AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam

Eager to master hybrid server management? Discover how to administer Windows Server Hybrid Core Infrastructure on Azure, setting your path towards the Microsoft Certified: Azure Hybrid Infrastructure Administrator Associate certification!


Configure and manage Just-in-Time VM access and Azure Bastion

Implement and Validate JIT VM Access Policies and Bastion Hosts

Just-in-Time VM Access and Azure Bastion are two complementary security features in Azure that help protect virtual machines from unauthorized access. Just-in-Time (JIT) VM Access is a feature in Microsoft Defender for Cloud that opens management ports only when needed. Azure Bastion is a fully managed service that provides RDP and SSH access over TLS without exposing a public IP. Together, they ensure that administrators can connect securely while minimizing the attack surface of each VM.

Azure Bastion simplifies secure remote connectivity by using a dedicated subnet and TLS encryption. It removes the need for direct public IPs on VMs and automatically handles secure tunnel creation. Key benefits include:

  • Secure connectivity over port 443.
  • No public IP required on the VM.
  • Managed service with built-in scaling and updates.

To configure Azure Bastion, you must follow a few clear steps. First, create a dedicated subnet named AzureBastionSubnet in your virtual network. Next, deploy the Bastion host using the Azure portal, CLI, or PowerShell. Finally, adjust Network Security Group (NSG) rules to ensure only the Bastion service can access RDP/SSH ports.
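The three steps above, carried out with the Az PowerShell module, as an added example that is not code from the course page. The resource group, region, VNet name, workload subnet name (`snet-servers`) and address ranges are assumed placeholder values; the one fixed requirement is the subnet name `AzureBastionSubnet`, which must be a /26 or larger. The NSG pairs an allow rule for the Bastion range with an explicit deny for RDP/SSH from any other source, so that the default VirtualNetwork allow rule does not reopen the ports from other subnets.

```powershell
# Added example (not from the course page): deploy Azure Bastion with the Az module
# and limit RDP/SSH on the workload subnet to traffic from AzureBastionSubnet.
# Requires Az.Network; all names and prefixes below are assumed values.
$rg            = 'rg-hybrid-lab'     # assumed resource group
$location      = 'westeurope'        # assumed region
$vnetName      = 'vnet-hybrid'       # assumed existing VNet with a subnet 'snet-servers'
$bastionPrefix = '10.0.250.0/26'     # assumed; AzureBastionSubnet must be /26 or larger

# 1. Add the dedicated subnet. The name AzureBastionSubnet is mandatory.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix $bastionPrefix `
    -VirtualNetwork $vnet | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# 2. Deploy the Bastion host. Only the host gets a public IP (Standard SKU, static);
#    the VMs behind it keep none.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'pip-bastion' -Location $location `
    -AllocationMethod Static -Sku Standard
New-AzBastion -ResourceGroupName $rg -Name 'bas-hybrid' `
    -PublicIpAddressRgName $rg -PublicIpAddressName $pip.Name `
    -VirtualNetworkRgName $rg -VirtualNetworkName $vnet.Name -Sku Basic

# 3. NSG for the workload subnet: allow 22/3389 from AzureBastionSubnet (priority 100),
#    then deny 22/3389 from everything else (110). Lower number is evaluated first.
$allowFromBastion = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-SSH-From-Bastion' `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix $bastionPrefix -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 22,3389
$denyMgmt = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-SSH-Other' `
    -Direction Inbound -Access Deny -Protocol Tcp -Priority 110 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 22,3389
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-servers' -SecurityRules $allowFromBastion, $denyMgmt

# Associate the NSG with the workload subnet (assumed name 'snet-servers').
$serverPrefix = ($vnet.Subnets | Where-Object Name -eq 'snet-servers').AddressPrefix
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-servers' `
    -AddressPrefix $serverPrefix -NetworkSecurityGroup $nsg | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Validation: after the deployment no VM NIC in the group should still carry a public IP.
Get-AzNetworkInterface -ResourceGroupName $rg |
    ForEach-Object { $_.IpConfigurations } |
    Where-Object { $_.PublicIpAddress } |
    ForEach-Object { Write-Warning "NIC config $($_.Id) still has a public IP" }
```

Run the script from a session that has already done `Connect-AzAccount`. If the Bastion subnet itself carries an NSG, that NSG additionally needs the inbound and outbound rules Azure Bastion documents for its own control-plane traffic; the rules above only cover the workload subnet.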

Just-in-Time VM Access reduces exposure by opening specified ports only for a limited time and only to approved source IP ranges. You enable JIT in Microsoft Defender for Cloud by selecting target VMs and defining:

  • Allowed ports (for example, RDP or SSH).
  • Approved source IP ranges.
  • Time windows for access.

When an administrator requests access, Defender for Cloud grants temporary firewall rules and logs each session. You can monitor requests, approve or deny them, and adjust settings for ongoing compliance. This approach supports the principle of least privilege by granting access only when necessary and for a limited duration.

Integrating JIT with Azure Bastion offers layered protection and seamless connectivity. Ensure your JIT policies include the IP ranges used by Bastion hosts so that approved sessions can establish connections. Regularly review access logs in Defender for Cloud and the Azure portal to validate that only authorized users request and receive access. By combining these features, you achieve a robust remote management solution with minimal exposure to potential threats.
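The JIT policy, access request and log review described in the two passages above, combined into one Az.Security example that is added here and is not code from the course page. The subscription id, resource group, region, VM name and Bastion subnet prefix are assumed placeholders. The policy restricts the allowed source to the AzureBastionSubnet range, which is the integration point the text calls out: a request from any other source is rejected, and an approved request only ever opens the port to the Bastion host.

```powershell
# Added example (not from the course page): define a JIT policy in Defender for Cloud,
# request a one-hour RDP window from the Bastion subnet, then validate the policy
# and audit requests in the activity log. Requires Az.Security and Az.Monitor.
$subId         = '00000000-0000-0000-0000-000000000000'  # placeholder subscription id
$rg            = 'rg-hybrid-lab'                          # assumed resource group
$location      = 'westeurope'                             # assumed region
$vmName        = 'vm-dc01'                                # assumed VM
$bastionPrefix = '10.0.250.0/26'                          # assumed AzureBastionSubnet range

$vmId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. Policy: ports, approved sources, and the longest window a single request may ask for.
#    The source is locked to the Bastion subnet so nothing else can request an opening.
$policy = @{
    id    = $vmId
    ports = @(
        @{ number = 3389; protocol = 'TCP'; allowedSourceAddressPrefix = @($bastionPrefix); maxRequestAccessDuration = 'PT3H' },
        @{ number = 22;   protocol = 'TCP'; allowedSourceAddressPrefix = @($bastionPrefix); maxRequestAccessDuration = 'PT1H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $location -Name 'default' `
    -ResourceGroupName $rg -VirtualMachine @($policy)

# 2. Request: RDP from the Bastion subnet for one hour. Defender for Cloud inserts a
#    temporary NSG allow rule and removes it again when endTimeUtc passes.
$request = @{
    id    = $vmId
    ports = @(
        @{ number                     = 3389
           endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
           allowedSourceAddressPrefix = @($bastionPrefix) }
    )
}
$policyId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# 3. Validate the policy as stored: every port should list only the Bastion prefix.
(Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name 'default').VirtualMachines |
    ForEach-Object { $_.Ports } |
    Select-Object Number, AllowedSourceAddressPrefix, MaxRequestAccessDuration

# 4. Audit: JIT access requests appear in the activity log as 'initiate' operations
#    on the policy, with the requesting identity in Caller.
Get-AzActivityLog -ResourceGroupName $rg -StartTime (Get-Date).AddDays(-7) |
    Where-Object { $_.OperationName.Value -like 'Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/*' } |
    Select-Object EventTimestamp, Caller, @{ n = 'Status'; e = { $_.Status.Value } }
```

Durations use ISO 8601 (PT3H is three hours). A request whose window exceeds `maxRequestAccessDuration`, or whose source prefix is outside `allowedSourceAddressPrefix`, is refused by Defender for Cloud rather than silently trimmed, which is the behaviour to confirm when validating the policy.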

Conclusion

In this section, you learned how Azure Bastion secures VM connections over TLS without public IP exposure and how Just-in-Time VM Access limits when and from where management ports are open. You saw the key steps to deploy Bastion, create the required subnet, and configure NSG rules. You also explored enabling JIT in Defender for Cloud by defining ports, IP ranges, and time windows. Finally, you learned how integrating these features strengthens security by enforcing the least privilege principle and providing detailed access logs for ongoing validation.