Comparing Azure Bastion and JIT VM Access: Use Cases and Key Benefits

-
Azure Bastion Architecture and Comparison

The following guidance provides a quick summary of when to use Azure Bastion versus JIT VM Access based on your specific needs.

Brief Guidance:

Azure Bastion: Ideal for secure, web-based access without needing local software or public IP addresses, especially in environments with firewall restrictions.

JIT VM Access: Best for minimizing access time and costs, and when file transfers or traditional clients are required.

Use Case Azure Bastion JIT VM Access
Want to reduce costs for virtual machines accessible and used 24/7
Client computers are locked and cannot install RDP software
Need to transfer files
Corporate firewall does not have ports 3389 or 22 open
Azure Bastion Architecture Diagram

Architecture Explanation:

This diagram illustrates how Azure Bastion provides secure RDP/SSH access to VMs in an Azure region (Sweden). Azure Bastion, a managed PaaS service, enables connectivity via private IPs over TLS (port 443), eliminating the need to expose RDP (port 3389) or SSH (port 22) to the internet. Network Security Groups (NSGs) block direct RDP/SSH access from the internet, ensuring all traffic goes through Bastion. Azure Bastion supports VMs in multiple regions by deploying an instance per region.

Just-in-time (JIT) VM access Diagram

Architecture Explanation:

Just-in-time (JIT) VM access, a feature of Microsoft Defender for Cloud, lets you grant temporary access to a VM for a set time, unlike Azure Bastion. Once the time’s up, access is revoked by adjusting NSG and Azure Firewall rules. Benefits include using your preferred tools (like Remote Desktop), easy file management, and automatic security by restricting inbound traffic when not in use.

Key Features and Benefits Azure Bastion JIT VM Access
RDP and SSH via Azure Portal
Remote session over TLS (port 443) and firewall traversal
No public IP address required on the VM
No hassle managing Network Security Groups (NSGs)
Managed PaaS service (no separate bastion host)
Time-limited access to reduce costs
Flexibility for file transfer via traditional clients

Note: This section covered the architecture of Azure Bastion and JIT VM Access. Configuration and troubleshooting will be explored in the next episode.

Kommentarer

Skicka en kommentar

Populära inlägg i den här bloggen

Boost Your Graphics Power med GPU-acceleration i Azure Virtual Desktop!

-
Bild
  🎯 Purpose Optimize performance for Remote Desktop sessions by enabling GPU acceleration and video optimization via Microsoft Intune or Group Policy (GPO). 🧠 Prerequisites & Requirements Required skills: Basic knowledge of Windows device management Experience with Microsoft Intune or Group Policy Understanding of Remote Desktop (RDP/AVD) concepts Technical requirements: Windows 10/11 on session hosts GPU-enabled VMs (e.g., NVv3, NVadsA10 v5, NCasT4_v3) Microsoft HEVC codec installed on client devices Proper GPU drivers installed (NVIDIA GRID or AMD) 1. Sign in Go to: https://intune.microsoft.com 2. Create or edit a configuration profile Go to Devices > Configuration profiles Click Create profile Select: Platform: Windows 10 and later Profile type: Settings catalog 3. Add settings Click Add settings and browse to: Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host ...
Read more »

🚀 IntuneWin – Deploying Win32 Apps via Intune 🎯

-
Bild
🔹 Benefits of IntuneWin: ✅ Seamless app packaging 📦 ✅ Automated deployment ⚙️ ✅ Centralized cloud management ☁️ ✅ Support for installation & uninstallation 🔄 The IntuneWin format is a method for preprocessing Windows Classic (Win32) applications. The tool transforms application installation files into the .intunewin format. Once you apply this tool to the app packaging folder, you can create an app enrollment configuration that enables advanced deployment features, such as OS version dependencies and uninstallation methods for remote application removal. Win32 apps in Intune size limit of 30 GB per app. To start the configuration 1- First you need to download the Microsoft Win32 Content Prep Tool :  Microsoft Win32 Content Prep Tool 2-  Unzip the tool to a folder, E, C , F etc drive (you can choose any folder you like). 3- Save your application  in the same folder as the Content Prep tools.  4- Now we will create the .intunewin package using PowerS...
Read more »

Block Personal devices to acces to Desktop apps like teams, Onedrive etc and how to troubleshooting the issue.

-
Bild
  You can use Conditional Access to block users based on location, IP address, and more, but now we will talk about blocking access for users who are using personal devices 1. Navigate to Entra ID -> Protection -> Conditional Access and create a new policy. 2- Create new policy 3-   Name your policy Assign your policy to a user/group or to all users. If you assign the policy to all users, be sure to exclude the break-glass account. It's essential to always have a break-glass account in place. In case of an error, you could accidentally lock out all users, so make sure these accounts remain unaffected. 4- In the Target resources select All resources (formerly 'All cloud apps') 5- In the conditions: Device platforms: select which devices you want the policy to apply to. In my case i will select windows and MacOS  Client apps: check all boxes except Browser, which will block everything except the browser. Here’s the magic: In the Filter for devices, you can ...
Read more »