Remotely accessing your Azure VM couldn't be easier.
After all, you just click Connect after building your VM and connect via RDP over the Internet. The problem is that this leaves port 3389 exposed to the Internet, where attackers are only a user ID and password away from compromising your VM.
There are a variety of ways of making remote access more secure: obfuscated RDP ports, jump boxes, Remote Desktop Session (RDS) hosts, and virtual desktop environments dedicated to admins. Obfuscated RDP ports are difficult to manage, and jump boxes, RDS hosts, and virtual desktop environments are expensive.
Azure has recently introduced a different mechanism that is very secure and modestly priced: Just In Time (JIT) VM Access.
JIT VM Access allows authorised administrators to request remote access to VMs for a pre-determined period of time via SSH, RDP, or remote PowerShell.
This article recommends that JIT VM Access is used instead of unsecured RDP access over port 3389, or as an alternative to more expensive Jump Boxes, RDP hosts, or VDI desktops.
Benefits to Partners:
The deployment of JIT VM Access will provide an additional $15 / node / month of revenue if a customer would otherwise have used the default RDP access over port 3389, and result in a more secure implementation for the customer. The value will be reflected in a reduction of Security Center warnings and alerts.
If a customer is using any of the alternative mechanisms, JIT VM Access will simplify and better secure remote access, and it might reduce their costs! Partners that manage their customers' Azure resources will benefit from managing a more secure and less complex environment that experiences fewer incidents and less maintenance.
Benefits to Your Customer:
Customers benefit from the deployment of JIT VM Access in all scenarios. JIT VM Access not only dynamically opens and closes the remote access ports, it also limits access to the IP address of the requesting user. This makes it more secure than any other alternative - delighting anyone responsible for information security!
JIT VM Access is activated in the Azure Security Center's Advanced cloud defence area.
JIT VM Access is part of a suite of capabilities branded as "advanced security for subscriptions." The Standard tier is the one that includes JIT VM Access, as shown in the following screenshot along with several other important capabilities.
Once JIT VM Access has been enabled, one can select one or more VMs and create an access policy. The default access policy includes access for SSH, RDP and remote PowerShell. Ports can be deleted from or added to the policy as needed. Note that you can also change the default maximum request time of 3 hours to something longer or shorter.
Once a VM's access policy has been defined, administrators can then request access. Note that the requester can further reduce the open ports by toggling only the desired ports On and leaving the others Off.
Once a JIT VM Access request has been activated, the Network Security Group (NSG) associated with that VM is updated to open the requested port(s). Note that all ports in the access policy are contained in the NSG, but only the ports that are supposed to be active are enabled. Once the access request expires, the Allow rule will be removed.
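As an added illustration of the policy-then-request flow described above (example code, not from the article or from rhipe), here are the same steps in Azure PowerShell. The subscription, resource group, VM, region and requester IP are placeholders, and the NSG is assumed to be attached to the VM's NIC rather than its subnet.

```powershell
# Added example. Assumes the Az.Security and Az.Network modules are installed
# and you have signed in with Connect-AzAccount. All names below are placeholders.
$sub  = "00000000-0000-0000-0000-000000000000"   # placeholder subscription id
$rg   = "rg-example"                              # placeholder resource group
$vm   = "vm-example"                              # placeholder VM name
$loc  = "australiaeast"                           # placeholder region
$vmId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vm"

# 1. Access policy: SSH, RDP and remote PowerShell (WinRM) ports, 3-hour maximum window.
#    "*" as the allowed source means the policy itself does not pin an IP;
#    each request below narrows access to the requester's own address.
$policyPorts = @(22, 3389, 5985, 5986) | ForEach-Object {
    @{ number = $_; protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" }
}
$policy = @( @{ id = $vmId; ports = $policyPorts } )
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $loc -Name "default" `
    -ResourceGroupName $rg -VirtualMachine $policy

# 2. Request access: RDP only, from one source IP, for one hour (inside the PT3H limit).
$requesterIp = "203.0.113.10"                      # placeholder for the admin's public IP
$endUtc   = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
$request  = @( @{ id = $vmId
                  ports = @( @{ number = 3389; endTimeUtc = $endUtc; allowedSourceAddressPrefix = @($requesterIp) } ) } )
$policyId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Security/locations/$loc/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine $request

# 3. Check: the NSG on the VM's NIC should now carry an Allow rule for 3389 scoped to
#    $requesterIp; once $endUtc passes, that Allow rule disappears again.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg | Where-Object { $_.VirtualMachine.Id -eq $vmId }
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg | Where-Object { $_.Id -eq $nic.NetworkSecurityGroup.Id }
$nsg.SecurityRules |
    Where-Object { $_.Access -eq "Allow" -and $_.DestinationPortRange -contains "3389" } |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange
```

Re-running step 3 after the request window has elapsed should return no Allow rule for 3389, which is the behaviour to confirm when validating a JIT rollout.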
By Bill Neumann, Principal Consultant, rhipe Solutions