2 vCPUs and 8 GiB of memory.                                                                                           | `Standard_D2s_v3`         |
| `--location`        | The Azure region (datacenter) where the VM will be physically hosted.                                                                                                                              | `eastus`                  |
| `--assign-identity` | Associates a Managed Identity (such as a User-Assigned Managed Identity) with the virtual machine to allow secure, credential-free access to other Azure resources.                                | `$uami_id`                |

The required variable values are sourced from a combination of the BlueRock administrative team and the target Customer's Azure environment.

Below is a breakdown of where each specific value is retrieved:

| **Variable**      | **Description & Source**                                                                                                                                                                                                                 |
| ----------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `tenant1`         | BlueRock Production Tenant ID: Provided directly by BlueRock support.                                                                                                                                                                    |
| `tenant2`         | Customer Tenant ID: Retrieved from the Customer's Azure environment. In the Azure Portal, navigate to Microsoft Entra ID > Overview. The value is listed as the Tenant ID.                                                               |
| `appid`           | Service Principal App ID: Provided by BlueRock support. This is the Application (client) ID of the Service Principal explicitly authorized to access the shared Golden Image.                                                            |
| `secret`          | Service Principal Secret: Provided securely by BlueRock support. This acts as the authentication password for the Service Principal.                                                                                                     |
| `image_id`        | Golden Image Resource ID: Provided by BlueRock support. This is the full Azure Resource Manager (ARM) path to the specific BlueRock Ubuntu image (e.g., `/subscriptions/.../resourceGroups/.../providers/Microsoft.Compute/images/...`). |
| `rg_name`         | Customer Resource Group Name: The existing resource group in the Customer's Azure environment where the VM and Managed Identity will be provisioned.                                                                                     |
| `uami_name`       | Managed Identity Name: The desired name for the User Assigned Managed Identity (UAMI) created during the deployment.                                                                                                                     |
| `location`        | Azure Region: The specific Azure data center location where the resources will be deployed (e.g., `eastus`, `westeurope`).                                                                                                               |
| `ssh_pubkey_path` | SSH Public Key Path: The local file path to the SSH public key used for authenticating into the deployed VM (e.g., `~/.ssh/id_ed25519.pub`).                                                                                             |
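As an added example (not part of the BlueRock guide or its tooling), the following POSIX shell helpers check the variable values sourced from the table above before the deployment script is run: no `<placeholder>` is left in place, the tenant and application IDs are GUID-shaped, `image_id` is an ARM image resource ID, and the SSH key path points at a public key rather than a private one. The helper names and the sample values used in the test are constructed for this example.

```shell
#!/bin/sh
# Added example, not BlueRock's code: pre-flight checks for the deployment
# variables. Helper names are constructed for this example.

# Returns 0 when $1 still contains an unreplaced "<placeholder>" token.
has_placeholder() {
  case "$1" in
    *'<'*'>'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 when $1 looks like an Azure tenant/application ID (a GUID).
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
}

# Returns 0 when $1 is an ARM resource ID for a Microsoft.Compute image or
# gallery image, the shape of image_id shown in the variable table.
is_arm_image_id() {
  printf '%s\n' "$1" | grep -Eq '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Compute/(images|galleries)/.+'
}

# Returns 0 when $1 is a readable OpenSSH public key file (a private key
# starts with "-----BEGIN" and is rejected).
is_ssh_pubkey_file() {
  [ -r "$1" ] && head -n 1 "$1" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+|sk-ssh-ed25519@openssh\.com) '
}

# require_filled NAME VALUE: 0 when VALUE is set and not a <placeholder>.
# The value itself is never echoed, so this is safe to use on the secret.
require_filled() {
  if [ -z "$2" ] || has_placeholder "$2"; then
    echo "$1: unset or still a <placeholder>" >&2
    return 1
  fi
}

# check_deploy_vars TENANT1 TENANT2 APPID SECRET IMAGE_ID SSH_PUBKEY_PATH
# Reports every failed check on stderr and returns the number of failures.
check_deploy_vars() {
  fails=0
  require_filled tenant1 "$1" || fails=$((fails + 1))
  require_filled tenant2 "$2" || fails=$((fails + 1))
  require_filled appid "$3" || fails=$((fails + 1))
  require_filled secret "$4" || fails=$((fails + 1))
  require_filled image_id "$5" || fails=$((fails + 1))
  require_filled ssh_pubkey_path "$6" || fails=$((fails + 1))
  is_guid "$1" || { echo "tenant1 is not a GUID" >&2; fails=$((fails + 1)); }
  is_guid "$2" || { echo "tenant2 is not a GUID" >&2; fails=$((fails + 1)); }
  is_guid "$3" || { echo "appid is not a GUID" >&2; fails=$((fails + 1)); }
  is_arm_image_id "$5" || { echo "image_id is not an ARM image resource ID" >&2; fails=$((fails + 1)); }
  is_ssh_pubkey_file "$6" || { echo "ssh_pubkey_path is not a readable public key file" >&2; fails=$((fails + 1)); }
  return "$fails"
}

# Usage: sh preflight.sh "$tenant1" "$tenant2" "$appid" "$secret" "$image_id" "$ssh_pubkey_path"
if [ "$#" -eq 6 ]; then
  check_deploy_vars "$@" && echo "pre-flight checks passed"
fi
```

Source this file at the top of the deployment script and call `check_deploy_vars` on the nine variables' sensitive subset before the first `az login`; a non-zero return means a value was left as a placeholder or has the wrong shape, which is cheaper to discover here than as a failed cross-tenant login.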

To validate the instance status:

```shellscript
$ az vm show --resource-group <your-resource-group> --name <instance-name> --show-details --query "powerState" --output tsv
```

To connect to the instance using SSH:

```shellscript
$ ssh -i <path-to-priv-key> ubuntu@<ssh-ip-address>
```

{% hint style="info" icon="notes-sticky" %}
**Note:**\
On the first connection, SSH may display warnings and prompt you to generate an SSH key. When generating the key, leave the passphrase empty by pressing Enter. The key is created automatically and added permanently to the host.
{% endhint %}

### Create a Storage Container

Create an Azure Storage Container to hold the configuration file and the policy files: the BlueRock instance fetches these files from this container using the `config.source` file, which contains the blob's URL/URI.

Create Storage Account:

```shellscript
$ az storage account create \
  --name <storageaccountname> \
  --resource-group <your-resource-group> \
  --location eastus \
  --sku Standard_LRS
```

Create Storage Container:

```shellscript
$ az storage container create \
  --name <your-container-name> \
  --account-name <storageaccountname> \
  --auth-mode login
```

#### Identify the Managed Identity

Authentication for a BlueRock instance without managed keys requires a Managed Identity, either system-assigned or user-assigned. The following command retrieves the Principal ID (Object ID) of the managed identity that was attached when the VM instance was created.

Get the Object ID (Principal ID):

```shellscript
$ az identity show \
  --resource-group "my_resource_group" \
  --name "managed_identity_name" \
  --query principalId -o tsv
```

#### Authorize the BlueRock Instance (RBAC)

Granting the **Storage Blob Data Contributor** role to the identified **Object ID** gives the instance the permission it needs to download the policy and configuration artifacts during the startup verification process. UC verifies the policy signature during startup, before loading the configuration.

Create the Role Assignment:

```shellscript
$ az role assignment create \
  --assignee-object-id "object_id_from_previous_step" \
  --assignee-principal-type ServicePrincipal \
  --role "Storage Blob Data Contributor" \
  --scope "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>"
```

### BlueRock Instance Configuration

BlueRock instances require a configuration file (`config.toml` or `config.yaml`) to define telemetry and policy settings. Create either `config.toml` or `config.yaml`, not both.

{% tabs %}
{% tab title="Free version" %}
{% code title="config.yaml" overflow="wrap" lineNumbers="true" %}

```yaml
event_format: "OTEL"
event_url: "http://<your-internal-ip>:4318"
ucpcm:
```

{% endcode %}

{% code title="config.toml" overflow="wrap" lineNumbers="true" %}

```toml
event_format = "OTEL"
event_url = "http://<your-internal-ip>:4318"
[ucpcm]
```

{% endcode %}
{% endtab %}

{% tab title="Full version" %}
{% code title="config.yaml" overflow="wrap" lineNumbers="true" %}

```yaml
event_format: "OTEL"
event_url: "http://<your-internal-ip>:4318"
ucpcm:
  policy_url: "az://<storageaccountname>/<container-name>/"
  policy: "policy.json"
  policy_sig: "policy.json.sig"
  public_key: "az://<storageaccountname>/<container-name>/<public-key>.pem"
  transport:
    transport_type: "azure" # Indicates Azure Blob Storage
    region: "eastus"
```

{% endcode %}

{% code title="config.toml" overflow="wrap" lineNumbers="true" %}

```toml
event_format = "OTEL"
event_url = "http://<your-internal-ip>:4318"

[ucpcm]
policy_url = "az://<storageaccountname>/<container-name>/"
policy = "policy.json"
policy_sig = "policy.json.sig"
public_key = "az://<storageaccountname>/<container-name>/<public-key>.pem"

[ucpcm.transport]
transport_type = "azure" # Indicates Azure Blob Storage
region = "eastus"
```

{% endcode %}
{% endtab %}
{% endtabs %}

| Parameter                        | Type      | Description                                                                                       |
| -------------------------------- | --------- | ------------------------------------------------------------------------------------------------- |
| `hostid`                         | String    | A unique identifier for this specific machine or agent (e.g., `bluerock`). This parameter is optional. |
| `event_format`                   | String    | The data schema used for logging/events. `OTEL` stands for OpenTelemetry.                         |
| `event_url`                      | URL       | The endpoint where the agent sends its telemetry data (usually an OTEL Collector).                |
| `ucpcm.policy_url`               | Blob URI  | The Azure Blob Storage path where the master policy file is stored.                               |
| `ucpcm.policy`                   | File Name | The specific JSON file name that contains the configuration rules.                                |
| `ucpcm.policy_sig`               | File Name | The digital signature file used to verify that `policy.json` has not been tampered with.          |
| `ucpcm.public_key`               | Blob URI  | The location of the public key used to validate the `policy_sig`.                                 |
| `ucpcm.transport.transport_type` | String    | The protocol used to fetch files. `azure` indicates Azure Blob Storage.                           |
| `ucpcm.auth_method`              | String    | Authentication type. `default` uses the VM's attached Managed Identity.                           |
| `ucpcm.transport.region`         | String    | The Azure region where the storage resources are located.                                         |

{% hint style="info" icon="notes-sticky" %}
**Note:**&#x20;

BlueRock Secure MCP Server enforces runtime security controls through configurable MCP Protection Policies. Refer to the Policy Configuration guide to learn more about these policies.
{% endhint %}

#### Upload Configuration Files

{% hint style="warning" icon="lightbulb-exclamation-on" %}
**Important:**

To securely copy and upload configuration files, the VM's Managed Identity must have the **Storage Blob Data Contributor** role assigned. If the active Azure account lacks the administrative privileges required to assign IAM roles, please request an Azure Cloud Administrator to grant this access to the instance.
{% endhint %}

Upload or copy the files to the Azure VM, then push them to the storage container with `azcopy`, authenticated through the VM's Managed Identity.

To enable `azcopy`:

1. Retrieve Client ID for Authentication:\
   Query the Azure Instance Metadata Service (IMDS) from inside the VM to fetch the Managed Identity's token and Client ID:

   ```shellscript
   $ curl 'http://169.254.169.254/metadata/identity/oauth2/token?resource=https://management.core.windows.net&api-version=2018-02-01' -H "Metadata: true" | jq .
   ```

   Expected output:

   ```shellscript
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                    Dload  Upload   Total   Spent    Left  Speed
   100  2286  100  2286    0     0   5720      0 --:--:-- --:--:-- --:--:--  5715
   {
     "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IlUxc1g4WUZIUzdaNlZsN1ZITEl6VGVqYnZqMCIsImtpZCI6IlUxc1g4WUZIUzdaNlZsN1ZITEl6VGVqYnZqMCJ9.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.lZYegQlxD-HLZ2yUHCJKOGrTgQABxWLff-jplWGX_PHVS742B5CTc2rssv2iZ3KYcELQlJ5CfIlNaALoKHiYZxrD6_7K81L1MA532R7ROHVD5oqx9tKmN46bT3sby9M9R4vfsAlLTeb615ArnfnhI327hj6d43gvl1_geCWUXiBD1RwcIl-trmnEiK6bnj4VGyp273eOJF_4tdLz7Bql4Gon-b7lgfCNeoCyHDgHDJkliebwNHJ_PKdfAKu_mWDXW_9dgDIc0zcQ-ihGb3cMJNOfrqHSOtAFb9Jce16MZEh0tY-atFNiByQ8f4DdYBFPFRKMhvhR-jrVEfwsYtaxFg",
     "client_id": "40ee6d17-227b-4849-a0ef-XXXXXXX",
     "expires_in": "86400",
     "expires_on": "1777381725",
     "ext_expires_in": "86399",
     "not_before": "1777295025",
     "resource": "https://management.core.windows.net",
     "token_type": "Bearer"
   }

   ```

   Example `client_id`:

   ```shellscript
   "client_id": "40ee6d17-227b-4849-a0ef-XXXXXXX",
   ```
2. Login to Azure Storage Blob:\
   Export the Managed Identity parameters as environment variables to authenticate the `azcopy` session (replace the `<client-id>` placeholder with the Client ID retrieved from the previous step):

   ```shellscript
   $ export AZCOPY_AUTO_LOGIN_TYPE=MSI
   $ export AZCOPY_MSI_CLIENT_ID=<client-id>
   ```

   For example:

   ```shellscript
   $ export AZCOPY_AUTO_LOGIN_TYPE=MSI
   $ export AZCOPY_MSI_CLIENT_ID=40ee6d17-227b-4849-a0ef-XXXXXXX
   ```

#### BlueRock Free Edition: Default Policy Configuration

The Free Edition utilizes default security policies. Configuration requires uploading the BlueRock configuration file to the specified Azure Storage container.

Upload BlueRock configuration file [`config.toml`](#free-version):

{% code overflow="wrap" %}

```shellscript
$ azcopy copy "config.toml" "https://<storageaccountname>.blob.core.windows.net/<container-name>/config.toml"
```

{% endcode %}

#### BlueRock Full Edition: Custom Policy Configuration

The Full Edition facilitates custom policy enforcement via the TREX tool. This workflow includes environment activation, template generation, cryptographic signing, and artifact upload.

1. Activate TREX Environment\
   Activation of the pre-created Python virtual environment on the BlueRock node is required:

   ```shellscript
   $ source /opt/bluerock/trex/py312/bin/activate
   ```
2. Generate Policy Template\
   Generation of a policy model file provides a template with default values:

   ```shellscript
   $ python trex/models/customerpolicymodel.py -d > bru_policy.json
   ```

   Manual editing of the JSON file allows for the definition of specific rules, such as enabling or disabling MCP remediation.
3. Generate Signed Policy Blob\
   The TREX tool processes the JSON file to generate a signed policy package in `.tar` format:

   ```shellscript
   $ python trex.py bru_policy.json
   ```
4. Extract Policy Artifacts\
   Extraction of the signed blob archive yields the specific files necessary for UC verification:

   ```shellscript
   $ tar xvf bru_policy.tar
   ```
5. Upload BlueRock configuration\
   Successful deployment requires uploading the configuration file, the extracted policy blob, and the public key to the cloud storage bucket:

   ```shellscript
   # 1. Upload the BlueRock configuration file
   $ azcopy copy "config.toml" "https://<storageaccountname>.blob.core.windows.net/<container-name>/config.toml"

   # 2. Upload the extracted policy blob and its detached signature
   #    (the config references both policy.json and policy.json.sig)
   $ azcopy copy "policy.json" "https://<storageaccountname>.blob.core.windows.net/<container-name>/policy.json"
   $ azcopy copy "policy.json.sig" "https://<storageaccountname>.blob.core.windows.net/<container-name>/policy.json.sig"

   # 3. Upload the public key for verification
   $ azcopy copy "public_key.pem" "https://<storageaccountname>.blob.core.windows.net/<container-name>/public_key.pem"
   ```

{% hint style="info" icon="notes-sticky" %}
**Note:**

Upload only the public key of the signing key pair; the system uses it to verify the signed policy blob (`policy.json`). The private key stays with the signer and is never uploaded to the container.
{% endhint %}

***

### Updating Configuration Source

To ensure the BlueRock agent stays synchronized with the latest policies, link the local environment to the cloud-hosted configuration by updating the parameter in the `config.source` file with the Azure Blob URI.

To save the Azure URI in the config.source file:

1. Locate your file:\
   Ensure your `config.toml` or `config.yaml` is uploaded to your Azure Container.
2. Get the URI:\
   The address must use the `az://` prefix. Use either the short storage account name or the full FQDN (Fully Qualified Domain Name) format:
   1. Short format:

      ```
      az://<storageaccountname>/<container-name>/config.toml
      ```
   2. FQDN format:

      ```
      az://<storageaccountname>.blob.core.windows.net/<container-name>/config.toml
      ```
3. Change to the directory that holds the `config.source` file:

   ```shellscript
   $ cd /opt/bluerock/etc
   ```
4. Save the `config.source` file with the URI from the Azure Blob Storage:

   ```yaml
   az://<storageaccountname>.blob.core.windows.net/<your-container-name>/config.toml

   # Bluerock Configuration
   #
   # config.source tells where to fetch the configuration file.
   ```
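As an added example (not part of the BlueRock guide), the following POSIX shell helpers read the URI from a `config.source` file and check that it has the expected shape for both formats shown above, normalising the short form to the FQDN form and rejecting any other scheme, a missing container or object path, or a malformed storage account name. The helper names are constructed for this example.

```shell
#!/bin/sh
# Added example, not BlueRock's code: validate the URI written to
# config.source before the agent is restarted. Helper names are constructed.

# Prints the first non-blank, non-comment line of a config.source file,
# which is where the URI lives (comments below it are ignored).
read_config_source() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | head -n 1
}

# normalise_az_uri URI
# Accepts az://<account>/<container>/<object> or
# az://<account>.blob.core.windows.net/<container>/<object>, prints the FQDN
# form, and returns 1 for anything else (other schemes, missing container or
# object path, or an account name that is not 3-24 lowercase letters/digits).
normalise_az_uri() {
  uri=$1
  case "$uri" in
    az://*) ;;
    *) echo "config.source must use the az:// scheme" >&2; return 1 ;;
  esac
  rest=${uri#az://}
  host=${rest%%/*}
  path=${rest#*/}
  # No '/' after the host means there is no container/object at all.
  [ "$path" != "$rest" ] || { echo "missing container and object path" >&2; return 1; }
  container=${path%%/*}
  object=${path#*/}
  if [ -z "$container" ] || [ "$object" = "$path" ] || [ -z "$object" ]; then
    echo "URI must be az://<account>/<container>/<object>" >&2
    return 1
  fi
  # Strip the FQDN suffix if present; what remains must be a bare account name.
  account=${host%.blob.core.windows.net}
  printf '%s\n' "$account" | grep -Eq '^[a-z0-9]{3,24}$' \
    || { echo "invalid storage account name: $account" >&2; return 1; }
  printf 'az://%s.blob.core.windows.net/%s/%s\n' "$account" "$container" "$object"
}

# check_config_source FILE: prints the normalised URI or fails.
check_config_source() {
  normalise_az_uri "$(read_config_source "$1")"
}

# Usage: sh check_source.sh /opt/bluerock/etc/config.source
if [ "$#" -eq 1 ]; then
  check_config_source "$1"
fi
```

Because the agent fetches whatever `config.source` points at, a typo here (an `http://` URL, a missing container, a wrong account) silently leaves the instance without its policy; checking the file before starting `uc-docker.service` turns that into an immediate, visible error.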

***

### OTEL Event Collection Setup

To forward OpenTelemetry (OTEL) events and agent telemetry, an Azure Log Analytics Workspace and an Application Insights component must be created and linked.

1. Create Azure Monitoring Resources\
   Use the Azure CLI to provision the workspace, create the Application Insights component, and retrieve the required connection string:

   ```shellscript
   # Create the Log Analytics Workspace with a 30-day retention policy
   $ az monitor log-analytics workspace create \
     --resource-group <rg-name> \
     --workspace-name <workspace-name> \
     --retention-time 30

   # Create the workspace-based Application Insights component
   $ az monitor app-insights component create \
     --app <app-name> \
     --location <region-name> \
     --resource-group <rg-name> \
     --workspace <workspace-resource-id>

   # Retrieve the connection string required for the OTEL collector
   $ az monitor app-insights component show \
     --app <app-name> \
     --resource-group <rg-name> \
     --query connectionString -o tsv
   ```
2. Configure the OTEL Collector\
   Connect to the BlueRock VM and update the OTEL configuration file `otel-config.yaml` to include the retrieved connection string.

   Edit the Configuration File\
   Navigate to the OTEL directory and edit the `otel-config.yaml` file:

   ```shellscript
   $ cd /opt/bluerock/otel
   $ sudo nano otel-config.yaml
   ```

   Update the `azuremonitor` exporter section with your specific connection string:

   ```yaml
   exporters:
     azuremonitor:
       connection_string: "<insert-connection-string-here>"
   ```
3. Restart and Verify the Collector\
   Restart the OTEL Collector container to apply the updated configuration, and then verify that the container is actively running:

   ```shellscript
   $ sudo docker restart otel-collector
   $ sudo docker ps
   ```
4. Check the Startup Logs\
   Inspect the OTEL Collector container logs to ensure it started up cleanly without any configuration errors:

   ```shellscript
   $ sudo docker logs otel-collector
   ```
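As an added example (not part of the BlueRock guide), this POSIX shell check extracts the `azuremonitor` `connection_string` from `otel-config.yaml` and fails while the placeholder is still in place or the value lacks the `InstrumentationKey=<GUID>;IngestionEndpoint=https://...` shape that Application Insights connection strings carry; run it before restarting the collector (step 3 above). Helper names and the sample files built in the test are constructed for this example.

```shell
#!/bin/sh
# Added example, not BlueRock's code: sanity-check the azuremonitor exporter
# setting before "docker restart otel-collector". Helper names are constructed.

# Prints the value of the first "connection_string:" key in a YAML file,
# with surrounding double quotes removed (unquoted values are also accepted).
otel_connection_string() {
  sed -n 's/^[[:space:]]*connection_string:[[:space:]]*"*\([^"]*\)"*[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Returns 0 when $1 has the shape of an Application Insights connection
# string: InstrumentationKey=<GUID>;IngestionEndpoint=https://...
# A value that still contains a <placeholder> is rejected outright.
is_app_insights_connection_string() {
  case "$1" in
    *'<'*'>'*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^InstrumentationKey=[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12};IngestionEndpoint=https://[^;]+'
}

# check_otel_config FILE: 0 only if the exporter carries a real connection string.
check_otel_config() {
  cs=$(otel_connection_string "$1")
  if [ -z "$cs" ]; then
    echo "no azuremonitor connection_string found in $1" >&2
    return 1
  fi
  if ! is_app_insights_connection_string "$cs"; then
    echo "connection_string in $1 is still a placeholder or malformed" >&2
    return 1
  fi
  echo "otel exporter configured for $(printf '%s' "$cs" | sed 's/^InstrumentationKey=\([^;]*\);.*/\1/')"
}

# Usage: sh check_otel.sh /opt/bluerock/otel/otel-config.yaml && sudo docker restart otel-collector
if [ "$#" -eq 1 ]; then
  check_otel_config "$1"
fi
```

The check prints only the instrumentation key GUID, not the full connection string, so it can be run from a shell whose history or output is logged. If the collector is restarted with the placeholder still in place, it starts but every export fails, which is easy to miss unless the container logs from step 4 are read carefully.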

#### Service Startup & Policy Verification

Once the configuration files are securely stored in Azure Blob Storage and telemetry routing is established, the core BlueRock agent services can be started.

1. Enable and Start the Service:\
   Enable the BlueRock control plane to start automatically on boot, then initiate the service:

   ```shellscript
   $ sudo systemctl enable uc-docker.service
   $ sudo systemctl start uc-docker.service
   $ sudo systemctl status uc-docker.service
   ```
2. Verify Startup and Download Logs: \
   Inspect the logs to confirm the agent successfully authenticated with the Managed Identity, downloaded the policy files from Azure Blob Storage, and validated the digital signature:

   ```shellscript
   # Check the primary service startup logs
   $ /opt/bluerock/bin/uc-docker.sh logs

   # Enter the Docker container to check the detailed policy download logs
   $ docker exec -it uc bash
   $ cd /var/log/uc
   $ cat bluerockd_rCURRENT.log
   ```

### View Logs in Azure

Events generated by the BlueRock instance are forwarded to the **Azure Log Analytics Workspace** and can be queried using Kusto Query Language (KQL).

Navigate to **Azure Log Analytics Workspace** > select an instance name > **Logs**. In the Logs workspace, switch from **Simple mode** to **KQL mode** and run the required query to view application traces.


Following is a sample KQL query:

```kusto
// Retrieve the 50 most recent application traces from the last 10 minutes
AppTraces
| where TimeGenerated > ago(10m)
| project TimeGenerated, Message, SeverityLevel, Properties
| order by TimeGenerated desc
| take 50
```

### Configuring Remote Project Workspace in Claude Desktop IDE

To allow AI-assisted development while maintaining BlueRock's telemetry tracking, a dedicated user session must be established for the Claude Desktop IDE.

1. Create the User Account and Configure SSH:\
   Connect to the BlueRock Azure VM and execute the following commands in order to create a dedicated user and configure key-based SSH authentication:
   1. Create the dedicated account\
      First, create the new user account intended for the Claude Desktop IDE:

      ```shellscript
      $ sudo adduser claude_code_user
      ```

   2. Switch to the new user profile\
      Change your current session to operate as the newly created user:

      ```shellscript
      $ sudo su - claude_code_user
      ```

   3. Generate an SSH keypair\
      Run the `ssh-keygen` command. This will automatically create the `.ssh` directory with the correct permissions.

      ```shellscript
      $ ssh-keygen -t ed25519 -C "your_email@example.com"
      ```

      {% hint style="info" icon="notes-sticky" %}
      **Note:** When prompted, press Enter to accept the default file location, and press Enter again to leave the passphrase empty.
      {% endhint %}

   4. Authorize the public key\
      Finally, append the designated public key to the `authorized_keys` file to grant inbound access, and lock down the file's permissions:

      ```shellscript
      $ echo "<insert-public-key-here>" >> ~/.ssh/authorized_keys
      $ chmod 600 ~/.ssh/authorized_keys
      ```
2. Configure the Claude Desktop IDE:\
   In the Claude Desktop IDE interface, click the environment selector menu (typically labeled **Local** in the bottom corner) and select **+ Add SSH host...** from the dropdown list.\
   In the Add SSH connection dialog box, populate the fields with the following parameters:
   1. SSH Connection Name: `<custom-name>`
   2. SSH Host: `claude_code_user@<azure_vm_ip>`
   3. SSH Port: `22` (default)
   4. Identity file: `<path-to-private-key>`
3. Initialize the Remote Workspace:
   1. Upon successful SSH connection to the remote VM, select the project folder. Either the default home directory (`/home/claude_code_user`) or a newly created subfolder (e.g., `project`) can be used.
   2. The Claude Code session initializes in the background on the remote VM. Code generation occurs directly within the remote workspace based on instructions provided in the IDE chat interface.
4. Telemetry and Event Tracking:\
   The BlueRock agent actively monitors this remote workspace and generates OpenTelemetry (OTEL) events for all Claude Code actions, including file operations and forked/executed processes. These events are automatically forwarded to the configured Azure Log Analytics workspace for security monitoring.
