[enterprise-4.14] CNV -29929: Improve 'Connecting to VM consoles' and 'Connecting with SSH'

Signed-off-by: Avital Pinnick <apinnick@redhat.com>
2026-02-05 12:46:18 +01:00 · 2023-06-19 13:42:10 +03:00
parent 8a628d18c8
commit 78fc2236f9
27 changed files with 855 additions and 317 deletions
--- a/_topic_maps/_topic_map.yml
+++ b/_topic_maps/_topic_map.yml
@@ -3625,6 +3625,10 @@ Topics:
 ###VIRTUAL MACHINE CHESS SALAD (silly name to highlight that the commented out assemblies need to be checked against merged filenams)
  - Name: Creating virtual machines
    File: virt-create-vms
+  - Name: Connecting to VM consoles
+    File: virt-accessing-vm-consoles
+  - Name: Configuring SSH access to VMs
+    File: virt-accessing-vm-ssh
  - Name: Editing virtual machines
    File: virt-edit-vms
  - Name: Editing boot order
@@ -3637,8 +3641,6 @@ Topics:
    File: virt-manage-vmis
  - Name: Controlling virtual machine states
    File: virt-controlling-vm-states
-  - Name: Accessing virtual machine consoles
-    File: virt-accessing-vm-consoles
  - Name: Automating Windows installation with sysprep
    File: virt-automating-windows-sysprep
  - Name: Installing the QEMU guest agent and VirtIO drivers
--- a/modules/virt-about-services.adoc
+++ b/modules/virt-about-services.adoc
@@ -1,18 +1,17 @@
 // Module included in the following assemblies:
 //
 // * virt/virtual_machines/vm_networking/virt-creating-service-vm.adoc
+// * virt/virtual_machines/virt-accessing-vm-ssh.adoc

 :_content-type: CONCEPT
 [id="virt-about-services_{context}"]
 = About services

-A Kubernetes _service_ exposes network access for clients to an application running on a set of pods. Services offer abstraction, load balancing, and, in the case of NodePort and LoadBalancer, exposure to the outside world. 
+A Kubernetes service exposes network access for clients to an application running on a set of pods. Services offer abstraction, load balancing, and, in the case of the `NodePort` and `LoadBalancer` types, exposure to the outside world.

-Services can be exposed in the *VirtualMachine details* -> *Details* tab of the web console or by specifying a `spec.type` in the `Service` object:
+ClusterIP:: Exposes the service on an internal IP address and as a DNS name to other applications within the cluster. A single service can map to multiple virtual machines. When a client tries to connect to the service, the client's request is load balanced among available backends. `ClusterIP` is the default service type.

-ClusterIP:: Exposes the service on an internal IP address and as a DNS name to other applications within the cluster. A single service can map to multiple virtual machines. When a client tries to connect to the service, the client's request is load balanced among available backends. `ClusterIP` is the default service `type`.
-
-NodePort:: Exposes the service on the same port of each selected node in the cluster. `NodePort` makes a service accessible from outside the cluster.
+NodePort:: Exposes the service on the same port of each selected node in the cluster. `NodePort` makes a port accessible from outside the cluster, as long as the node itself is externally accessible to the client.

 LoadBalancer:: Creates an external load balancer in the current cloud (if supported) and assigns a fixed, external IP address to the service.

--- a/modules/virt-access-configuration-considerations.adoc
+++ b/modules/virt-access-configuration-considerations.adoc
@@ -0,0 +1,41 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/virt-accessing-vm-ssh.adoc
+
+:_content-type: REFERENCE
+[id="virt-access-configuration-considerations_{context}"]
+= Access configuration considerations
+
+Each method for configuring access to a virtual machine (VM) has advantages and limitations, depending on the traffic load and client requirements.
+
+Services provide excellent performance and are recommended for applications that are accessed from outside the cluster.
+
+If the internal cluster network cannot handle the traffic load, you can configure a secondary network.
+
+`virtctl ssh` and `virtctl port-forwarding` commands::
+* Simple to configure.
+* Recommended for troubleshooting VMs.
+* `virtctl port-forwarding` recommended for automated configuration of VMs with Ansible.
+* Not recommended for high-traffic applications like Rsync or Remote Desktop Protocol because of the burden on the API server.
+* The API server must be able to handle the traffic load.
+* The clients must be able to access the API server.
+* The clients must have access credentials for the cluster.
+
+Cluster IP service::
+* The internal cluster network must be able to handle the traffic load.
+* The clients must be able to access an internal cluster IP address.
+
+Node port service::
+* The internal cluster network must be able to handle the traffic load.
+* The clients must be able to access at least one node.
+
+Load balancer service::
+* A load balancer must be configured.
+* Each node must be able to handle the traffic load of one or more load balancer services.
+
+Secondary network::
+* Excellent performance because traffic does not go through the internal cluster network.
+* Allows a flexible approach to network topology.
+* Guest operating system must be configured with appropriate security because the VM is exposed directly to the secondary network. If a VM is compromised, an intruder could gain access to the secondary network.
+
+
--- a/modules/virt-accessing-vmi-ssh.adoc
+++ b/modules/virt-accessing-vmi-ssh.adoc
@@ -1,89 +0,0 @@
-// Module included in the following assemblies:
-//
-// * virt/virtual_machines/virt-accessing-vm-consoles.adoc
-
-:_content-type: PROCEDURE
-[id="virt-accessing-vmi-ssh_{context}"]
-= Accessing a virtual machine via SSH by using virtctl
-
-You can use the `virtctl ssh` command to forward SSH traffic to a virtual machine (VM) by using your local SSH client. If you have previously configured SSH key authentication with the VM, skip to step 2 of the procedure because step 1 is not required.
-
-[NOTE]
-====
-Heavy SSH traffic on the control plane can slow down the API server. If you regularly need a large number of connections, use a dedicated Kubernetes `Service` object to access the virtual machine.
-====
-
-
-.Prerequisites
-* You have installed the OpenShift CLI (`oc`).
-* You have installed the `virtctl` client.
-* The virtual machine you want to access is running.
-* You are in the same project as the VM.
-
-
-.Procedure
-
-. Configure SSH key authentication:
-.. Use the `ssh-keygen` command to generate an SSH public key pair:
-+
-[source,terminal]
----
-$ ssh-keygen -f <key_file> <1>
----
-<1> Specify the file in which to store the keys.
-
-.. Create an SSH authentication secret which contains the SSH public key to access the VM:
-+
-[source,terminal]
----
-$ oc create secret generic my-pub-key --from-file=key1=<key_file>.pub
----
-
-.. Add a reference to the secret in the `VirtualMachine` manifest. For example:
-+
-[source,yaml]
----
-apiVersion: kubevirt.io/v1
-kind: VirtualMachine
-metadata:
-  name: testvm
-spec:
-  running: true
-  template:
-    spec:
-      accessCredentials:
-      - sshPublicKey:
-          source:
-            secret:
-              secretName: my-pub-key <1>
-          propagationMethod:
-            configDrive: {} <2>
-# ...
----
-<1> Reference to the SSH authentication `Secret` object.
-<2> The SSH public key is injected into the VM as cloud-init metadata using the `configDrive` provider.
-
-.. Restart the VM to apply your changes.
-
-. Connect to the VM via SSH: 
-.. Run the following command to access the VM via SSH:
-+
-[source,terminal]
----
-$ virtctl ssh -i <key_file> <vm_username>@<vm_name>
----
-
-.. Optional: To securely transfer files to or from the VM, use the following commands:
-+
-
-.Copy a file from your machine to the VM
-[source,terminal]
----
-$ virtctl scp -i <key_file> <filename> <vm_username>@<vm_name>:
----
-+
-.Copy a file from the VM to your machine
-[source,terminal]
----
-$ virtctl scp -i <key_file> <vm_username@<vm_name>:<filename> .
----
--- a/modules/virt-adding-static-public-key-cli.adoc
+++ b/modules/virt-adding-static-public-key-cli.adoc
@@ -0,0 +1,151 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/virt-accessing-vm-ssh.adoc
+
+:_content-type: PROCEDURE
+[id="virt-adding-static-public-key-cli_{context}"]
+= Adding an SSH key when creating a virtual machine by using the command line
+
+You can add a _static_ public SSH key when you create a virtual machine (VM) by using the command line. The key is added to the VM at startup.
+
+The SSH key is added to the VM as generated cloud-init metadata, by using a cloud-init configuration disk. This method separates the access credentials from the application data in the cloud-init user data. This method does not affect cloud-init user data.
+
+.Prerequisites
+
+* You generated an SSH key pair by running the `ssh-keygen` command.
+
+.Procedure
+
+. Create a manifest file for a `VirtualMachine` object and a `Secret` object:
+
+[source,yaml]
+----
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: example-vm
+  namespace: example-namespace
+spec:
+  dataVolumeTemplates:
+  - apiVersion: cdi.kubevirt.io/v1beta1
+    kind: DataVolume
+    metadata:
+      name: example-vm-disk
+    spec:
+      sourceRef:
+        kind: DataSource
+        name: rhel9
+        namespace: openshift-virtualization-os-images
+      storage:
+        resources:
+          requests:
+            storage: 30Gi
+  running: false
+  template:
+    metadata:
+      labels:
+        kubevirt.io/domain: example-vm
+    spec:
+      domain:
+        cpu:
+          cores: 1
+          sockets: 2
+          threads: 1
+        devices:
+          disks:
+          - disk:
+              bus: virtio
+            name: rootdisk
+          - disk:
+              bus: virtio
+            name: cloudinitdisk
+          interfaces:
+          - masquerade: {}
+            name: default
+          rng: {}
+        features:
+          smm:
+            enabled: true
+        firmware:
+          bootloader:
+            efi: {}
+        resources:
+          requests:
+            memory: 8Gi
+      evictionStrategy: LiveMigrate
+      networks:
+      - name: default
+        pod: {}
+      volumes:
+      - dataVolume:
+          name: example-volume
+        name: example-vm-disk
+        - cloudInitConfigDrive: <1>
+            userData: |-
+              #cloud-config
+              user: cloud-user
+              password: <password>
+              chpasswd: { expire: False }
+          name: cloudinitdisk
+      accessCredentials:
+        - sshPublicKey:
+            propagationMethod:
+              configDrive: {}
+            source:
+              secret:
+                secretName: authorized-keys <2>
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: authorized-keys
+data:
+  key:  |
+      MIIEpQIBAAKCAQEAulqb/Y... <3>
+----
+<1> Specify `cloudInitConfigDrive` to create a configuration drive.
+<2> Specify the `Secret` object name.
+<3> Paste the public SSH key.
+
+. Create the `VirtualMachine` and `Secret` objects:
+
+[source,terminal]
+----
+$ oc create -f <manifest_file>.yaml
+----
+
+. Start the VM:
+
+[source,terminal]
+----
+$ virtctl start vm example-vm
+----
+
+.Verification
+. Get the VM configuration:
+
+[source,terminal]
+----
+$ oc describe vm example-vm -n example-namespace
+----
+
+.Example output
+[source,yaml]
+----
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: example-vm
+  namespace: example-namespace
+spec:
+  template:
+    spec:
+      accessCredentials:
+        - sshPublicKey:
+            propagationMethod:
+              configDrive: {}
+            source:
+              secret:
+                secretName: authorized-keys
+----
+
--- a/modules/virt-adding-static-public-key-project-web.adoc
+++ b/modules/virt-adding-static-public-key-project-web.adoc
@@ -0,0 +1,37 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/virt-accessing-vm-ssh.adoc
+
+:_content-type: PROCEDURE
+[id="adding-static-public-key-project-web_{context}"]
+= Adding an SSH key to a project by using the web console
+
+You can add a _static_ public SSH key to a project by using the {product-title} web console. Afterwards, this key is added to the virtual machines (VMs) that you create in the project.
+
+A static public key is added to a VM at startup as cloud-init metadata. This method does not affect cloud-init user data.
+
+.Prerequisites
+
+* You generated an SSH key pair by running the `ssh-keygen` command.
+
+.Procedure
+
+. Navigate to *Virtualization* -> *Overview* in the web console.
+. On the *Settings* tab, click the *User* tab.
+. Expand *Manage SSH keys*.
+. Select a project from the *Project* list and click the edit icon.
+. Select an SSH key option:
+
+* *Use existing*: Select a secret from the secrets list.
+* *Add new*:
+.. Browse to the public SSH key file or paste the file in the key field.
+.. Enter the secret name.
+
+. Click *Save*.
+
+.Verification
+. Create a VM in the same project as the SSH key.
+. Click the VM to view the *VirtualMachine details* page.
+. Click the *Scripts* tab on the *Configuration* tab.
+
+The secret name is displayed in the *Authorized SSH key* section.
--- a/modules/virt-adding-static-public-key-vm-web.adoc
+++ b/modules/virt-adding-static-public-key-vm-web.adoc
@@ -0,0 +1,40 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/virt-accessing-vm-ssh.adoc
+
+:_content-type: PROCEDURE
+[id="adding-static-public-key-vm-web_{context}"]
+= Adding an SSH key when creating a virtual machine by using the web console
+
+You can add a _static_ public SSH key when you create a virtual machine (VM) by using the {product-title} web console.
+
+The key is added at startup as cloud-init metadata. This method does not affect cloud-init user data.
+
+.Prerequisites
+
+* You generated an SSH key pair by running the `ssh-keygen` command.
+
+.Procedure
+
+. Navigate to *Virtualization* -> *Catalog* in the web console.
+. Click a template tile.
+. Click *Customize VirtualMachine*.
+. Click *Next*.
+. On the *Scripts* tab, click the edit icon beside *Authorized SSH key*.
+. Select an SSH key option:
+
+* *Use existing*: Select a secret from the secrets list.
+* *Add new*:
+.. Browse to the public SSH key file or paste the file in the key field.
+.. Enter the secret name.
+.. Optional: Select *Automatically apply this key to any new VirtualMachine you create in this project*.
+
+. Click *Save*.
+. Click *Create VirtualMachine*.
+
+The *VirtualMachine details* page displays the progress of the VM creation.
+
+.Verification
+. Click the *Scripts* tab on the *Configuration* tab.
+
+The secret name is displayed in the *Authorized SSH key* section.
--- a/modules/virt-connecting-secondary-network-ssh.adoc
+++ b/modules/virt-connecting-secondary-network-ssh.adoc
@@ -0,0 +1,50 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/virt-accessing-vm-ssh.adoc
+
+:_content-type: PROCEDURE
+[id="virt-connecting-secondary-network-ssh_{context}"]
+= Connecting to a virtual machine attached to a secondary network by using SSH
+
+You can connect to a virtual machine (VM) attached to a secondary network by using SSH.
+
+.Prerequisites
+
+* You attached a VM to a secondary network with a DHCP server.
+* You have an SSH client installed.
+
+.Procedure
+
+. Obtain the IP address of the VM by running the following command:
+
+[source,terminal]
+----
+$ oc describe vm <vm_name>
+----
+
+.Example output
+----
+# ...
+Interfaces:
+  Interface Name:  eth0
+  Ip Address:      10.244.0.37/24
+  Ip Addresses:
+    10.244.0.37/24
+    fe80::858:aff:fef4:25/64
+  Mac:             0a:58:0a:f4:00:25
+  Name:            default
+# ...
+----
+
+. Connect to the VM by running the following command:
+
+[source,terminal]
+----
+$ ssh <user_name>@<ip_address> -i <ssh_key>
+----
+
+.Example
+[source,terminal]
+----
+$ ssh cloud-user@10.244.0.37 -i ~/.ssh/id_rsa_cloud-user
+----
--- a/modules/virt-connecting-service-ssh.adoc
+++ b/modules/virt-connecting-service-ssh.adoc
@@ -0,0 +1,26 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/virt-accessing-vm-ssh.adoc
+// * virt/virtual_machines/vm_networking/virt-creating-service-vm.adoc
+
+:_content-type: PROCEDURE
+[id="virt-connecting-service-ssh_{context}"]
+= Connecting to a virtual machine by using SSH and a service
+
+You can connect to a virtual machine (VM) by using SSH and a service.
+
+.Prerequisites
+
+* You created a service to expose a VM.
+* You have an SSH client installed.
+* You are logged in to the cluster.
+
+.Procedure
+
+* Run the following command to access the VM:
+
+[source,terminal]
+----
+$ ssh <user_name>@<ip_address> -p <port> <1>
+----
+<1> Specify the cluster IP for a cluster IP service, the node IP for a node port service, or the external IP address for a load balancer service.
--- a/modules/virt-connecting-to-vm-console-web.adoc
+++ b/modules/virt-connecting-to-vm-console-web.adoc
@@ -0,0 +1,79 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/virt-accessing-vm-consoles.adoc
+
+ifeval::["{context}" == "vnc-console"]
+:vnc-console:
+:console: VNC console
+:console-menu: VNC console
+endif::[]
+ifeval::["{context}" == "serial-console"]
+:serial-console:
+:console: serial console
+:console-menu: Serial console
+endif::[]
+ifeval::["{context}" == "desktop-viewer"]
+:desktop-viewer:
+:console: desktop viewer
+:console-menu: Desktop viewer
+endif::[]
+
+:_content-type: PROCEDURE
+[id="virt-connecting-to-vm-console-web_{context}"]
+= Connecting to the {console} by using the web console
+
+ifdef::vnc-console,serial-console[]
+You can connect to the {console} of a virtual machine (VM) by using the {product-title} web console.
+endif::[]
+ifdef::desktop-viewer[]
+You can connect to the {console} of a Windows virtual machine (VM) by using the {product-title} web console.
+endif::[]
+
+ifdef::vnc-console[]
+[NOTE]
+====
+If you connect to a Windows VM with a vGPU assigned as a mediated device, you can switch between the default display and the vGPU display.
+====
+endif::[]
+
+ifdef::desktop-viewer[]
+.Prerequisites
+
+* You installed the QEMU guest agent on the Windows VM.
+* You have an RDP client installed.
+endif::[]
+
+.Procedure
+
+. On the *Virtualization* -> *VirtualMachines* page, click a VM to open the *VirtualMachine details* page.
+. Click the *Console* tab. The VNC console session starts automatically.
+ifdef::desktop-viewer,serial-console[]
+. Click *Disconnect* to end the VNC console session. Otherwise, the VNC console session continues to run in the background.
+. Select *{console-menu}* from the console list.
+endif::[]
+ifdef::desktop-viewer[]
+. Click *Create RDP Service* to open the *RDP Service* dialog.
+. Select *Expose RDP Service* and click *Save* to create a node port service.
+. Click *Launch Remote Desktop* to download an `.rdp` file and launch the {console}.
+endif::[]
+ifdef::vnc-console[]
+. Optional: To switch to the vGPU display of a Windows VM, select *Ctl + Alt + 2* from the *Send key* list.
+
+* Select *Ctl + Alt + 1* from the *Send key* list to restore the default display.
+endif::[]
+ifdef::vnc-console,serial-console[]
+. To end the console session, click outside the console pane and then click *Disconnect*.
+endif::[]
+
+ifeval::["{context}" == "vnc-console"]
+:console!:
+:console-menu!:
+endif::[]
+ifeval::["{context}" == "serial-console"]
+:console!:
+:console-menu!:
+endif::[]
+ifeval::["{context}" == "desktop-viewer"]
+:console!:
+:console-menu!:
+endif::[]
--- a/modules/virt-connecting-vm-virtctl.adoc
+++ b/modules/virt-connecting-vm-virtctl.adoc
@@ -0,0 +1,63 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/virt-accessing-vm-consoles.adoc
+
+ifeval::["{context}" == "vnc-console"]
+:vnc-console:
+:console: VNC console
+endif::[]
+ifeval::["{context}" == "serial-console"]
+:serial-console:
+:console: serial console
+endif::[]
+
+:_content-type: PROCEDURE
+[id="virt-connecting-vm-virtctl_{context}"]
+= Connecting to the {console} by using virtctl
+
+You can use the `virtctl` command line tool to connect to the {console} of a running virtual machine.
+
+ifdef::vnc-console[]
+[NOTE]
+====
+If you run the `virtctl vnc` command on a remote machine over an SSH connection, you must forward the X session to your local machine by running the `ssh` command with the `-X` or `-Y` flags.
+====
+
+.Prerequisites
+
+* You must install the `virt-viewer` package.
+endif::[]
+
+.Procedure
+
+. Run the following command to start the console session:
+
+ifdef::serial-console[]
+[source,terminal]
+----
+$ virtctl console <vm_name>
+----
+
+. Press `Ctrl+]` to end the console session.
+endif::[]
+ifdef::vnc-console[]
+[source,terminal]
+----
+$ virtctl vnc <vm_name>
+----
+
+. If the connection fails, run the following command to collect
+troubleshooting information:
+
+[source,terminal]
+----
+$ virtctl vnc <vm_name> -v 4
+----
+endif::[]
+
+ifeval::["{context}" == "vnc-console"]
+:!console:
+endif::[]
+ifeval::["{context}" == "serial-console"]
+:!console:
+endif::[]
--- a/modules/virt-copying-the-ssh-command.adoc
+++ b/modules/virt-copying-the-ssh-command.adoc
@@ -1,18 +0,0 @@
-// Module included in the following assemblies:
-//
-// * virt/virtual_machines/virt-accessing-vm-consoles.adoc
-
-:_content-type: PROCEDURE
-[id="virt-copying-the-ssh-command_{context}"]
-= Copying the SSH command using the web console
-
-Copy the command to connect to a virtual machine (VM) terminal via SSH.
-
-
-.Procedure
-
-. In the {product-title} console, click *Virtualization* -> *VirtualMachines* from the side menu.
-
-. Click the *Options* menu {kebab} for your virtual machine and select *Copy SSH command*.
-
-. Paste it in the terminal to access the VM.
--- a/modules/virt-creating-a-service-from-a-virtual-machine.adoc
+++ b/modules/virt-creating-a-service-from-a-virtual-machine.adoc
@@ -1,122 +0,0 @@
-// Module included in the following assemblies:
-//
-// * virt/virtual_machines/vm_networking/virt-creating-service-vm.adoc
-
-:_content-type: PROCEDURE
-[id="virt-creating-a-service-from-a-virtual-machine_{context}"]
-
-= Exposing a virtual machine as a service
-
-Create a `ClusterIP`, `NodePort`, or `LoadBalancer` service to connect to a running virtual machine (VM) from within or outside the cluster.
-
-.Procedure
-
-. Edit the `VirtualMachine` manifest to add the label for service creation:
-+
-[source,yaml]
----
-apiVersion: kubevirt.io/v1
-kind: VirtualMachine
-metadata:
-  name: vm-ephemeral
-  namespace: example-namespace
-spec:
-  running: false
-  template:
-    metadata:
-      labels:
-        special: key <1>
-# ...
----
-<1> Add the label `special: key` in the `spec.template.metadata.labels` section.
-+
-
-[NOTE]
-====
-Labels on a virtual machine are passed through to the pod. The `special: key` label must match the label in the `spec.selector` attribute of the `Service` manifest.
-====
-
-. Save the `VirtualMachine` manifest file to apply your changes.
-
-. Create a `Service` manifest to expose the VM:
-+
-[source,yaml]
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: vmservice <1>
-  namespace: example-namespace <2>
-spec:
-  externalTrafficPolicy: Cluster <3>
-  ports:
-  - nodePort: 30000 <4>
-    port: 27017
-    protocol: TCP
-    targetPort: 22 <5>
-  selector:
-    special: key <6>
-  type: NodePort <7>
----
-<1> The name of the `Service` object.
-<2> The namespace where the `Service` object resides. This must match the `metadata.namespace` field of the `VirtualMachine` manifest.
-<3> Optional: Specifies how the nodes distribute service traffic that is received on external IP addresses. This only applies to `NodePort` and `LoadBalancer` service types. The default value is `Cluster` which routes traffic evenly to all cluster endpoints.
-<4> Optional: When set, the `nodePort` value must be unique across all services. If not specified, a value in the range above `30000` is dynamically allocated.
-<5> Optional: The VM port to be exposed by the service. It must reference an open port if a port list is defined in the VM manifest. If `targetPort` is not specified, it takes the same value as `port`.
-<6> The reference to the label that you added in the `spec.template.metadata.labels` stanza of the `VirtualMachine` manifest.
-<7> The type of service.  Possible values are `ClusterIP`, `NodePort` and `LoadBalancer`.
-
-. Save the `Service` manifest file.
-. Create the service by running the following command:
-+
-[source,terminal]
----
-$ oc create -f <service_name>.yaml
----
-
-. Start the VM. If the VM is already running, restart it.
-
-.Verification
-. Query the `Service` object to verify that it is available:
-+
-[source,terminal]
----
-$ oc get service -n example-namespace
----
-+
-.Example output for `ClusterIP` service
-[source,terminal]
----
-NAME        TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)     AGE
-vmservice   ClusterIP   172.30.3.149   <none>        27017/TCP   2m
----
-+
-.Example output for `NodePort` service
-[source,terminal]
----
-NAME        TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)            AGE
-vmservice   NodePort    172.30.232.73   <none>       27017:30000/TCP    5m
----
-+
-.Example output for `LoadBalancer` service
-[source,terminal]
----
-NAME        TYPE            CLUSTER-IP     EXTERNAL-IP                    PORT(S)           AGE
-vmservice   LoadBalancer    172.30.27.5   172.29.10.235,172.29.10.235     27017:31829/TCP   5s
----
-
-. Choose the appropriate method to connect to the virtual machine:
-+
-* For a `ClusterIP` service, connect to the VM from within the cluster by using the service IP address and the service port. For example:
-+
-[source,terminal]
----
-$ ssh fedora@172.30.3.149 -p 27017
----
-* For a `NodePort` service, connect to the VM by specifying the node IP address and the node port outside the cluster network. For example:
-+
-[source,terminal]
----
-$ ssh fedora@$NODE_IP -p 30000
----
-* For a `LoadBalancer` service, use the `vinagre` client to connect to your virtual machine by using the public IP address and port. External ports are dynamically allocated.
--- a/modules/virt-creating-service-cli.adoc
+++ b/modules/virt-creating-service-cli.adoc
@@ -0,0 +1,79 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/vm_networking/virt-creating-service-vm.adoc
+// * virt/virtual_machines/virt-accessing-vm-ssh.adoc
+
+:_content-type: PROCEDURE
+[id="virt-creating-service-cli_{context}"]
+= Creating a service by using the command line
+
+You can create a service and associate it with a virtual machine (VM) by using the command line.
+
+.Prerequisites
+
+* You configured the cluster network to support the service.
+
+.Procedure
+
+. Edit the `VirtualMachine` manifest to add the label for service creation:
+
+[source,yaml]
+----
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: example-vm
+  namespace: example-namespace
+spec:
+  running: false
+  template:
+    metadata:
+      labels:
+        special: key <1>
+# ...
+----
+<1> Add `special: key` to the `spec.template.metadata.labels` stanza.
+
+[NOTE]
+====
+Labels on a virtual machine are passed through to the pod. The `special: key` label must match the label in the `spec.selector` attribute of the `Service` manifest.
+====
+
+. Save the `VirtualMachine` manifest file to apply your changes.
+
+. Create a `Service` manifest to expose the VM:
+
+[source,yaml]
+----
+apiVersion: v1
+kind: Service
+metadata:
+  name: example-service
+  namespace: example-namespace
+spec:
+# ...
+  selector:
+    special: key <1>
+  type: NodePort <2>
+----
+<1> Specify the label that you added to the `spec.template.metadata.labels` stanza of the `VirtualMachine` manifest.
+<2> Specify `ClusterIP`, `NodePort`, or `LoadBalancer`.
+
+. Save the `Service` manifest file.
+. Create the service by running the following command:
+
+[source,terminal]
+----
+$ oc create -f example-service.yaml
+----
+
+. Restart the VM to apply the changes.
+
+.Verification
+
+* Query the `Service` object to verify that it is available:
+
+[source,terminal]
+----
+$ oc get service -n example-namespace
+----
--- a/modules/virt-creating-service-virtctl.adoc
+++ b/modules/virt-creating-service-virtctl.adoc
@@ -0,0 +1,41 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/virt-accessing-vm-ssh.adoc
+
+:_content-type: PROCEDURE
+[id="virt-creating-service-virtctl_{context}"]
+= Creating a service by using virtctl
+
+You can create a service for a virtual machine (VM) by using the `virtctl` command line tool.
+
+.Prerequisites
+
+* You installed the `virtctl` command line tool.
+* You configured the cluster network to support the service.
+* The environment where you installed `virtctl` has the cluster permissions required to access the VM. For example, you ran `oc login` or you set the `KUBECONFIG` environment variable.
+
+.Procedure
+
+* Create a service by running the following command:
+
+[source,terminal]
+----
+$ virtctl expose vm <vm_name> --name <service_name> --type <service_type> --port <port> <1>
+----
+<1> Specify the `ClusterIP`, `NodePort`, or `LoadBalancer` service type.
+
+.Example
+
+[source,terminal]
+----
+$ virtctl expose vm example-vm --name example-service --type NodePort --port 22
+----
+
+.Verification
+
+* Verify the service by running the following command:
+
+[source,terminal]
+----
+$ oc get service
+----
--- a/modules/virt-creating-service-web.adoc
+++ b/modules/virt-creating-service-web.adoc
@@ -0,0 +1,29 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/virt-accessing-vm-ssh.adoc
+
+:_content-type: PROCEDURE
+[id="virt-creating-service-web_{context}"]
+= Creating a node port or load balancer service by using the web console
+
+You can create a node port or load balancer service for a virtual machine (VM) by using the {product-title} web console.
+
+.Prerequisites
+
+* You configured the cluster network to support either a load balancer or a node port.
+
+.Procedure
+
+. For a load balancer service, enable the creation of load balancer services:
+
+.. Navigate to *Virtualization* -> *Overview*.
+.. On the *Settings* tab, click *Cluster*.
+.. Expand *LoadBalancer service* and select *Enable the creation of LoadBalancer services for SSH connections to VirtualMachines*.
+
+. Navigate to *VirtualMachines* and select a virtual machine to view the *VirtualMachine details* page.
+. On the *Details* tab, select *SSH over LoadBalancer* or *SSH over NodePort* from the *SSH service type* list.
+. Optional: Click the copy icon to copy the `SSH` command to your clipboard.
+
+.Verification
+
+* Check the *Services* pane on the *Details* tab for the new service.
--- a/modules/virt-creating-vm-template.adoc
+++ b/modules/virt-creating-vm-template.adoc
@@ -10,7 +10,7 @@ You can create a virtual machine (VM) from a template with an available boot sou

 .Procedure

-. Click *Virtualization* -> *Catalog* in the side menu.
+. Navigate to *Virtualization* -> *Catalog* in the web console.

 . Click *Boot source available* to filter templates with boot sources.
 +
@@ -20,10 +20,12 @@ The catalog displays the default templates. Click *All Items* to view all availa

 . Click *Quick create VirtualMachine* to create a VM from the template.
 +
-Optional: Update parameters such as the VM name or disk source:
+Optional: Update template or VM parameters:

 .. Click *Customize VirtualMachine*.
-.. Edit the parameters and click *Next*.
+.. Edit template parameters such as the disk source or VM name.
+.. Click *Next*.
+.. Edit VM parameters such as network interfaces or disks.
 .. Click *Create VirtualMachine*.
 +
 The *VirtualMachine details* page displays the provisioning status.
--- a/modules/virt-running-virtctl-ssh-command.adoc
+++ b/modules/virt-running-virtctl-ssh-command.adoc
@@ -0,0 +1,32 @@
+// Module included in the following assemblies:
+//
+// * virt/virtual_machines/virt-accessing-vm-ssh.adoc
+
+:_content-type: PROCEDURE
+[id="virt-running-virtctl-ssh-command_{context}"]
+= Running the virtctl ssh command
+
+You can access a running virtual machine (VM) by using the `virtcl ssh` command.
+
+.Prerequisites
+
+* You installed the `virtctl` command line tool.
+* You added a public SSH key to the VM.
+* You have an SSH client installed.
+* The environment where you installed the `virtctl` tool has the cluster permissions required to access the VM. For example, you ran `oc login` or you set the `KUBECONFIG` environment variable.
+
+.Procedure
+
+* Run the `virtctl ssh` command:
+
+[source,terminal]
+----
+$ virtctl -n <namespace> ssh <username>@example-vm -i <ssh_key> <1>
+----
+<1> Specify the namespace, user name, and the SSH private key. The default SSH key location is `/home/user/.ssh`. If you save the key in a different location, you must specify the path.
+
+.Example
+[source,terminal]
+----
+$ virtctl -n my-namespace ssh cloud-user@example-vm -i my-key
+----
--- a/modules/virt-switching-displays.adoc
+++ b/modules/virt-switching-displays.adoc
@@ -1,24 +0,0 @@
-// Module included in the following assemblies:
-//
-// * virt/virtual_machines/virt-accessing-vm-consoles.adoc
-
-:_content-type: PROCEDURE
-[id="virt-switching-displays_{context}"]
-= Switching between virtual machine displays
-
-If your Windows virtual machine (VM) has a vGPU attached, you can switch between the default display and the vGPU display by using the web console.
-
-.Prerequisites
-
-* The mediated device is configured in the `HyperConverged` custom resource and assigned to the VM.
-* The VM is running.
-
-.Procedure
-
-. In the {product-title} console, click *Virtualization* -> *VirtualMachines*
-. Select a Windows virtual machine to open the *Overview* screen.
-. Click the *Console* tab.
-. From the list of consoles, select *VNC console*.
-. Choose the appropriate key combination from the *Send Key* list:
-.. To access the default VM display, select `Ctl + Alt+ 1`.
-.. To access the vGPU display, select `Ctl + Alt + 2`.
--- a/modules/virt-using-openssh-and-virtctl-port-forward.adoc
+++ b/modules/virt-using-openssh-and-virtctl-port-forward.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * virt/virtual_machines/virt-using-openssh-and-virtctl-port-forward.adoc
+// * virt/virtual_machines/virt-accessing-vm-ssh.adoc

 :_content-type: PROCEDURE
 [id="virt-using-openssh-and-virtctl-port-forward_{context}"]
--- a/modules/virt-virtctl-commands.adoc
+++ b/modules/virt-virtctl-commands.adoc
@@ -113,9 +113,11 @@ You use `virtctl` connection commands to expose ports and connect to VMs and VMI
 |`virtctl console <vm_name>`
 |Connect to the serial console of a VM.

-|`virtctl expose <vm_name>`
+|`virtctl expose vm <vm_name> --name <service_name> --type <ClusterIP\|NodePort\|LoadBalancer> --port <port>`
 |Create a service that forwards a designated port of a VM and expose the service on the specified port of the node.

+Example: `virtctl expose vm rhel9_vm --name rhel9-ssh --type NodePort --port 22`
+
 |`virtctl scp -i <ssh_key> <file_name> <user_name>@<vm_name>`
 |Copy a file from your machine to a VM. This command uses the private key of an SSH key pair. The VM must be configured with the public key.

@@ -125,15 +127,15 @@ You use `virtctl` connection commands to expose ports and connect to VMs and VMI
 |`virtctl ssh -i <ssh_key> <user_name>@<vm_name>`
 |Open an SSH connection with a VM. This command uses the private key of an SSH key pair. The VM must be configured with the public key.

-|`virtctl vnc --kubeconfig=$KUBECONFIG <vm_name>`
+|`virtctl vnc <vm_name>`
 |Connect to the VNC console of a VM.

-Accessing the graphical console of a VM through VNC requires a remote viewer on your local machine.
+You must have `virt-viewer` installed.

-|`virtctl vnc --kubeconfig=$KUBECONFIG --proxy-only=true <vm_name>`
+|`virtctl vnc --proxy-only=true <vm_name>`
 |Display the port number and connect manually to a VM by using any viewer through the VNC connection.

-|`virtctl vnc --kubeconfig=$KUBECONFIG --port=<port-number> <vm_name>`
+|`virtctl vnc --port=<port-number> <vm_name>`
 |Specify a port number to run the proxy on the specified port, if that port is available.

 If a port number is not specified, the proxy runs on a random port.
--- a/modules/virt-vm-creating-nic-web.adoc
+++ b/modules/virt-vm-creating-nic-web.adoc
@@ -1,23 +1,24 @@
 // Module included in the following assemblies:
 //
 // * virt/virtual_machines/vm_networking/virt-attaching-vm-multiple-networks.adoc
+// * virt/virtual_machines/virt-accessing-vm-ssh.adoc

 :_content-type: PROCEDURE
 [id="virt-vm-creating-nic-web_{context}"]
-= Creating a NIC for a virtual machine in the web console
+= Configuring a network interface for a virtual machine by using the web console

-Create and attach additional NICs to a virtual machine from the web console.
+You can configure a network interface for a virtual machine (VM) by using the {product-title} web console.

 .Prerequisites

-* A network attachment definition must be available.
+* You created a network attachment definition for the network.

 .Procedure

-. In the correct project in the {product-title} console, click *Virtualization* -> *VirtualMachines* from the side menu.
-. Select a virtual machine to open the *VirtualMachine details* page.
-. Click *Configuration* -> *Network interfaces* to view the NICs already attached to the virtual machine.
-. Click *Add Network Interface* to create a new slot in the list.
-. Select a network attachment definition from the *Network* list for the additional network.
-. Fill in the *Name*, *Model*, *Type*, and *MAC Address* for the new NIC.
-. Click *Save* to save and attach the NIC to the virtual machine.
+. Navigate to *Virtualization* -> *VirtualMachines*.
+. Click a VM to view the *VirtualMachine details* page.
+. On the *Configuration* tab, click the *Network interfaces* tab.
+. Click *Add network interface*.
+. Enter the interface name and select the network attachment definition from the *Network* list.
+. Click *Save*.
+. Restart the VM to apply the changes.
--- a/virt/getting_started/virt-getting-started.adoc
+++ b/virt/getting_started/virt-getting-started.adoc
@@ -49,9 +49,9 @@ include::snippets/technology-preview.adoc[]

 Connect to VMs:

-* Connect to the xref:../../virt/virtual_machines/virt-accessing-vm-consoles.adoc#virt-vm-serial-console-web_virt-accessing-vm-consoles[serial console] or xref:../../virt/virtual_machines/virt-accessing-vm-consoles.adoc#virt-connecting-vnc-console_virt-accessing-vm-consoles[VNC console] of a VM by using the web console.
-* xref:../../virt/virtual_machines/virt-accessing-vm-consoles.adoc#virt-accessing-vmi-ssh_virt-accessing-vm-consoles[Connect to a VM by using SSH].
-* xref:../../virt/virtual_machines/virt-accessing-vm-consoles.adoc#virt-vm-rdp-console-web_virt-accessing-vm-consoles[Connect to a Windows VM by using RDP].
+* Connect to the xref:../../virt/virtual_machines/virt-accessing-vm-consoles.adoc#serial-console_virt-accessing-vm-consoles[serial console] or xref:../../virt/virtual_machines/virt-accessing-vm-consoles.adoc#vnc-console_virt-accessing-vm-consoles[VNC console] of a VM.
+* xref:../../virt/virtual_machines/virt-accessing-vm-ssh.adoc#virt-accessing-vm-ssh[Connect to a VM by using SSH].
+* xref:../../virt/virtual_machines/virt-accessing-vm-consoles.adoc#desktop-viewer_virt-accessing-vm-consoles[Connect to the desktop viewer for Windows VMs].

 Manage VMs:

--- a/virt/support/virt-collecting-virt-data.adoc
+++ b/virt/support/virt-collecting-virt-data.adoc
@@ -50,7 +50,7 @@ Collecting data about malfunctioning virtual machines (VMs) minimizes the time r
 ** Record the Windows patch update details.
 ** link:https://access.redhat.com/solutions/6957701[Install the latest VirtIO drivers].
 ** xref:../../virt/virtual_machines/virt-installing-qemu-guest-agent.adoc#virt-installing-virtio-drivers-existing-windows_virt-installing-qemu-guest-agent[Install the latest QEMU guest agent].
-** If Remote Desktop Protocol (RDP) is enabled, try to connect to the VMs with RDP by using the xref:../../virt/virtual_machines/virt-accessing-vm-consoles.adoc#virt-vm-rdp-console-web_virt-accessing-vm-consoles[web console] or the xref:../../virt/virtual_machines/virt-accessing-vm-consoles.adoc#virt-accessing-rdp-console_virt-accessing-vm-consoles[command line] to determine whether there is a problem with the connection software.
+** If Remote Desktop Protocol (RDP) is enabled, connect by using the xref:../../virt/virtual_machines/virt-accessing-vm-consoles.adoc#desktop-viewer_virt-accessing-vm-consoles[desktop viewer] to determine whether there is a problem with the connection software.

 .Procedure

--- a/virt/virtual_machines/virt-accessing-vm-consoles.adoc
+++ b/virt/virtual_machines/virt-accessing-vm-consoles.adoc
@@ -1,51 +1,44 @@
 :_content-type: ASSEMBLY
 [id="virt-accessing-vm-consoles"]
-= Accessing virtual machine consoles
+= Connecting to virtual machine consoles
 include::_attributes/common-attributes.adoc[]
 :context: virt-accessing-vm-consoles
+:virt-accessing-vm-consoles:

 toc::[]

-{VirtProductName} provides different virtual machine consoles that you can
-use to accomplish different product tasks. You can access these consoles through
-the {product-title} web console and by using CLI commands.
+You can connect to the following consoles to access running virtual machines (VMs):

-[id="virt-accessing-vm-consoles-web"]
-== Accessing virtual machine consoles in the {product-title} web console
+* xref:../../virt/virtual_machines/virt-accessing-vm-consoles.adoc#vnc-console_virt-accessing-vm-consoles[VNC console]

-You can connect to virtual machines by using the serial console or the VNC console in the {product-title} web console.
+* xref:../../virt/virtual_machines/virt-accessing-vm-consoles.adoc#serial-console_virt-accessing-vm-consoles[Serial console]
+* xref:../../virt/virtual_machines/virt-accessing-vm-consoles.adoc#desktop-viewer_virt-accessing-vm-consoles[Desktop viewer for Windows VMs]

-You can connect to Windows virtual machines by using the desktop viewer console, which uses RDP (remote desktop protocol), in the {product-title} web console.
+[id="vnc-console_virt-accessing-vm-consoles"]
+== Connecting to the VNC console

-include::modules/virt-vm-serial-console-web.adoc[leveloffset=+2]
+You can connect to the VNC console of a virtual machine by using the {product-title} web console or the `virtctl` command line tool.

-include::modules/virt-connecting-vnc-console.adoc[leveloffset=+2]
+:context: vnc-console
+include::modules/virt-connecting-to-vm-console-web.adoc[leveloffset=+2]
+include::modules/virt-connecting-vm-virtctl.adoc[leveloffset=+2]
+:!vnc-console:

-include::modules/virt-vm-rdp-console-web.adoc[leveloffset=+2]
+[id="serial-console_virt-accessing-vm-consoles"]
+== Connnecting to the serial console

-include::modules/virt-switching-displays.adoc[leveloffset=+2]
+You can connect to the serial console of a virtual machine by using the {product-title} web console or the `virtctl` command line tool.

-[role="_additional-resources"]
-.Additional resources
+:context: serial-console
+include::modules/virt-connecting-to-vm-console-web.adoc[leveloffset=+2]
+include::modules/virt-connecting-vm-virtctl.adoc[leveloffset=+2]
+:!serial-console:

-* xref:../../virt/virtual_machines/advanced_vm_management/virt-configuring-mediated-devices.adoc#virt-configuring-mediated-devices[Configuring mediated devices]
+[id="desktop-viewer_virt-accessing-vm-consoles"]
+== Connecting to the desktop viewer

-include::modules/virt-copying-the-ssh-command.adoc[leveloffset=+2]
+You can connect to a Windows virtual machine (VM) by using the desktop viewer and the Remote Desktop Protocol (RDP).

-[id="virt-accessing-vm-consoles-cli"]
-== Accessing virtual machine consoles by using CLI commands
-
-include::modules/virt-accessing-vmi-ssh.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-.Additional resources
-* xref:../../virt/virtual_machines/vm_networking/virt-creating-service-vm.adoc#virt-creating-service-vm[Creating a service to expose a virtual machine]
-* xref:../../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets-about_nodes-pods-secrets[Understanding secrets]
-
-include::modules/virt-using-openssh-and-virtctl-port-forward.adoc[leveloffset=+2]
-
-include::modules/virt-accessing-serial-console.adoc[leveloffset=+2]
-
-include::modules/virt-accessing-vnc-console.adoc[leveloffset=+2]
-
-include::modules/virt-accessing-rdp-console.adoc[leveloffset=+2]
+:context: desktop-viewer
+include::modules/virt-connecting-to-vm-console-web.adoc[leveloffset=+2]
+:!desktop-viewer:
--- a/virt/virtual_machines/virt-accessing-vm-ssh.adoc
+++ b/virt/virtual_machines/virt-accessing-vm-ssh.adoc
@@ -0,0 +1,123 @@
+:_content-type: ASSEMBLY
+[id="virt-accessing-vm-ssh"]
+= Configuring SSH access to virtual machines
+include::_attributes/common-attributes.adoc[]
+:context: virt-accessing-vm-ssh
+:toclevels: 3
+
+toc::[]
+
+You can configure SSH access to virtual machines (VMs) by using the following methods:
+
+* xref:../../virt/virtual_machines/virt-accessing-vm-ssh.adoc#using-virtctl-ssh_virt-accessing-vm-ssh[`virtctl ssh` command]
+
+You create an SSH key pair, add the public key to a VM, and connect to the VM by running the `virtctl ssh` command with the private key.
+
+* xref:../../virt/virtual_machines/virt-accessing-vm-ssh.adoc#virt-using-openssh-and-virtctl-port-forward_virt-accessing-vm-ssh[`virtctl port-forward` command]
+
+You add the `virtctl port-foward` command to your `.ssh/config` file and connect to the VM by using OpenSSH.
+
+* xref:../../virt/virtual_machines/virt-accessing-vm-ssh.adoc#using-services-ssh_virt-accessing-vm-ssh[Service]
+
+You create a service, associate the service with the VM, and connect to the IP address and port exposed by the service.
+
+* xref:../../virt/virtual_machines/virt-accessing-vm-ssh.adoc#using-secondary-networks-ssh_virt-accessing-vm-ssh[Secondary network]
+
+You configure a secondary network, attach a virtual machine (VM) to the secondary network interface, and connect to the DHCP-allocated IP address.
+
+include::modules/virt-access-configuration-considerations.adoc[leveloffset=+1]
+
+[id="using-virtctl-ssh_virt-accessing-vm-ssh"]
+== Using virtctl ssh
+
+You can add a public SSH key to a virtual machine (VM) and connect to the VM by running the `virtctl ssh` command.
+
+This method is simple to configure. However, it is not recommended for high traffic loads because it places a burden on the API server.
+
+[id="adding-public-keys-vm_virt-accessing-vm-ssh"]
+=== Adding an SSH key to a virtual machine
+
+You can add a _static_ or _dynamic_ public SSH key to a virtual machine (VM) by using the {product-title} web console or the command line.
+
+Static key::
+* Added to the VM at startup.
+* Uses the cloud-init configuration drive and does not affect cloud-init user data.
+* Can be added when you create a VM by using the xref:../../virt/virtual_machines/virt-accessing-vm-ssh.adoc#adding-static-public-key-vm-web_virt-accessing-vm-ssh[web console] or the xref:../../virt/virtual_machines/virt-accessing-vm-ssh.adoc#adding-static-public-key-project-web_virt-accessing-vm-ssh[command line].
+* Can be added to a xref:../../virt/virtual_machines/virt-accessing-vm-ssh.adoc#adding-static-public-key-project-web_virt-accessing-vm-ssh[project] by using the web console. Afterwards, the key is automatically added to the VMs that you create in this project.
+
+Dynamic key::
+* Can be added or revoked while the VM is running.
+* Can be disabled for security reasons. If the setting is disabled, the VM inherits the key setting of the image from which it was created.
+* Uses the QEMU guest agent.
+* Only supported by {op-system-base-full} 9.
+
+include::modules/virt-adding-static-public-key-vm-web.adoc[leveloffset=+3]
+
+include::modules/virt-adding-static-public-key-cli.adoc[leveloffset=+3]
+
+include::modules/virt-adding-static-public-key-project-web.adoc[leveloffset=+3]
+
+// dynamic ssh key configuration will go here
+
+include::modules/virt-running-virtctl-ssh-command.adoc[leveloffset=+2]
+
+[TIP]
+====
+You can copy the `virtctl ssh` command in the web console by selecting *Copy SSH command* from the options {kebab} menu beside a VM on the xref:../../virt/getting_started/virt-web-console-overview.adoc#virtualmachines-page_virt-web-console-overview[*VirtualMachines* page].
+====
+
+include::modules/virt-using-openssh-and-virtctl-port-forward.adoc[leveloffset=+1]
+
+[id="using-services-ssh_virt-accessing-vm-ssh"]
+== Using a service for SSH access
+
+You can create a service for a virtual machine (VM) and connect to the IP address and port exposed by the service.
+
+Services provide excellent performance and are recommended for applications that are accessed from outside the cluster or within the cluster. Ingress traffic is protected by firewalls.
+
+If the cluster network cannot handle the traffic load, consider using a secondary network for VM access.
+
+include::modules/virt-about-services.adoc[leveloffset=+2]
+
+[id="creating-services-ssh_virt-accessing-vm-ssh"]
+=== Creating a service
+
+You can create a service to expose a virtual machine (VM) by using the {product-title} web console, `virtctl` command line tool, or a YAML file.
+
+include::modules/virt-creating-service-web.adoc[leveloffset=+3]
+
+include::modules/virt-creating-service-virtctl.adoc[leveloffset=+3]
+
+.Next steps
+
+After you create a service with `virtctl`, you must add `special: key` to the `spec.template.metadata.labels` stanza of the `VirtualMachine` manifest. See xref:../../virt/virtual_machines/virt-accessing-vm-ssh.adoc#virt-creating-service-cli_virt-accessing-vm-ssh[Creating a service by using the command line].
+
+include::modules/virt-creating-service-cli.adoc[leveloffset=+3]
+
+include::modules/virt-connecting-service-ssh.adoc[leveloffset=+2]
+
+[id="using-secondary-networks-ssh_virt-accessing-vm-ssh"]
+== Using a secondary network for SSH access
+
+You can configure a secondary network, attach a virtual machine (VM) to the secondary network interface, and connect to the DHCP-allocated IP address by using SSH.
+
+[IMPORTANT]
+====
+Secondary networks provide excellent performance because the traffic is not handled by the cluster network stack. However, the VMs are exposed directly to the secondary network and are not protected by firewalls. If a VM is compromised, an intruder could gain access to the secondary network. You must configure appropriate security within the operating system of the VM if you use this method.
+====
+
+See the link:https://access.redhat.com/articles/6994974#networking-multus[Multus] and link:https://access.redhat.com/articles/6994974#networking-sriov[SR-IOV] documentation in the link:https://access.redhat.com/articles/6994974[{VirtProductName} Tuning & Scaling Guide] for additional information about networking options.
+
+.Prerequisites
+
+* You configured a secondary network such as xref:../../virt/virtual_machines/vm_networking/virt-attaching-vm-multiple-networks.adoc#virt-attaching-vm-multiple-networks[Linux bridge] or xref:../../virt/virtual_machines/vm_networking/virt-attaching-vm-to-sriov-network.adoc#virt-attaching-vm-to-sriov-network[SR-IOV].
+* You created a network attachment definition for a xref:../../virt/virtual_machines/vm_networking/virt-attaching-vm-multiple-networks.adoc#virt-creating-linux-bridge-nad-web_virt-attaching-vm-multiple-networks[Linux bridge network] or the SR-IOV Network Operator created a xref:../../virt/virtual_machines/vm_networking/virt-attaching-vm-to-sriov-network.adoc#nw-sriov-network-attachment_virt-attaching-vm-to-sriov-network[network attachment definition] when you created an `SriovNetwork` object.
+
+include::modules/virt-vm-creating-nic-web.adoc[leveloffset=+2]
+
+include::modules/virt-connecting-secondary-network-ssh.adoc[leveloffset=+2]
+
+[NOTE]
+====
+You can also xref:../../virt/virtual_machines/vm_networking/virt-accessing-vm-secondary-network-fqdn.adoc#virt-accessing-vm-secondary-network-fqdn[access a VM attached to a secondary network interface by using the cluster FQDN].
+====
--- a/virt/virtual_machines/vm_networking/virt-creating-service-vm.adoc
+++ b/virt/virtual_machines/vm_networking/virt-creating-service-vm.adoc
@@ -17,7 +17,8 @@ include::modules/virt-about-services.adoc[leveloffset=+1]

 include::modules/virt-dual-stack-support-services.adoc[leveloffset=+1]

-include::modules/virt-creating-a-service-from-a-virtual-machine.adoc[leveloffset=+1]
+include::modules/virt-creating-service-cli.adoc[leveloffset=+1]
+include::modules/virt-connecting-service-ssh.adoc[leveloffset=+1]

 [role="_additional-resources"]
 [id="additional-resources_creating-service-vm"]