Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

4.1.1. Azure Bastion and Just-in-Time (JIT) VM Access

💡 First Principle: Traditional remote access (RDP/SSH) exposes management ports to attack. Azure Bastion and JIT minimize this exposure by eliminating public IPs and time-limiting access.

Scenario: Your security team needs to manage VMs but you cannot expose RDP/SSH ports to the internet.

Azure Bastion

  • Purpose: Secure RDP/SSH access without public IPs on VMs
  • How it works: Browser-based connection through Azure portal
  • Benefit: VMs never exposed to public internet
  • Requirement: Deploy Bastion in the VNet

Just-in-Time (JIT) VM Access

  • Purpose: Open management ports only when needed
  • How it works: Ports are blocked by default; a user requests access for a limited time window
  • Benefit: Reduces attack surface of open management ports
  • Requirement: Microsoft Defender for Servers enabled

⚠️ Security Best Practice: Combine JIT access with agentless vulnerability scanning (Defender for Servers Plan 2) to minimize attack surface while maintaining security visibility. See Section 4.3.1 for implementation details.
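To make the two controls above concrete, here is an added, offline posture check (example code written for this page, not MindMesh Academy's or Azure's own tooling). It walks a constructed inventory of VMs, their NSG inbound rules and a JIT policy, and reports three conditions the section describes: a VM with a public IP whose NSG lets the Internet reach SSH/RDP with no JIT policy covering that port (EXPOSED), a port that is under a JIT policy but is still allowed by the NSG, meaning the deny rule JIT should maintain is missing (JIT_DRIFT), and a VM with a public IP in a VNet that has no AzureBastionSubnet, so there is no Bastion path to replace the public IP (NO_BASTION). The inventory classes are a simplified, hypothetical mirror of the ARM resources, and every resource id, rule and subnet name is constructed; only the JIT policy dictionary follows the real policy shape.

```python
"""Offline posture check for Bastion and JIT coverage. Added example: the VM/NSG
classes are a hypothetical, simplified mirror of ARM resources; all ids, rules
and subnets below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MGMT_PORTS = (22, 3389)                              # SSH, RDP
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}    # NSG sources that include the public Internet
Finding = Tuple[str, str, Optional[int]]             # (vm name, code, port or None)


@dataclass
class NsgRule:
    name: str
    priority: int        # lower number is evaluated first; the first match decides
    access: str          # "Allow" or "Deny"
    direction: str       # "Inbound" or "Outbound"
    source: str          # address prefix or service tag
    dest_ports: str      # "22", "22,3389", "*", "3000-4000"


@dataclass
class Vm:
    vm_id: str           # ARM-style resource id (constructed)
    vnet: str
    public_ip: bool
    nsg_rules: List[NsgRule]


def port_matches(port: int, spec: str) -> bool:
    """True if an NSG destination port range string covers the port."""
    for part in (p.strip() for p in spec.split(",")):
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif part.isdigit() and int(part) == port:
            return True
    return False


def internet_can_reach(rules: List[NsgRule], port: int) -> bool:
    """Evaluate inbound rules as an NSG does: ascending priority, first match wins.
    Only rules whose source includes the Internet matter; if none match, the
    platform's default DenyAllInbound applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.direction == "Inbound" and rule.source in INTERNET_SOURCES
                and port_matches(port, rule.dest_ports)):
            return rule.access == "Allow"
    return False


def jit_covers(jit_policy: dict, vm_id: str, port: int) -> bool:
    """True if the JIT policy (jitNetworkAccessPolicies shape) lists this VM and port."""
    for vm in jit_policy.get("properties", {}).get("virtualMachines", []):
        if vm["id"].lower() == vm_id.lower():
            return any(p["number"] == port for p in vm.get("ports", []))
    return False


def audit(vms: List[Vm], vnet_subnets: Dict[str, List[str]], jit_policy: dict) -> List[Finding]:
    findings: List[Finding] = []
    for vm in vms:
        name = vm.vm_id.rsplit("/", 1)[-1]
        if not vm.public_ip:
            continue                              # no public IP: only a private/Bastion path exists
        for port in MGMT_PORTS:
            if not internet_can_reach(vm.nsg_rules, port):
                continue
            if jit_covers(jit_policy, vm.vm_id, port):
                findings.append((name, "JIT_DRIFT", port))   # JIT port should be denied outside a request
            else:
                findings.append((name, "EXPOSED", port))
        # Bastion requires a subnet named exactly AzureBastionSubnet in the VM's VNet
        if "AzureBastionSubnet" not in vnet_subnets.get(vm.vnet, []):
            findings.append((name, "NO_BASTION", None))
    return findings


# ---- constructed sample inventory ------------------------------------------
VM_PATH = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
           "/providers/Microsoft.Compute/virtualMachines/")
ANY_RDP = NsgRule("allow-rdp", 300, "Allow", "Inbound", "*", "3389")
ANY_SSH = NsgRule("allow-ssh", 200, "Allow", "Inbound", "Internet", "22")
JIT_DENY = NsgRule("jit-managed-deny", 100, "Deny", "Inbound", "*", "22,3389")
SAMPLE_VMS = [
    Vm(VM_PATH + "vm-web", "spoke-vnet", True, [ANY_RDP]),           # RDP open, no JIT, no Bastion
    Vm(VM_PATH + "vm-ops", "hub-vnet", True, [ANY_SSH]),             # JIT policy exists but NSG allows 22
    Vm(VM_PATH + "vm-jump", "hub-vnet", True, [JIT_DENY, ANY_RDP]),  # deny wins at priority 100
    Vm(VM_PATH + "vm-db", "spoke-vnet", False, [ANY_SSH]),           # no public IP
]
SAMPLE_SUBNETS = {"hub-vnet": ["AzureBastionSubnet", "mgmt"], "spoke-vnet": ["app", "data"]}
_PORT = {"protocol": "*", "allowedSourceAddressPrefix": "*", "maxRequestAccessDuration": "PT3H"}
SAMPLE_JIT = {"kind": "Basic", "properties": {"virtualMachines": [
    {"id": VM_PATH + "vm-ops", "ports": [dict(number=22, **_PORT)]},
    {"id": VM_PATH + "vm-jump", "ports": [dict(number=22, **_PORT), dict(number=3389, **_PORT)]},
]}}

if __name__ == "__main__":
    for finding in audit(SAMPLE_VMS, SAMPLE_SUBNETS, SAMPLE_JIT):
        print(finding)
```

Run stand-alone it prints three findings, all for vm-web and vm-ops; vm-jump is clean because its priority-100 deny rule is evaluated before the allow, which is exactly the state JIT leaves a port in outside an approved request, and vm-db is skipped because it has no public IP. In a real subscription the inventory would come from the Azure SDK or Resource Graph, but the evaluation logic is the same.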

Visual: Bastion vs. Public IP Access
Written by Alvin Varughese, Founder, 15 professional certifications