Three times a week (Monday/Wednesday/Friday), John Savill tackles your most pressing IT questions.
A dive into requirements and inner-workings of Just-in-time VM access in Azure.
Q. Do I have to manually manage any rules when using Just In Time (JIT) access with Azure IaaS Virtual Machines?
A. Just-in-time (JIT) access enables the RDP/SSH rules only when requested, and for a limited duration. This ensures that under normal circumstances the virtual machine is not reachable via its public IP address, yet it can still be connected to when needed. No manual management of rules is required. Behind the scenes, the network security groups (NSGs) are updated automatically. The only requirement is that an NSG must exist either directly on the vmNIC or at the subnet level. Apart from that, everything is done automatically.
Q. Does Just-in-time access work if I have a NSG applied at the subnet level?
A. Yes. Just-in-time (JIT) access works by creating the firewall exceptions in the NSG as required and then removing them afterwards. It detects where to create the exceptions:
- If the vmNIC has an NSG
- If the subnet has an NSG
- If both the vmNIC and the subnet have an NSG
The service detects where the temporary exceptions need to be created and acts accordingly. The only requirement is that there is an NSG either on the vmNIC or on the subnet to which the temporary exceptions can be added. If there is no NSG, a warning is surfaced via Azure Security Center.
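Since the only prerequisite is that an NSG exists on the vmNIC or its subnet, it is worth checking that before enabling JIT. The script below is an added example, not code from the original article or from Microsoft; it assumes the Az.Compute and Az.Network modules, an authenticated session (Connect-AzAccount), and uses RESOURCEGROUP and VMNAME as placeholder values.

```powershell
# Added example (not from the original article): checks whether a VM meets the
# JIT prerequisite described above, i.e. an NSG on the vmNIC and/or its subnet.
# Assumes Az.Compute and Az.Network are installed and Connect-AzAccount has run.
function Test-JitNsgPrerequisite {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroup,
        [Parameter(Mandatory)] [string] $VmName
    )

    $vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
    $result = foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
        # Resolve the vmNIC and the subnet its primary IP configuration sits in
        $nic      = Get-AzNetworkInterface -ResourceId $nicRef.Id
        $subnetId = $nic.IpConfigurations[0].Subnet.Id
        # Subnet ID format: /subscriptions/<sub>/resourceGroups/<rg>/providers/
        #   Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
        $parts  = $subnetId -split '/'
        $vnet   = Get-AzVirtualNetwork -ResourceGroupName $parts[4] -Name $parts[8]
        $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $parts[10]

        [pscustomobject]@{
            Nic       = $nic.Name
            NicNsg    = if ($nic.NetworkSecurityGroup) { $nic.NetworkSecurityGroup.Id.Split('/')[-1] } else { $null }
            Subnet    = $subnet.Name
            SubnetNsg = if ($subnet.NetworkSecurityGroup) { $subnet.NetworkSecurityGroup.Id.Split('/')[-1] } else { $null }
        }
    }

    # JIT can only add its temporary rules where at least one NSG exists
    foreach ($r in $result) {
        if (-not $r.NicNsg -and -not $r.SubnetNsg) {
            Write-Warning "NIC '$($r.Nic)' has no NSG on the NIC or on subnet '$($r.Subnet)'; JIT cannot add temporary rules here."
        }
    }
    return $result
}

# Placeholder resource group and VM name; replace with your own values
Test-JitNsgPrerequisite -ResourceGroup 'RESOURCEGROUP' -VmName 'VMNAME' | Format-Table
```

Each row shows which NSG (NIC-level, subnet-level, or both) JIT will modify for that NIC; a warning on a row means Security Center will also flag the VM as not ready for JIT.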
Q. If I have multiple VMs in the same subnet and enable just-in-time access would I be able to access all VMs in the subnet?
A. No. The temporary exceptions created are as specific as possible: they target the vmNIC of the VM for which JIT is being enabled. No other VM in the subnet becomes accessible unless JIT access is also requested for those VMs.