You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
**Just-in-time VM access** provides information on the state of your VMs:
43
+
The **Just-in-time VM access** window opens and shows information on the state of your VMs:
48
44
49
45
-**Configured** - VMs that have been configured to support just-in-time VM access. The data presented is for the last week and includes for each VM the number of approved requests, last access date and time, and last user.
50
46
-**Recommended** - VMs that can support just-in-time VM access but haven't been configured to. We recommend that you enable just-in-time VM access control for these VMs.
@@ -53,26 +49,26 @@ From Security Center, you can configure a JIT policy and request access to a VM
53
49
- Classic VM - Security Center just-in-time VM access currently supports only VMs deployed through Azure Resource Manager. A classic deployment is not supported by the just-in-time solution.
54
50
- Other - A VM is in this category if the just-in-time solution is turned off in the security policy of the subscription or the resource group, or if the VM is missing a public IP and doesn't have an NSG in place.
55
51
56
-
3. Select the **Recommended** tab.
52
+
1. Select the **Recommended** tab.
57
53
58
-
4. Under **VIRTUAL MACHINE**, click the VMs that you want to enable. This puts a checkmark next to a VM.
54
+
1. Under **VIRTUAL MACHINE**, click the VMs that you want to enable. This puts a checkmark next to a VM.
59
55
60
-
5. Click **Enable JIT on VMs**.
61
-
-. This blade displays the default ports recommended by Azure Security Center:
1. Click **Add**. The **Add port configuration** window opens.
69
-
2. For each port you choose to configure, both default and custom, you can customize the following settings:
58
+
1. Click **Enable JIT on VMs**. A pane opens displaying the default ports recommended by Azure Security Center:
59
+
- 22 - SSH
60
+
- 3389 - RDP
61
+
- 5985 - WinRM
62
+
- 5986 - WinRM
63
+
1. Optionally, you can add custom ports to the list:
70
64
71
-
-**Protocol type**- The protocol that is allowed on this port when a request is approved.
72
-
-**Allowed source IP addresses**- The IP ranges that are allowed on this port when a request is approved.
73
-
-**Maximum request time**- The maximum time window during which a specific port can be opened.
65
+
1. Click **Add**. The **Add port configuration** window opens.
66
+
1. For each port you choose to configure, both default and custom, you can customize the following settings:
67
+
-**Protocol type**- The protocol that is allowed on this port when a request is approved.
68
+
-**Allowed source IP addresses**- The IP ranges that are allowed on this port when a request is approved.
69
+
-**Maximum request time**- The maximum time window during which a specific port can be opened.
74
70
75
-
3. Click **OK**.
71
+
1. Click **OK**.
76
72
77
73
1. Click **Save**.
78
74
@@ -121,7 +117,7 @@ To edit an existing just-in-time policy of a VM:
121
117
You can gain insights into VM activities using log search. To view logs:
122
118
123
119
1. Under **Just-in-time VM access**, select the **Configured** tab.
124
-
2. Under **VMs**, select a VM to view information about by clicking on the three dots within the row for that VM and select **Activity Log**in the menu. The **Activity log** opens.
120
+
2. Under **VMs**, select a VM to view information about by clicking on the three dots within the row for that VM and select **Activity Log**from the menu. The **Activity log** opens.
@@ -144,7 +140,7 @@ To make it easy to roll out just-in-time access across your VMs, you can set a V
144
140
1. From the [Azure portal](https://ms.portal.azure.com), search for and select **Virtual machines**.
145
141
2. Select the virtual machine you want to limit to just-in-time access.
146
142
3. In the menu, select **Configuration**.
147
-
4. Under **Just-in-time-access**, select **Enable just-in-time**.
143
+
4. Under **Just-in-timeaccess**, select **Enable just-in-time**.
148
144
149
145
This enables just-in-time access for the VM using the following settings:
150
146
@@ -161,11 +157,11 @@ If a VM already has just-in-time enabled, when you go to its configuration page
161
157
162
158
163
159
164
-
### Request JIT access to a VM via the Azure VM blade
160
+
### Request JIT access to a VM via an Azure VM's page
165
161
166
162
In the Azure portal, when you try to connect to a VM, Azure checks to see if you have a just-in-time access policy configured on that VM.
167
163
168
-
- If you do have a JIT policy configured on the VM, you can click **Request access** to enable you to have access in accordance with the JIT policy set for the VM.
164
+
- If you have a JIT policy configured on the VM, you can click **Request access** to enable you to have access in accordance with the JIT policy set for the VM.
@@ -186,11 +182,11 @@ In the Azure portal, when you try to connect to a VM, Azure checks to see if you
186
182
187
183
You can set up and use just-in-time via REST APIs and via PowerShell.
188
184
189
-
## JIT VM access via REST APIs
185
+
###JIT VM access via REST APIs
190
186
191
187
The just-in-time VM access feature can be used via the Azure Security Center API. You can get information about configured VMs, add new ones, request access to a VM, and more, via this API. See [Jit Network Access Policies](https://docs.microsoft.com/rest/api/securitycenter/jitnetworkaccesspolicies), to learn more about the just-in-time REST API.
192
188
193
-
## JIT VM access via PowerShell
189
+
###JIT VM access via PowerShell
194
190
195
191
To use the just-in-time VM access solution via PowerShell, use the official Azure Security Center PowerShell cmdlets, and specifically `Set-AzJitNetworkAccessPolicy`.
196
192
@@ -226,7 +222,7 @@ Run the following in PowerShell to accomplish this:
In the following example, you can see a just-in-time VM access request to a specific VM in which port 22 is requested to be opened for a specific IP address and for a specific amount of time:
232
228
@@ -251,14 +247,13 @@ For more information, see the PowerShell cmdlet documentation.
251
247
252
248
## Automatic cleanup of redundant JIT rules
253
249
254
-
Whenever you update a JIT policy, a cleanup tool automatically runs to check the validity of your entire ruleset. If it finds a mismatch between a rule in your policy and a rule in the NSG, it determines the cause and removes the rule when safe to do so.
250
+
Whenever you update a JIT policy, a cleanup tool automatically runs to check the validity of your entire ruleset. The tool looks for mismatches between rules in your policy and rules in the NSG. If the cleanup tool finds a mismatch, it determines the cause and, when it's safe to do so, removes built-in rules that aren't needed any more. The cleaner never deletes rules that you've created.
255
251
256
-
Examples scenarios when the cleaner might remove a rule:
252
+
Examples scenarios when the cleaner might remove a built-in rule:
257
253
258
254
- When two rules with identical definitions exist and one has a higher priority than the other (meaning, the lower priority rule will never be used)
259
255
- When a rule description includes the name of a VM which doesn't match the destination IP in the rule
260
256
261
-
262
257
## Next steps
263
258
In this article, you learned how just-in-time VM access in Security Center helps you control access to your Azure virtual machines.
0 commit comments