Azure Bastion and Just-in-Time (JIT) VM access are two powerful security features in Azure that help protect virtual machines from unauthorized access and reduce attack surfaces.
Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH connectivity to your virtual machines through the Azure portal. You deploy Bastion into a dedicated subnet of your virtual network, and it then provides connectivity to VMs in that VNet and in peered VNets. The key benefit is that your VMs no longer need public IP addresses for remote management. Users connect through an HTML5 browser session over TLS on port 443; Bastion then opens the RDP or SSH session to the VM's private IP inside the VNet, so ports 3389 and 22 are never exposed to the public internet. Bastion sits at the perimeter of your virtual network as a hardened, Microsoft-managed jump host: it is the only component that accepts connections from the internet, which shields the VMs from port scanning and means hardening and patching of the entry point happens in one place.
Just-in-Time VM access is a feature of Microsoft Defender for Cloud that locks down inbound traffic to Azure VMs by managing Network Security Group (NSG) rules (and Azure Firewall rules, where a firewall sits in front of the VM). When enabled, management ports such as RDP (3389) and SSH (22) are held closed by deny rules until access is requested. A user requests access through the Azure portal or the API, specifying the duration, the source IP addresses or ranges, and the target ports. Defender for Cloud checks that the requester holds the required Azure RBAC permissions on the VM; there is no separate human approval step. If the check passes, temporary NSG allow rules are created for the requested source and ports for the specified time period only, and when the time expires the rules are removed and the ports close again.
Used together, these services create a defense-in-depth approach to VM security. Azure Bastion eliminates the need for public IPs while providing secure browser-based access, and JIT ensures management ports remain closed until legitimately needed. This combination significantly reduces the attack surface and helps organizations meet compliance requirements while maintaining operational flexibility for administrators.
Azure Bastion and Just-In-Time (JIT) VM Access
Why This Topic Is Important
Azure Bastion and Just-In-Time (JIT) VM access are critical components of securing virtual machine access in Azure. These technologies help organizations reduce their attack surface by eliminating the need for public IP addresses on VMs and limiting the time windows during which management ports are open. For the AZ-500 exam, understanding these concepts is essential as they represent Microsoft's recommended approaches for secure VM connectivity.
What is Azure Bastion?
Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH connectivity to your virtual machines through the Azure portal. Key characteristics include:
• Browser-based access - Connect via an HTML5 browser session over TLS on port 443
• No public IP required - VMs do not need public IP addresses for RDP/SSH access
• No agent required - Works with existing Azure VMs with no additional software on the VM
• Protection against port scanning - VMs are not reachable from the public internet; only the Bastion host is
• Hardened in one place - Only the Bastion host is internet-facing, and Microsoft manages its hardening and patching
Azure Bastion SKUs
• Basic SKU: fixed at 2 instances, 25 concurrent RDP/SSH connections; portal (browser) connections only
• Standard SKU: scales from 2 up to 50 instances and adds native client support (connect with your own RDP/SSH client via the Azure CLI), IP-based connection, shareable links, and Kerberos authentication
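The deployment below is an added example, not code from the original page or from Microsoft's documentation. It uses the Az PowerShell module to put a Standard SKU Bastion host into an existing VNet, restrict the target VM's NSG so RDP/SSH is reachable only from the AzureBastionSubnet range, and then audit the resource group for NICs that still carry a public IP. The resource group, region, VNet, NSG and address range are assumptions; the subnet name and the /26 minimum are Bastion requirements.

```powershell
# Added example (not from the original page). Assumes Az.Network is installed and
# Connect-AzAccount has already been run. All names and ranges below are assumptions.
$rg                  = "rg-bastion-demo"   # assumed resource group
$location            = "eastus"            # assumed region
$vnetName            = "vnet-prod"         # assumed existing VNet
$bastionSubnetPrefix = "10.0.255.0/26"     # /26 is the minimum size Bastion accepts
$vmNsgName           = "nsg-vm-app01"      # assumed NSG attached to the target VM

# 1. Add the dedicated subnet. The name must be exactly "AzureBastionSubnet".
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Add-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" `
    -AddressPrefix $bastionSubnetPrefix -VirtualNetwork $vnet | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork

# 2. Bastion needs a Standard-SKU static public IP. The VMs themselves get none.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-bastion" `
    -Location $location -Sku Standard -AllocationMethod Static

# 3. Deploy the host. Standard SKU is required for native client, shareable links and scaling.
New-AzBastion -ResourceGroupName $rg -Name "bas-prod" `
    -PublicIpAddress $pip -VirtualNetwork $vnet -Sku "Standard"

# 4. On the VM's NSG, allow 22/3389 only from the Bastion subnet and explicitly deny them
#    from the Internet tag. Bastion reaches the VM over the VNet on the real RDP/SSH ports,
#    so these rules are what keep the management ports private.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $vmNsgName
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-Mgmt-From-Bastion" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $bastionSubnetPrefix -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 22,3389 | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Deny-Mgmt-From-Internet" -Priority 110 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix "Internet" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 22,3389 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# 5. Check: any NIC in the resource group that still has a public IP is a VM that could be
#    reached without going through Bastion. This should return nothing.
Get-AzNetworkInterface -ResourceGroupName $rg |
    Where-Object { $_.IpConfigurations | Where-Object { $_.PublicIpAddress } } |
    Select-Object Name, @{ n = "PublicIpId"; e = { ($_.IpConfigurations.PublicIpAddress.Id) -join "," } }
```

If you attach an NSG to AzureBastionSubnet itself, it must permit inbound 443 from Internet and from the GatewayManager service tag and outbound 22/3389 to VirtualNetwork, or the deployment fails. If you later put the VM under JIT, remove the standing allow rule from step 4 so that JIT's deny rule governs and the port opens only per request.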
What is Just-In-Time (JIT) VM Access?
JIT VM access is a feature of Microsoft Defender for Cloud that reduces exposure to attacks by enabling access to VMs only when needed, for a limited time, and from approved IP addresses.
How JIT Works:
1. A user requests access to a VM through Defender for Cloud in the portal or programmatically (REST API, PowerShell, CLI)
2. Defender for Cloud checks that the user holds the required Azure RBAC permissions on the VM
3. If the check passes, Defender for Cloud writes NSG rules (and Azure Firewall rules, if applicable) allowing inbound traffic on the requested ports from the requested source addresses for the requested duration
4. After the specified time expires, the temporary allow rules are removed and the ports revert to their denied state
JIT Requirements:
• Microsoft Defender for Servers Plan 2 enabled on the subscription
• The VM must have an NSG (on its NIC or subnet) or an Azure Firewall in its path, because JIT works by writing rules into one of them
• Appropriate RBAC permissions: Reader or Security Reader to view policies; requesting access additionally needs the Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action permission, which Contributor includes and which a custom role can grant on its own
How Azure Bastion and JIT Work Together
These technologies can be combined for enhanced security:
• Use Azure Bastion as the connectivity method, so VMs have no public IP and every RDP/SSH session originates from the AzureBastionSubnet range
• Apply JIT policies to the VMs so that 22/3389 are closed by default; when an administrator needs a session, the JIT request names the AzureBastionSubnet address range as the allowed source, so the port opens only to Bastion and only for the requested window
• This creates a defense-in-depth approach: no public exposure at all, and even the private path to the management ports is closed except during a requested window
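The following is an added example, not code from the original page or from Microsoft's documentation, covering both the JIT workflow described under "How JIT Works" and the Bastion-plus-JIT combination above. It uses the Az.Security cmdlets to create a JIT policy for one VM, request a one-hour window whose only permitted source is the AzureBastionSubnet range, and then verify what JIT wrote into the NSG. The subscription ID, resource names, region and address range are assumptions; the hashtable shapes follow the Set-AzJitNetworkAccessPolicy and Start-AzJitNetworkAccessPolicy conventions, and the "SecurityCenter-JITRule" name prefix is what I have observed JIT use, so treat both as assumptions to confirm in your own tenant.

```powershell
# Added example (not from the original page). Requires Az.Security and Az.Network,
# Defender for Servers Plan 2 on the subscription, and an NSG attached to the VM with no
# standing allow rule for 22/3389. All identifiers below are assumptions.
$subId               = "00000000-0000-0000-0000-000000000000"  # assumed subscription id
$rg                  = "rg-bastion-demo"
$location            = "eastus"
$vmName              = "vm-app01"
$vmNsgName           = "nsg-vm-app01"
$bastionSubnetPrefix = "10.0.255.0/26"   # the AzureBastionSubnet range: the only source we ever allow
$vmId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. Policy: which ports JIT manages, which sources a request may name, and the longest
#    window a requester may ask for. Durations are ISO 8601 (PT3H = 3 hours); the platform
#    ceiling is PT24H. Restricting allowedSourceAddressPrefix to the Bastion subnet means a
#    request for any other source is rejected up front.
$vmPolicy = @{
    id    = $vmId
    ports = @(
        @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @($bastionSubnetPrefix); maxRequestAccessDuration = "PT3H" },
        @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @($bastionSubnetPrefix); maxRequestAccessDuration = "PT3H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $rg -VirtualMachine @($vmPolicy)

# 2. Request: open only 3389, for one hour, from the Bastion subnet. endTimeUtc must fall
#    within maxRequestAccessDuration. Defender checks the caller's RBAC (it needs the
#    jitNetworkAccessPolicies/initiate/action permission), writes a temporary allow rule
#    into the VM's NSG, and removes it at expiry. No human approval step is involved.
$endUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
$vmRequest = @{
    id    = $vmId
    ports = @(
        @{ number = 3389; endTimeUtc = $endUtc; allowedSourceAddressPrefix = @($bastionSubnetPrefix) }
    )
}
$policyId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($vmRequest)

# 3. Verify. The policy object records the request, and the VM's NSG should now contain a
#    JIT-managed allow rule (assumed name prefix "SecurityCenter-JITRule") whose source is
#    the Bastion subnet; after $endUtc that rule is gone and only the deny remains.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name "default" | Format-List
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $vmNsgName).SecurityRules |
    Where-Object { $_.Name -like "SecurityCenter-JITRule*" } |
    Select-Object Name, Priority, Access, SourceAddressPrefix, DestinationPortRange
```

Once the request is granted, connect through the Bastion host in the portal as usual; because the session egresses from AzureBastionSubnet, it matches the temporary allow rule, while any other path to 3389 still hits the deny.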
Exam Tips: Answering Questions on Azure Bastion and JIT VM Access
Key Points to Remember:
• Azure Bastion requires a dedicated subnet named exactly AzureBastionSubnet with a /26 or larger address range
• Bastion is deployed per virtual network, not per VM, and can reach VMs in peered VNets
• JIT requires Defender for Servers Plan 2 to be enabled
• JIT adds and removes NSG rules dynamically; it does not replace NSGs, and a VM with no NSG or Azure Firewall cannot be JIT-protected
• Maximum JIT access duration is 24 hours
• Default ports protected by JIT: 22 (SSH), 3389 (RDP), 5985/5986 (WinRM)
Common Exam Scenarios:
• When asked about securing VM access from the internet, consider Azure Bastion first
• Questions about time-limited access or reducing attack surface point to JIT
• If a question mentions eliminating public IPs while maintaining management access, Azure Bastion is likely the answer
• For questions about NSG rule automation based on access requests, JIT is the solution
Watch Out For:
• Bastion Standard SKU features (native client, shareable links, scaling) vs Basic SKU limitations
• JIT access requests require specific RBAC permissions beyond just VM access
• Users reach Azure Bastion over TLS on port 443; Bastion itself reaches the VM on 3389/22 across the VNet, so the VM's NSG must still allow those ports from the AzureBastionSubnet range
• JIT is a Defender for Cloud feature, not a standalone Azure service