Why does JIT open NSG ports to ANY IP address?

The Guy From Eleven 6 Reputation points

We've set up Just-in-Time access to our VMs using Azure Security Center, and also use Bastion to access machines within a subnet.

I assumed everything was locked down securely. However, for one public-facing VM, a connection was requested using "All configured IPs", and then I saw a rule in the NSG created by JIT that opens ports 22, 3389, 5985 and 5986 to any IP address.

This appears to be the default behaviour for JIT access requests. Can anyone clarify whether this is the case, please?

If I configure ports myself in the Security Center, are there any IPs used by Azure services (e.g. logs) that need to be accounted for? I'm nervous about being insecure, but mindful that Azure itself needs to access the machine in my absence...

Thank you.

Tags: Azure Virtual Machines, Azure Bastion, Microsoft Defender for Cloud (previously known as Azure Security Center and Azure Defender)

1 answer

  1. Alan Kinane 16,591 Reputation points MVP

    Yes, if you don't configure the allowed source IP addresses then it will allow all by default.

    Regarding allowing Azure services, unless you are putting in explicit deny rules on top of the default NSG configuration you should be OK.

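The two points above (the question's observation that a JIT request made with "All configured IPs" produces an NSG rule open to every source, and the answer's point that JIT allows all unless an allowed source is configured) can be checked and avoided in code. The following is an added example, not code from the original post or from Microsoft: an audit function that scans NSG security rules (a constructed sample shaped like the `securityRules` array of an ARM NSG resource; the JIT rule name is illustrative) for inbound Allow rules that expose a management port to any source, plus a builder for the body of the JIT `initiate` REST call (`Microsoft.Security/.../jitNetworkAccessPolicies/{name}/initiate`) that refuses wildcard sources so the resulting NSG rule is pinned to the requester's address. The VM resource ID and the addresses used are placeholders.

```python
"""Added example (not from the original post): audit an NSG for management-port
rules open to any source, and build a JIT access request with an explicit source."""
import ipaddress
import json

MGMT_PORTS = {22, 3389, 5985, 5986}            # SSH, RDP, WinRM HTTP/HTTPS
ANY_SOURCE = {"*", "Any", "Internet", "0.0.0.0/0"}

# Constructed sample shaped like the securityRules array of an ARM NSG resource;
# not real data. The first rule is the kind the question describes (rule name is
# illustrative, not the exact name JIT generates).
SAMPLE_NSG_RULES = [
    {"name": "SecurityCenter-JITRule_-1_example", "properties": {
        "priority": 100, "direction": "Inbound", "access": "Allow",
        "protocol": "*", "sourceAddressPrefix": "*",
        "destinationAddressPrefix": "10.0.1.4",
        "destinationPortRanges": ["22", "3389", "5985", "5986"]}},
    {"name": "AllowBastionSSH", "properties": {
        "priority": 110, "direction": "Inbound", "access": "Allow",
        "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/26",
        "destinationAddressPrefix": "*", "destinationPortRange": "22"}},
    {"name": "AllowWebInternet", "properties": {
        "priority": 120, "direction": "Inbound", "access": "Allow",
        "protocol": "Tcp", "sourceAddressPrefix": "Internet",
        "destinationAddressPrefix": "*", "destinationPortRange": "443"}},
    {"name": "DenyRdpFromAny", "properties": {
        "priority": 4000, "direction": "Inbound", "access": "Deny",
        "protocol": "*", "sourceAddressPrefix": "*",
        "destinationAddressPrefix": "*", "destinationPortRange": "3389"}},
]


def _ports(props):
    """Expand destinationPortRange / destinationPortRanges ('22', '5985-5986', '*')."""
    ranges = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    out = set()
    for r in ranges:
        if r == "*":
            return set(MGMT_PORTS)          # wildcard port range covers every management port
        lo, _, hi = r.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def exposed_mgmt_rules(rules):
    """Names of inbound Allow rules that expose a management port to any source."""
    hits = []
    for rule in rules:
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        prefixes = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix")]
        if not any(src in ANY_SOURCE for src in prefixes):
            continue
        if _ports(p) & MGMT_PORTS:
            hits.append(rule["name"])
    return hits


def jit_initiate_body(vm_id, ports, source_prefix, duration="PT1H", justification=""):
    """Body for the JIT 'initiate' REST call with an explicit allowed source.

    Shape: virtualMachines[].ports[].{number, duration, allowedSourceAddressPrefix}.
    Refuses wildcard sources, which is what "All configured IPs" turns into when
    the policy's allowed source was never narrowed.
    """
    if source_prefix in ANY_SOURCE:
        raise ValueError("refusing to request JIT access from any source")
    ipaddress.ip_network(source_prefix, strict=False)   # raises on malformed input
    return {
        "virtualMachines": [{
            "id": vm_id,
            "ports": [{"number": n, "duration": duration,
                       "allowedSourceAddressPrefix": source_prefix} for n in ports],
        }],
        "justification": justification,
    }


if __name__ == "__main__":
    print("management ports open to any source:", exposed_mgmt_rules(SAMPLE_NSG_RULES))
    body = jit_initiate_body(
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/"
        "providers/Microsoft.Compute/virtualMachines/web01",   # placeholder VM ID
        [3389], "203.0.113.7/32", justification="hotfix deployment")
    print(json.dumps(body, indent=2))
```

Running the audit against a real NSG means feeding it the `securityRules` array pulled from the resource (for example the JSON returned by `az network nsg show`); anything it lists is a rule to tighten, whether JIT created it or not. The request builder only covers the source narrowing; the JIT policy itself must also list the VM and ports for the call to succeed.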