15 september 2024
Protect your Azure VMs with Just-In-Time (JIT): Security and automation for your DevOps pipelines
The security of virtual machines in the cloud is not something you can postpone. Just-In-Time (JIT) access to virtual machines in Azure significantly reduces the risk of unauthorized access by granting access only when necessary and only for a limited time. In this article, we’ll dive deep into how to effectively use JIT in Azure, configure access via the Azure portal and Azure PowerShell, open specific ports on demand, and integrate the entire process into Azure DevOps pipelines to ensure maximum automation and security.
What is JIT and why is it essential?
Just-In-Time (JIT) is an Azure Security Center feature designed to control access to virtual machines by allowing ports to be opened for a limited period and only on demand. The main aim of JIT is to minimize the attack surface by closing all ports that are not normally in constant use, such as RDP (3389) and SSH (22). When JIT access is enabled, ports are opened only after explicit approval of the request, and are automatically closed after a specified time.
Unlike permanent port opening (the standard approach), JIT access considerably reduces the risk of brute-force attacks or zero-day vulnerabilities. Instead of always-open access, you get a system that only provides access when it's really needed, thus minimizing risk.
JIT configuration via Azure Portal and PowerShell
Prerequisites:
You need a Microsoft Defender for Cloud level Defender for Servers Plan 2 subscription to use JIT. Find out more here.
Creating a JIT policy
Azure Portal
Azure PowerShell:
To automate this operation, you can use the Set-AzJitNetworkAccessPolicy Azure PowerShell cmdlet. For example:
Just-In-Time (JIT) is an Azure Security Center feature designed to control access to virtual machines by allowing ports to be opened for a limited period and only on demand. The main aim of JIT is to minimize the attack surface by closing all ports that are not normally in constant use, such as RDP (3389) and SSH (22). When JIT access is enabled, ports are opened only after explicit approval of the request, and are automatically closed after a specified time.
Unlike permanent port opening (the standard approach), JIT access considerably reduces the risk of brute-force attacks or zero-day vulnerabilities. Instead of always-open access, you get a system that only provides access when it's really needed, thus minimizing risk.
JIT configuration via Azure Portal and PowerShell
Prerequisites:
You need a Microsoft Defender for Cloud level Defender for Servers Plan 2 subscription to use JIT. Find out more here.
Creating a JIT policy
Azure Portal
- In the Azure portal, go to “Microsoft Defender for Cloud”.
- In the side menu, select “Workload protections” → “Just-in-time VM access”.
- Select the “Configured” or “Unconfigured” tab to display the available virtual machines.
- Select a virtual machine and click on “Enable JIT”.
- Specify the ports to be opened on request and the maximum duration of authorization.
- Click on “Save” to apply the policy.
Azure PowerShell:
To automate this operation, you can use the Set-AzJitNetworkAccessPolicy Azure PowerShell cmdlet. For example:
$JitPolicy = (@{
id="/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/virtualMachines/<VM_NAME>";
ports=(@{
number=22;
protocol="*";
allowedSourceAddressPrefix=@("*");
maxRequestAccessDuration="PT3H"},
@{
number=3389;
protocol="TCP";
allowedSourceAddressPrefix=@("*");
maxRequestAccessDuration="PT3H"})})
$JitPolicyArr=@($JitPolicy)
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location "<LOCATION>" -Name "default" -ResourceGroupName "<RESOURCE_GROUP>" -VirtualMachine $JitPolicyArr
id="/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/virtualMachines/<VM_NAME>";
ports=(@{
number=22;
protocol="*";
allowedSourceAddressPrefix=@("*");
maxRequestAccessDuration="PT3H"},
@{
number=3389;
protocol="TCP";
allowedSourceAddressPrefix=@("*");
maxRequestAccessDuration="PT3H"})})
$JitPolicyArr=@($JitPolicy)
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location "<LOCATION>" -Name "default" -ResourceGroupName "<RESOURCE_GROUP>" -VirtualMachine $JitPolicyArr
This script enables just-in-time access to a specific VM with the following rules:
These policies will close ports by default, and you will need to explicitly request port opening to access virtual machines.
Open ports when connectivity is required.
Azure portal:
- Close ports 22 and 3389
- Set a maximum time window of 3 hours for each of them, so that they can be opened by approved request
- Allow the user requesting access to control source IP addresses
- Allow the user requesting access to establish a successful session on an approved just-in-time access request.
These policies will close ports by default, and you will need to explicitly request port opening to access virtual machines.
Open ports when connectivity is required.
Azure portal:
$JitPolicyVm1 = (@{
id="/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/virtualMachines/<VM_NAME>";
ports=(@{
number=22;
endTimeUtc="2020-07-15T17:00:00.3658798Z";
allowedSourceAddressPrefix=@("IPV4ADDRESS")})})
$JitPolicyArr=@($JitPolicyVm1)
Start-AzJitNetworkAccessPolicy -ResourceId "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Security/locations/<LOCATION>/jitNetworkAccessPolicies/default" -VirtualMachine $JitPolicyArr
id="/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/virtualMachines/<VM_NAME>";
ports=(@{
number=22;
endTimeUtc="2020-07-15T17:00:00.3658798Z";
allowedSourceAddressPrefix=@("IPV4ADDRESS")})})
$JitPolicyArr=@($JitPolicyVm1)
Start-AzJitNetworkAccessPolicy -ResourceId "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Security/locations/<LOCATION>/jitNetworkAccessPolicies/default" -VirtualMachine $JitPolicyArr
This script allows you to open a just-in-time access request to a specific VM for port 22, for a specific IP address and for a specific duration.
Integrating JIT into Azure DevOps pipelines
And perhaps most importantly. Often, we need to work in virtual machines protected by JIT access from Azure DevOps Pipelines. To this end, we can use the AzurePowerShell task to open a connection to a virtual machine:
Integrating JIT into Azure DevOps pipelines
And perhaps most importantly. Often, we need to work in virtual machines protected by JIT access from Azure DevOps Pipelines. To this end, we can use the AzurePowerShell task to open a connection to a virtual machine:
- task: AzurePowerShell@5
inputs:
azureSubscription: 'ваша Azure-подписка'
ScriptType: 'InlineScript'
Inline: |
$JitPolicyVm1 = (@{ id="/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/virtualMachines/<VM_NAME>";
ports=(@{
number=22;
endTimeUtc=[DateTime]::UtcNow.AddMinutes(10);
allowedSourceAddressPrefix=@("*")})})
$JitPolicyArr=@($JitPolicyVm1)
Start-AzJitNetworkAccessPolicy -ResourceId "/subscriptions/SUBSCRIPTIONID/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Security/locations/<LOCATION>/jitNetworkAccessPolicies/default" -VirtualMachine $JitPolicyArr
inputs:
azureSubscription: 'ваша Azure-подписка'
ScriptType: 'InlineScript'
Inline: |
$JitPolicyVm1 = (@{ id="/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/virtualMachines/<VM_NAME>";
ports=(@{
number=22;
endTimeUtc=[DateTime]::UtcNow.AddMinutes(10);
allowedSourceAddressPrefix=@("*")})})
$JitPolicyArr=@($JitPolicyVm1)
Start-AzJitNetworkAccessPolicy -ResourceId "/subscriptions/SUBSCRIPTIONID/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Security/locations/<LOCATION>/jitNetworkAccessPolicies/default" -VirtualMachine $JitPolicyArr
This example opens access to port 22 to the virtual machine from any address for 10 minutes from the moment this task is executed.
This allows access to be opened dynamically only during the build or deployment phase, offering a high level of security.
This allows access to be opened dynamically only during the build or deployment phase, offering a high level of security.