AZ-500 Microsoft Azure Security Technologies Exam
Are you a guardian of your domain? Learn how to leverage your aptitude in security to protect Microsoft Azure technologies, with a goal of earning the Microsoft Certified: Azure Security Engineer Associate certification!
Plan and implement remote access to virtual machines, including Azure Bastion and Just-in-Time VM Access
Configure Azure Bastion and Just-In-Time VM Access
Azure Bastion and Just-In-Time (JIT) VM Access work together to provide secure remote management for Azure virtual machines. Azure Bastion acts as a managed jump-box deployed inside your virtual network, so you never need a public IP on your VMs. This setup reduces the attack surface by enforcing least-privilege connectivity and ensuring all remote sessions stay within Azure’s private network. By using a browser-based client, administrators gain seamless RDP or SSH access without exposing infrastructure to the Internet.
To deploy Azure Bastion, you must create an AzureBastionSubnet with a minimum /26 address space and select the Standard SKU or higher. The Bastion host uses private IPs to connect to your VMs, eliminating the need for public IP assignments on each machine. Users simply open the Azure portal in any HTML5-capable browser, choose Connect > Bastion on the target VM, and start their session. This method ensures that sensitive management ports are never directly reachable from the Internet.
Proper network segmentation and NSG configuration are crucial for Azure Bastion’s security and reliability. The NSG attached to the AzureBastionSubnet must allow:
- Ingress on port 443 from the Internet and Azure service tags like GatewayManager and AzureLoadBalancer
- Egress on ports 3389 (RDP) and 22 (SSH) to VM subnets
- Egress on ports 8080 and 5701 for Bastion’s data plane, plus 443 to AzureCloud
It is important to include all required rules so that Bastion can receive updates and maintain continuous service without exposing additional ports.
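The subnet and NSG requirements above are easy to get slightly wrong (a /27 instead of a /26, a forgotten data-plane port), so an audit that compares a proposed configuration against the required rule list is worth having before Bastion is deployed. The following Python script is an added example, not Microsoft tooling or code from this page. `REQUIRED_RULES` encodes the rules listed above; as an assumption, the egress targets for 3389/22 and 8080/5701 are expressed with the `VirtualNetwork` service tag, and the sample subnet and NSG rules are constructed inputs with the 5701 egress rule deliberately left out so the audit has something to report.

```python
"""Audit a Bastion subnet definition and the NSG rules attached to it.

Added example, not Microsoft tooling. REQUIRED_RULES encodes the rule list
from the text above; the egress targets for 3389/22 and 8080/5701 are
expressed with the VirtualNetwork service tag (an assumption), and the
sample subnet and NSG rules are constructed inputs.
"""
import ipaddress

BASTION_SUBNET_NAME = "AzureBastionSubnet"
MAX_PREFIX_LEN = 26  # /26 or larger; a larger prefix length means a smaller subnet

# (direction, destination port, peer) where peer is the rule's source for
# inbound rules and its destination for outbound rules.
REQUIRED_RULES = [
    ("Inbound", 443, "Internet"),
    ("Inbound", 443, "GatewayManager"),
    ("Inbound", 443, "AzureLoadBalancer"),
    ("Outbound", 3389, "VirtualNetwork"),
    ("Outbound", 22, "VirtualNetwork"),
    ("Outbound", 8080, "VirtualNetwork"),
    ("Outbound", 5701, "VirtualNetwork"),
    ("Outbound", 443, "AzureCloud"),
]


def check_bastion_subnet(name, prefix):
    """Return a list of findings; an empty list means the subnet is acceptable."""
    findings = []
    if name != BASTION_SUBNET_NAME:
        findings.append(f"subnet must be named {BASTION_SUBNET_NAME}, got {name!r}")
    try:
        net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits in the prefix
    except ValueError as exc:
        return findings + [f"invalid address prefix {prefix!r}: {exc}"]
    if net.prefixlen > MAX_PREFIX_LEN:
        findings.append(
            f"{prefix} is a /{net.prefixlen}; Bastion needs a /{MAX_PREFIX_LEN} or larger"
        )
    return findings


def _port_matches(rule_ports, wanted):
    """NSG port fields may be '*', a single port, a range 'lo-hi', or a comma list."""
    if rule_ports == "*":
        return True
    for part in rule_ports.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= wanted <= hi:
                return True
        elif int(part) == wanted:
            return True
    return False


def _rule_covers(rule, direction, port, peer):
    """True if this Allow rule permits TCP `port` to/from `peer` in `direction`."""
    if rule["access"] != "Allow" or rule["direction"] != direction:
        return False
    if rule["protocol"] not in ("Tcp", "*"):
        return False
    peer_field = "source" if direction == "Inbound" else "destination"
    if rule[peer_field] not in (peer, "*"):
        return False
    return _port_matches(rule["destination_port"], port)


def missing_bastion_rules(rules):
    """Return the required (direction, port, peer) entries no Allow rule satisfies."""
    return [
        req for req in REQUIRED_RULES
        if not any(_rule_covers(rule, *req) for rule in rules)
    ]


# Constructed NSG for the Bastion subnet; the 5701 egress rule is deliberately absent.
SAMPLE_NSG_RULES = [
    {"name": "AllowHttpsInbound", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "Internet", "destination": "*", "destination_port": "443"},
    {"name": "AllowGatewayManagerInbound", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "GatewayManager", "destination": "*", "destination_port": "443"},
    {"name": "AllowLoadBalancerInbound", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "source": "AzureLoadBalancer", "destination": "*", "destination_port": "443"},
    {"name": "AllowSshRdpOutbound", "direction": "Outbound", "access": "Allow",
     "protocol": "*", "source": "*", "destination": "VirtualNetwork", "destination_port": "22,3389"},
    {"name": "AllowBastionDataPlaneOutbound", "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "source": "*", "destination": "VirtualNetwork", "destination_port": "8080"},
    {"name": "AllowAzureCloudOutbound", "direction": "Outbound", "access": "Allow",
     "protocol": "Tcp", "source": "*", "destination": "AzureCloud", "destination_port": "443"},
]

if __name__ == "__main__":
    for finding in check_bastion_subnet("AzureBastionSubnet", "10.0.1.0/27"):
        print("subnet:", finding)
    for direction, port, peer in missing_bastion_rules(SAMPLE_NSG_RULES):
        print(f"nsg: no {direction} Allow rule for TCP {port} <-> {peer}")
```

Run as-is, the script reports that a /27 is too small and that no egress rule for TCP 5701 to the virtual network exists. The audit intentionally counts only Allow rules; a real NSG review should also confirm that no higher-priority Deny rule shadows one of the required Allow rules.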
JIT VM Access complements Azure Bastion by granting time-bound inbound connections only when needed. Administrators define JIT policies that specify:
- Which ports and protocols can open
- The allowed source IP ranges
- A maximum access duration (for example, one hour)
These policies integrate with Role-Based Access Control (RBAC), ensuring that only authorized users can request access. When a user submits a JIT request, Azure Security Center evaluates the request against policy and, upon approval, opens the requested port for the specified time window.
All connection requests and approvals are logged in Azure Monitor, providing comprehensive auditing for security reviews and compliance standards. By combining Azure Bastion with JIT VM Access, you achieve a layered defense that enforces least-privilege, minimizes open ports, and captures detailed logs for every access event.
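To make the policy evaluation concrete, the following Python script is an added example, not Microsoft's implementation or the Azure SDK. It builds a JIT policy from the three elements listed above (ports, allowed source ranges, maximum duration) and decides sample requests against it the way the text describes. The policy dictionary follows the field names of the `Microsoft.Security` `jitNetworkAccessPolicies` resource (`kind`, `properties.virtualMachines[].ports[]` with `number`, `protocol`, `allowedSourceAddressPrefix` and `maxRequestAccessDuration`); the evaluation logic, the placeholder VM resource id, the address ranges and the requests are all constructed.

```python
"""Build a JIT VM Access policy and evaluate access requests against it.

Added example, not Microsoft's implementation or the Azure SDK. The policy
dictionary follows the field names of the Microsoft.Security
jitNetworkAccessPolicies resource (kind, properties.virtualMachines[].ports[]
with number, protocol, allowedSourceAddressPrefix and maxRequestAccessDuration);
the evaluation logic and all VM ids, addresses and requests are constructed.
"""
import ipaddress
import re
from datetime import timedelta

# Durations are ISO 8601 (PT1H, PT30M, PT1H30M); Azure caps a JIT request at three hours.
_ISO_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")
MAX_JIT_DURATION = timedelta(hours=3)


def parse_duration(text):
    """Parse a PTnHnM duration into a timedelta; reject anything else."""
    match = _ISO_DURATION.match(text)
    if not match or not any(match.groups()):
        raise ValueError(f"unsupported duration {text!r}")
    hours, minutes = (int(g) if g else 0 for g in match.groups())
    return timedelta(hours=hours, minutes=minutes)


def build_jit_policy(vm_id, ports):
    """ports: iterable of (number, protocol, allowed_source_prefix, max_duration)."""
    entries = []
    for number, protocol, source, duration in ports:
        if not 1 <= number <= 65535:
            raise ValueError(f"invalid port {number}")
        if protocol not in ("TCP", "UDP", "*"):
            raise ValueError(f"invalid protocol {protocol!r}")
        if source != "*":
            ipaddress.ip_network(source, strict=False)  # raises on a malformed range
        if parse_duration(duration) > MAX_JIT_DURATION:
            raise ValueError(f"{duration} exceeds the {MAX_JIT_DURATION} JIT limit")
        entries.append({
            "number": number,
            "protocol": protocol,
            "allowedSourceAddressPrefix": source,
            "maxRequestAccessDuration": duration,
        })
    return {"kind": "Basic",
            "properties": {"virtualMachines": [{"id": vm_id, "ports": entries}]}}


def evaluate_request(policy, vm_id, port, source_ip, duration):
    """Decide a JIT request as the text describes: the port must be in the policy,
    the caller's address inside the allowed range, and the requested window no
    longer than the policy maximum. Returns (approved, reason)."""
    for vm in policy["properties"]["virtualMachines"]:
        if vm["id"] != vm_id:
            continue
        for entry in vm["ports"]:
            if entry["number"] != port:
                continue
            prefix = entry["allowedSourceAddressPrefix"]
            if prefix != "*":
                allowed = ipaddress.ip_network(prefix, strict=False)
                if ipaddress.ip_address(source_ip) not in allowed:
                    return False, f"source {source_ip} is outside the allowed range {prefix}"
            limit = entry["maxRequestAccessDuration"]
            if parse_duration(duration) > parse_duration(limit):
                return False, f"requested {duration} exceeds the policy maximum {limit}"
            return True, f"open {entry['protocol']}/{port} for {duration} from {source_ip}"
        return False, f"port {port} is not covered by the JIT policy"
    return False, f"no JIT policy covers {vm_id}"


# Constructed values: a placeholder VM resource id and a documentation address range.
SAMPLE_VM_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
                "/providers/Microsoft.Compute/virtualMachines/vm-demo")
SAMPLE_POLICY = build_jit_policy(SAMPLE_VM_ID, [
    (22, "TCP", "203.0.113.0/24", "PT1H"),
    (3389, "TCP", "203.0.113.0/24", "PT1H"),
])

if __name__ == "__main__":
    for request in [(22, "203.0.113.10", "PT1H"),      # in range, within the hour
                    (22, "198.51.100.7", "PT1H"),      # wrong source range
                    (3389, "203.0.113.10", "PT2H"),    # longer than the policy allows
                    (8080, "203.0.113.10", "PT1H")]:   # port not in the policy
        approved, reason = evaluate_request(SAMPLE_POLICY, SAMPLE_VM_ID, *request)
        print("APPROVED" if approved else "DENIED ", reason)
```

Each decision comes back with a reason string, which is the kind of detail worth keeping alongside the Azure Monitor records mentioned above when reviewing who asked for which port, from where, and for how long. The RBAC check that gates who may submit a request at all sits in front of this evaluation and is not modelled here.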
Conclusion
Azure Bastion and Just-In-Time VM Access form a powerful duo for securing remote management of Azure VMs. By deploying Bastion in its own segment, you avoid public IP exposure and keep traffic within Azure’s private network. JIT VM Access further shrinks the attack surface by allowing time-limited, policy-driven openings of specific ports. Together, they integrate with RBAC and Azure Monitor to deliver a holistic security approach that meets stringent compliance and auditing requirements.