Multi-layered protection for Azure virtual machine access
Updated: Nov 24
This solution provides a multi-layered approach for protecting virtual machines (VMs) in Azure. Users need to connect to VMs for management and administrative purposes. It's critical to minimize the attack surface that connectivity creates.
By incorporating several protection mechanisms, this solution achieves non-persistent granular access to VMs. It aligns with the principle of least privilege (PoLP) and the concept of separation of duties. To reduce exposure to attacks, this solution locks down inbound traffic to VMs, but it makes VM connections accessible when needed. Implementing this type of protection minimizes the risk of many popular cyber-attacks on VMs, such as brute-force attacks and distributed denial-of-service (DDoS) attacks.
This solution uses many Azure services and features, including:
Azure Active Directory (Azure AD) Privileged Identity Management (PIM).
The just-in-time (JIT) VM access feature of Microsoft Defender for Cloud.
Azure role-based access control (Azure RBAC) custom roles.
Azure AD Conditional Access, optionally.
Defense in depth is the main idea behind this architecture. This strategy challenges users with several lines of defense before granting them access to VMs. The goal is to ensure that:
Each user is legitimate.
Each user has legal intentions.
Communication is secure.
Access to VMs in Azure is only provided when needed.
The defense in depth strategy and the solution in this article apply to many scenarios:
An administrator needs to access an Azure VM under these circumstances:
The administrator needs to troubleshoot an issue, investigate behavior, or apply a critical update.
The administrator uses Remote Desktop Protocol (RDP) to access a Windows VM or secure shell (SSH) to access a Linux VM.
The access should include the minimum number of permissions that the work requires.
The access should be valid for only a limited time.
After the access expires, the system should lock down the VM access to prevent malicious access attempts.
Employees need access to a remote workstation that's hosted in Azure as a VM. The following conditions apply:
The employees should access the VM only during work hours.
The security system should consider requests to access the VM outside work hours unnecessary and malicious.
Users would like to connect to Azure VM workloads. The system should approve connections only from managed and compliant devices.
A system has experienced a tremendous number of brute-force attacks:
These attacks have targeted Azure VMs on RDP and SSH ports 3389 and 22.
The attacks have tried to guess the credentials.
The solution should prevent access ports such as 3389 and 22 from being exposed to the internet or on-premises environments.
This solution uses the following components:
Azure Virtual Machines is an infrastructure-as-a-service (IaaS) offering. You can use Virtual Machines to deploy on-demand, scalable computing resources. In production environments that use this solution, deploy your workloads on Azure VMs, then eliminate unnecessary exposure of your VMs and other Azure assets.
Azure AD is a cloud-based identity service that controls access to Azure and other cloud apps.
PIM is an Azure AD service that manages, controls, and monitors access to important resources. In this solution, this service:
Limits permanent administrator access to standard and custom privileged roles.
Provides just-in-time identity-based access to custom roles.
JIT VM access is a feature of Defender for Cloud that provides just-in-time network-based access to VMs. This feature adds a deny rule to the Azure network security group that protects the VM network interface or the subnet that contains the VM network interface. That rule minimizes the attack surface of the VM by blocking unnecessary communication to the VM. When a user requests access to the VM, the service adds a temporary allow rule to the network security group. Because the allow rule has higher priority than the deny rule, the user can connect to the VM. Azure Bastion is the preferred way to connect to the VM, but the user can also use a direct RDP or SSH session.
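The following added example is not code from the original article or from Defender for Cloud; it is a small simulation of the network security group behaviour described above, written to show why the temporary allow rule wins. In an NSG, a lower priority number is evaluated first, so the JIT allow rule (here priority 100) takes precedence over the baseline deny rules (here 1000 and up). Rule names, the requester IP addresses, the three-hour access window and the timestamps are constructed sample values, not values from Defender for Cloud.

```python
"""Simulation of JIT VM access: baseline NSG deny rules plus a temporary,
source-scoped allow rule that expires. Constructed example, not Azure code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class NsgRule:
    name: str
    priority: int                    # lower number = evaluated first (higher priority)
    access: str                      # "Allow" or "Deny"
    source: str                      # CIDR prefix, or "*" for any source
    dest_port: int                   # destination port, or 0 for any port
    expires: Optional[datetime] = None   # JIT rules carry an expiry; baseline rules do not


def rule_matches(rule: NsgRule, src_ip: str, port: int, now: datetime) -> bool:
    """A rule matches only while it is unexpired and its source/port constraints hold."""
    if rule.expires is not None and now >= rule.expires:
        return False
    if rule.source != "*" and ip_address(src_ip) not in ip_network(rule.source, strict=False):
        return False
    if rule.dest_port not in (0, port):
        return False
    return True


def evaluate(rules: List[NsgRule], src_ip: str, port: int, now: datetime) -> str:
    """First matching rule in ascending priority order decides; no match means Deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, src_ip, port, now):
            return rule.access
    return "Deny"


def jit_baseline(ports: List[int]) -> List[NsgRule]:
    """Constructed stand-in for the deny rules JIT adds for each protected port."""
    return [NsgRule(f"JIT-Deny-{p}", 1000 + i, "Deny", "*", p) for i, p in enumerate(ports)]


def request_jit_access(rules: List[NsgRule], requester_ip: str, port: int,
                       duration: timedelta, now: datetime, priority: int = 100) -> List[NsgRule]:
    """Add a temporary allow rule scoped to the requester's /32 and the requested port only."""
    allow = NsgRule(
        name=f"JIT-Allow-{port}-{requester_ip}",
        priority=priority,                 # numerically below the deny rules, so evaluated first
        access="Allow",
        source=f"{requester_ip}/32",
        dest_port=port,
        expires=now + duration,
    )
    return rules + [allow]


def demo() -> dict:
    """Walk through one access request: before, during (for several callers) and after the window."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)     # constructed timestamp
    rules = jit_baseline([22, 3389])
    before = evaluate(rules, "203.0.113.10", 3389, t0)
    rules = request_jit_access(rules, "203.0.113.10", 3389, timedelta(hours=3), t0)
    mid = t0 + timedelta(hours=1)
    return {
        "before": before,                                              # Deny: only the baseline rule matches
        "during": evaluate(rules, "203.0.113.10", 3389, mid),          # Allow: temporary rule wins
        "other_ip": evaluate(rules, "198.51.100.7", 3389, mid),        # Deny: not the requester's address
        "other_port": evaluate(rules, "203.0.113.10", 22, mid),        # Deny: SSH was not requested
        "after": evaluate(rules, "203.0.113.10", 3389, t0 + timedelta(hours=3)),  # Deny: rule expired
    }


if __name__ == "__main__":
    for phase, verdict in demo().items():
        print(f"{phase:>10}: {verdict}")
```

The point the walkthrough makes is that the allow rule is narrow on three axes at once: source address, destination port and time. Anything outside those bounds falls through to the baseline deny, which is what keeps ports 3389 and 22 closed between requests.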
Azure RBAC is an authorization system that provides fine-grained access management of Azure resources.
Azure RBAC custom roles provide a way to expand on Azure RBAC built-in roles. You can use them to assign permissions at levels that meet your organization's needs. These roles support PoLP: they grant only the permissions that a user needs for the task at hand. To access a VM in this solution, the user gets permissions for:
Using Azure Bastion.
Requesting JIT VM access in Defender for Cloud.
Reading or listing VMs.
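As an added example (not a role definition from the original article), the block below sketches what such a custom role looks like and how Azure RBAC decides whether a single role permits an operation: a request is permitted when it matches an entry in Actions and no entry in NotActions, with `*` matching any substring of the operation name. The role name, description and scope placeholders are assumptions; the operation names listed are real resource-provider operations for reading VMs, using Bastion and initiating JIT access, but the exact set an environment needs should be confirmed against the provider operation lists. The "Contributor-like" role used for comparison is constructed for contrast and is not the built-in Contributor definition.

```python
"""Custom-role sketch plus a minimal Azure RBAC action matcher.
Constructed example; scopes and names are placeholders."""
import fnmatch
import json
from typing import Dict, List

# Hypothetical least-privilege role for the scenario in the text.
CUSTOM_ROLE: Dict = {
    "Name": "VM JIT Operator (example)",
    "IsCustom": True,
    "Description": "Read VMs, connect through Bastion, and request JIT access. Example only.",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/bastionHosts/read",
        "Microsoft.Network/virtualNetworks/BastionHosts/action",
        "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
        "Microsoft.Security/locations/jitNetworkAccessPolicies/*/read",
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    # Placeholder scope; narrow it to the resource group that holds the VMs.
    "AssignableScopes": ["/subscriptions/<subscription-id>/resourceGroups/<resource-group>"],
}

# Constructed broad role for contrast (not the built-in Contributor definition).
CONTRIBUTOR_LIKE: Dict = {
    "Name": "Contributor-like (constructed)",
    "IsCustom": True,
    "Actions": ["*"],
    "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/<subscription-id>"],
}


def _matches(pattern: str, action: str) -> bool:
    # Azure RBAC matching is case-insensitive and '*' spans '/' separators,
    # which fnmatch already does because it treats '/' as an ordinary character.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_permits(role: Dict, action: str) -> bool:
    """Effective permissions of one role: anything in Actions that is not excluded by NotActions."""
    allowed = any(_matches(p, action) for p in role["Actions"])
    excluded = any(_matches(p, action) for p in role["NotActions"])
    return allowed and not excluded


def least_privilege_findings(role: Dict) -> List[str]:
    """Flag patterns a reviewer would question before assigning the role to VM operators."""
    findings = []
    for p in role["Actions"]:
        provider_wide = p.endswith("/*") and p.count("/") == 1   # e.g. Microsoft.Compute/*
        if p == "*" or p.startswith("*") or provider_wide:
            findings.append(f"over-broad action pattern: {p}")
    for scope in role["AssignableScopes"]:
        if scope == "/" or scope.startswith("/providers/Microsoft.Management/"):
            findings.append(f"very wide assignable scope: {scope}")
    return findings


def role_json(role: Dict) -> str:
    """Serialize in the shape accepted by 'az role definition create --role-definition'."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    for op in ("Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
               "Microsoft.Compute/virtualMachines/read",
               "Microsoft.Compute/virtualMachines/powerOff/action"):
        print(f"{op}: custom={role_permits(CUSTOM_ROLE, op)} broad={role_permits(CONTRIBUTOR_LIKE, op)}")
    print(least_privilege_findings(CONTRIBUTOR_LIKE))
    print(role_json(CUSTOM_ROLE))
```

The contrast is the practical takeaway: the broad role permits stopping or deleting VMs even though the operator only needs to view them and open a connection, while the narrow role confines the eligible identity (activated through PIM) to exactly the read, Bastion and JIT-initiate operations the solution calls for.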
Azure AD Conditional Access is a tool that Azure AD uses to control access to resources. Conditional Access policies support the zero trust security model. In this solution, the policies ensure that only authenticated users get access to Azure resources.
Azure Bastion provides secure and seamless RDP and SSH connectivity to VMs in a network. In this solution, users connect through Azure Bastion from Microsoft Edge or another internet browser over HTTPS, that is, secured traffic on port 443. Azure Bastion sets up the RDP connection to the VM. RDP and SSH ports aren't exposed to the internet or to the user's origin.