question

Asked by TeddyDubois29

Azure VM JIT - Do not allow Any as source

Hello gents,

I'm having some issues with JIT for Azure VMs.
We want to use JIT to allow externals (third parties or contractors) to access specific VMs remotely. As we have a huge list of externals (big enterprise, long list of applications from different providers), we can't provide a specific list of IPs in the JIT configuration because we don't know the public IPs of all external companies. Due to that, we left the default rule "Per request" in JIT on the VM.

Next to that, I deployed an Azure Policy to restrict NSG rules so that users cannot create a rule opening RDP or SSH from Any, Internet or 0.0.0.0/0. I tested the Policy by creating a rule in the NSG manually; I get denied, so that works.

During testing, I found out two issues:
1. I see that by default, the portal selects "All configured IPs" in the "Connect" blade of the Azure VM, and I didn't find a way in JIT to remove that option and only have "My IP" or "Other IP/IPs". That option doesn't exist when going through the "Security" blade, but users won't go that way when the "Connect" blade takes 2 clicks instead of 5 in different panels through "Security". Is there a way to remove that option?

2. JIT ignores Azure Policy. Thanks to my Azure Policy, I cannot manually create an NSG rule to open RDP from Any, but JIT doesn't throw an error and the "SecurityCenter-JITRule-" opening RDP from Any is created successfully. Can we bring JIT under the control of Azure Policy?

Notes to counter questions:
Yes, I tested creating a rule in the NSG manually using exactly the same configuration as JIT: my Azure Policy triggered and denied me.
We have scenarios where the Azure Vnet hosting the VM is not connected to our network, so VPN or access from company network is not possible either.
I know Bastion but it has a cost so we are looking at other options before validating the best option.

Thank you in advance,
Teddy


Tags: azure-virtual-machines, azure-policy

1 Answer

Answered by SwathiDhanwada-MSFT

@TeddyDubois29 Thanks for reaching out. I understand that you want to restrict internet access to your virtual machines. You have created a policy for this so that any user who tries to create a rule routing traffic to the internet is denied. However, this isn't working when a JIT policy is added.

1. Unfortunately, you can't disable "All configured IPs" as far as I know. However, you can deny the creation of JIT policies when the rules contain internet IP addresses.

2. For JIT, we have separate aliases within Policy with which you can restrict access.

Here is the list of available aliases for you to create a custom policy for your requirement.

(Get-AzPolicyAlias -Namespace Microsoft.Security).Aliases.Name

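As an added example (not code from this thread), here is one way to turn the answer's suggestion into a custom Azure Policy definition: it denies creating or updating a JIT network access policy whose port rules allow Any ("*"), Internet or 0.0.0.0/0 as source. The alias names, definition name and scope are assumptions, so confirm the aliases with the Get-AzPolicyAlias command above before assigning.

```powershell
# Added example, not from the original thread. Denies JIT policies whose port rules
# allow an internet-wide source prefix, using Microsoft.Security aliases.
# ASSUMPTION: the two alias names below exist in your tenant; verify them first with
#   (Get-AzPolicyAlias -Namespace Microsoft.Security).Aliases.Name |
#       Select-String 'jitNetworkAccessPolicies.*allowedSourceAddressPrefix'
# ASSUMPTION: definition name and assignment scope are placeholders.

$ports  = 'Microsoft.Security/locations/jitNetworkAccessPolicies/virtualMachines[*].ports[*]'
$single = "$ports.allowedSourceAddressPrefix"        # assumed alias
$list   = "$ports.allowedSourceAddressPrefixes[*]"   # assumed alias
$badSources = @('*', 'Any', 'Internet', '0.0.0.0/0', '::/0')

$rule = @{
    'if' = @{
        allOf = @(
            @{ field = 'type'; equals = 'Microsoft.Security/locations/jitNetworkAccessPolicies' }
            @{
                # Count the port rules that allow an internet-wide source; deny if any exist.
                'count' = @{
                    field   = $ports
                    'where' = @{
                        anyOf = @(
                            @{ field = $single; 'in' = $badSources }
                            @{ field = $list;   'in' = $badSources }
                        )
                    }
                }
                greater = 0
            }
        )
    }
    'then' = @{ effect = 'deny' }
}

$definition = New-AzPolicyDefinition `
    -Name 'deny-jit-any-source' `
    -DisplayName 'Deny JIT policies that allow Any/Internet as source' `
    -Policy ($rule | ConvertTo-Json -Depth 20) `
    -Mode All

# Assign where the JIT-enabled VMs live (placeholder scope).
New-AzPolicyAssignment -Name 'deny-jit-any-source' `
    -PolicyDefinition $definition `
    -Scope '/subscriptions/<subscription-id>/resourceGroups/<resource-group>'
```

Azure Policy evaluates resource create and update operations, so this constrains what a JIT policy resource may contain; it does not evaluate the per-request source IP picked in the Connect blade, which is an action on the policy rather than a resource write.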

Comment from TeddyDubois29:
Thank you for the answer.
I will have to dive into those policies to find the best option.
Should I enforce the restriction through Azure Policy then?

Comment from SwathiDhanwada-MSFT:
@TeddyDubois29 Yes, you would need to use Azure Policy for your requirement.

If the above answer was helpful, please remember to accept it so that others in the community with similar questions can more easily find a solution.