Network Security Groups (NSG) are great for securing devices and networks in Azure. But a strict policy can hinder fluent management of your resources. Just in time access provides a reasonable compromise.
Network Security Groups: None shall pass!
RDP and SSH are popular attack vectors for hackers and script kiddies. That’s why it’s a best practice to limit access to these protocols. Especially when your VM is open to the internet.
One way to do this is by setting your NSG in such a way that only the strictly necessary locations have access. All other traffic should be blocked.
As a technician, I rarely work at one location. Frequently a customer asks for an intervention when I’m connected to a public network. Or maybe I’m at work at another customers office. Adjusting a locked down NSG can be a bit cumbersome. Also, forgetting to set the NSG back to the safe position is easy.
Just In Time access can provide some more secure flexibility.
How to use Just in Time Access
Nice and safe… and very impractical!
Deny all rdp
Prerequisites:
- Standard tier of Security center
- A virtual machine and an applicable NSG
Enable Just in Time
- Open “Security Center” in Azure.
- Go to “Recommendations“.
- Select “Apply a Just-In-Time network access control“.
- Select your virtual machine and click “Enable JIT on 1 VM“.
How to request Just-in-Time access
Now you can just request access when and where needed.
- Open “Security Center” in Azure again.
- Scroll down to “ADVANCED CLOUD DEFENSE” and select “Just in time VM access”.
- Select your VM using the checkmark and click “Request access“.
- Select your desired ports and time range.
- Give it 2 minutes and connect.
- Work until your time runs out.
Advanced features
Of course, you might need some additional ports open. You can always finetune your settings. More information and updates can be found on the Microsoft website.
Compute safely!
