Jit Network Access Policies - Initiate

Service:

Defender for Cloud

API Version:

2020-01-01

從特定的 Just-In-Time 原則設定起始 JIT 存取。

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/locations/{ascLocation}/jitNetworkAccessPolicies/{jitNetworkAccessPolicyName}/initiate?api-version=2020-01-01

URI 參數

名稱	位於	必要	類型	Description
ascLocation	path	True	string	ASC 儲存訂閱數據的位置。 可以從取得位置擷取
jitNetworkAccessPolicyInitiateType	path	True	JitNetworkAccessPolicyInitiateType	在 Just-In-Time 存取原則上要執行的動作類型。
jitNetworkAccessPolicyName	path	True	string	Just-In-Time 存取設定原則的名稱。
resourceGroupName	path	True	string	用戶訂用帳戶內的資源組名。 名稱不區分大小寫。 Regex pattern: ^[-\w\._\(\)]+$
subscriptionId	path	True	string	Azure 訂用帳戶識別碼 Regex pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$
api-version	query	True	string	作業的 API 版本

要求本文

名稱	必要	類型	Description
virtualMachines	True	JitNetworkAccessPolicyInitiateVirtualMachine[]	要開啟存取權的虛擬機清單 & 埠
justification		string	提出起始要求的理由

回應

名稱	類型	Description
202 Accepted	JitNetworkAccessRequest	已接受
Other Status Codes	CloudError	描述作業失敗原因的錯誤回應。

安全性

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

名稱	Description
user_impersonation	模擬您的用戶帳戶

範例

Initiate an action on a JIT network access policy

Sample Request

HTTP

POST https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/jitNetworkAccessPolicies/default/initiate?api-version=2020-01-01

{
  "virtualMachines": [
    {
      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
      "ports": [
        {
          "number": 3389,
          "duration": "PT1H",
          "allowedSourceAddressPrefix": "192.127.0.2"
        }
      ]
    }
  ],
  "justification": "testing a new version of the product"
}

Java

import com.azure.resourcemanager.security.models.JitNetworkAccessPolicyInitiatePort;
import com.azure.resourcemanager.security.models.JitNetworkAccessPolicyInitiateRequest;
import com.azure.resourcemanager.security.models.JitNetworkAccessPolicyInitiateVirtualMachine;
import java.util.Arrays;

/** Samples for JitNetworkAccessPolicies Initiate. */
public final class Main {
    /*
     * x-ms-original-file: specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/JitNetworkAccessPolicies/InitiateJitNetworkAccessPolicy_example.json
     */
    /**
     * Sample code: Initiate an action on a JIT network access policy.
     *
     * @param manager Entry point to SecurityManager.
     */
    public static void initiateAnActionOnAJITNetworkAccessPolicy(
        com.azure.resourcemanager.security.SecurityManager manager) {
        manager
            .jitNetworkAccessPolicies()
            .initiateWithResponse(
                "myRg1",
                "westeurope",
                "default",
                new JitNetworkAccessPolicyInitiateRequest()
                    .withVirtualMachines(
                        Arrays
                            .asList(
                                new JitNetworkAccessPolicyInitiateVirtualMachine()
                                    .withId(
                                        "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1")
                                    .withPorts(
                                        Arrays
                                            .asList(
                                                new JitNetworkAccessPolicyInitiatePort()
                                                    .withNumber(3389)
                                                    .withAllowedSourceAddressPrefix("192.127.0.2")))))
                    .withJustification("testing a new version of the product"),
                com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Go

package armsecurity_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/e716082ac474f182e2220e4f38f1d6191e7636cf/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/JitNetworkAccessPolicies/InitiateJitNetworkAccessPolicy_example.json
func ExampleJitNetworkAccessPoliciesClient_Initiate() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armsecurity.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	_, err = clientFactory.NewJitNetworkAccessPoliciesClient().Initiate(ctx, "myRg1", "westeurope", "default", armsecurity.JitNetworkAccessPolicyInitiateRequest{
		Justification: to.Ptr("testing a new version of the product"),
		VirtualMachines: []*armsecurity.JitNetworkAccessPolicyInitiateVirtualMachine{
			{
				ID: to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1"),
				Ports: []*armsecurity.JitNetworkAccessPolicyInitiatePort{
					{
						AllowedSourceAddressPrefix: to.Ptr("192.127.0.2"),
						Number:                     to.Ptr[int32](3389),
					}},
			}},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

JavaScript

const { SecurityCenter } = require("@azure/arm-security");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Initiate a JIT access from a specific Just-in-Time policy configuration.
 *
 * @summary Initiate a JIT access from a specific Just-in-Time policy configuration.
 * x-ms-original-file: specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/JitNetworkAccessPolicies/InitiateJitNetworkAccessPolicy_example.json
 */
async function initiateAnActionOnAJitNetworkAccessPolicy() {
  const subscriptionId =
    process.env["SECURITY_SUBSCRIPTION_ID"] || "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
  const resourceGroupName = process.env["SECURITY_RESOURCE_GROUP"] || "myRg1";
  const ascLocation = "westeurope";
  const jitNetworkAccessPolicyName = "default";
  const body = {
    justification: "testing a new version of the product",
    virtualMachines: [
      {
        id: "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
        ports: [
          { allowedSourceAddressPrefix: "192.127.0.2", number: 3389, endTimeUtc: new Date() },
        ],
      },
    ],
  };
  const credential = new DefaultAzureCredential();
  const client = new SecurityCenter(credential, subscriptionId);
  const result = await client.jitNetworkAccessPolicies.initiate(
    resourceGroupName,
    ascLocation,
    jitNetworkAccessPolicyName,
    body
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

dotnet

using System;
using System.Threading.Tasks;
using System.Xml;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Resources;
using Azure.ResourceManager.SecurityCenter;
using Azure.ResourceManager.SecurityCenter.Models;

// Generated from example definition: specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/JitNetworkAccessPolicies/InitiateJitNetworkAccessPolicy_example.json
// this example is just showing the usage of "JitNetworkAccessPolicies_Initiate" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this JitNetworkAccessPolicyResource created on azure
// for more information of creating JitNetworkAccessPolicyResource, please refer to the document of JitNetworkAccessPolicyResource
string subscriptionId = "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
string resourceGroupName = "myRg1";
AzureLocation ascLocation = new AzureLocation("westeurope");
string jitNetworkAccessPolicyName = "default";
ResourceIdentifier jitNetworkAccessPolicyResourceId = JitNetworkAccessPolicyResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, ascLocation, jitNetworkAccessPolicyName);
JitNetworkAccessPolicyResource jitNetworkAccessPolicy = client.GetJitNetworkAccessPolicyResource(jitNetworkAccessPolicyResourceId);

// invoke the operation
JitNetworkAccessPolicyInitiateContent content = new JitNetworkAccessPolicyInitiateContent(new JitNetworkAccessPolicyInitiateVirtualMachine[]
{
new JitNetworkAccessPolicyInitiateVirtualMachine(new ResourceIdentifier("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1"),new JitNetworkAccessPolicyInitiatePort[]
{
new JitNetworkAccessPolicyInitiatePort(3389,DateTimeOffset.Parse("placeholder"))
{
AllowedSourceAddressPrefix = "192.127.0.2",
}
})
})
{
    Justification = "testing a new version of the product",
};
JitNetworkAccessRequestInfo result = await jitNetworkAccessPolicy.InitiateAsync(content);

Console.WriteLine($"Succeeded: {result}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample Response

Status code:

202

{
  "virtualMachines": [
    {
      "id": "/subscriptions/3eeab341-f466-499c-a8be-85427e154baf/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
      "ports": [
        {
          "number": 3389,
          "allowedSourceAddressPrefix": "192.127.0.2",
          "endTimeUtc": "2018-07-12T09:53:03.3658798Z",
          "status": "Initiating",
          "statusReason": "UserRequested"
        }
      ]
    }
  ],
  "startTimeUtc": "2018-07-12T08:53:03.3658798Z",
  "requestor": "barbara@contoso.com",
  "justification": "testing a new version of the product"
}

定義

名稱	Description
CloudError	所有 Azure Resource Manager API 的常見錯誤回應，以傳回失敗作業的錯誤詳細數據。 (這也會遵循 OData 錯誤回應格式。) 。
CloudErrorBody	錯誤詳細數據。
ErrorAdditionalInfo	資源管理錯誤其他資訊。
JitNetworkAccessPolicyInitiatePort
JitNetworkAccessPolicyInitiateRequest
JitNetworkAccessPolicyInitiateType	在 Just-In-Time 存取原則上要執行的動作類型。
JitNetworkAccessPolicyInitiateVirtualMachine
JitNetworkAccessRequest
JitNetworkAccessRequestPort
JitNetworkAccessRequestVirtualMachine
status	埠的狀態
statusReason	為何 status 具有其值的描述

CloudError

所有 Azure Resource Manager API 的常見錯誤回應，以傳回失敗作業的錯誤詳細數據。 (這也會遵循 OData 錯誤回應格式。) 。

名稱	類型	Description
error.additionalInfo	ErrorAdditionalInfo[]	錯誤其他資訊。
error.code	string	錯誤碼。
error.details	CloudErrorBody[]	錯誤詳細資料。
error.message	string	錯誤訊息。
error.target	string	錯誤目標。

CloudErrorBody

錯誤詳細數據。

名稱	類型	Description
additionalInfo	ErrorAdditionalInfo[]	錯誤其他資訊。
code	string	錯誤碼。
details	CloudErrorBody[]	錯誤詳細資料。
message	string	錯誤訊息。
target	string	錯誤目標。

ErrorAdditionalInfo

資源管理錯誤其他資訊。

名稱	類型	Description
info	object	其他資訊。
type	string	其他信息類型。

JitNetworkAccessPolicyInitiatePort

名稱	類型	Description
allowedSourceAddressPrefix	string	允許流量的來源。 如果省略，則要求將會是起始要求的來源IP位址。
endTimeUtc	string	以 UTC 關閉要求的時間
number	integer

JitNetworkAccessPolicyInitiateRequest

名稱	類型	Description
justification	string	提出起始要求的理由
virtualMachines	JitNetworkAccessPolicyInitiateVirtualMachine[]	要開啟存取權的虛擬機清單 & 埠

JitNetworkAccessPolicyInitiateType

在 Just-In-Time 存取原則上要執行的動作類型。

名稱	類型	Description
initiate	string

JitNetworkAccessPolicyInitiateVirtualMachine

名稱	類型	Description
id	string	連結至此原則之虛擬機的資源標識碼
ports	JitNetworkAccessPolicyInitiatePort[]	要針對具有 之資源的開啟埠 id

JitNetworkAccessRequest

名稱	類型	Description
justification	string	提出起始要求的理由
requestor	string	提出要求的人員身分識別
startTimeUtc	string	以UTC為單位的要求開始時間
virtualMachines	JitNetworkAccessRequestVirtualMachine[]

JitNetworkAccessRequestPort

名稱	類型	Description
allowedSourceAddressPrefix	string	與 「allowedSourceAddressPrefixes」 參數互斥。 應該是IP位址或 CIDR，例如 「192.168.0.3」 或 「192.168.0.0/16」。。
allowedSourceAddressPrefixes	string[]	與 「allowedSourceAddressPrefix」 參數互斥。
endTimeUtc	string	要求以 UTC 結束的日期 & 時間
mappedPort	integer	如果適用，則對應至 Azure 防火牆 中此埠的number埠
number	integer
status	status	埠的狀態
statusReason	statusReason	為何 status 具有其值的描述

JitNetworkAccessRequestVirtualMachine

名稱	類型	Description
id	string	連結至此原則之虛擬機的資源標識碼
ports	JitNetworkAccessRequestPort[]	為虛擬機開啟的埠

status

埠的狀態

名稱	類型	Description
Initiated	string
Revoked	string

statusReason

為何 status 具有其值的描述

名稱	類型	Description
Expired	string
NewerRequestInitiated	string
UserRequested	string