What is the difference between JIT and adding IPs to NSG manually?

Question

What is the difference between JIT and adding IPs to NSG manually?

Najam ul Saqib 400

Hi,I am trying to understand the efficacy of JIT, it looks like when I request access via JIT, it adds my IP (or the IP range I give to it) to the whitelist for a specific port on a VM and then you can access that VM for a specific time range, isn't that equivalent to, adding the IP to an NSG for allowing access and removing it after some time? I know there's some manual effort involved but is there anything additional that JIT offers that I am missing?

Accepted answer

0 additional answers

Your answer

Answer 1

KapilAnanth-MSFT 49,616 Microsoft Employee Moderator

@Najam ul Saqib ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to understand the advantages of Microsoft Defender for Cloud's just-in-time (JIT) over NSG.

In simple words, JIT is a combination of NSG + Azure role-based access control (Azure RBAC).

To address your question, the main benefit is less management overhead and control of who can actually raise a request to access the VM

One more point to note is that JIT also seamlessly integrates with Azure Firewall

With traditional NSG,

You have management overhead
A rule created is permanent unless a user explicitly deletes it
If you know the user's source IP and you are sure the IP will never change, you can use NSG rule as "Allow" for this IP
- However, if the source IP is not fixed, you have to manually create and delete rules every time the IP changes.

With JIT,

When a user requests access to a VM, Defender for Cloud checks that the user has Azure role-based access control (Azure RBAC) permissions for that VM.
If the request is approved, Defender for Cloud configures the NSGs and Azure Firewall to allow inbound traffic to the selected ports from the relevant IP address (or range), for the amount of time that was specified
This means, not everyone can request to get their IP Allowed in the NSG
See : How Defender for Cloud identifies which VMs should have JIT applied

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

Najam ul Saqib 400 Reputation points

2024-08-14T11:45:02.7266667+00:00

Thank you @KapilAnanth-MSFT for explanation.

The only benefit apart from management overhead I see with JIT is that it checks for permissions in RBAC; otherwise if we have static IP for the user we can just add it to NSG.

For RBAC, what roles do you need to be eligible for VM access?
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2024-08-15T09:08:12.1+00:00
@Najam ul Saqib You are welcome :)

Refer to JIT Prerequisites,

For a user to request JIT Access to a VM - one must have the below permissions

Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action

Microsoft.Security/locations/jitNetworkAccessPolicies/*/read

Microsoft.Compute/virtualMachines/read

Microsoft.Network/networkInterfaces/*/read

Microsoft.Network/publicIPAddresses/read

In the same document, you can find permissions for "Configure or edit a JIT policy for a VM" and "Read JIT policies"

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Najam ul Saqib 400 Reputation points

2024-08-15T16:59:59.16+00:00

Is this true? "The only benefit apart from management overhead I see with JIT is that it checks for permissions in RBAC; otherwise if we have static IP for the user we can just add it to NSG."
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2024-08-16T05:54:06.5+00:00

@Najam ul Saqib,

In simple words, yes, your statement is correct.

While Microsoft Defender for Cloud as a whole offers various services, the JIT feature of Defender is to automatically add NSG/Firewall Rules based on permissions.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.
Najam ul Saqib 400 Reputation points

2024-08-16T09:35:48.42+00:00

Thank you Kapil

Share via

What is the difference between JIT and adding IPs to NSG manually?

0 additional answers

Your answer