Powershell: Azure submitting JIT Request via Powershell

Summary:

If you make use of Azure Security Center w/ your VM's, you can enable Just in Time VM Access (JIT).  This allows you to open up ports for a finite period of time to access your VM via its public IP.  I make use of this a lot working in my environments to sshuttle in.  Connection will stay active as long as I maintain it, otherwise I get disconnected and have to go through JIT process again.

Anyway, going through the portal can get very cumbersome requesting this access, so you can use the below powershell example to automate opening ports, setting time frame, and setting an allowed public IP address source.

Comments

Anonymous said…
Works great, would you be able to provide something similar with the ability to request multiple ports?
I have been looking around and struggling to get a modified version of this working to request multiple ports.
Zsoldier said…
So took a look. There are two parts to this, one is the policy applied to the system. Policies will only allow certain ports, so you may be limited there. Not actually sure how to determine the allowed parameters.

Second appears to be the Microsoft.Azure.Commands.Security.Models.JitNetworkAccessPolicies.PSSecurityJitNetworkAccessPolicyInitiatePort object would allow an array, but does not appear designed as such.

To get around the second part, you can simply utilize the function w/o defaults populated and build around using a loop for all the ports you want and submit several JIT requests at a time. Like so
#Remove the defaults from param block.
$AzureVMName="myvmname",
$SubscriptionID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
$AllowedSourceIP = (Invoke-Restmethod http://ipinfo.io/json).ip,
$TimeRequested=(get-date).AddHours(3),
$PortRequested,
$JITPolicyName = "default"

#loop through the ports you want.
$ports = @(22,3389,443)
Foreach ($port in $ports){
Request-AZJIT -portrequested $port
}


It's not super ideal, but should work.

Popular posts from this blog

NSX-T: Release associated invalid node ID from certificate

NSX-T: vCenter and NSX-T Inventory out of Sync (Hosts in vSphere not showing up in NSX-T)

MacOS: AnyConnect VPN client was unable to successfully verify the IP forwarding table modifications.