Azure just in time VM access
In this video we will discuss, Azure just in time VM access feature.
What is Just-in-time VM access
Hackers always scan the internet for open ports like RDP or SSH. If you have a port open all the time, it's a potential target for an attack. When one of the VM's in your network is breached, it can be used as the entry point to attack other servers and resources within your environment.
Just-in-time VM access reduces the attack surface area by opening the inbound ports just when you need them and are automatically closed after the specified duration has elapsed.
Enable Just-in-time VM access
You can enable JIT VM access from the VM itself or from Azure Security center.
Enable JIT VM access from an individual VM
In the Azure portal navigate to the VM
Click on the
Configuration blade (Under Settings)
Click the button
When you enable JIT VM access, it adds
deny inbound rule. This deny rule blocks all traffic to port 3389. If you need to access and remotely login to the VM, you need to request access.
What if you already have an inbound port rule that allows access to port 3389? Well, the priority of that exisiting rule will be modified automatically so it has a higher number than the deny rule. Rule with lower priority number wins.
Enable JIT VM access from Azure Security Center
- In Azure portal, navigate to
Azure Security Center(You will find the link to Azure Security Center on the VM Configuragtion tab)
"Not Configured"tab, select the VMs and click
Enable JIT on VMs button.
Request Access to VM
If you need to access the VM, you need to request it. You can do this either from the
Connect tab on the VM itself or from the
azure security center.
Request Access from the Connect tab
Request Access from Azure Security Center
Configured tab, select the VMs for which you want to request access and then click
Request Access button.
This opens another page, where you configure an inbound port rule.
- Which port you want to open (in our case 3389)
- For which IP address you want to allow access. You can also specify a range if you want to.
- The duration in hours for which you want this port to be open. After the specified duration has expired this inbound port rule will be automatically deleted and you will not have access.
© 2020 Pragimtech. All Rights Reserved.