Network Security Groups (NSG) are great for securing devices and networks in Azure. But a strict policy can hinder fluent management of your resources. Just in time access provides a reasonable compromise.

Network Security Groups: None shall pass!

RDP and SSH are popular attack vectors for hackers and script kiddies. That’s why it’s a best practice to limit access to these protocols. Especially when your VM is open to the internet.

One way to do this is by setting your NSG in such a way that only the strictly necessary locations have access. All other traffic should be blocked.

As a technician, I rarely work at one location. Frequently a customer asks for an intervention when I’m connected to a public network. Or maybe I’m at work at another customers office. Adjusting a locked down NSG can be a bit cumbersome. Also, forgetting to set the NSG back to the safe position is easy.

Just In Time access can provide some more secure flexibility.

How to use Just in Time Access

Nice and safe… and very impractical!

default allow rdp inbound security rules

Deny all rdp

Prerequisites:

Enable Just in Time

  1. Open “Security Center” in Azure.security center azure resource group just in time access
  2. Go to “Recommendations“.security center overview recommendations just in time access
  3. Select “Apply a Just-In-Time network access control“.recommendations endpoint protection azure vm
  4. Select your virtual machine and click “Enable JIT on 1 VM“.apply a just in time vm access control

How to request Just-in-Time access

Now you can just request access when and where needed.

  1. Open “Security Center” in Azure again.
  2. Scroll down to “ADVANCED CLOUD DEFENSE” and select “Just in time VM access”.
  3. Select your VM using the checkmark and click “Request access“.request access virtual machine
  4. Select your desired ports and time range.request access just in time access
  5. Give it 2 minutes and connect.
  6. Work until your time runs out.

Advanced features

Of course, you might need some additional ports open. You can always finetune your settings. More information and updates can be found on the Microsoft website.

Compute safely!