The most common attack we see today is a brute-force attack against an RDP/SSH management port, and Microsoft gives you a way to avoid leaving those ports open even for legitimate administrative use. They do not need to stay open: Azure Security Center lets you expose them on your virtual machines only when they are actually needed.
Some time ago I wrote a blog post about how to automate a Just-In-Time VM Access request with PowerShell. Just-In-Time VM Access is one of the many features included in Azure Security Center, and it is something you should consider for any virtual machine that is exposed to the public internet. You specify rules for how users can connect to virtual machines, and when access is needed it is requested from Azure Security Center or through PowerShell. As long as the request complies with the rules, access is granted automatically, and only for the requested time window.
Last week, Microsoft announced that Just-In-Time VM Access can now also be used with Azure Firewall. Despite the recent public preview announcement of the new Azure Bastion, whose feature set is still incomplete, Azure Bastion does not replace the need for Just-In-Time (JIT) VM Access.
In this article, I will show you how to configure Just-In-Time (JIT) VM Access for Azure Firewall in the Azure Security Center.
For more information on Just-In-Time (JIT) VM Access, see the following article. Just as JIT does with Network Security Groups (NSGs), when Just-In-Time is used with Azure Firewall, Azure Security Center allows inbound traffic to Azure virtual machines only for an approved request, by creating an Azure Firewall NAT rule (and, where necessary, the corresponding NSG rules as well). If you are new to Azure Firewall, see the Microsoft documentation here.
When a user requests access to a virtual machine, Azure Security Center checks that the user has the Role-Based Access Control (RBAC) permissions that allow them to request access to that VM. If the request is approved, Azure Security Center automatically configures Azure Firewall (and the NSGs) to allow inbound traffic to the selected ports from the requested source IP addresses or address ranges for the specified time. When that time expires, Azure Security Center restores the firewall and NSGs to their previous state; connections that are already established are not interrupted. In addition, Azure Security Center provides the correct connection details for your virtual machine when access is requested.
To use Just-In-Time (JIT) VM Access with Azure Firewall, you must first deploy and configure Azure Firewall. Microsoft has a great tutorial on how to deploy and configure Azure Firewall using the Azure portal.
Once you have configured Azure Firewall and enabled Just-In-Time access on your virtual machine, follow these easy steps:
- Open the Azure portal, go to Security Center, and under Just in time VM access choose the Configured tab.
- Under VMs, select the virtual machine you want to request just-in-time access for, and then select Request access.
- Under Request access, for each selected virtual machine specify the ports you want to open, the source IP addresses the ports will be opened for, and the time window for which the ports stay open. Note that access can only be requested for ports that have been configured in the JIT policy, and each port has a maximum allowed time based on that policy. Choose Open ports.
- The icon in the Connection details column indicates whether JIT is enabled on the NSG or on the firewall. If it is enabled on both, only the firewall icon is displayed. The Connection details column contains the information needed to connect to the virtual machine, including the open ports. In this example, because we are using Azure Firewall with JIT, only the firewall icon appears.
- Finally, to connect to your virtual machine you only need the public IP address of the firewall and the translated port provided by Azure Security Center in the Connection details column, as shown in the screenshot above. In this example, it is 184.108.40.206:13389.
- Copy the Connection details from Azure Security Center, press the Windows key and R at the same time to open the Run dialog, and type mstsc /v: followed by the connection details (in this example, mstsc /v:184.108.40.206:13389) to connect to your virtual machine directly.
When the access request is approved, Azure Security Center creates a high-priority NAT rule in Azure Firewall that allows inbound traffic on the opened ports from the requested source IP addresses, as shown in the following screenshot.
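The same request made from PowerShell, as an added example that is not code from the original post: it submits the JIT request the portal steps above describe through the Az.Security cmdlet Start-AzJitNetworkAccessPolicy, then reads back the firewall's NAT rules with Get-AzFirewall so you can see the public IP and translated port Security Center opened. The subscription, resource group, region, VM and firewall names are placeholders, and the source IP is a constructed documentation address.

```powershell
# Added example, not from the original post. Assumes Az.Security and Az.Network are
# installed and Connect-AzAccount has been run. Names in angle brackets are placeholders.
$SubscriptionId = "<subscription-id>"
$ResourceGroup  = "<resource-group>"
$Location       = "westeurope"          # region the JIT policy lives in
$VmName         = "<vm-name>"
$FirewallName   = "<azure-firewall-name>"
# JIT policies are regional resources under Microsoft.Security; the policy is named "default"
$JitPolicyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"
$VmId        = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Compute/virtualMachines/$VmName"

function Request-JitRdpAccess {
    param(
        [Parameter(Mandatory)][string]$SourceIp,  # public IP of the admin workstation
        [int]$Port  = 3389,                       # must be a port listed in the JIT policy
        [int]$Hours = 1                           # must not exceed the policy's max duration
    )
    # The window is an absolute UTC end time, so compute it from "now"
    $endTime = (Get-Date).ToUniversalTime().AddHours($Hours).ToString("o")
    $request = @{
        id    = $VmId
        ports = @(@{
            number                     = $Port
            endTimeUtc                 = $endTime
            allowedSourceAddressPrefix = @($SourceIp)   # a single address, never "*"
        })
    }
    # Security Center checks the caller's RBAC rights and, if approved, writes the NAT rule
    Start-AzJitNetworkAccessPolicy -ResourceId $JitPolicyId -VirtualMachine @($request)
}

function Get-JitFirewallNatRules {
    # List every NAT rule on the firewall: allowed sources, public IP:port -> private IP:port
    $fw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $ResourceGroup
    foreach ($collection in $fw.NatRuleCollections) {
        foreach ($rule in $collection.Rules) {
            [pscustomobject]@{
                Collection = $collection.Name
                Sources    = ($rule.SourceAddresses -join ",")
                Public     = "$($rule.DestinationAddresses -join ','):$($rule.DestinationPorts -join ',')"
                Target     = "$($rule.TranslatedAddress):$($rule.TranslatedPort)"
            }
        }
    }
}

# Constructed sample value: 203.0.113.10 is a documentation address, not a real host
Request-JitRdpAccess -SourceIp "203.0.113.10" -Port 3389 -Hours 1
Get-JitFirewallNatRules | Format-Table -AutoSize
```

The Public column of the output is what you pass to mstsc /v:; once the window expires the rule disappears from the list while an already established RDP session stays up.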
As I mentioned at the beginning of this article, Microsoft announced a public preview of the new Azure Bastion. Azure Bastion is a new managed PaaS service that provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal over SSL, without a public IP address on your virtual machines.
Note that Azure Bastion and Just-In-Time (JIT) VM Access cannot be used together. In other words, if you enable Azure Bastion on a virtual network (VNet) while a JIT request is active on a virtual machine, the Bastion host will not connect to the target machine. You will receive the following message.
The network connection to the Bastion host appears unstable.
Just-In-Time VM Access is a great feature because Azure administrators no longer have to change Azure Firewall rules and Network Security Group (NSG) settings by hand every time, and with the PowerShell tooling the automation of this process is even faster. Please note that Just-In-Time VM Access incurs additional charges on your Azure subscription as part of Azure Security Center (Azure Defender for Servers). For more information on Azure Security Center pricing tiers, see the Microsoft pricing documentation here.
Until then … Stay safe with Just in Time and Azure Firewall!
Thanks for reading my blog.
If you have any questions or feedback, please leave a comment.