Azure VM JIT - Do not allow Any as source

Ted 191 Reputation points
2022-05-12T07:55:25.313+00:00

Hello gents,

I'm having some issues with JIT for Azure VMs.
We want to use JIT to allow externals (Third-parties or contractors) to access specifics VMs remotely. As we have an huge list of externals (big enterprise, long list of applications from different providers), we can't provide a specific list of IPs into JIT configuration as we don't know the public IPs of all external companies. Due to that, we left the default rule "Per request" in JIT on the VM.

Next to that, I deployed an Azure Policy to restrict NSG rule so users cannot create a rule opening RDP or SSH from any, internet or 0.0.0.0/0. I tested the Policy by creating a rule in NSG manually, I get denied so that works.

During testing, I found out two issues:

  1. I see that by default, the portal select "All configured IPs" in the "Connect" blade of Azure VM and I didn't find in JIT a way to remove that option to only have "My IP" or "Other IP/IPs". That option doesn't exist when going through "Security" blade but users won't go that way when the "Connect" blade takes 2 clicks instead of 5 in different panels through "Security". Is there a way to remove that option?
    201314-image.png
  2. JIT ignores Azure Policy. Thanks to my Azure Policy, I cannot create manually a NSG rule to open RDP from any, but JIT doesn't throw an error and the "SecurityCenter-JITRule-" opening RDP from Any is created successfully. Can we make JIT under control by Azure Policy?
    201333-image.png

Notes to counter questions:
Yes, I tested to create a Rule in NSG manually using exactly the same configuration as JIT: my Azure Policy triggered and denied me.
We have scenarios where the Azure Vnet hosting the VM is not connected to our network, so VPN or access from company network is not possible either.
I know Bastion but it has a cost so we are looking at other options before validating the best option.

Thank you in advance,
Teddy

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,160 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
799 questions
0 comments
Accepted answer
  1. SwathiDhanwada-MSFT 17,641 Reputation points
    2022-05-18T07:14:57.28+00:00

    @Ted Thanks for reaching out. I understand that you want to restrict the access to internet for your virtual machines. You have created a policy for the same where any user tries to create a rule which routes traffic to internet should be denied. However, this isn't working when JIT policy is added.

    1. Unfortunately, you can't disable the "All Configured IPs" as far as I know. However, you can use deny creation of JIT policies when the rules contain IP addresses of internet.
    2. For JIT, we have separate aliases within Policy with which you can restrict access.

    Here is the list of available aliases for you to create a custom policy for your requirement. 

    (Get-AzPolicyAlias -Namespace Microsoft.Security).Aliases.Name

    203010-image.png

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest