Azure Just In Time Virtual Machine Access

In this post, I will explain how JIT access to Azure virtual machines enables you to further secure virtual network deployments and enable on-demand access to the machines.

A Need for More Security

How often do you enable NAT rules in your on-premises firewall to allow RDP or SSH access to on-premises machines from the Internet? I bet, or should I say that I hope, that you never do that. If you need remote access to servers for remote troubleshooting, then you have secure solutions, such as VPN, DirectAccess, or similar.

An Overview of the Azure Load Balancer Enabling Remote Virtual Machine Access [Image Credit: Aidan Finn]

So why do we do things differently in Azure? Most of the machines that I see in Azure have NAT rules or direct public IP connections with accompanying Network Security Group (NSG or Azure firewall) rules that allow SSH or RDP access from the Internet to the machines. Some companies “solve” this public-access issue in a few ways, including:

  • Create a “jump box” or “bastion host” that is the only machine that can be remotely accessed. Admins log into this box from the Internet and then jump to other virtual machines over the virtual network (VNet) or a VNet peering.
  • The company limits SSH or RDP access to the public IP address/range of its on-premises firewall.

An RDP Rule Permanently Opens RDP Access to the Subnet From the Internet [Image Credit: Aidan Finn]

Both of those solutions create a permanent hole. Even filtering that hole to IP addresses is not that secure.
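Before removing anything, it helps to find these holes systematically. The following is an added example, not from the original post: it audits an NSG definition (a constructed sample in the shape of `az network nsg show` output) for inbound allow rules that permanently expose SSH, RDP or PowerShell Remoting, and separates the Internet-wide case from the IP-filtered-but-permanent case described above.

```python
import json

MGMT_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, PowerShell Remoting (HTTP and HTTPS)
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "::/0"}  # "anyone on the Internet" in an NSG rule

# Constructed sample in the shape of `az network nsg show` output; not a real deployment.
SAMPLE_NSG = json.loads("""{"securityRules": [
  {"name": "AllowRDP", "properties": {"priority": 100, "direction": "Inbound", "access": "Allow",
    "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"}},
  {"name": "AllowSSH-HQ", "properties": {"priority": 110, "direction": "Inbound", "access": "Allow",
    "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"}},
  {"name": "AllowWinRM", "properties": {"priority": 120, "direction": "Inbound", "access": "Allow",
    "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["5985-5986"]}},
  {"name": "AllowHTTPS", "properties": {"priority": 130, "direction": "Inbound", "access": "Allow",
    "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"}},
  {"name": "DenyAllInbound", "properties": {"priority": 4000, "direction": "Inbound", "access": "Deny",
    "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}}
]}""")


def rule_ports(props):
    """Expand a rule's destination port(s) into a set; None means every port ('*')."""
    ranges = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    ports = set()
    for item in ranges:
        if item == "*":
            return None
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def find_permanent_holes(nsg):
    """List inbound Allow rules that permanently expose a management port, ordered by priority."""
    findings = []
    for rule in nsg["securityRules"]:
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        ports = rule_ports(p)
        exposed = MGMT_PORTS if ports is None else ports & MGMT_PORTS
        if not exposed:
            continue  # a web port such as 443 is not a remote-management hole
        sources = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "*")]
        # Two cases from the post: open to the whole Internet, or "filtered" to a range but still permanent.
        internet_wide = any(s.lower() in INTERNET_SOURCES for s in sources)
        findings.append({"rule": rule["name"], "priority": p["priority"], "ports": sorted(exposed),
                         "source": ",".join(sources),
                         "severity": "open-to-internet" if internet_wide else "permanent-but-filtered"})
    return sorted(findings, key=lambda f: f["priority"])
```

Every rule this returns is a candidate for deletion in the first JIT step below; JIT then re-creates a narrower, time-boxed version only when access is requested.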

JIT VM Access

Azure Security Center includes a service (in the paid-for Standard tier only) called JIT VM Access. With this service, we can increase the security of remote access to one or more virtual machines. The solution works as follows:

  • You remove rules for RDP, SSH, PowerShell Remoting, and so on.
  • You enable JIT access for selected Azure virtual machine(s). The policy defines which protocols can be opened on request and for how long. You can also filter access to a specific IP address or to the IP address of the access requestor (see later).
  • The NSG(s) of the virtual machine(s) are updated with rules to block remote access.
  • You use Azure Security Center to request access to a virtual machine using one of the protocols in the policy.
  • The required NSG is updated to allow inbound access for that protocol.
  • The admin can remote into the virtual machine.
  • Security Center will remove the allow rule in the NSG after the predetermined amount of time that is specified in the policy.


Notes:

  • You must switch Security Center to the Standard tier to use this feature.
  • JIT VM Access is a preview feature and specific steps will likely change. The concepts will probably remain the same.

You can enable JIT access as follows.
The first step should be to edit your existing NSG(s) and remove the allow rules for remote access. Do not worry; JIT VM Access will re-create these rules very nicely when you require access.
Log into the Azure Portal and open Security Center. Navigate to Just In Time VM Access and then click either Recommended or No Recommendation to find the virtual machine(s) that you want to configure. Select the virtual machine(s) and click the button called Enable JIT.

Enabling JIT VM Access in Azure Security Center [Image Credit: Aidan Finn]

A new blade called JIT VM Access Configuration appears. By default, 4 possible remote-access methods are available:

  • 22: Any protocol, enabling SSH access
  • 3389: Any protocol, enabling RDP access
  • 5985 and 5986: Any protocol, enabling PowerShell Remoting access

The Default Remote Access Protocols in JIT VM Access [Image Credit: Aidan Finn]

You can accept these defaults, remove one, remove some, or add more. You can also edit a policy by selecting it. You can modify:

  • Port: The protocol port number
  • Protocol: Any, TCP, or UDP
  • Allowed Source IPs: Filter traffic to a specific IP address. This can be pre-entered or dynamically detected based on your IP address when you request access.
  • Max Request Time: The maximum time that remote access will be available for this protocol

Modifying a JIT VM Access Remote Protocol Configuration [Image Credit: Aidan Finn]

Click Save when you are happy with the policy for the virtual machines. Security Center completes the configuration after a few moments. The most noticeable change is that the NSG(s) for the selected virtual machine(s) is updated to block the selected remote-access protocols.

JIT VM Access Blocks Remote Access in the NSG [Image Credit: Aidan Finn]

Requesting Access to Virtual Machines

Now it is impossible to remotely access those virtual machines unless someone with admin rights in Security Center enables remote access. To request access, open Just In Time VM Access in Security Center, select the machine that requires access, and click Request Access.
In the example below, I am requesting access to a virtual machine via SSH from a specific IP address. Note that SSH is toggled to On.

Requesting JIT VM Access for SSH [Image Credit: Aidan Finn]

Once I click Open Ports, Security Center will update the required NSG to allow SSH access to just that virtual machine, from the entered public IP address only, and for just 3 hours.

The NSG is Updated to Allow Remote Access to the Required Virtual Machine [Image Credit: Aidan Finn]

When the agreed time has expired, JIT VM Access will automatically remove the allow rule and re-lock down the environment.
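To make the request flow concrete, here is an added model (not Azure's code or the author's) of the checks Security Center performs when it turns a request into a time-boxed NSG rule. The policy dictionary mirrors the Port, Protocol, Allowed Source IPs and Max Request Time fields from the configuration blade, the deny-rule priority of 1000 is an assumed value, and times are epoch seconds.

```python
import re
import time
from ipaddress import ip_address, ip_network

# Mirrors the four editable fields in the JIT VM Access Configuration blade (constructed values).
POLICY = {
    22: {"protocol": "*", "allowedSourceAddressPrefix": "*", "maxRequestAccessDuration": "PT3H"},
    3389: {"protocol": "*", "allowedSourceAddressPrefix": "198.51.100.7/32", "maxRequestAccessDuration": "PT1H"},
}
JIT_DENY_PRIORITY = 1000  # assumed priority of the deny rules Security Center adds when the policy is saved


def parse_duration(iso):
    """ISO 8601 duration such as 'PT3H', 'PT30M' or 'PT1H30M' -> seconds."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", iso)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration {iso!r}")
    return int(m.group(1) or 0) * 3600 + int(m.group(2) or 0) * 60


def approve_request(policy, port, source_ip, duration, now):
    """Check a request against the policy; return the time-boxed NSG allow rule or raise ValueError."""
    if port not in policy:
        raise ValueError(f"port {port} is not in the JIT policy")
    entry = policy[port]
    if parse_duration(duration) > parse_duration(entry["maxRequestAccessDuration"]):
        raise ValueError("requested duration exceeds the policy maximum")
    allowed = entry["allowedSourceAddressPrefix"]
    if allowed != "*" and ip_address(source_ip) not in ip_network(allowed):
        raise ValueError(f"{source_ip} is outside the allowed source {allowed}")
    return {
        "name": f"JITRule_{port}",
        "priority": JIT_DENY_PRIORITY - 1,  # must outrank the deny rule to take effect
        "direction": "Inbound", "access": "Allow", "protocol": entry["protocol"],
        "sourceAddressPrefix": f"{source_ip}/32",  # pinned to the requester, never '*'
        "destinationPortRange": str(port),
        "expires": now + parse_duration(duration),  # epoch seconds
    }


def sweep_expired(rules, now):
    """Drop allow rules whose window has closed, as Security Center does when the time expires."""
    return [r for r in rules if "expires" not in r or r["expires"] > now]


if __name__ == "__main__":
    now = int(time.time())
    rule = approve_request(POLICY, 22, "203.0.113.10", "PT3H", now)
    print("opened:", rule["name"], "from", rule["sourceAddressPrefix"], "until", rule["expires"])
    print("after 3h:", sweep_expired([rule], now + 3 * 3600))  # []
```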