Can I use Just in time access without public IP?

Question

Can I use Just in time access without public IP?

Jay Sachapara 1

Hello.
I would like to implement Just in time access to my organization.
VM has private IP but no public IP.
Is it required to have public IP to the VM?

4 answers

Your answer

Answer 1

Hi @Jay Sachapara

Thanks for reaching out to Microsoft Q & A Platform .

To answer your question, Yes we can enable JIT access to the Private VM's as well who doesn't have the public ip associated to it .

Navigate to configuration tab and from menu and enable the JIT on the VM.
Once it is enabled you should be able to view the functional working also you should see the new NSG's which are created , For example check the following:

Hope this answers your question

Thanks,
Pradeep

---------------------------------------------------------------------------------------------

Please don't forget to "Accept the answer " or "Up-Vote" if this was helpful .

Answer 2

Jay Sachapara 1

Thank you for the response.
I have enabled JIT and requested access as well but when I download RDP file and tries to connect it give me an error.
This is a brand new tenant and I only have one VM with no public IP.

Pradeep Kommaraju 2,626 Reputation points

2022-01-20T00:23:30.12+00:00

Got you , in that case you need to at least have one VM acting as a jump box from where you can connect to other VM's over Private network .
That is one solution that you can implement .

The only other way to connect to Azure VM using private IP from your laptop (provided there is no VPN set up and AD is not federated) would be via Azure Bastion Service .

Thanks,
Pradeep

Answer 3

Prrudram-MSFT 28,166 Moderator

Hello @Jay Sachapara ,

In addition to what my peer @Pradeep Kommaraju , has suggested I would like you to refer to the azure bastion documentation here
How to configure azure bastion
How to connect to a Windows VM
To connect to a Linux VM

(If any of the responses were helpful please don't forget to upvote and/or accept as answer, thank you)

Answer 4

Sam Cogan 10,812 Microsoft Employee Moderator

Just in Time access only works for VM's with Public IP's. What JIT does is open a NSG port for RDP access for the duration of the request, it doesn't do anything else to support access.
Instead, you can make use of Azure Bastion for this, which will provide a jump box as a service for you to connect. You could also combine this with Azure Privilaged Identity Management to perofrm just in time elevation to give rights to use bastion, to give you a JIT process.

Jay Sachapara 1 Reputation point

2022-01-20T13:59:27.693+00:00

Hello all.
Thank you for your input and clarification.

This will allow me to present to our organization and decide in between JIT and Azure Bastion Service.
Jay Sachapara 1 Reputation point

2022-01-20T14:01:57.263+00:00

@Sam Cogan
To your comment - "Instead, you can make use of Azure Bastion for this, which will provide a jump box as a service for you to connect. You could also combine this with Azure Privilaged Identity Management to perform just in time elevation to give rights to use bastion, to give you a JIT process." Can you elaborate more or share some documentation.
Billsborough, Scott/PDX 1 Reputation point

2024-08-02T14:28:33.9133333+00:00

Sam,

Sorry but JIT does work with private IP addresses. On the connect page there is an option to switch which IP you are using.

Share via

Can I use Just in time access without public IP?

4 answers

Your answer