Azure JIT VM Access

Can we integrate Azure JIT VMs with Hashicorp Vault?
Port 3389 is disabled for Azure JIT-enabled VMs. How do we onboard HashiCorp Vault for Azure JIT-enabled VMs?


Are you looking to access Vault from a VM with JIT enabled, or do you want to deploy Vault on a VM with JIT enabled and have other VMs access Vault?

We want to deploy Vault on a VM with JIT enabled and have other VMs access Vault.

Unless I am misunderstanding the use case, this should in theory work. JIT is designed to limit access to common management ports such as SSH (22) and RDP (3389) so those do not need to be left open. Even with JIT enabled, if you already have rules for those ports, they would take precedence over the JIT rule. From the Azure documentation:

    If other rules already exist for the selected ports, then those existing rules take priority over the new "deny all inbound traffic" rules. If there are no existing rules on the selected ports, then the new rules take top priority in the NSG and Azure Firewall.


I don't have an Azure environment I can validate this in, but from everything I can see, as long as your rule to permit 8200 is before the deny-all rule, this should work.

If you're also trying to limit access on 8200, you would need to build some automation to request JIT access. It looks like Microsoft provides examples for PowerShell and the Defender for Cloud API here: Enable just-in-time access on VMs - Microsoft Defender for Cloud | Microsoft Learn
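The following is an added example, not part of the thread, showing how the advice in the answer above can be applied and verified with the Az PowerShell modules (Az.Network and Az.Security). It adds an Allow rule for Vault's listener port (8200) ahead of anything JIT might add, then checks which rule the NSG actually evaluates first for that port, and finally shows the optional JIT request if 8200 itself is put under JIT. The resource group, NSG, VM name, client address range and source IP are placeholders (assumptions); the JIT request hashtable follows the shape used in the Microsoft Learn PowerShell examples the answer links to.

```powershell
# Added example (not from the thread). Assumes Connect-AzAccount has been run and the
# Az.Network / Az.Security modules are installed. All names and address ranges are placeholders.
$ResourceGroup = 'rg-vault'        # assumption
$NsgName       = 'nsg-vault'       # assumption: NSG attached to the Vault VM's NIC or subnet
$VaultVmName   = 'vm-vault'        # assumption
$VaultPort     = 8200              # Vault's default API/UI listener port
$ClientCidr    = '10.10.0.0/16'    # assumption: address space of the VMs that call Vault

# Does one DestinationPortRange entry ('*', '8200', '8000-8300') cover the port?
function Test-PortCovered {
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

# Inbound rules that match the port, in NSG evaluation order: the lowest Priority
# number is evaluated first and evaluation stops at the first match.
function Get-RulesForPort {
    param($Nsg, [int]$Port)
    Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $Nsg |
        Where-Object {
            $_.Direction -eq 'Inbound' -and
            ($_.DestinationPortRange | Where-Object { Test-PortCovered $_ $Port })
        } |
        Sort-Object Priority
}

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName

# 1. Make sure an explicit Allow for 8200 exists. Priority 100 leaves room above it;
#    whether it really evaluates before any JIT deny rule is confirmed in step 2.
if (-not ($nsg.SecurityRules | Where-Object Name -eq 'Allow-Vault-8200')) {
    $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Allow-Vault-8200' `
        -Description 'Vault API/UI from internal clients' -Access Allow -Protocol Tcp `
        -Direction Inbound -Priority 100 -SourceAddressPrefix $ClientCidr -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $VaultPort
    $nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
}

# 2. Verify that the first rule matching 8200 is our Allow and not a Deny (JIT or otherwise).
$first = Get-RulesForPort -Nsg $nsg -Port $VaultPort | Select-Object -First 1
if ($null -eq $first -or $first.Access -ne 'Allow') {
    throw "Port $VaultPort is not allowed ahead of deny rules in $NsgName (first match: $($first.Name))"
}
"First match for port ${VaultPort}: $($first.Name) (priority $($first.Priority), $($first.Access))"

# 3. Optional: if 8200 is itself placed under JIT, request a time-boxed opening for one
#    client IP. The port must already be part of the VM's JIT policy (named 'default' in
#    the Microsoft examples) for the request to be accepted.
$vmId  = (Get-AzVM -ResourceGroupName $ResourceGroup -Name $VaultVmName).Id
$until = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
$request = @(@{
    id    = $vmId
    ports = @(@{
        number                     = $VaultPort
        endTimeUtc                 = $until
        allowedSourceAddressPrefix = @('10.10.1.4')   # assumption: the requesting client's IP
    })
})
Start-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroup -Location $nsg.Location `
    -Name 'default' -VirtualMachine $request
```

Two caveats worth keeping in mind when running this: the precedence check only inspects the one NSG it loads, so if the Vault VM has both a subnet-level and a NIC-level NSG, traffic must be allowed by both and the check should be run against each; and the JIT request in step 3 only makes sense if you have deliberately added 8200 to the JIT policy, otherwise the explicit Allow rule from step 1 is all that is needed for the other VMs to reach Vault.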