Just In Time access for VMs

So, you’ve been working hard to secure your environment by locking down your NSGs (Network Security Groups) and restricting your admin team’s access, only to find yourself opening and closing ports on the NSG and moving people in and out of AD groups every time someone from your IT team needs to access a VM.

Or, on the other hand (and certainly the more concerning of the two scenarios here), you are leaving ports open to allow for administration!

Well, this is where JiT (Just in Time) access comes in. As the name suggests, JiT allows access to your resources just at the moment it is needed, automatically. Gone are the days of sieve-like rule bases or many, many hours of adding and removing rules.

What’s the catch?
There isn’t one really, although do consider that this is a part of Azure Security Center Standard pricing, which you should already have enabled anyway! For those who haven’t yet enabled it, you can view all the features here. There are a lot of excellent features included with the Standard licence, with JiT being just one.

JiT works by configuring an NSG rule automatically. When someone requests access, Security Center will first check whether the person requesting the access has the correct RBAC permissions to allow access to the VM. If the correct permissions are in place, Security Center will configure an NSG rule (and, if implemented, an Azure Firewall rule) to allow inbound traffic to the selected ports from the requested source IP addresses for the amount of time that was specified. After the time has expired, Security Center restores the NSGs to their previous states. It is important to note that, just like manually creating and applying an NSG rule, connections that are already established are not interrupted.
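The flow described above, driven from PowerShell with the Az.Security module, as an added example that is not from the original post. The subscription ID, resource group, VM name, NSG name, region and source addresses are placeholders.

```powershell
# Assumes the Az.Security and Az.Network modules and a signed-in session (Connect-AzAccount).
# Every value in this first block is a placeholder, not taken from the post.
$sub   = "00000000-0000-0000-0000-000000000000"
$rg    = "rg-example"
$vm    = "vm-example"
$nsg   = "nsg-example"
$loc   = "westeurope"
$admin = "203.0.113.10"     # requester's public IP (documentation address range)
$vmId  = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vm"

# 1. Define the JiT policy: which ports may be requested, from where, and for how long at most.
$policy = @{
    id    = $vmId
    ports = @(
        @{ number = 3389; protocol = "TCP"
           allowedSourceAddressPrefix = @("203.0.113.0/24")   # restrict sources; avoid "*"
           maxRequestAccessDuration   = "PT3H" }              # ISO 8601 duration, 3 hours
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $loc -Name "default" `
    -ResourceGroupName $rg -VirtualMachine @($policy)

# 2. Request access for one hour from a single source IP.
#    The request succeeds only if the caller holds the required RBAC permissions.
$request = @{
    id    = $vmId
    ports = @(
        @{ number = 3389
           endTimeUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
           allowedSourceAddressPrefix = @($admin) }
    )
}
$policyId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Security" +
            "/locations/$loc/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# 3. Inspect the NSG: the temporary allow rule should be present now and gone after endTimeUtc.
Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsg |
    Select-Object -ExpandProperty SecurityRules |
    Where-Object { $_.Direction -eq "Inbound" -and $_.DestinationPortRange -contains "3389" } |
    Select-Object Name, Access, Priority, SourceAddressPrefix
```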

JiT certainly does not fix all of your security concerns or woes, but it should be one of the tools in your arsenal.
