Tag: Azure VM

Sep172019September 17, 2019September 17, 20190Commentby Thomas Maurer
Ping Azure VM Public IP address

How to enable Ping (ICMP echo) on an Azure VM

Posted in Cloud, Microsoft, Microsoft Azure, PowerShell, Virtualization, Windows, Windows Server, Work

This is just a very quick blog post because I got the question from a couple of people. In this blog post want to show you how you can enable ping (ICMP) on a public IP address of an Azure virtual machine (VM). First, just let me say that assigning a public IP address to a virtual machine can be a security risk. So if you do that, make sure you know what you are doing. If you need admin access to virtual machines only for a specific time, there are services like Azure Just-in-Time VM Access (JIT) and Azure Bastion you should have a look at. Now back to the topic, Azure by default denies and blocks all public inbound traffic to an Azure virtual machine, and also includes ICMP traffic. This is a good thing since it improves security by reducing the attack surface.

Azure Network Security Group Port Rules Deny All Inbound Traffic to Azure VM

Azure Network Security Group Port Rules Deny All Inbound Traffic to Azure VM

This also applies to pings or ICMP echo requests sent to Azure VMs.

Ping Azure VM failed

Ping Azure VM failed

However, if you need to access your application from a public IP address, you will need to allow the specific ports and protocols. The same applies to the ICMP (Internet Control Message Protocol) protocol. The ICMP protocol is typically used for diagnostic and is often used to troubleshoot networking issues. One of the diagnostic tools using ICMP is ping, which we all know and love.

What do I need to do to be able to ping my Azure virtual machines (VMs)

Overall we need to do two main steps:

Configure Network Security Group (NSG) to allow ICMP traffic

So here is how you enable or allow ping (ICMP) to an Azure VM. Click on add a new inbound port rule for the Azure network security group (NSG).

Enable Ping ICMP in a NSG on an Azure VM

Enable Ping ICMP in an NSG on an Azure VM

Change the protocol to ICMP. As you can see, you can also limit the sources which can make use of that rule, as well as change the name and description. You can also use the following Azure PowerShell commands to add the inbound security rule to your NSG.

Get-AzNetworkSecurityGroup -Name "AzureVM-WIN01-nsg" | Add-AzNetworkSecurityRuleConfig -Name ICMP-Ping -Description "Allow Ping" -Access Allow -Protocol ICMP -Direction Inbound -Priority 100 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange * | Set-AzNetworkSecurityGroup
Configure Network Security Group PowerShell

Configure Network Security Group PowerShell

Set up the operating system to answer to Ping/ICMP echo request

If you haven’t already configured the operating system that way, you will need to allow ICMP traffic, so the operating system response to a ping. On Windows Server, this is disabled by default, and you need to configure the Windows Firewall. You can run the following command to allow ICMP traffic in the Windows Server operating system. In the Windows Firewall with Advanced Security, you can enable the Echo Request – ICMPv4-In or Echo Request ICMPv6-In rules, depending on if you need IPv4 or IPv6.

Windows Firewall Enable Ping

Windows Firewall Enable Ping

You can also run the following command to do that:

# For IPv4
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol="icmpv4:8,any" dir=in action=allow
 
#For IPv6
netsh advfirewall firewall add rule name="ICMP Allow incoming V6 echo request" protocol="icmpv6:8,any" dir=in action=allow

After doing both steps, you should be able to ping your Azure Virtual Machine (VM) using a public IP address.

Ping Azure VM Public IP address

Ping Azure VM Public IP address

I hope this helps you be able to ping your Azure VMs. If you have any questions, please let me know in the comments.


Aug062019August 6, 2019August 5, 20190Commentby Thomas Maurer
Create Azure Dedicated Host

Azure Dedicated Host for your Azure VMs

Posted in Cloud, Hardware, Microsoft, Microsoft Azure, Virtualization, Windows Server, Work

Last week Ziv Rafalovich, Principal Program Manager in the Azure Compute team, announced the Azure Dedicated Host Public Preview. Azure Dedicated Host is a new Azure service which enables customers to run Windows and Linux virtual machines on single dedicated physical servers. Usually, the Azure host is used by multiple tenants, and the virtual machines are isolated using a multi-tenant hypervisor, with Azure Dedicated Host, the physical server only runs workloads from one tenant/customer. This gives customers the visibility and control on what physical hardware their virtual machines are running, and it allows to address corporate compliance and regulatory requirements.

Azure Dedicated Host Preview provides physical servers that host one or more Azure virtual machines. Your server is dedicated to your organization and workloads—capacity isn’t shared with other customers. This host-level isolation helps address compliance requirements. As you provision the host, you gain visibility into (and control over) the server infrastructure, and you determine the host’s maintenance policies.

You can find more information on Azure.com.

Azure Dedicated Host scenarios

The Azure Dedicated Host offers a couple of benefits and enables some new scenarios.

  • Host-level isolations for compliance requirements
  • Visibility and control over the server infrastructure to manage host maintenance policies, load on the server, fault domain count.
  • You get control over the full performance and capacity from a single Azure host which is not shared with other customers.
  • You get the advantage of unlimited virtualization for Windows Server and SQL Server with Azure Dedicated Hosts using the Azure Hybrid Benefit.

If you need these scenarios, then the Azure Dedicated host is an excellent option for you. However, if you don’t need them, you are more flexible with the shared Azure virtual machine experience.

Licensing and Pricing

Dedicated Hosts are charged at the host level and not on the number of Azure VMs you run on the host. However, software licenses are billed separately from compute resources at a VM level based on usage. There are no upfront costs or termination fees. Currently, the Azure Dedicated Host is a pay-as-you-go service, and you only pay for what you need.

You will have different dedicated host types and VM series/families available. During the preview period, you will be able to choose between Dsv3, Esv3, and Fsv2 VM series.

Dedicated Host Typ 1

Dedicated Host Type 1 is based on the 2.3 GHz Intel Xeon® E5-2673 v4 (Broadwell) processor and can achieve up to 3.5 gigahertz (GHz). Type 1 host has 64 available vCPUs.

    • Dsv3 Series
    • Esv3 Series

Dedicated Host Type 2

Dedicated Host Type 2 is based on the Intel Xeon® Platinum 8168 (Skylake) processor, which can achieve maximum single-core clock speeds of 3.7 GHz and sustained all core clock speeds as high as 3.4GHz with the Intel Turbo Boost Technology 2.0. Type 2 host has 72 available vCPUs.

    • Fsv2 Series

Dedicated Host configuration table

This is the Dedicated Host configuration table during the Public Preview. This might change later, and you can find the current pricing information on Azure.com.

Azure Dedicated Host configuration table

Azure Dedicated Host configuration table

Additional cost reduction

You can use your on-premises Windows Server and SQL Server licenses with Software Assurance benefits, or subscriptions with equivalent rights, when you migrate your workloads to Dedicated Host (Azure Hybrid Benefit).  Different the before is that with the dedicated host you get unlimited virtualization rights for Windows Server and SQL Server. For more information on the updated Microsoft licensing terms for dedicated hosted cloud services, check out this blog post. With this running Windows Server 2019 in Azure becomes even more attractive.

We are also expanding Azure Hybrid Benefit so you can take advantage of unlimited virtualization for Windows Server and SQL Server with Azure Dedicated Hosts. Customers with Windows Server Datacenter licenses and Software Assurance can use unlimited virtualization rights in Azure Dedicated Hosts. In other words, you can deploy as many Windows Server virtual machines as you like on the host, subject only to the physical capacity of the underlying server. Similarly, customers with SQL Server Enterprise Edition licenses and Software Assurance can use unlimited virtualization rights for SQL Server on their Azure Dedicated Hosts.

You’ll also get free extended security updates for Windows Server and SQL Server 2008 and 2008 R2.

Azure Reserved VM Instances are not available for purchase during the preview on Azure Dedicated Host.

Deploy VMs to an Azure Dedicated Hosts

To deploy a new Azure Dedicated Host, we first need to create a host group. After that, we can add hosts to this group, which will be used for our Azure virtual machines. In this blog post, I am going to show you how you can deploy a new host and after that, how you deploy Azure VMs on that host using the Azure portal. If you want to know more and if you want to see how you do this using Azure PowerShell, an Azure Resource Manager (ARM) template or the Azure CLI, check the Microsoft Docs.

Create a host group

Azure Host Groups

Azure Host Groups

You can find a new Azure resource called Host Group. Create a host group and configure the host group with specific settings like availability zones and fault domain count.

"<yoastmark

Deploy an Azure Dedicated Host

Azure Dedicated Hosts

Azure Dedicated Hosts

After you have created your host group, you can start creating new hosts and add them to your host group.

  • Select the location (region) of the host
  • Select the dedicated host VM family and hardware generation. You will only be able to provision VMs on this host in the same VM family. During the preview, we will support the following host SKU values: DSv3_Type1 and ESv3_Type1.
  • Configure the fault domain for the host.
  • Enable or disable of automatically replacing the host on a failure.
  • Configure cost savings like the Azure Hybrid Benefit.
Create Azure Dedicated Host

Create Azure Dedicated Host

Your host will be deployed in a couple of minutes. Important, your Azure subscription will need to have enough resources (CPU/Cores) enabled. Some subscriptions are limited to a specific amount of cores you can deploy in your subscription, in that case, you will need to open a support ticket, to raise the number of cores available in your subscription.

Create a VM

Now you can create a virtual machine on the Azure Dedicated Host. There area few things to consider about that VM. First, make sure the VM is created in the region you have created the host. Secondly, choose a virtual machine size of the VM family you had configured when you created the host.

During the creation process, you will find the section Host in the Advanced tab. Here you can select your host group and your host where the VM will be deployed on.

For more information, check out the Microsoft Docs.

Conclusion

The Azure Dedicated Host service enables new scenarios and addresses, especially customers with host-level isolations for compliance requirements. It makes the Azure IaaS platform even more exciting, and together with Azure Migrate, you can quickly move your virtual machines to Azure. If you have any questions, feel free to leave a comment.


Jul222019July 22, 2019July 22, 20190Commentby Thomas Maurer
SSH Remote Edit File with Visual Studio Code

Remote Edit Files on Azure Linux VMs using VS Code

Posted in Cloud, Containers, Microsoft, Microsoft Azure, Virtualization, Visual Studio, Visual Studio Code, Windows, Windows 10

There are a lot of different ways to remote manage your Azure virtual machines using various tools and technics. In this blog post, I am going to show you how you can remotely edit files on Azure Linux virtual machines using Visual Studio Code. Visual Studio Code has a new Remote Development Extention which allows you to open any folder in a container, on a remote computer, or in the Windows Subsystem for Linux (WSL) and take advantage of the VS Code feature set. With the Remote – SSH extensions, you can easily browse and edit files on an Azure VM or any other system where you can connect using SSH.

Installation

As mentioned to edit the files on the Azure Linux virtual machine remotely, we are using the light-weight, cross-platform, opensource editor Visual Studio Code. You can download and install VS Code from the official website.

Visual Studio Code Remote Development Extension

In addition to Visual Studio code, we need to install the Remote – SSH extension, which comes with Remote Development Extension Pack. This also includes remote extensions for containers or the Windows Subsystem for Linux (WSL).

If you are running on a Windows 10 machine, you will also need to install the OpenSSH client on your machine. You can do that going through this blog post, or by running this command.

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

Azure VM connection using SSH

The Remote – SSH extensions currently only supports connecting to x86_64 Linux-based SSH servers using key-based authentication.

Optional: Create Azure Linux VM with key-based SSH authentication using the Azure CLI

Create Azure Linux VM Azure CLI SSH Keys DNS Name

If you want to try it out, and you haven’t set up a Linux VM SSH and key-based authentication. This Azure CLI command here helps you to create a new Azure virtual machine and sets up ssh keys as well as an optional unique Azure DNS name.

az vm create --resource-group demosshvm --name tomsVM --image UbuntuLTS --admin-username thomas --generate-ssh-keys --public-ip-address-dns-name tomsazurelinuxvm

In this example, you can use the public IP address or the Azure FQDN to connect to the Azure VM. If you have a VPN or Express Route set up, you can also use private IP addresses and DNS names. If you are using public IP addresses in production, make sure you are using a service like Azure Just in Time VM access.

Connect Visual Studio Code to Azure VM using SSH

After you have installed Visual Studio Code, the Remote – SSH extension, the SSH client and have a VM with key-based authentication, you can now easily connect. Open Visual Studio Code, on the bottom left, you see the Remote connection button. If you press it, you will find the remoting options. Select “Remote-SSH: Connect to Host…

Visual Studio Open Remote SSH Connection

This will ask you for the username and IP address or DNS name of the virtual machine. In my case, I am going to use the DNS name.

Visual Studio Code SSH Remoting Connection

 

After pressing enter, this will connect your Visual Studio Code environment to the Azure virtual machine.

Visual Studio Code SSH Connection

 

Remote edit files on Azure Linux VMs using VS Code

You can start opening folders and files on the remote Azure Linux VM and begin browsing the file system. On the bottom left, you see the name or IP address of the machine you are connected with.

SSH Remote File System Visual Studio Code

You can also open files and start remote edit files on your Azure Linux VM. If you save the changes you made to the file, this is directly saved on the remote Azure virtual machine.

SSH Remote Edit File with Visual Studio Code

You get all the advanced VS Code features you know from your local Visual Studio Code like syntax-highlighting and more.

I hope this shows you an easy way to remotely edit files on your Azure Linux virtual machines using Visual Studio Code and SSH. If you have any questions, please let me know in the comments.


Jul022019July 2, 2019July 2, 20191Commentby Thomas Maurer
Copy files to Azure VM using PowerShell Remoting

Copy Files to Azure VM using PowerShell Remoting

Posted in Cloud, Microsoft, Microsoft Azure, PowerShell, Virtualization, Windows, Windows 10, Windows Server, Windows Server 2016, Windows Server 2019

There are a couple of different cases you want to copy files to Azure virtual machines. To copy files to Azure VM, you can use PowerShell Remoting. This works with Windows and Linux virtual machines using Windows PowerShell 5.1 (Windows only) or PowerShell 6 (Windows and Linux). Check out my blog post at the ITOpsTalk.com about copying files from Windows to Linux using PowerShell Remoting.

Prepare your client machine

Prepare the client machine to create PowerShell Remote connections to a specific remote VM.

Set-Item WSMan:localhost\client\trustedhosts -value "AZUREVMIP"

You can also enable remoting to all machines by using an asterisk.

Set-Item WSMan:localhost\client\trustedhosts -value *

Copy Files to Windows Server Azure VM

If you want to copy files to an Azure VM running Windows Server, you have two options. If you are copying files from Windows to Windows, you can use Windows PowerShell Remoting; if you are copying files from Linux or macOS to Windows, you can use the cross-platform PowerShell 6 and PowerShell Remoting over SSH.

Using Windows PowerShell Remoting

To copy files from a Windows machine to a Windows Server running in Azure, you can use Windows PowerShell Remoting.

Prepare the host (Azure VM) to receive Windows PowerShell remote commands. The Enable-PSRemoting cmdlet configures the computer to receive Windows PowerShell remote commands that are sent by using the WS-Management technology.

Enable-PSRemoting -Force

Now you can create a new PowerShell Remoting session to the Azure VM.

$cred = Get-Credential
 
$s = New-PSSession -ComputerName "AZUREVMIPORNAME" -Credential $cred

After the session was successfully created, you can use the copy-item cmdlet with the -toSession parameter.

Copy-Item .\windows.txt C:\ -ToSession $s

Some important notes

  • You need to configure the Network Security Group for the Azure VM to allow port 5985 (HTTP) or 5986 (HTTPS)
  • You can use PowerShell Remoting over Public Internet or Private connectivity (VPN or Express Route). If you are using the Public Internet, I highly recommend that you use https. I also recommend that you use Just-in-time virtual machine access in Azure Security for public exposed ports.

Using PowerShell Core 6 PowerShell Remoting over SSH

If you are running PowerShell Core 6, you can use PowerShell Remoting over SSH. This gives you a simple connection and cross-platform support. First, you will need to install PowerShell 6. After that, you will need to configure and setup PowerShell SSH Remoting together with OpenSSH. You can follow my blog post to do this here: Setup PowerShell SSH Remoting in PowerShell 6

Now you can create a new PowerShell Remoting session to the Azure VM.

$s = New-PSSession -HostName "AZUREVMIPORNAME" -UserName

After the session was successfully created, you can use the copy-item cmdlet with the -toSession parameter.

Copy-Item .\windows.txt C:\ -ToSession $s

Some important notes

  • You need to configure the Network Security Group for the Azure VM to allow port 22 (SSH)
  • You can use PowerShell Remoting over Public Internet or Private connectivity (VPN or Express Route). Exposing the SSH port to the public internet maybe is not secure. If you still need to use a public SSH connection, I recommend that you use Just-in-time virtual machine access in Azure Security.

Copy Files to Linux Azure VM

Copy File Windows to Linux using PowerShell Remoting

If you want to copy files to a Linux VM running in Azure, you can make use of the cross-platform PowerShell capabilities of PowerShell 6, using PowerShell Remoting over SSH. As for the Windows virtual machines, you will need to install PowerShell 6. Next, you will need to configure and setup PowerShell SSH Remoting together with OpenSSH. You can follow my blog post to do this here: Setup PowerShell SSH Remoting in PowerShell 6

After installing and configuring PowerShell Remoting over SSH, you can create a new PowerShell Remoting session to the Azure VM.

$s = New-PSSession -HostName "AZUREVMIPORNAME" -UserName

After you successfully connected to your Azure VM, you can use the copy-item cmdlet with the -toSession parameter.

Copy-Item .\windows.txt /home/thomas -ToSession $s

I hope this gives you an overview about how you can copy files to Azure VMs using PowerShell Remoting. If you have any questions, let me know in the comments.


Jun182019June 18, 2019June 18, 20198Commentsby Thomas Maurer
Azure Bastion Windows VM

Azure Bastion – Private RDP and SSH access to Azure VMs

Posted in Cloud, Microsoft, Microsoft Azure, Virtualization, Windows, Windows Server, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Work

Azure Bastion is a new service which enables you to have private and fully managed RDP and SSH access to your Azure virtual machines. If you wanted to access your Azure virtual machines using RDP or SSH today, and you were not using a VPN connection, you had to assign a public IP address to the virtual machine. You were able to secure the connection using Azure Just in Time VM access in Azure Security Center. However, this had still some drawbacks. With Azure Bastion you get a private and fully managed service, which you deploy to your Virtual Network, which then allows you to access your VMs directly from the Azure portal using your browser over SSL.

Azure Bastion Architecture

Source: Microsoft Docs

Azure Bastion brings a couple of advantages

  • Removes requirement for a Remote Desktop (RDP) client on your local machine
  • Removes element for a local SSH client
  • No need for local RDP or SSH ports (handy when your company blocks it)
  • Uses secure SSL/TLS encryption
  • No need to assign public IP addresses to your Azure Virtual Machine
  • Works in basically any modern browser on any device (Windows, macOS, Linux, etc.)
  • Better hardening and more straightforward Network Security Group (NSG) management
  • Can remove the need for a Jumpbox

If you want to know more directly here is the link to the Azure Bastion announcement blog and the Microsoft Docs.

Public Preview

Azure Bastion is currently in public preview. The public preview is limited to the following Azure public regions:

  • West US
  • East US
  • West Europe
  • South Central US
  • Australia East
  • Japan East

To participate in this preview, you need to register. Use these steps to register for the preview:

Register-AzureRmProviderFeature -FeatureName AllowBastionHost -ProviderNamespace Microsoft.Network
 
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network
 
Get-AzureRmProviderFeature -ProviderNamespace Microsoft.Network

To use the Azure Bastion service, you will also need to use the Azure Portal – Preview.

How to set up an Azure Bastion host for a private RDP and SSH access to Azure VMs

Create Azure Bastion Host

First, you will need to deploy Bastion Host in your virtual network (VNet). The Azure Bastion Host will need at least a /27 subnet.

AzureBastionSubnet

Access Azure virtual machines using Azure Bastion

Azure Bastion integrates natively in the Azure portal. The platform will automatically be detected if Bastion is deployed to the virtual network your virtual machine is in. To connect to a virtual machine, click on the connect button for the virtual machine. Now you can enter your username and password for the virtual machine.

Azure Portal connect to Linux VM SSH

This will now open up a web-based SSL RDP session in the Azure portal to the virtual machine. Again, there is no need to have a public IP address assigned to your virtual machine.

Private access to Azure Linux VM

 

Roadmap – more to come

As Yousef Khalidi (CVP Azure Networking) mentions in his preview announcement blog, the team will add more great capabilities, like Azure Active Directory and MFA support, as well as support for native RDP and SSH clients.

The Azure networking and compute team are doing more great work on creating a great Azure IaaS experience. I hope this gives you an overview of how you can get a private RDP or SSH access to your Azure VM. If you want to know more about the Azure Bastion service, check out the Microsoft Docs for more information. If you have any questions, feel free to leave a comment.


Nov282018November 28, 2018April 28, 20192Commentsby Thomas Maurer
Azure Live Migration

Azure uses Live Migration for VMs

Posted in Cloud, Hyper-V, Microsoft, Microsoft Azure, Virtualization, Windows Server, Work

If you have worked with Azure in the past, you might have been aware that Azure didn’t have live migration for VMs hosted in Azure for a long time. This had an impact for customers in terms of VM up-time during host maintenance. You basically got emails, that the host your VMs were running is going into maintenance during a specific time, and you will have a possible outage. Microsoft Hyper-V, which is the Hypervisor in Azure, had Live Migration for a long time. Today, Microsoft revealed that they are using Live Migration in Azure since early 2018 to move virtual machines in cases of rack maintenance and software and BIOS updates, as well as hardware faults.

But Microsoft didn’t stop there, they made even better using Machine Learning. Predictive ML helps Microsoft to detect proactively failure and do failure predictions. And in case a hardware failure is predicted, Microsoft can move the virtual machines from that host without downtime, using live migration.

To further push the envelope on live migration, we knew we needed to look at the proactive use of these capabilities, based on good predictive signals. Using our deep fleet telemetry, we enabled machine learning (ML)-based failure predictions and tied them to automatic live migration for several hardware failure cases, including disk failures, IO latency, and CPU frequency anomalies.

 

We partnered with Microsoft Research (MSR) on building our ML models that predict failures with a high degree of accuracy before they occur. As a result, we’re able to live migrate workloads off “at-risk” machines before they ever show any signs of failing. This means VMs running on Azure can be more reliable than the underlying hardware.

Microsoft talks in a blog post more about Live Migration in Azure and goes more in details about the challenges and how live migration in Azure works. It is great to see Microsoft adding features to improve VM resiliency with features like live migration and machine learning technology.


Jul042018July 4, 2018June 10, 20191Commentby Thomas Maurer
Inked Azure Security Center Just in time VM access_LI

Azure – Just in Time VM access

Posted in Cloud, Microsoft, Microsoft Azure, PowerShell, Virtualization, Windows Server, Work

If you run virtual machines with a public IP address connected to the internet, attackers immediately try to run attacks against it. Brute force attacks commonly target management ports, like RDP or SSH, to gain access to a VM. If the attacker is successful, he can take control over the VM and access other resources in the environment. To address that issue it is highly recommended to reduce the ports open, especially for the management ports. However, sometimes you will need to open to ports for some of the virtual machines for management tasks. Microsoft Azure has a simple way to address this issue, called Azure JIT virtual machine (VM) access. Just in time VM access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.

To find more about Just-in-time virtual machine access in Azure Security, check out the Microsoft Docs.

How does Azure Just in Time VM Access work

In the Azure Security Center, you can enable just in time VM access; this will create a Network Security Rule (NSG) to lock down inbound traffic to the Azure VM. During the initial JIT VM access configuration, you will be configuring the ports specified, which will be managed by Azure Security Center, these ports will be locked down by the Azure Security Center using an NSGs.

Configure Azure JIT VM access

Inked Configure Just in time VM access_LI

Azure JIT VM access is configured in the Azure Security Center. To configure and enable JIT on a virtual machine open up the Azure Security Center and click on Just in time VM access.

Here you will find three states, Configured, Recommended and No recommendation.

  • Configured – VMs that have been set to support just in time VM access. The data presented is for the last week and includes for each VM the number of approved requests, last access date and time, and last user.
  • Recommended – VMs that can support just in time VM access but have not been configured to. We recommend that you enable just in time VM access control for these VMs. See Configuring a just in time access policy.
  • No recommendation – Reasons that can cause a VM not to be recommended are:
    • Missing NSG – The just in time solution requires an NSG to be in place.
    • Classic VM – Security Center just in time VM access currently supports only VMs deployed through Azure Resource Manager. A classic deployment is not supported by the just in time solution.
    • Other – A VM is in this category if the just in time solution is turned off in the security policy of the subscription or the resource group, or that the VM is missing a public IP and doesn’t have an NSG in place.

To configure you click on Recommended and select the Virtual Machine, for which you want to enable JIT.

Click on Enable JIT on VMs and configure the ports which should be managed by Just in time VM Access. Just in time VM access will recommend some default ports like RDP, SSH, and PowerShell Remoting. You can also add other ports to the virtual machine if you want or need to.

Requesting Just in time VM Access for Azure Virtual Machine

Request Just in time VM access

On the Configured section, you can select the VM you want to request access to and click on Request access. You can now choose the ports you want to be open for a specific time and a particular IP address. This will open up the ports, and after 2-3 minutes, you will be able to access the virtual machine.

To send such a request, the user who requests access to the Virtual Machine needs to have write access to the virtual machines in the Azure Role-Based Access Control (RBAC).

Auditing access activity

Of course, all the request get logged and can be reviewed in the Activity Log.

Licensing

Azure just in time VM access is licensed over Azure Security Center and needs the Standard Tier to be enabled for the specific virtual machine.

I hope this gives you an idea of how you can leverage Just in time VM access in Azure for your workloads.



  • Follow Me

  • About

    Thomas Maurer

    My name is Thomas Maurer. I am a Senior Cloud Advocate at Microsoft. I am part of the Azure engineering team (Cloud + AI) and engage with the community and customers around the world. I am located in Switzerland. I am focusing on Microsoft technologies, especially cloud and datacenter solutions based on Microsoft Azure, Azure Stack and Windows Server. Opinions are my own.

  • Sponsor

  • Sponsor

    Starwind Virtual SAN

  • Sponsor

    Vembu BDR Suite

  • Sponsor

    Altaro Ad