Following on from A Quick Look at Azure Just-in-Time Virtual Machine Access (JIT), I promised to cover the implementation of JIT.
In this post, I will focus on configuring JIT access within the Azure Security Center.
Remember that JIT is only available with Security Center Standard Tier. You can compare the Free Tier and Standard Tier on the Security Center pricing page.
Configuring JIT access within the Azure Security Center
Open the Security Center dashboard and select Just in time VM access under Advanced Cloud Defense in the left-hand menu.
The Just in time VM access panel lists your virtual machines under three tabs: Configured, Recommended and No recommendation.
The Configured tab, as shown above, lists the VMs that already have a JIT policy applied.
The third tab, No recommendation, lists VMs that JIT cannot be enabled for: Classic (ASM) VMs, VMs with no network security group (NSG) attached, or VMs whose scope has the JIT policy turned off.
The Recommended tab, below, lists VMs that JIT can (and probably should) be enabled for. Select the VMs you want to protect and click Enable JIT, which opens the JIT VM access configuration panel.
From the JIT VM access configuration panel you could simply press Save and move on (especially if you are feeling lazy), and often you will. This enables JIT with the default ports recommended by Azure Security Center:
- 22 – SSH
- 3389 – RDP
- 5985 – WinRM over HTTP
- 5986 – WinRM over HTTPS
If you need a rule for another port, click Add; to change one of the default rules, click it. Either way the Add port configuration panel opens.
As seen above, whether adding or editing, the Add port configuration panel lets you set the port number, the protocol (Any, TCP or UDP), the source IP addresses allowed to connect, and the maximum time a request may keep the port open. The last two settings are worth tightening: restrict the source to the range your administrators actually connect from rather than any address, and keep the maximum duration to the shortest window that still gets the work done, because every later access request is capped by this limit.
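The same policy the Enable JIT button creates can be written with the Az.Security module, which is handy when you have many VMs or want the policy in source control. The following is an added example and not code from the original post; the subscription id, resource group, VM name, location and the admin range 203.0.113.0/24 are placeholders you substitute for your own. It tightens the portal defaults by pinning every rule to the admin range and shortening the WinRM-over-HTTP window.

```powershell
# Added example (not from the original post): create the JIT policy with Az.Security.
# Assumed placeholders: subscription id, resource group, VM name, location and the
# admin CIDR 203.0.113.0/24 (a constructed documentation range).
# Requires: Install-Module Az.Security ; Connect-AzAccount

$subscriptionId = "00000000-0000-0000-0000-000000000000"
$resourceGroup  = "rg-jit-demo"
$location       = "westeurope"
$vmName         = "vm-jit-demo"
$adminCidr      = "203.0.113.0/24"

$vmId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
        "/providers/Microsoft.Compute/virtualMachines/$vmName"

# One rule per management port. Protocol "*" means TCP and UDP; the portal's
# defaults use "*", allow any source ("*") and a 3-hour maximum (PT3H).
# maxRequestAccessDuration is an ISO 8601 duration and caps every later request.
function New-JitPortRule {
    param(
        [Parameter(Mandatory)][int]$Number,
        [string]$Protocol = "*",
        [string[]]$Sources = @("*"),
        [string]$MaxDuration = "PT3H"
    )
    return @{
        number                     = $Number
        protocol                   = $Protocol
        allowedSourceAddressPrefix = $Sources
        maxRequestAccessDuration   = $MaxDuration
    }
}

# Hardened version of the four default rules: TCP only, admin range only,
# and a one-hour cap on unencrypted WinRM.
$ports = @(
    (New-JitPortRule -Number 22   -Protocol "TCP" -Sources @($adminCidr)),
    (New-JitPortRule -Number 3389 -Protocol "TCP" -Sources @($adminCidr)),
    (New-JitPortRule -Number 5985 -Protocol "TCP" -Sources @($adminCidr) -MaxDuration "PT1H"),
    (New-JitPortRule -Number 5986 -Protocol "TCP" -Sources @($adminCidr))
)

$vmPolicy = @{ id = $vmId; ports = $ports }

# "default" is the policy name the portal uses; there is one policy per location.
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $resourceGroup -VirtualMachine @($vmPolicy)

# Read the stored policy back to confirm the rules, sources and durations.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name "default" |
    ConvertTo-Json -Depth 8
```

Adding a second VM is a matter of building another hashtable with its resource id and passing both in the `-VirtualMachine` array; the policy is per location, so VMs in other regions need their own.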
Requesting JIT access via Security Center
Under the Configured tab, select the VMs you want access to and click Request access.
The Request access window will open:
Under Request access, for each requested VM you switch the ports you want opened to On, then specify the IP address or range the port should be reachable from and how long it should stay open. The requested time cannot exceed the maximum configured in the policy for that port.
My IP is the public IP address the requesting user is connecting from and is filled in automatically; if you are behind NAT this is the NAT address, not your workstation's private address. IP Range takes a single IP address or a CIDR range such as 192.168.0.0/24.
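The Request access step can also be scripted, which is how you would wire JIT into a runbook or a helpdesk tool. The following is an added example, not code from the original post; it assumes the policy above already exists, uses the same placeholders, and uses the public service api.ipify.org to learn the requesting address (the equivalent of the portal's My IP). Note that the request carries an absolute end time in UTC rather than a duration.

```powershell
# Added example (not from the original post): request JIT access with Az.Security.
# Assumed placeholders: subscription id, resource group, VM name, location; the
# policy "default" is assumed to exist already. api.ipify.org is an external
# service used here to discover the public source address.
# Requires: Install-Module Az.Security ; Connect-AzAccount

$subscriptionId = "00000000-0000-0000-0000-000000000000"
$resourceGroup  = "rg-jit-demo"
$location       = "westeurope"
$vmName         = "vm-jit-demo"
$requestHours   = 1   # must not exceed the port's maxRequestAccessDuration

$vmId     = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
            "/providers/Microsoft.Compute/virtualMachines/$vmName"
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
            "/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"

# Equivalent of "My IP": the address Azure will see the connection arrive from.
# Behind NAT this is the NAT address, not the workstation's private one.
# Set $sourceIp to a fixed address or CIDR instead if you prefer.
$sourceIp = (Invoke-RestMethod -Uri "https://api.ipify.org").Trim()

# The request takes an absolute UTC end time, not a duration.
$endTimeUtc = (Get-Date).ToUniversalTime().AddHours($requestHours).ToString("o")

$vmRequest = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = $endTimeUtc
            allowedSourceAddressPrefix = @($sourceIp)
        }
    )
}

# Security Center adds an allow rule to the VM's NSG for this source and port
# and removes it again at $endTimeUtc.
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($vmRequest)

# The policy object records the request: requester, port, source and end time.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroup -Location $location -Name "default" |
    ConvertTo-Json -Depth 8
```

If `$requestHours` is larger than the policy allows for that port, the call is rejected rather than silently clamped, so read the configured maximum from the policy first when scripting this for others.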
Next up tomorrow, we will look at the same process but directly from the VM page.
This post is part of my Learning out Loud series. You can read more about Learning out Loud and how it came about here: https://simonangling.com/learning-out-loud/