Azure Bastion is a fully managed Platform as a Service (PaaS) offering that provides secure RDP (Remote Desktop Protocol) and SSH (Secure Shell) connectivity to your virtual machines. You provision Azure Bastion directly into your Azure Virtual Network (VNet); it gives you browser-based sessions from the Azure portal, so the virtual machines themselves need no public IP addresses. Azure Bastion terminates the connection at its own public endpoint and relays it to the VM's private IP inside the VNet.
Key Features and Benefits of Azure Bastion:
- Integrated into the Azure portal: you start an RDP or SSH session to a VM straight from the portal; the session runs in the browser over TLS (the documentation historically called this SSL) on port 443, so no RDP/SSH client is needed on your workstation.
- Remote session without a public IP: the VM needs no public IP address. Azure Bastion is the only component with a public endpoint, and it reaches the VM on its private IP (port 3389 or 22 by default).
- Protection against port scanning: because the VMs have no public IP, they are not reachable for Internet-wide port scanning of RDP/SSH; only the Bastion host's public endpoint is exposed, and that does not expose the VMs' management ports.
- Built-in hardening: the Bastion host is a platform-managed service that Microsoft patches and hardens. You do not maintain, patch, or harden a jump box yourself.
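The deployment those features rest on, as an added Az PowerShell example (not from the original page): the Bastion host goes into a dedicated subnet that must be named AzureBastionSubnet and be at least a /26, it gets the design's only public IP, and the workload subnet's NSG is then restricted so RDP/SSH is reachable only from that subnet. The resource group, VNet, NSG names, address ranges and region are assumptions.

```powershell
# Added example (not the page's own code): deploy Azure Bastion into an existing VNet and
# lock the workload NSG down to it. Names, address prefixes and the region are assumptions.
$rg       = "rg-bastion-demo"
$location = "westeurope"
$vnetName = "vnet-hub"

# 1. Dedicated subnet: the name AzureBastionSubnet is mandatory and it must be a /26 or larger.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Add-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -AddressPrefix "10.0.255.0/26" `
    -VirtualNetwork $vnet | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 2. Bastion requires a Standard SKU, static public IP. This is the only public IP in the
#    design; the VMs themselves get none.
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "pip-bastion" -Location $location `
    -AllocationMethod Static -Sku Standard

# 3. Provision the Bastion host (this takes several minutes).
New-AzBastion -ResourceGroupName $rg -Name "bas-hub" `
    -PublicIpAddressRgName $rg -PublicIpAddressName $pip.Name `
    -VirtualNetworkRgName $rg -VirtualNetworkName $vnetName -Sku "Standard"

# 4. Workload NSG: allow RDP/SSH only from AzureBastionSubnet and explicitly deny it from the
#    Internet. Without the allow rule Bastion cannot reach the VM; the deny rule is what
#    removes the port-scanning exposure even if someone later attaches a public IP.
$bastionPrefix = "10.0.255.0/26"
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-workload"
$nsg | Add-AzNetworkSecurityRuleConfig -Name "AllowBastionRdpSsh" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $bastionPrefix -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange @("22", "3389") | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig -Name "DenyInternetRdpSsh" -Priority 110 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange @("22", "3389") | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null
```

After this, the VM's Connect blade in the portal offers Bastion as the connection method; the session is brokered over port 443 to the browser and the VM's NIC keeps only its private address.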
Just In Time (JIT) Virtual Machine (VM) Access, on the other hand, is a feature of Azure Security Center (now Microsoft Defender for Cloud, where it is part of the Defender for Servers plan). It keeps the management ports on your Azure VMs closed in the Network Security Group (NSG) by default and opens them only for an approved source, for an approved time window, when someone requests access.
Key Features and Benefits of JIT VM Access:
- Reduced attack surface: ports such as 3389 and 22 are open only for the duration of an approved request and only to the requested source IP range, which removes the standing exposure that RDP/SSH brute-force and scanning campaigns rely on.
- Simplified access request: administrators request access from the Azure portal (or through PowerShell, the CLI, or the REST API), choosing the port, the source IP and how long the window should last.
- Audited access: every request is recorded in the Azure activity log, showing who requested access, for which VM and port, for what time window, and whether it was approved.
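The full JIT cycle, as an added Az PowerShell example (not from the original page): define the policy with a tight maximum window and a pinned source range, request a shorter opening from a single IP, then read the audit trail back from the activity log. The subscription ID, resource names, region and IP addresses are assumptions; the two cmdlets are the documented Az.Security ones.

```powershell
# Added example (not the page's own code): configure a JIT policy, request access, audit it.
# Subscription ID, names, region and the admin IP ranges are assumptions.
$subId    = "00000000-0000-0000-0000-000000000000"
$rg       = "rg-jit-demo"
$location = "westeurope"
$vmName   = "vm-app01"
$vmId     = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. Policy: which ports JIT may ever open, the longest window a request may ask for, and
#    which sources may ever be allowed. allowedSourceAddressPrefix = "*" is the weak default;
#    pinning it to the admin egress range is the hardened form.
$adminRange = "203.0.113.0/24"
$jitPolicy = @{
    id    = $vmId
    ports = @(
        @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @($adminRange); maxRequestAccessDuration = "PT1H" },
        @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @($adminRange); maxRequestAccessDuration = "PT1H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $rg -VirtualMachine @($jitPolicy)

# 2. Request: one port, one source IP, a fixed UTC end time shorter than the policy maximum.
#    Defender for Cloud writes an allow rule into the VM's NSG and removes it at endTimeUtc.
$endTime = (Get-Date).ToUniversalTime().AddMinutes(30).ToString("o")
$request = @{
    id    = $vmId
    ports = @(
        @{ number = 22; endTimeUtc = $endTime; allowedSourceAddressPrefix = @("203.0.113.45") }
    )
}
$policyId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# 3. Audit: each request is an activity-log event against the JIT policy resource.
#    Caller, timestamp and status answer "who opened what, when, and was it approved".
Get-AzActivityLog -ResourceGroupName $rg -StartTime (Get-Date).AddDays(-7) |
    Where-Object { $_.OperationName.Value -like "*jitNetworkAccessPolicies/initiate*" } |
    Select-Object EventTimestamp, Caller,
        @{ n = "Operation"; e = { $_.OperationName.Value } },
        @{ n = "Status";    e = { $_.Status.Value } }
```

The policy sets the ceiling (which ports, which sources, how long at most); each request must fit inside it. Requesting 22 from a single /32 for 30 minutes when the policy permits a /24 for an hour is the intended pattern: the standing rule in the NSG stays a deny, and the temporary allow is as narrow as the task needs.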
Comparing the two: Azure Bastion provides the connection path to virtual machines inside your Azure Virtual Network without a public IP on the VM, while JIT VM Access focuses on reducing the attack surface by controlling when, from where, and for how long the VM's management ports are reachable at all.
| | Azure Bastion | JIT VM Access |
|---|---|---|
| Purpose | Secure and seamless RDP/SSH connectivity to Azure VMs | Lock down inbound traffic to VMs, reducing exposure to attacks |
| Key feature | No public IP needed on the Azure VM | Limits the time that management ports remain open |
| Benefits | Reduced port-scanning exposure, built-in hardening | Simplified access requests, audited access |
In conclusion, both Azure Bastion and Just-In-Time VM Access play a crucial role in enhancing the security posture within Azure. Azure Bastion secures your virtual machines from unwanted exposure, while JIT VM Access minimizes the attack surface by limiting access to virtual machines. These tools, while distinct in their functionality, jointly contribute to a more secure and robust cloud infrastructure when utilised within the Azure ecosystem.
Practice Test
True or False: With Azure Bastion, you can start an RDP or SSH session over SSL from the Azure portal.
- True
- False
Answer: True
Explanation: Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly in the Azure portal over SSL.
Which of the following services minimizes security vulnerabilities and limits exposure to attacks by providing limited, auditable access to resources when needed?
- A. Azure Bastion
- B. Just-In-Time (JIT) VM Access
- C. Azure Defender
- D. Azure Advisor
Answer: B. Just-In-Time (JIT) VM Access
Explanation: JIT VM access reduces exposure to attacks on open management ports (such as RDP/SSH brute forcing) by opening those ports only for an approved source and time window, and every request is recorded in the activity log.
True or False: Azure Bastion requires no public IP address for Azure VMs.
- True
- False
Answer: True
Explanation: Azure Bastion provides RDP and SSH connectivity to Azure VMs without a need for a public IP address.
What does JIT stand for in Azure JIT VM Access?
- A. Java Integration Terminal
- B. Junction Interval Time
- C. Just in Time
- D. Jet Investigation Time
Answer: C. Just in Time
Explanation: JIT in Azure JIT VM Access stands for Just-In-Time, allowing administrators to grant temporary access to virtual machines.
Multiple Select: Which of the following are main features of Azure Bastion?
- A. RDP and SSH directly in Azure Portal
- B. Remote access to Azure VMs
- C. Firewall and network security
- D. Public IP Address for VMs
Answer: A. RDP and SSH directly in Azure Portal, B. Remote access to Azure VMs
Explanation: Azure Bastion enables secure and seamless RDP/SSH to Azure VMs directly from the Azure Portal.
True or False: You can use Just-In-Time (JIT) VM access in Azure to restrict inbound traffic to your Azure VMs.
- True
- False
Answer: True
Explanation: JIT VM access is a feature of Azure Security Center (now Microsoft Defender for Cloud) that restricts inbound traffic to your Azure VMs by keeping management ports closed in the NSG until access is requested, reducing exposure to attacks.
Which type of protocol does Azure Bastion use for connectivity to VMs?
- A. FTP
- B. SSL
- C. IMAP
- D. SMTP
Answer: B. SSL
Explanation: Azure Bastion carries the RDP or SSH session to the browser over TLS on port 443 (Microsoft's documentation has historically described this as SSL), so the protocol a client sees on the Internet side is HTTPS, not raw RDP or SSH.
Multiple Select: What are the key benefits of using Azure JIT VM access?
- A. Protect VMs from brute force attacks
- B. Managed public IP addresses
- C. Reduces attack surface by limiting access
- D. Provides automatic encryption
Answer: A. Protect VMs from brute force attacks, C. Reduces attack surface by limiting access
Explanation: Azure JIT VM access reduces the attack surface by enabling access to VMs only when needed, thus protecting VMs from attacks.
True or False: Azure Bastion does not require an agent to be installed on the VM.
- True
- False
Answer: True
Explanation: Azure Bastion is a fully platform-managed PaaS service provided by Azure and does not require any agents to be installed on VMs.
Azure Bastion is a ____ that provides secure and seamless RDP and SSH access to your virtual machines directly from the ___.
- A. service, Azure portal
- B. client, command line
- C. server, Microsoft 365 dashboard
- D. platform, Windows control panel
Answer: A. service, Azure portal
Explanation: Azure Bastion is a fully managed PaaS service that provides secure and seamless RDP and SSH access to virtual machines directly from the Azure portal.
Interview Questions
What is Azure Bastion?
Azure Bastion is a service that provides secure and seamless RDP and SSH access to Virtual Machines directly through the Azure portal.
How does Azure Bastion enhance security?
Azure Bastion provides secure and seamless connectivity to your virtual machines over Secure Shell (SSH) and Remote Desktop Protocol (RDP) without exposing public IP addresses.
How does Just in Time (JIT) VM access contribute to Azure Security?
JIT VM access helps you control the access to your Azure VMs by reducing the attack surface. It locks down the inbound traffic to your Azure VMs, and provides controlled access only when needed.
How does Azure Bastion work?
Azure Bastion is a fully managed service by Microsoft which you provision inside your Virtual Network (vnet). It provides secure and seamless RDP/SSH connectivity to your VMs directly in the Azure portal over SSL.
What is the purpose of Just In Time (JIT) VM Access?
Just In Time (JIT) VM Access is used to lock down the inbound traffic to Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
What are the minimum permissions needed to configure JIT?
To configure or edit a JIT policy you need ‘Microsoft.Security/locations/jitNetworkAccessPolicies/write’ (plus write on the VM); to request access you need ‘Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action’ together with read on the policy (‘Microsoft.Security/locations/jitNetworkAccessPolicies/*/read’), the VM and its network interfaces. Separating the two sets is what lets an on-call operator open a window without being able to widen the policy itself.
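A least-privilege role built from that split, as an added Az PowerShell example (not from the original page): a custom RBAC role that can request JIT access but cannot write the policy. The action strings are the ones the Defender for Cloud JIT documentation lists at the time of writing (re-check them against the current docs before deploying); the subscription ID, group object ID, role name and scope are assumptions.

```powershell
# Added example (not the page's own code): a "request only" JIT role. The action strings follow
# the Defender for Cloud JIT docs at the time of writing; IDs, names and scope are assumptions.
$subId         = "00000000-0000-0000-0000-000000000000"
$oncallGroupId = "11111111-1111-1111-1111-111111111111"   # Entra ID object ID of the on-call group

# Clone Reader as a template so the object has the right shape, then replace its contents.
$role = Get-AzRoleDefinition -Name "Reader"
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = "JIT VM Access Requester"
$role.Description = "Can request just-in-time access to VMs but cannot create or change JIT policies."
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action")
$role.Actions.Add("Microsoft.Security/locations/jitNetworkAccessPolicies/*/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/read")
$role.Actions.Add("Microsoft.Network/networkInterfaces/*/read")
$role.Actions.Add("Microsoft.Network/publicIPAddresses/read")
# Deliberately absent: Microsoft.Security/locations/jitNetworkAccessPolicies/write.
# Only the policy owners' role carries that action.
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subId")
New-AzRoleDefinition -Role $role

# Assign at resource-group scope rather than the whole subscription.
New-AzRoleAssignment -ObjectId $oncallGroupId `
    -RoleDefinitionName "JIT VM Access Requester" `
    -Scope "/subscriptions/$subId/resourceGroups/rg-jit-demo"
```

Because the role lacks the write action, a member can only ask for windows that already fit the policy's ports, source ranges and maximum duration; widening those remains a separate, auditable change by the policy owner.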
Can Azure Bastion be used for VMs that are behind a firewall or Network Virtual Appliance?
Yes. Azure Bastion connects to the VM's private IP, so it works with VMs behind a firewall or Network Virtual Appliance as long as the path from AzureBastionSubnet to the VM's port 3389/22 is allowed: the NSG on the target subnet must permit inbound RDP/SSH from the Bastion subnet, and any NVA or user-defined routes in between must not drop or divert that traffic.
What protocols does Azure Bastion support?
Azure Bastion supports RDP (Remote Desktop Protocol) for Windows VMs and SSH (Secure Shell) for Linux VMs.
Can I customize the port on which JIT should open access to VMs?
Yes, the request to open access to a VM can specify a custom port, the source IP ranges for the allowed traffic, and the time window during which rules are in place.
What are the benefits of using Azure Bastion?
Azure Bastion provides several benefits such as seamless RDP and SSH connectivity, increased security through minimization of threats, no requirement of public IP on Azure Virtual Machines, and protection against port scanning.
How is the security of an RDP/SSH session ensured when using Azure Bastion?
The RDP/SSH session is tunneled between the browser and the Bastion host over TLS on port 443, so the management protocol is never exposed on the Internet; Bastion then connects to the VM's private IP over RDP or SSH inside the VNet.
What features does Azure JIT provide?
Azure JIT provides features like automated request & approval process, activity logging, and exposure time limits on open ports.
Can I use Azure Bastion with Azure AD accounts?
Yes, Azure Bastion supports Azure Active Directory (now Microsoft Entra ID) authentication for RDP/SSH, in addition to password and SSH-key authentication, provided the target VM is itself configured for Entra ID login.
Can Azure Bastion be deployed in a peered VNet?
Yes. Azure Bastion supports virtual network peering: a Bastion host deployed in one VNet (typically the hub) can connect to VMs in VNets peered with it, so you do not need a separate Bastion host in every spoke VNet. The Bastion host itself still has to live in a subnet named AzureBastionSubnet in its own VNet.
What are the prerequisites for configuring JIT VM Access?
The VM must be deployed through Azure Resource Manager (classic VMs are not supported), its inbound traffic must be controlled by a Network Security Group (or Azure Firewall) that JIT can write rules into, and the subscription needs the Defender for Servers plan enabled in Microsoft Defender for Cloud. JIT works with both Windows and Linux VMs.