Azure Virtual Machine Just-In-Time Access
What is Just-in-Time Virtual Machine access?
Just-in-Time virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while still providing easy access to the VMs when needed.
The JIT VM feature is essentially an automated Azure Network Security Group rule set: it opens a chosen set of ports on specific Azure VMs for a temporary period, restricted to a source IP address or network range.
Azure Security Center locks down inbound traffic on the selected ports and opens a port only on request, by creating a Network Security Group rule for a limited time and from approved IP addresses (in most cases the public IP address of our local machine), and only for users with the proper permissions.
All requests are also logged in the Azure Activity Log, so we can easily monitor and audit the access.
How does Azure VM JIT Access work?
When a user requests access to a VM, Security Center checks that the user has Role-Based Access Control (RBAC) permissions that provide write access to the VM. If they do, the request is approved and Security Center automatically configures the Network Security Groups (NSGs) to allow inbound traffic to the management ports for the amount of time you specified. After that time has expired, Security Center restores the NSGs to their previous state.
NOTE: The Free Tier does not include JIT VM Access, but you should get the option of a 60-day trial of the Standard Tier, which does.
Automating Azure VM Just in Time Access via PowerShell:
# Import the Azure RM PowerShell module
Import-Module AzureRM
# Import the Azure Security Center PowerShell module (provides Invoke-ASCJITAccess)
Import-Module Azure-Security-Center
# Resource group name
$resourceGroup = "ResourceGroupName"
# VM that will be started after the NSG has been updated
$VMName = "VM-01"
# Our public IP - navigate to "https://www.whatismyip.com/" to find it
$ipAddress = "183.83.222.243"
# Path to the local RDP file
$RDPFile = "C:\Users\raghu\Downloads\vs2017-win2016.rdp"
# Number of hours the access window should stay open
[int]$hours = 3
$cred = $null
$cred = Get-Credential -Message "Please enter the credentials to login to Azure"
$SubscriptionId = "4f98b0d0-a2bd-4389-bea7-31faae224077"
Login-AzureRmAccount -Credential $cred -SubscriptionId $SubscriptionId -ErrorAction Stop | Out-Null
# Main script
# Request JIT access to the VM for RDP (port 3389) from the current public IP for $hours hours
Invoke-ASCJITAccess -ResourceGroupName $resourceGroup -VM $VMName -Port 3389 -Hours $hours -AddressPrefix $ipAddress
$vmDetails = Get-AzureRmVM -ResourceGroupName $resourceGroup -Name $VMName -Status -ErrorAction Stop
# Start the Azure VM if it is deallocated.
# Statuses[1].Code is "PowerState/<state>"; take the part after the slash and title-case it
$VMPowerState = (Get-Culture).TextInfo.ToTitleCase(($vmDetails.Statuses)[1].Code.Split("/")[1])
if ($VMPowerState -eq "Deallocated") {
    # Start the Azure VM
    $vmstatus = Start-AzureRmVM -ResourceGroupName $resourceGroup -Name $VMName
    # Connect to the VM with the RDP settings file once it has started
    if ($vmstatus.Status.Equals("Succeeded")) {
        # Wait 2 minutes for the VM to finish booting
        Start-Sleep 120
        Start-Process "$env:windir\system32\mstsc.exe" -ArgumentList $RDPFile
    }
    else {
        Write-Host "Something went wrong when starting Azure VM Name: $VMName at - $(Get-Date -Format "dd-MMM-yyyy HH:mm:ss")" -ForegroundColor "red" -BackgroundColor "yellow"
    }
} else {
    # VM is already running; connect straight away
    Start-Process "$env:windir\system32\mstsc.exe" -ArgumentList $RDPFile
}
# End of the script
The script above imports two modules:
- AzureRM Module
- Azure-Security-Center
The Invoke-ASCJITAccess cmdlet comes from the Azure-Security-Center PowerShell module and is the one used to request Just-in-Time access.
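Since Security Center is expected to restore the NSG once the requested window expires, it is worth verifying that no inbound Allow rule for the RDP port is left behind. The following check is an added example, not part of the original post or of the Azure-Security-Center module; it assumes the same resource group and VM name as the script above and that the NSG is attached to the VM's first NIC in the same resource group (subnet-level NSGs are not inspected).

```powershell
# Added example: verify that no JIT-opened inbound rule is still present on the VM's NSG.
# Assumptions: names match the script above; the NSG is attached to the VM's first NIC
# and lives in the same resource group (subnet-level NSGs are not checked here).
$resourceGroup = "ResourceGroupName"
$VMName        = "VM-01"
$port          = 3389

Import-Module AzureRM
$vm = Get-AzureRmVM -ResourceGroupName $resourceGroup -Name $VMName -ErrorAction Stop
# Resource IDs end in the resource name, so take the last path segment
$nicName = $vm.NetworkProfile.NetworkInterfaces[0].Id.Split("/")[-1]
$nic = Get-AzureRmNetworkInterface -ResourceGroupName $resourceGroup -Name $nicName -ErrorAction Stop
if (-not $nic.NetworkSecurityGroup) {
    Write-Warning "NIC $nicName has no NSG attached; JIT cannot lock down this VM at NIC level."
    return
}
$nsgName = $nic.NetworkSecurityGroup.Id.Split("/")[-1]
$nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName -ErrorAction Stop

# Any inbound Allow rule that covers the port (exact port or '*') is still exposing it.
# DestinationPortRange is a string in older AzureRM builds and a list in newer ones; -eq handles both.
# Port ranges such as "3000-4000" are not expanded here and would need a separate check.
$openRules = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq "Inbound" -and $_.Access -eq "Allow" -and
    ($_.DestinationPortRange -eq "$port" -or $_.DestinationPortRange -eq "*")
}

if ($openRules) {
    Write-Warning "Port $port is still open inbound on NSG ${nsgName}:"
    $openRules | Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange | Format-Table -AutoSize
} else {
    Write-Host "No inbound Allow rule for port $port on NSG $nsgName - JIT window is closed." -ForegroundColor Green
}
```

Run it after the requested number of hours has elapsed; a rule that is still listed, especially one whose SourceAddressPrefix is '*', deserves a look in the Activity Log to see who created it.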
For a version with proper logging, see the automated PowerShell script that enables Just-In-Time Access for an Azure Virtual Machine through Security Center: Technet Script Center Link