In this blog post, I will show you how you can use JIT in combination with a Point-to-Site (P2S) VPN to securely connect to your Azure virtual machines (VMs).
These days there are several ways to securely connect to your Azure resources; one of them is a Point-to-Site (P2S) VPN connection. Such a connection lets you securely reach resources in a virtual network (VNet), or any of its peered VNets, from a single client device.
This can be quite handy if you are working from home or from a customer’s site on your own or a corporate Windows 10 or 11 device. You can also use it instead of a Site-to-Site (S2S) VPN when you only need to connect a few client devices to resources in a specific VNet.
I’ve already written a PowerShell script that you can use to configure a P2S VPN to an existing VNet using Azure certificate authentication. You can find the related blog post over here, or you can download the script directly from GitHub. If you prefer to let your P2S VPN clients authenticate using native Azure Active Directory authentication, you can read more about it here.
When you implement or already use a P2S VPN in your environment, you can add an additional security layer to this connection by combining it with just-in-time (JIT) VM access.
JIT is a feature of Microsoft Defender for Cloud that provides just-in-time, network-based access to VMs: it locks your VMs down at the network level by blocking all inbound traffic to specific management ports, such as RDP (3389) or SSH (22), until someone explicitly requests access for a limited time window.
If you want to read more about how JIT works and how to enable it, see my previous blog post on the topic: Azure Bastion: Combine JIT with Azure Bastion
To use a P2S VPN in combination with JIT, make sure the following prerequisites are in place and then follow the steps below.
- An Azure subscription.
- An Azure Administrator account with the necessary RBAC roles (configuring JIT needs Security Admin or Contributor rights on the subscription or resource group; requesting access needs a role that includes the Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action permission).
- An existing hub VNet with an Azure VPN Gateway (at least SKU VpnGw1).
- A configured and working P2S VPN connection.
- Another existing (spoke) VNet, other than the hub VNet, with a subnet that has a network security group (NSG) associated with it. This VNet must be peered with the hub VNet.
- An existing VM connected to the above subnet, with Microsoft Defender for Cloud enabled and Microsoft Defender for Servers Plan 2 enabled on the subscription holding the VM (JIT requires Plan 2).
- Write down or look up your P2S VPN address pool and, only if you also use Azure Bastion in your environment, the AzureBastionSubnet IP range.
On the Microsoft Defender for Cloud page (blade), select Workload protections. Then, on the Defender for Cloud coverage page, scroll down to the Advanced protection area and select just-in-time VM access.
On the Just-in-time VM access page, click on the Not Configured tab to get a view of all the VMs that support JIT but do not have it enabled yet. Then select a VM that you want to protect with JIT and click on the Enable JIT on 1 VM button (you can also complete this step for multiple VMs at once).
Then, on the JIT VM access configuration page, delete any default ports you do not need; the defaults are 22 (SSH), 3389 (RDP), and 5985 and 5986 (WinRM). For a Windows VM that you only reach over RDP, remove 22, 5985, and 5986. If required, you can also add other custom ports.
Then click on port 3389 to open its port configuration. Here you can set the Max request time, the maximum time window for which this port can be opened per request. Next to that, you configure the Allowed source IPs. To improve security, I mostly restrict this to only the Point-to-Site (P2S) VPN address pool and/or the AzureBastionSubnet IP range (use a comma “,” between the different IP ranges) instead of Any, so that even an approved request never exposes the port to the internet. Click OK to apply your changes.
Then select Save.
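The same JIT policy can be created with Azure PowerShell instead of the portal. The block below is an added example, not the author's script and not Microsoft's own code. It assumes the Az.Security module is installed and you are already signed in with Connect-AzAccount; the subscription ID, resource group, region, P2S address pool (172.16.201.0/24), AzureBastionSubnet range (10.0.1.0/26) and NSG name are placeholder values, and the allowedSourceAddressPrefixes field follows the JIT REST model for listing more than one source range. The VM name swntst003 is the one used in this post.

```powershell
# Added example: enable JIT on one VM with only RDP (3389) exposed, a 3-hour
# maximum request window, and the source restricted to the P2S VPN address pool
# and the AzureBastionSubnet. All identifiers below are placeholders.
# Install-Module Az.Security -Scope CurrentUser   # once, if not yet installed
# Connect-AzAccount; Set-AzContext -Subscription $subscriptionId

$subscriptionId    = "00000000-0000-0000-0000-000000000000"  # placeholder
$resourceGroupName = "rg-prd-myh-spoke-01"                    # placeholder
$location          = "westeurope"                             # placeholder
$vmName            = "swntst003"                              # VM name used in the post
$p2sAddressPool    = "172.16.201.0/24"                        # placeholder P2S client pool
$bastionSubnet     = "10.0.1.0/26"                            # placeholder AzureBastionSubnet

$vmId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName" +
        "/providers/Microsoft.Compute/virtualMachines/$vmName"

# Listing only port 3389 is the equivalent of deleting the default 22/5985/5986
# entries in the portal. maxRequestAccessDuration is an ISO 8601 duration;
# PT3H (3 hours) matches the portal's default Max request time.
# allowedSourceAddressPrefixes (plural, array) is the multi-range form of the
# JIT port rule; a single range could also go in allowedSourceAddressPrefix.
$jitVm = @{
    id    = $vmId
    ports = @(
        @{
            number                       = 3389
            protocol                     = "TCP"
            allowedSourceAddressPrefixes = @($p2sAddressPool, $bastionSubnet)
            maxRequestAccessDuration     = "PT3H"
        }
    )
}

# Policy name "default" and Kind "Basic" are what Defender for Cloud itself
# uses when you enable JIT from the portal.
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $resourceGroupName -VirtualMachine @($jitVm) | Out-Null

# Read the policy back and check that no port is left open to "*" (Any).
# Property names follow the Az.Security output objects; use Format-List on
# $policy.VirtualMachines[0].Ports if your module version names them differently.
$policy = Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroupName `
    -Location $location -Name "default"
$ports = $policy.VirtualMachines | Where-Object { $_.Id -eq $vmId } | ForEach-Object { $_.Ports }
$ports | Select-Object Number, Protocol, AllowedSourceAddressPrefix, `
    AllowedSourceAddressPrefixes, MaxRequestAccessDuration | Format-Table -AutoSize

$wildcard = $ports | Where-Object {
    $_.AllowedSourceAddressPrefix -eq '*' -or $_.AllowedSourceAddressPrefixes -contains '*'
}
if ($wildcard) {
    Write-Warning "Port(s) $($wildcard.Number -join ', ') on $vmName still allow any source; tighten the policy."
} else {
    Write-Host "JIT policy for $vmName restricts every port to the P2S pool / Bastion subnet."
}
```

Keeping the policy in a script like this makes the allowed source ranges reviewable in version control, which is harder to do with portal clicks; rerunning Set-AzJitNetworkAccessPolicy replaces the whole policy for the VMs listed, so include every VM the "default" policy should cover.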
Use JIT with a P2S VPN
Because we now have a VM that has JIT enabled, we have to request access to connect to it. You can request access in many ways, like from the Microsoft Defender for Cloud page, through Azure PowerShell, or from the Azure virtual machine’s connect page, as I will explain and show in the steps below.
First of all, connect your client device through your P2S VPN to your Azure environment.
Then go back to your Azure Portal and type “vm” in the Global search bar. Then click on Virtual machines.
Select the VM to which you want to connect (in my example, swntst003).
On the Overview page, click Connect and select RDP or SSH, depending on the type of VM (Windows or Linux) you want to connect to.
If JIT is enabled for that specific VM, an information message at the top of the Connect page will explain that you need to select Request access before connecting. To do so, scroll down and click on Request access. The request is granted for the configured Max request time at most, and Defender for Cloud then adds the matching allow rule to the NSG; this can take a short moment.
After the request is granted, you should be able to RDP from your client device to the specific Azure VM. You can quickly test this by downloading the RDP file and connecting with your credentials. Because the traffic travels over the VPN, select the VM’s private IP address on the Connect page rather than a public one.
If you used the correct credentials to log on, the RDP connection to this VM via your P2S VPN will now be open.
Session monitoring, troubleshooting, and auditing
You can audit the JIT access activity in Microsoft Defender for Cloud. To do so, go to the Just-in-time VM access page and click the Configured tab. This page already shows all active requests and who initiated them.
To view the Activity log, go to the VM that you want to audit and open the ellipsis menu (…). Then click on Activity Log. You now get a filtered view of all operations performed on that particular VM; each JIT request appears as an “Initiate JIT Network Access Policy” operation with the requesting user as the caller.
You can also validate the NSG inbound security rules that JIT added by opening the NSG associated with the subnet (or NIC) the VM belongs to. The allow rule should list only the requested source address and port, and it is removed again when the request window expires.
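Requesting access (the Connect page steps above) and auditing the result (this section) can both be done from Azure PowerShell. The block below is an added example, not the author's script and not Microsoft's own code, and it reuses one small CIDR helper for both halves: it picks the address your client received from the P2S pool, requests RDP access for that single address only, then lists the policy's requests and checks that every JIT-created NSG allow rule stays inside the expected source ranges. The subscription ID, resource group, region, P2S pool, Bastion subnet and NSG name are placeholders; Get-NetIPAddress is Windows only; the SecurityCenter-JITRule name prefix is the naming observed on JIT-managed rules and is an assumption to verify in your own NSG; request property names (Requestor, Status, EndTimeUtc) follow the Az.Security output objects.

```powershell
# Added example: request JIT access from the P2S client address, then audit.
# Placeholders: subscription, resource group, region, ranges and NSG name.
$subscriptionId    = "00000000-0000-0000-0000-000000000000"
$resourceGroupName = "rg-prd-myh-spoke-01"
$location          = "westeurope"
$vmName            = "swntst003"
$nsgName           = "nsg-prd-myh-spoke-01"     # NSG on the VM's subnet (placeholder)
$p2sAddressPool    = "172.16.201.0/24"
$bastionSubnet     = "10.0.1.0/26"

$vmId     = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Compute/virtualMachines/$vmName"
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"

function ConvertTo-IPv4Int {
    # IPv4 dotted string -> integer (as Int64 to avoid unsigned/shift quirks in Windows PowerShell).
    param([string]$IPAddress)
    $bytes = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    [Array]::Reverse($bytes)
    [int64][BitConverter]::ToUInt32($bytes, 0)
}
function Test-PrefixInCidr {
    # True when every address of $Prefix (bare IPv4 or a.b.c.d/n) lies inside $Cidr.
    # Anything else ("*", "Internet", service tags) is reported as NOT inside.
    param([string]$Prefix, [string]$Cidr)
    if ($Prefix -notmatch '^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$') { return $false }
    $pNet, $pBits = $Prefix.Split('/'); if (-not $pBits) { $pBits = 32 }
    $cNet, $cBits = $Cidr.Split('/')
    if ([int]$pBits -lt [int]$cBits) { return $false }          # wider than the range
    $mask = 4294967295 - ([int64][Math]::Pow(2, 32 - [int]$cBits) - 1)
    ((ConvertTo-IPv4Int $pNet) -band $mask) -eq ((ConvertTo-IPv4Int $cNet) -band $mask)
}

# 1. Find the address the VPN assigned to this client (must be inside the P2S pool,
#    otherwise the request would fall outside the policy's allowed sources).
$clientIp = (Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { Test-PrefixInCidr -Prefix $_.IPAddress -Cidr $p2sAddressPool } |
    Select-Object -First 1).IPAddress
if (-not $clientIp) { throw "No address from $p2sAddressPool found; is the P2S VPN connected?" }

# 2. Request RDP for one hour, for this single address only (least privilege:
#    narrower than the whole pool the policy allows). endTimeUtc must not exceed
#    the policy's maxRequestAccessDuration, or the request is rejected.
$request = @{
    id    = $vmId
    ports = @(@{
        number                     = 3389
        endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
        allowedSourceAddressPrefix = @($clientIp)
    })
}
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request) | Out-Null

# 3. Audit: who requested what, from where, until when.
$policy = Get-AzJitNetworkAccessPolicy -ResourceGroupName $resourceGroupName -Location $location -Name "default"
$rows = foreach ($req in $policy.Requests) {
    foreach ($vm in $req.VirtualMachines) {
        foreach ($port in $vm.Ports) {
            [pscustomobject]@{
                Requestor  = $req.Requestor
                Vm         = ($vm.Id -split '/')[-1]
                Port       = $port.Number
                Status     = $port.Status           # Initiated or Revoked
                Source     = $port.AllowedSourceAddressPrefix
                EndTimeUtc = $port.EndTimeUtc
            }
        }
    }
}
$rows | Sort-Object EndTimeUtc -Descending | Format-Table -AutoSize

# 4. Audit: every JIT-created allow rule in the NSG must sit inside the expected ranges.
$expected = @($p2sAddressPool, $bastionSubnet)
$nsg      = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroupName -Name $nsgName
$jitAllow = $nsg.SecurityRules | Where-Object { $_.Name -like 'SecurityCenter-JITRule*' -and $_.Access -eq 'Allow' }
foreach ($rule in $jitAllow) {
    $outside = @($rule.SourceAddressPrefix) | Where-Object {
        $src = $_
        -not ($expected | Where-Object { Test-PrefixInCidr -Prefix $src -Cidr $_ })
    }
    if ($outside) {
        Write-Warning "JIT rule $($rule.Name) (priority $($rule.Priority), ports $($rule.DestinationPortRange -join ',')) allows unexpected source(s): $($outside -join ', ')"
    } else {
        Write-Host "OK  $($rule.Name) -> $($rule.SourceAddressPrefix -join ', ') on $($rule.DestinationPortRange -join ',')"
    }
}
```

Step 4 is the check worth scheduling: a JIT allow rule whose source is "*" or a range outside your P2S pool and Bastion subnet means either the policy was loosened or a request was made with a broader source than intended, and the Activity log entry for that request tells you who did it. Running steps 3 and 4 alone (without the request) is a safe read-only audit.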
To see or troubleshoot the current P2S VPN session(s) in case of a connectivity or security issue, or to even disconnect one of them, you can follow the instructions shown over here.
When using a P2S VPN to connect to Azure VMs in your environment, you can combine this with JIT VM access to better secure those connection(s).
When using JIT, a user first needs to request access to the VM. Once the request is granted and Defender for Cloud has added the NSG rule in the background, they can make the connection over the connected P2S VPN, where the VM’s own authentication decides whether the logon succeeds.
So, by using this multilayered connection approach (VPN, time-limited network access, and VM credentials), you enhance your overall security and reduce the attack surface of your VMs.
If you have any questions related to the use of a P2S VPN or JIT in your environment, feel free to contact me through my Twitter handle (@wmatthyssen) or to just leave a comment. I am always happy to help.