How can we improve Azure Networking?

← Networking

Bastion and JIT Access

Currently Bastion in Azure Portal doesn't work well with Security Center Just In Time (JIT) access. You need to go the RDP or SSH page 1st in order to request JIT for the private IP of the destination VM first and then go back to Bastion to make the connection. In addition, when you request JIT on private IP it adds a NSG rule to allow entire VNet. Can we please have JIT support on Bastion page and allow only the Bastion subnet.

60 votes
Vote
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Mike Wedderburn-Clarke (CSA) shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

2 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • AdminAzureBastionTeam (Admin, Microsoft Azure) commented  ·   ·  Flag as inappropriate

    Thank you for the feedback.

    Given Azure Bastion always uses target VM's private IP address to connect over RDP (will not use public IP even if the VM were to have it) and that you can define the rule on the target VM subnet to allow incoming 3389 only from AzureBastionSubnet, do you really see the need to use JIT in this scenario?

    Not to say that JIT integration is not in part of our roadmap, it is part of our backlog. But just checking more on your usecase in light of the above details I mentioned.

    Thanks,
    Ashish Jain
    Product Manager, Azure Bastion

Networking: Bastion

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice