Just-in-time access now supports Azure Firewall
Posted on Wednesday, June 19, 2019
Just-in-time (JIT) virtual machine (VM) access can now be used with Azure Firewall.
Until now, when just-in-time was enabled, Security Center created a just-in-time policy that locked down inbound traffic to your Azure VMs (on the ports you select) by creating a Network Security Group (NSG) rule. Now, JIT is also available for VMs protected by Azure Firewall.
When a user requests access to a VM covered by a JIT policy, Security Center first checks that the user has the Role-Based Access Control (RBAC) permissions needed to request access to that VM. If the user has the permissions and the request is approved, Security Center automatically configures the NSG and Azure Firewall rules to allow inbound traffic with the following restrictions:
- To the specified VM ports
- From the requested source IP addresses or ranges
- For the specified amount of time
After the time expires, Security Center restores the NSG and Azure Firewall rules to their previous state, so the port is closed again without any action from the user.
In addition, after a request is approved for a VM protected by Azure Firewall, Security Center provides the user with the connection details to use. Because the VM sits behind the firewall, the user connects to the firewall's public IP address and the port from the DNAT rule that Security Center created (the port mapping from the DNAT table), which the firewall translates to the VM's private IP address and port.
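To make the three restrictions concrete, the following is an added example (not Security Center's or Microsoft's own code) that models a JIT policy and an access request and checks the request against the policy's port, source-address and duration limits before it would be submitted. The JSON shapes are modelled on the Microsoft.Security/jitNetworkAccessPolicies resource and its initiate call as the editor understands them and should be treated as an assumption; the subscription, resource group, VM name and IP prefixes are placeholders.

```python
"""Check a JIT VM access request against a JIT policy (constructed example).

Not Security Center's code. The policy and request shapes are assumed to
follow the Microsoft.Security/jitNetworkAccessPolicies REST resource; all
identifiers and addresses below are placeholders.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Placeholder VM resource id (assumption: not a real subscription or VM).
VM_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-prod"
         "/providers/Microsoft.Compute/virtualMachines/vm-web01")

# Fixed "now" so the example and its results are reproducible.
DEMO_NOW = datetime(2019, 6, 19, 12, 0, tzinfo=timezone.utc)

# JIT policy (assumed shape): which ports may be opened, from which source
# prefix, and for at most how long (ISO 8601 duration).
JIT_POLICY = {
    "kind": "Basic",
    "properties": {
        "virtualMachines": [{
            "id": VM_ID,
            "ports": [
                {"number": 22, "protocol": "TCP",
                 "allowedSourceAddressPrefix": "203.0.113.0/24",
                 "maxRequestAccessDuration": "PT3H"},
                {"number": 3389, "protocol": "TCP",
                 "allowedSourceAddressPrefix": "*",
                 "maxRequestAccessDuration": "PT1H"},
            ],
        }],
    },
}

_DURATION_RE = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")
_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_iso_duration(value):
    """Parse the PTnHnM durations used in JIT policies (hours/minutes only)."""
    m = _DURATION_RE.match(value)
    if not m or not any(m.groups()):
        raise ValueError("unsupported duration %r" % value)
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes)


def source_allowed(requested, allowed):
    """True if every address in `requested` lies inside the policy prefix."""
    if allowed == "*":
        return True
    if requested == "*":          # "any source" is never inside a specific prefix
        return False
    req = ipaddress.ip_network(requested, strict=False)
    pol = ipaddress.ip_network(allowed, strict=False)
    return req.version == pol.version and req.subnet_of(pol)


def build_initiate_request(vm_id, port, source_prefix, duration, justification, now=DEMO_NOW):
    """Build the body of the policy 'initiate' call (assumed schema)."""
    end = now + parse_iso_duration(duration)
    return {
        "virtualMachines": [{
            "id": vm_id,
            "ports": [{"number": port,
                       "allowedSourceAddressPrefix": source_prefix,
                       "endTimeUtc": end.strftime(_TIME_FMT)}],
        }],
        "justification": justification,
    }


def check_request(policy, request, now=DEMO_NOW):
    """Return the reasons a request violates the policy (empty list = allowed).

    Mirrors the three restrictions the text describes: port, source, time.
    """
    problems = []
    policy_vms = {vm["id"]: vm for vm in policy["properties"]["virtualMachines"]}
    for vm in request["virtualMachines"]:
        pvm = policy_vms.get(vm["id"])
        if pvm is None:
            problems.append("%s: VM is not covered by the JIT policy" % vm["id"])
            continue
        rules = {p["number"]: p for p in pvm["ports"]}
        for p in vm["ports"]:
            rule = rules.get(p["number"])
            if rule is None:
                problems.append("port %d: not in policy" % p["number"])
                continue
            if not source_allowed(p["allowedSourceAddressPrefix"], rule["allowedSourceAddressPrefix"]):
                problems.append("port %d: source %s outside %s" % (
                    p["number"], p["allowedSourceAddressPrefix"], rule["allowedSourceAddressPrefix"]))
            end = datetime.strptime(p["endTimeUtc"], _TIME_FMT).replace(tzinfo=timezone.utc)
            if end - now > parse_iso_duration(rule["maxRequestAccessDuration"]):
                problems.append("port %d: requested window exceeds %s" % (
                    p["number"], rule["maxRequestAccessDuration"]))
    return problems


if __name__ == "__main__":
    ok = build_initiate_request(VM_ID, 22, "203.0.113.10/32", "PT1H", "patch window")
    bad = build_initiate_request(VM_ID, 22, "198.51.100.5/32", "PT4H", "too broad")
    print("ok request:", check_request(JIT_POLICY, ok) or "allowed")
    print("bad request:", check_request(JIT_POLICY, bad))
```

The check runs entirely offline; in practice the body returned by `build_initiate_request` is what would be posted to the policy's initiate endpoint, and Security Center performs the equivalent validation on the service side. Requesting a /32 source prefix and the shortest duration that covers the task is the habit this encourages: the policy sets the ceiling, the request should stay well under it.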
Using JIT access for VMs protected by Azure Firewall, customers can now protect a wider range of resources and further limit exposure to attacks. To learn more, see Manage virtual machine access using just-in-time.