At Microsoft Ignite in November 2021, Azure Security Center and Azure Defender were renamed Microsoft Defender for Cloud. The Azure Defender plans were renamed Microsoft Defender plans at the same time; for example, Azure Defender for Storage is now Microsoft Defender for Storage. The rest of this article uses the original names where the screenshots and menus still show them.
In this article, we will show you how to configure Just-In-Time VM Access for Azure Firewall in Microsoft Defender for Cloud (formerly Azure Security Center).
The most frequent attack we see today is the brute-force attack against the RDP/SSH management ports. Microsoft gives you a way to avoid keeping these ports open at all, even for legitimate administration: with Azure Security Center you make them reachable only when an administrator actually needs them, and only for as long as they need them.
A while ago, we blogged about how to automate Just-In-Time VM Access requests with PowerShell. Just-In-Time VM Access is one of the many features included in Azure Security Center, and it is something you should consider for every virtual machine that is publicly facing. You specify rules for how users can connect to the virtual machines (which ports, from which source addresses, for how long). When needed, access is requested from Azure Security Center or via PowerShell. As long as the request complies with the rules, access is granted automatically for the requested time only.
Last week, Microsoft announced that Just-In-Time VM Access can now be used with Azure Firewall as well. Microsoft also recently announced the public preview of the new Azure Bastion, but Bastion is feature-incomplete at this time and does not replace the need for Just-In-Time (JIT) VM Access.
Just-In-Time access for Azure Firewall
To learn more about Just-In-Time (JIT) VM access, please check the following article. Just like JIT on Network Security Groups (NSG), when you use Just-In-Time with Azure Firewall, Azure Security Center allows inbound traffic to your Azure VMs only per confirmed request, by creating an Azure Firewall NAT rule (in addition to NSG rules, where the VM's subnet or NIC has an NSG). If you are new to Azure Firewall, please check the Microsoft documentation here.
When a user requests access to a VM, Azure Security Center first checks that the user has the Role-Based Access Control (RBAC) permissions required to request access to that VM. If the request is approved, Azure Security Center automatically configures the Azure Firewall (and the NSGs) to allow inbound traffic to the selected ports from the requested source IP addresses or ranges, for the amount of time that was specified. After the time has expired, Azure Security Center restores the firewall and the NSGs to their previous state. Note that connections that are already established are not interrupted when the window closes; only new connections are blocked. In addition, when you request access, Azure Security Center gives you the correct connection details (the firewall's public IP and the mapped port) for your virtual machine.
Use Just-In-Time access with Azure Firewall
To use Just-In-Time (JIT) VM Access with Azure Firewall, you need first to configure and deploy Azure Firewall. Microsoft has a great tutorial on how to deploy and configure Azure Firewall using the Azure portal.
Once you have Azure Firewall configured and you enabled Just-In-Time access for your virtual machine, then you can take the following easy steps:
1) Open the Azure Portal, then go to Security Center, under Just in time VM access, select Configured.
2) Under VMs, select the VM that you want to request just-in-time access for, and then select Request access.
3) Under Request access, for each selected VM, configure the ports that you want to open, the source IP addresses the ports will be opened to, and the time window for which the ports will stay open. Please note that you can only request access to ports that are configured in the just-in-time policy, and each port has a maximum allowed time derived from that policy. Select Open ports.
4) The icon in the 'Connection Details' column indicates whether JIT is enabled on the NSG or on the Firewall. If it is enabled on both, only the Firewall icon appears. The 'Connection Details' column provides the information required to connect to the VM and shows which ports were opened. In this example, since we are using Azure Firewall with JIT, only the Firewall icon appears.
5) Finally, to connect to your VM you must use the firewall's public IP address together with the mapped port that Azure Security Center shows in the 'Connection Details' column (not the VM's own private IP and port 3389). In the screenshot above it is 184.108.40.206:13389.
6) Copy the 'Connection Details' from Azure Security Center, then press the Windows key and the R key at the same time to open the Run box, and type mstsc /v: followed by the 'Connection Details', for example mstsc /v:184.108.40.206:13389, to connect to your VM directly.
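The same flow can be scripted instead of clicked through. The following is an added example written for this article, not code from the original post or from Microsoft: it pins down the JIT policy for one VM (the portal default allows any source address, which lets a requester open the port to the whole internet for the window), requests RDP for one hour from a single admin IP, and then reads back the NAT rule that Defender for Cloud wrote into the firewall so you know what to type into mstsc. The allowed-prefix list is also where the AzureBastionSubnet range would go for the Bastion scenario discussed later in this article. It requires the Az.Security and Az.Network modules and an authenticated session (Connect-AzAccount). Every subscription ID, resource name, location and IP address below is a placeholder, and the firewall is assumed to use classic rule collections rather than an attached Firewall Policy.

```powershell
# Added example for this article (not the post's own code). All IDs, names and IPs are placeholders.
# Prerequisites: Az.Security, Az.Network, and Connect-AzAccount already done.

$SubscriptionId = "00000000-0000-0000-0000-000000000000"
$ResourceGroup  = "rg-jit-demo"
$Location       = "westeurope"
$VmName         = "vm-web01"
$FirewallName   = "fw-hub"
$AdminRange     = "203.0.113.0/24"   # corporate egress range (TEST-NET-3, documentation only)
$AdminSourceIp  = "203.0.113.10"     # the requesting admin's public IP
$VmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Compute/virtualMachines/$VmName"

# 1) JIT policy for the VM: RDP and SSH only, only from the admin range, at most 3 hours per request.
#    allowedSourceAddressPrefix = @("*") would let any approved request open the port to the internet.
$JitPolicy = @{
    id    = $VmId
    ports = @(
        @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @($AdminRange); maxRequestAccessDuration = "PT3H" },
        @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = @($AdminRange); maxRequestAccessDuration = "PT3H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $Location -Name "default" `
    -ResourceGroupName $ResourceGroup -VirtualMachine @($JitPolicy)

# 2) Request RDP for one hour from a single source IP. endTimeUtc must stay within
#    maxRequestAccessDuration and the source must fall inside the policy's allowed prefixes,
#    otherwise the request is rejected.
$EndTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
$Request = @{
    id    = $VmId
    ports = @(
        @{ number = 3389; endTimeUtc = $EndTimeUtc; allowedSourceAddressPrefix = @($AdminSourceIp) }
    )
}
$PolicyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $PolicyId -VirtualMachine @($Request)

# 3) Read back the DNAT rule Defender for Cloud created. You connect to the firewall's public IP on the
#    rule's *destination* port; the firewall translates that to the VM's private IP and port 3389.
$Fw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $ResourceGroup
foreach ($coll in $Fw.NatRuleCollections) {
    foreach ($rule in $coll.Rules) {
        if ($rule.TranslatedPort -eq "3389") {
            [pscustomobject]@{
                Collection = $coll.Name
                Priority   = $coll.Priority
                ConnectTo  = "{0}:{1}" -f ($rule.DestinationAddresses -join ","), ($rule.DestinationPorts -join ",")
                NatTo      = "{0}:{1}" -f $rule.TranslatedAddress, $rule.TranslatedPort
                From       = ($rule.SourceAddresses -join ",")
            }
        }
    }
}
# Then, on the admin workstation:  mstsc /v:<ConnectTo value>
```

Two things worth checking in the output: `From` should list only the IP you requested (if it shows `*`, the policy prefix was left open), and `Collection`/`Priority` tells you the rule sits above your own NAT rule collections, which is what makes the temporary mapping take precedence. Run the firewall read-back again after `endTimeUtc` to confirm the rule is gone.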
When the access request is approved, Azure Security Center creates a high-priority NAT rule in your Azure Firewall that allows inbound traffic on the opened ports from the requested source IPs only, as shown in the following screenshot. The rule is removed again when the requested time window expires.
Azure Bastion and Just-In-Time VM access
As we mentioned at the beginning of this article, Microsoft announced the public preview of the new Azure Bastion. Azure Bastion is a managed PaaS service that provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure Portal over TLS (HTTPS), without any public IP address on the virtual machines themselves.
Updated 29/11/2021: Azure Bastion is now supported together with Just-In-Time VM access, as confirmed by Microsoft in the multilayered protection for Azure virtual machine access architecture. The Bastion subnet's private IP range (AzureBastionSubnet) has to be entered as an allowed source address, either when the Just-In-Time (JIT) policy is set up or when the JIT request is created in Microsoft Defender for Cloud; otherwise the Bastion host's connection attempts are blocked like any other unrequested source.
Azure Bastion is completely optional in this solution. Without it, users connect to the Azure VMs over RDP through the firewall's NAT rule, as shown above. If you do deploy Azure Bastion in an Azure virtual network, create a dedicated subnet called AzureBastionSubnet and associate a network security group with it. In that NSG, restrict the allowed source for inbound HTTPS traffic, for example to the user's on-premises IP CIDR block. With this configuration you block connections to the Bastion host that do not originate from the user's on-premises environment.
Please note that at the time this article was originally written (before the update above), Azure Bastion and Just-In-Time (JIT) VM access could not be used together. In other words, if you enabled Azure Bastion in a virtual network (VNET) that contained a VM with JIT already enabled, the Bastion host would not connect to the target machine, and you would receive the following message:
The network connection to the Bastion Host appears unstable.
Just-In-Time VM access is a great feature because Azure administrators no longer need to edit the Azure Firewall rules and the Network Security Group (NSG) settings by hand every time someone needs to connect, and with PowerShell the whole request can be automated. Please note that Just-In-Time VM access incurs additional charges on your Azure subscription, as it is part of the paid Azure Security Center tier (Azure Defender for Servers, now Microsoft Defender for Servers). For more information on the Azure Security Center pricing tiers, please check the Microsoft pricing documentation here.
Until then… Stay secure with Just in Time access and Azure Firewall!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.