Azure Just-in-Time VM Access is a great option to control when engineers need to work in their VM’s with RDP in to the system. Let’s assume they work 1 hour per day on servers. so, keeping port open for 24 hours is a risk.
Using Just-in-Time VM Access we can limit the time it keeps RDP ports open.
When Just-in-Time VM Access enabled, we can define what VM and what ports will be controlled. In most scenarios you do not need to control access to ports used by your applications or services. It will be more in to ports related to management tasks. This all done by using azure network security group rules.
Configuration
- Log in to Azure Portal using Global Administrator account.
- Go to Security Center > Just-In-Time VM Access (you may have to enable Azure Defender, if it’s not already).
3. From the Not configured tab, mark the VMs to protect with JIT and select Enable JIT on VMs.
The JIT VM access page opens listing the ports that Security Center recommends protecting:
22 – SSH
3389 – RDP
5985 – WinRM
5986 – WinRM
Cheers,
Greg