
Why does JIT open NSG ports to ANY IP address?

The Guy From Eleven 11 Reputation points
2021-09-30T10:26:04.647+00:00

We've set up Just-in-Time access to our VMs using Azure Security Center, and also use Bastion to access machines within a subnet.

I assumed everything was locked down securely. However for one public-facing VM, a connection was requested using "All configured IPs", then I saw a rule in NSG created by JIT that opens ports 22, 3389, 5985, 5986 to any IP address.

This appears to be the default behaviour for JIT access requests. Can anyone clarify this is the case please?

If I configure ports myself in the Security Center, are there any IPs used by Azure services (e.g. logs) that need to be accounted for? I'm nervous about being insecure, but mindful Azure itself needs to access the machine in my absence...

Thank you.

Azure Virtual Machines

An Azure service that is used to provision Windows and Linux virtual machines.

Azure Bastion

An Azure service that provides private and fully managed Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to virtual machines.

Microsoft Security | Microsoft Defender | Microsoft Defender for Cloud

2 answers

Sort by: Most helpful
  1. Alan Kinane 17,356 Reputation points MVP Volunteer Moderator
    2021-09-30T11:17:06.03+00:00

    Yes, if you don't configure the allowed source IP addresses then it will allow all by default.

    Regarding allowing Azure services, unless you are putting in explicit deny rules on top of the default NSG configuration you should be OK.

    1 person found this answer helpful.
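    The two practical consequences of the answer above, as an added example that is not part of the original thread: audit an NSG for JIT-generated allow rules whose source is "any", and build a JIT request body that pins the source to a specific address so the "All configured IPs" default is never used. The NSG rule shape mirrors what `az network nsg rule list -o json` returns; the JIT rule name prefix `SecurityCenter-JITRule`, the `initiate` REST path with `api-version=2020-01-01`, and the request body fields (`number`, `duration`, `allowedSourceAddressPrefix`) are assumptions drawn from the Microsoft.Security JIT API, and the sample rules are constructed.

```python
"""Audit NSG rules created by JIT and build a source-pinned JIT request.

Added example; not code from the original post or from Microsoft.
Assumptions are marked in comments.
"""
import ipaddress
import json

# Ports JIT opened in the question above
JIT_DEFAULT_PORTS = (22, 3389, 5985, 5986)

# Source prefixes that mean "any address" in an NSG rule
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0", "::/0"}

# Assumption: NSG rules generated by JIT carry this name prefix
JIT_RULE_PREFIX = "SecurityCenter-JITRule"

# Constructed sample, shaped like `az network nsg rule list -o json` output
SAMPLE_RULES = [
    {"name": "SecurityCenter-JITRule_-1234567890_abc",
     "properties": {"access": "Allow", "direction": "Inbound", "priority": 100,
                    "protocol": "*", "sourceAddressPrefix": "*",
                    "destinationPortRanges": ["22", "3389", "5985", "5986"]}},
    {"name": "SecurityCenter-JITRule_987654321_def",
     "properties": {"access": "Allow", "direction": "Inbound", "priority": 101,
                    "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.7/32",
                    "destinationPortRange": "22"}},
    {"name": "AllowBastionSubnet",
     "properties": {"access": "Allow", "direction": "Inbound", "priority": 200,
                    "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/26",
                    "destinationPortRanges": ["22", "3389"]}},
]


def _source_prefixes(rule):
    """Collect single and multi-valued source prefixes of a rule."""
    props = rule["properties"]
    out = []
    if props.get("sourceAddressPrefix"):
        out.append(props["sourceAddressPrefix"])
    out.extend(props.get("sourceAddressPrefixes") or [])
    return out


def _dest_ports(rule):
    """Expand destination port ranges into a set of ints; None means all ports."""
    props = rule["properties"]
    ranges = []
    if props.get("destinationPortRange"):
        ranges.append(props["destinationPortRange"])
    ranges.extend(props.get("destinationPortRanges") or [])
    ports = set()
    for r in ranges:
        if r == "*":
            return None
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def find_world_open_jit_rules(rules, watch_ports=JIT_DEFAULT_PORTS):
    """Return inbound JIT allow rules reachable from any address on a watched port."""
    findings = []
    for rule in rules:
        props = rule["properties"]
        if not rule["name"].startswith(JIT_RULE_PREFIX):
            continue
        if props.get("access") != "Allow" or props.get("direction") != "Inbound":
            continue
        sources = _source_prefixes(rule)
        if not any(p in ANY_SOURCE for p in sources):
            continue
        ports = _dest_ports(rule)
        hit = sorted(watch_ports) if ports is None else sorted(ports & set(watch_ports))
        if hit:
            findings.append({"name": rule["name"], "ports": hit, "sources": sources})
    return findings


def jit_initiate_url(subscription_id, resource_group, location, policy_name="default"):
    """Assumption: REST path of the JIT policy 'initiate' action."""
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}/providers/Microsoft.Security"
            f"/locations/{location}/jitNetworkAccessPolicies/{policy_name}"
            "/initiate?api-version=2020-01-01")


def build_jit_request(vm_id, source_prefix, ports=(22,), duration="PT3H"):
    """Build the initiate body; refuse any source that means 'the whole internet'."""
    if source_prefix in ANY_SOURCE:
        raise ValueError("refusing to request JIT access from any address")
    net = ipaddress.ip_network(source_prefix, strict=False)  # rejects garbage input
    if net.prefixlen == 0:
        raise ValueError("refusing a /0 source prefix")
    return {"virtualMachines": [{
        "id": vm_id,
        "ports": [{"number": p, "duration": duration,
                   "allowedSourceAddressPrefix": str(net)} for p in ports],
    }]}


if __name__ == "__main__":
    print(json.dumps(find_world_open_jit_rules(SAMPLE_RULES), indent=2))
    vm = "/subscriptions/sub/resourceGroups/rg/providers/Microsoft.Compute/virtualMachines/vm1"
    print(jit_initiate_url("sub", "rg", "westeurope"))
    print(json.dumps(build_jit_request(vm, "203.0.113.7", ports=(22, 3389)), indent=2))
```

    Run the audit against the real output of `az network nsg rule list --nsg-name <nsg> -g <rg> -o json` to catch JIT rules that were requested with the "All configured IPs" default; the request builder is the piece you would wire into an ARM token-bearing `POST` so that every JIT request names the caller's current public address rather than `*`.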

  2. Dan Oldenkamp 6 Reputation points
    2023-09-27T22:33:42.7333333+00:00

    How is this ok for the default behavior of just in time to allow all IPs from the internet to attempt RDP.

    This is infinitely worse than a static NSG rule. Note that most of my users are in countries where their public IP address changes daily.

    Why is there no option to deny the behavior of allow all?

    Can we get this obvious next step request added as a feature request on the roadmap or am I missing something?
