Last Update: Sep 04, 2024 | Published: Aug 28, 2017
In this post, I will explain how JIT access to Azure virtual machines enables you to further secure virtual network deployments and enable on-demand access to the machines.
How often do you enable NAT rules in your on-premises firewall to allow RDP or SSH access to on-premises machines from the Internet? I bet, or should I say that I hope, that you never do that. If you need remote access to servers for remote troubleshooting, then you have secure solutions, such as VPN, DirectAccess, or similar.
So why do we do things differently in Azure? Most of the machines that I see in Azure have NAT rules or direct public IP connections with accompanying Network Security Group (NSG, Azure's network-level firewall) rules that allow SSH or RDP access from the Internet to the machines. Some companies “solve” this public-access issue in a few ways, including:
Both of those solutions create a permanent hole. Even filtering that hole to IP addresses is not that secure.
Azure Security Center includes a service (in the paid-for Standard tier only) called JIT VM Access. With this service, we can increase the security of remote access to one or more virtual machines. The solution works as follows:
Notes:
You can enable JIT access as follows.
The first step should be to edit your existing NSG(s) and remove the allow rules for remote access. Do not worry; JIT VM Access will re-create these rules when you request access.
Log into the Azure Portal and open Security Center. Navigate to Just In Time VM Access and then click either Recommended or No Recommendation to find the virtual machine(s) that you want to configure. Select the virtual machine(s) and click the button called Enable JIT.
A new blade called JIT VM Access Configuration appears. By default, 4 possible remote-access methods are available:
You can accept these defaults, remove one, remove some, or add more. You can also edit a policy by selecting it. You can modify:
Click Save when you are happy with the policy for the virtual machines. Security Center completes the configuration after a few moments. The most noticeable change is that the NSG(s) for the selected virtual machine(s) are updated to block the selected remote-access protocols.
Now it is impossible to remotely access those virtual machines unless someone with admin rights in Security Center enables remote access. To do so, open Just In Time VM Access in Security Center, select the machine that access is required to, and click Request Access.
In the example below, I am requesting access to a virtual machine via SSH from a specific IP address. Note that SSH is toggled to On.
Once I click Open Ports, Security Center will update the required NSG to allow SSH access to just that virtual machine, from the entered public IP address only, and for just 3 hours.
When the agreed time has expired, JIT VM Access will automatically remove the allow rule and lock the environment down again.
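To make the lifecycle above concrete, here is an added example (not code from the article or from Security Center) that models an NSG as a list of plain rule dicts: it flags the standing RDP/SSH holes the post warns about, builds the single-address, three-hour allow rule a JIT request produces, and prunes it once the window closes. The sample NSG, the address 203.0.113.5 and the timestamps are constructed for the walkthrough.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

def permanent_holes(rules):
    """Flag inbound Allow rules that expose RDP/SSH (or every port) to the
    whole Internet with no expiry: the standing hole the article describes."""
    return [r for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and r["source"] in INTERNET_SOURCES
            and (r["port"] == "*" or r["port"] in REMOTE_ACCESS_PORTS)
            and r.get("expires") is None]

def jit_rule(port, source_ip, now, hours=3, max_hours=3):
    """Build the temporary Allow rule a JIT request produces: one port, one
    source address, expiry capped by the policy maximum. Lower NSG priority
    numbers win, so 100 sits above the catch-all Deny at 4096."""
    if port not in REMOTE_ACCESS_PORTS:
        raise ValueError(f"port {port} is not in the JIT policy")
    if hours > max_hours:
        raise ValueError(f"requested {hours}h exceeds policy maximum {max_hours}h")
    net = ip_network(source_ip)          # "203.0.113.5" becomes 203.0.113.5/32
    if net.num_addresses != 1:
        raise ValueError("JIT access is scoped to a single source address")
    return {"name": f"JIT-{REMOTE_ACCESS_PORTS[port]}", "direction": "Inbound",
            "access": "Allow", "port": port, "source": str(net),
            "priority": 100, "expires": now + timedelta(hours=hours)}

def prune_expired(rules, now):
    """Drop JIT rules whose window has closed; permanent (Deny) rules stay."""
    return [r for r in rules if r.get("expires") is None or r["expires"] > now]

# Constructed sample NSG: the "before" state with a standing RDP hole.
NOW = datetime(2017, 8, 28, 9, 0, tzinfo=timezone.utc)
BEFORE = [
    {"name": "allow-rdp", "direction": "Inbound", "access": "Allow",
     "port": 3389, "source": "*", "priority": 300},
    {"name": "deny-all-inbound", "direction": "Inbound", "access": "Deny",
     "port": "*", "source": "*", "priority": 4096},
]

def walkthrough():
    """Audit, lock down, grant 3h SSH to one address, then let it expire."""
    holes = [r["name"] for r in permanent_holes(BEFORE)]
    locked = [r for r in BEFORE if r["name"] not in holes]    # step 1: remove allow rules
    opened = [jit_rule(22, "203.0.113.5", NOW)] + locked      # Request Access / Open Ports
    later = prune_expired(opened, NOW + timedelta(hours=3, seconds=1))
    return {"holes": holes, "open": [r["name"] for r in opened],
            "after_expiry": [r["name"] for r in later]}
```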