Bastion and JIT Access
Currently Bastion in Azure Portal doesn't work well with Security Center Just In Time (JIT) access. You need to go the RDP or SSH page 1st in order to request JIT for the private IP of the destination VM first and then go back to Bastion to make the connection. In addition, when you request JIT on private IP it adds a NSG rule to allow entire VNet. Can we please have JIT support on Bastion page and allow only the Bastion subnet.

4 comments
-
Samuel Murcio commented
Was able to get JIT & Bastion to work without any crazy workarounds. When you onboard the VM to JIT, edit the policy and supply the CIDR for the AzureBastionSubnet instead.
-
Jake Edwards commented
The access controls and logs are useful. either Bastion can be enhanced to provide more portal-facing logs or leverage JIT.
-
Mike Wedderburn-Clarke commented
Thanks Ashish,
In my opinion JIT is still useful in this scenario as you don't need to leave standing access open to the VM from internal subnets (as we know, many attacks originate inside the network), access is for a limited amount of time and you have a detailed and central JIT log of access rather than having to try to parse logs from multiple sources
-
Thank you for the feedback.
Given Azure Bastion always uses target VM's private IP address to connect over RDP (will not use public IP even if the VM were to have it) and that you can define the rule on the target VM subnet to allow incoming 3389 only from AzureBastionSubnet, do you really see the need to use JIT in this scenario?
Not to say that JIT integration is not in part of our roadmap, it is part of our backlog. But just checking more on your usecase in light of the above details I mentioned.
Thanks,
Ashish Jain
Product Manager, Azure Bastion