In the last lab, we applied an NSG to our single VM (VM1) to allow HTTP traffic in. Now, Contoso need to carry out some administration on their VMs, which means they need to RDP into the Windows machines and SSH into the Linux VMs. However, Contoso have complained that they can’t reach any of their machines to administer them (although the website is still accessible).
To test this, from the Azure portal select the public IP address ‘VM3-pip’ and copy the IP address. Try to SSH into this Linux virtual machine (e.g. ssh labuser@<ip address>) from your local machine (using a terminal emulator such as PuTTY, or the Windows Subsystem for Linux on Windows 10). This fails because your NSG does not allow TCP port 22 (or port 3389 for the Windows machines).
We could simply add a rule to our NSG that allows these ports; however, that would allow access on a permanent basis – it would be better if we could open these ports only while an administrator requires access. The ‘Just in Time Access’ feature of Azure Security Center (currently in preview) provides exactly this functionality.
1) In the Azure portal, navigate to Security Center from the left hand menu.
2) Under ‘Advanced Cloud Defense’, select ‘Just in Time Access (Preview)’.
3) In the main pane under ‘Virtual Machines’ click ‘Recommended’. This page displays a list of VMs that are recommended for JIT protection.
4) You should see all four VMs listed here. Select them all and then click on ‘Enable JIT on 4 VMs’, as shown in Figure 14.
Figure 14: Applying Just in Time Access
5) The suggested ports are shown – ports 22 and 3389 are suggested, as well as ports 5985 and 5986 (used for PowerShell Remoting). Click ‘Save’.
Now that JIT access is configured, let’s say we want to gain access to one of our VMs. To do this, follow these steps:
1) Go to the ‘configured’ tab under Just in Time Access.
2) Select VM-3 and then click ‘Request’.
3) As this is a Linux VM, we only need SSH access, so toggle port 22 to ‘on’. Leave all other settings at their default value. Click on ‘Open ports’. This is shown in Figure 15.
Figure 15: Requesting VM Access
4) Try to SSH into VM-3 again (using the public IP address you obtained at the beginning of this lab). You may need to try this twice to allow time for the NSG to be modified, but it should succeed.
5) Return to your ‘Contoso-IaaS’ resource group and click on the NSG you created earlier (Contoso-NSG). You should see a list of rules for the various ports – at the top, you should see an ‘allow’ rule for port 22 with your IP address as the source, as shown in Figure 16 (source IP address removed from image).
Figure 16: Just in Time Access – NSG Rules
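The difference this lab relies on is visible in the NSG itself: a JIT-created rule allows an admin port only from the requester's address, whereas a hand-added rule typically allows it from anywhere. The following script is an added example, not part of the lab or of Azure Security Center; it takes NSG rules in the shape emitted by `az network nsg rule list -o json` (the sample below is constructed, with placeholder rule names) and reports which inbound Allow rules expose SSH, RDP or PowerShell Remoting ports permanently to any source versus scoped to a specific source.

```python
import json
from typing import Iterable

# Admin ports JIT manages in this lab: SSH, RDP, PowerShell Remoting (HTTP/HTTPS).
ADMIN_PORTS = {22, 3389, 5985, 5986}
# Source prefixes that mean "anyone on the Internet" (Internet is an Azure service tag).
BROAD_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}

def port_spec_covers(spec: str, port: int) -> bool:
    """True if an NSG port spec ('*', '22', '5985-5986') includes the given port."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port

def rule_ports(rule: dict) -> list:
    # The CLI emits either destinationPortRange (str) or destinationPortRanges (list).
    ranges = rule.get("destinationPortRanges") or []
    single = rule.get("destinationPortRange")
    return ranges + ([single] if single else [])

def audit_admin_exposure(rules: Iterable[dict]) -> dict:
    """Classify inbound Allow rules that open any admin port.

    'permanent' rules allow an admin port from any source (what a hand-added
    NSG rule would do); 'scoped' rules are limited to a specific source
    address, as the JIT-created rule seen in Figure 16 is.
    """
    permanent, scoped = [], []
    for r in rules:
        if r.get("direction") != "Inbound" or r.get("access") != "Allow":
            continue
        if not any(port_spec_covers(s, p) for s in rule_ports(r) for p in ADMIN_PORTS):
            continue
        src = (r.get("sourceAddressPrefix") or "").lower()
        (permanent if src in BROAD_SOURCES else scoped).append(r["name"])
    return {"permanent": permanent, "scoped": scoped}

# Constructed sample (not captured from the lab); rule names are placeholders.
SAMPLE_RULES = json.loads("""[
 {"name": "Allow-HTTP", "priority": 100, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "80"},
 {"name": "JIT-SSH-from-admin", "priority": 101, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRange": "22"},
 {"name": "Allow-RDP-Anywhere", "priority": 110, "direction": "Inbound", "access": "Allow",
  "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["3389", "5985-5986"]},
 {"name": "Deny-Admin", "priority": 4000, "direction": "Inbound", "access": "Deny",
  "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]""")

if __name__ == "__main__":
    print(json.dumps(audit_admin_exposure(SAMPLE_RULES), indent=2))
```

Pipe real output from `az network nsg rule list --nsg-name Contoso-NSG -g Contoso-IaaS -o json` into `audit_admin_exposure` to confirm that, once JIT has closed the request window, no 'permanent' entries remain.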