Why does JIT open NSG ports to ANY IP address?

The Guy From Eleven 6 Reputation points
2021-09-30T10:26:04.647+00:00

We've set up Just-in-Time access to our VMs using Azure Security Center, and also use Bastion to access machines within a subnet.

I assumed everything was locked down securely. However, for one public-facing VM, a connection was requested using "All configured IPs", then I saw a rule in the NSG created by JIT that opens ports 22, 3389, 5985, 5986 to any IP address.

This appears to be the default behaviour for JIT access requests. Can anyone clarify this is the case please?

If I configure ports myself in the Security Center, are there any IPs used by Azure services (e.g. logs) that need to be accounted for? I'm nervous about being insecure, but mindful Azure itself needs to access the machine in my absence...

Thank you.
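Added example, not part of the question or either answer: a Python check over NSG rule objects in the shape returned by `az network nsg rule list -o json` (field names as in the Azure CLI; the rule set below is constructed) that flags inbound Allow rules exposing any of the JIT ports 22, 3389, 5985 or 5986 to every source, which is the condition the poster found.

```python
# Management ports the JIT request in the question opened.
JIT_PORTS = {22, 3389, 5985, 5986}
# Source prefixes that mean "any IP" in an NSG rule.
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}


def _ports(rule):
    """Expand destinationPortRange(s) such as '3389' or '5985-5986' to a set."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    ports = set()
    for r in ranges:
        if r == "*":
            return set(range(65536))
        lo, _, hi = r.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _any_source(rule):
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return any(p.lower() in ANY_SOURCE for p in prefixes)


def find_open_mgmt_rules(rules):
    """Return (rule name, exposed JIT ports) for inbound Allow rules open to any source."""
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        if not _any_source(rule):
            continue
        exposed = sorted(_ports(rule) & JIT_PORTS)
        if exposed:
            findings.append((rule["name"], exposed))
    return findings


# Constructed sample rules (names and addresses are made up, not real JIT output).
SAMPLE_RULES = [
    {"name": "JIT-allow-all-constructed", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "3389", "5985-5986"]},
    {"name": "JIT-scoped-constructed", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.7/32", "destinationPortRange": "3389"},
    {"name": "AllowHttps", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "DenyAllInbound", "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for name, ports in find_open_mgmt_rules(SAMPLE_RULES):
        print(f"{name}: ports {ports} reachable from any IP")
```

Only the rule with source `*` and the JIT ports is reported; the scoped rule, the HTTPS rule and the Deny rule pass.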


2 answers

  1. Alan Kinane 16,791 Reputation points MVP
    2021-09-30T11:17:06.03+00:00

    Yes, if you don't configure the allowed source IP addresses then it will allow all by default.

    Regarding allowing Azure services, unless you are putting in explicit deny rules on top of the default NSG configuration you should be OK.


  2. Dan Oldenkamp 6 Reputation points
    2023-09-27T22:33:42.7333333+00:00

    How is this OK for the default behavior of Just-in-Time to allow all IPs from the internet to attempt RDP?

    This is infinitely worse than a static NSG rule. Note that most of my users are in countries where their public IP address changes daily.

    Why is there no option to deny the behavior of allow all?

    Can we get this obvious next step request added as a feature request on the roadmap or am I missing something?
