Azure just in time VM access

In this video we will discuss the Azure just-in-time (JIT) VM access feature.

What is Just-in-time VM access

Hackers constantly scan the internet for open ports used by services like RDP or SSH. If you leave such a port open all the time, it is a potential target for an attack. When one of the VMs in your network is breached, it can be used as the entry point to attack other servers and resources within your environment.

Just-in-time VM access reduces the attack surface by opening inbound ports only when you need them and automatically closing them after the specified duration has elapsed.

Enable Just-in-time VM access

You can enable JIT VM access from the VM itself or from Azure Security Center.

Enable JIT VM access from an individual VM

  1. In the Azure portal, navigate to the VM.
  2. Click on the Configuration blade (under Settings).
  3. Click the Enable just-in-time button.

When you enable JIT VM access, it adds a deny inbound rule. This deny rule blocks all traffic to port 3389. If you need to log in to the VM remotely, you need to request access.

What if you already have an inbound port rule that allows access to port 3389? The priority of that existing rule is modified automatically so that it has a higher number than the deny rule. The rule with the lower priority number wins, so the deny rule takes precedence over the existing allow rule.

Enable JIT VM access from Azure Security Center

  1. In the Azure portal, navigate to Azure Security Center (you will find the link to Azure Security Center on the VM Configuration tab).
  2. On the "Not Configured" tab, select the VMs and click the Enable JIT on VMs button.

Request Access to VM

If you need to access the VM, you need to request it. You can do this either from the Connect tab on the VM itself or from Azure Security Center.

Request Access from the Connect tab

[Screenshot: requesting access from the VM's Connect tab]

Request Access from Azure Security Center

On the Configured tab, select the VMs for which you want to request access and then click the Request Access button.

This opens another page, where you configure an inbound port rule.

You specify

  1. Which port you want to open (in our case 3389).
  2. The IP address for which you want to allow access. You can also specify a range if you want to.
  3. The duration in hours for which you want this port to be open. After the specified duration has expired, this inbound port rule is automatically deleted and you no longer have access.
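
The rule ordering described in "Enable JIT VM access from an individual VM" and the port, source IP and duration settings listed above can be modelled in a few lines. This is an added example, not code from the original page or from Azure. The rule names, priority numbers and IP addresses are constructed, and it assumes the temporary allow rule gets a lower priority number than the deny rule.

```python
# Simplified model of NSG inbound rule evaluation (added example, not Azure code).
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    action: str     # "Allow" or "Deny"
    port: int
    source: str = "0.0.0.0/0"           # CIDR; default matches any IPv4 source
    expires: Optional[datetime] = None  # set only on temporary JIT allow rules

def evaluate(rules, src_ip, port, now):
    """Return (action, rule name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.expires is not None and now >= r.expires:
            continue  # models the automatic deletion after the duration elapses
        if r.port == port and ip_address(src_ip) in ip_network(r.source):
            return r.action, r.name
    return "Deny", "no-matching-rule"  # this model drops unmatched inbound traffic

def enable_jit(rules, port, deny_priority=1000):
    """Add the JIT deny rule; renumber existing allow rules for the port after it."""
    out, bump = [], deny_priority
    for r in sorted(rules, key=lambda r: r.priority):
        if r.port == port and r.action == "Allow" and r.priority <= deny_priority:
            bump += 1
            r = replace(r, priority=bump)  # higher number, so the deny rule wins
        out.append(r)
    return out + [Rule("jit-deny", deny_priority, "Deny", port)]

def request_access(rules, port, source, hours, now, priority=100):
    """Add a temporary allow rule (assumed to sort ahead of the deny rule)."""
    expires = now + timedelta(hours=hours)
    return rules + [Rule("jit-allow", priority, "Allow", port, source, expires)]

# Constructed sample data: names, priorities and addresses are illustrative only.
NOW = datetime(2020, 1, 1, 9, 0)
existing = [Rule("legacy-allow-rdp", 300, "Allow", 3389)]
jit = enable_jit(existing, 3389)
opened = request_access(jit, 3389, "203.0.113.10/32", hours=3, now=NOW)

if __name__ == "__main__":
    for ip, when in [("203.0.113.10", NOW), ("198.51.100.7", NOW),
                     ("203.0.113.10", NOW + timedelta(hours=4))]:
        print(ip, when, evaluate(opened, ip, 3389, when))
```

In this model the requesting address is allowed only inside its three-hour window; every other source, and the same source after expiry, falls through to the JIT deny rule even though the old allow rule still exists.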

© 2020 Pragimtech. All Rights Reserved.