Jit Network Access Policies - List By Resource Group

Service:

Defender for Cloud

API Version:

2020-01-01

使用訂用帳戶、位置的 Just-In-Time 訪問控制來保護資源的原則

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Security/jitNetworkAccessPolicies?api-version=2020-01-01

URI 參數

名稱	位於	必要	類型	Description
resourceGroupName	path	True	string	用戶訂用帳戶內的資源組名。 名稱不區分大小寫。 Regex pattern: ^[-\w\._\(\)]+$
subscriptionId	path	True	string	Azure 訂用帳戶識別碼 Regex pattern: ^[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}$
api-version	query	True	string	作業的 API 版本

回應

名稱	類型	Description
200 OK	JitNetworkAccessPoliciesList	確定
Other Status Codes	CloudError	描述作業失敗原因的錯誤回應。

安全性

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

名稱	Description
user_impersonation	模擬您的用戶帳戶

範例

Get JIT network access policies on a resource group

Sample Request

HTTP

GET https://management.azure.com/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/jitNetworkAccessPolicies?api-version=2020-01-01

Java

/** Samples for JitNetworkAccessPolicies ListByResourceGroup. */
public final class Main {
    /*
     * x-ms-original-file: specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/JitNetworkAccessPolicies/GetJitNetworkAccessPoliciesResourceGroup_example.json
     */
    /**
     * Sample code: Get JIT network access policies on a resource group.
     *
     * @param manager Entry point to SecurityManager.
     */
    public static void getJITNetworkAccessPoliciesOnAResourceGroup(
        com.azure.resourcemanager.security.SecurityManager manager) {
        manager.jitNetworkAccessPolicies().listByResourceGroup("myRg1", com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Go

package armsecurity_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/security/armsecurity"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/e716082ac474f182e2220e4f38f1d6191e7636cf/specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/JitNetworkAccessPolicies/GetJitNetworkAccessPoliciesResourceGroup_example.json
func ExampleJitNetworkAccessPoliciesClient_NewListByResourceGroupPager() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armsecurity.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	pager := clientFactory.NewJitNetworkAccessPoliciesClient().NewListByResourceGroupPager("myRg1", nil)
	for pager.More() {
		page, err := pager.NextPage(ctx)
		if err != nil {
			log.Fatalf("failed to advance page: %v", err)
		}
		for _, v := range page.Value {
			// You could use page here. We use blank identifier for just demo purposes.
			_ = v
		}
		// If the HTTP response code is 200 as defined in example definition, your page structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
		// page.JitNetworkAccessPoliciesList = armsecurity.JitNetworkAccessPoliciesList{
		// 	Value: []*armsecurity.JitNetworkAccessPolicy{
		// 		{
		// 			Kind: to.Ptr("Basic"),
		// 			Location: to.Ptr("westeurope"),
		// 			Name: to.Ptr("default"),
		// 			Type: to.Ptr("Microsoft.Security/locations/jitNetworkAccessPolicies"),
		// 			ID: to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/jitNetworkAccessPolicies/default"),
		// 			Properties: &armsecurity.JitNetworkAccessPolicyProperties{
		// 				ProvisioningState: to.Ptr("Succeeded"),
		// 				Requests: []*armsecurity.JitNetworkAccessRequest{
		// 					{
		// 						Justification: to.Ptr("testing a new version of the product"),
		// 						Requestor: to.Ptr("barbara@contoso.com"),
		// 						StartTimeUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2018-05-17T08:06:45.569Z"); return t}()),
		// 						VirtualMachines: []*armsecurity.JitNetworkAccessRequestVirtualMachine{
		// 							{
		// 								ID: to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1"),
		// 								Ports: []*armsecurity.JitNetworkAccessRequestPort{
		// 									{
		// 										AllowedSourceAddressPrefix: to.Ptr("192.127.0.2"),
		// 										EndTimeUTC: to.Ptr(func() time.Time { t, _ := time.Parse(time.RFC3339Nano, "2018-05-17T09:06:45.569Z"); return t}()),
		// 										Number: to.Ptr[int32](3389),
		// 										Status: to.Ptr(armsecurity.StatusInitiated),
		// 										StatusReason: to.Ptr(armsecurity.StatusReasonUserRequested),
		// 								}},
		// 						}},
		// 				}},
		// 				VirtualMachines: []*armsecurity.JitNetworkAccessPolicyVirtualMachine{
		// 					{
		// 						ID: to.Ptr("/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1"),
		// 						Ports: []*armsecurity.JitNetworkAccessPortRule{
		// 							{
		// 								AllowedSourceAddressPrefix: to.Ptr("*"),
		// 								MaxRequestAccessDuration: to.Ptr("PT3H"),
		// 								Number: to.Ptr[int32](22),
		// 								Protocol: to.Ptr(armsecurity.ProtocolAll),
		// 							},
		// 							{
		// 								AllowedSourceAddressPrefix: to.Ptr("*"),
		// 								MaxRequestAccessDuration: to.Ptr("PT3H"),
		// 								Number: to.Ptr[int32](3389),
		// 								Protocol: to.Ptr(armsecurity.ProtocolAll),
		// 						}},
		// 				}},
		// 			},
		// 	}},
		// }
	}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

JavaScript

const { SecurityCenter } = require("@azure/arm-security");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Policies for protecting resources using Just-in-Time access control for the subscription, location
 *
 * @summary Policies for protecting resources using Just-in-Time access control for the subscription, location
 * x-ms-original-file: specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/JitNetworkAccessPolicies/GetJitNetworkAccessPoliciesResourceGroup_example.json
 */
async function getJitNetworkAccessPoliciesOnAResourceGroup() {
  const subscriptionId =
    process.env["SECURITY_SUBSCRIPTION_ID"] || "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
  const resourceGroupName = process.env["SECURITY_RESOURCE_GROUP"] || "myRg1";
  const credential = new DefaultAzureCredential();
  const client = new SecurityCenter(credential, subscriptionId);
  const resArray = new Array();
  for await (let item of client.jitNetworkAccessPolicies.listByResourceGroup(resourceGroupName)) {
    resArray.push(item);
  }
  console.log(resArray);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

dotnet

using System;
using System.Threading.Tasks;
using System.Xml;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Resources;
using Azure.ResourceManager.SecurityCenter;
using Azure.ResourceManager.SecurityCenter.Models;

// Generated from example definition: specification/security/resource-manager/Microsoft.Security/stable/2020-01-01/examples/JitNetworkAccessPolicies/GetJitNetworkAccessPoliciesResourceGroup_example.json
// this example is just showing the usage of "JitNetworkAccessPolicies_ListByResourceGroup" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this ResourceGroupResource created on azure
// for more information of creating ResourceGroupResource, please refer to the document of ResourceGroupResource
string subscriptionId = "20ff7fc3-e762-44dd-bd96-b71116dcdc23";
string resourceGroupName = "myRg1";
ResourceIdentifier resourceGroupResourceId = ResourceGroupResource.CreateResourceIdentifier(subscriptionId, resourceGroupName);
ResourceGroupResource resourceGroupResource = client.GetResourceGroupResource(resourceGroupResourceId);

// invoke the operation and iterate over the result
await foreach (JitNetworkAccessPolicyResource item in resourceGroupResource.GetJitNetworkAccessPoliciesAsync())
{
    // the variable item is a resource, you could call other operations on this instance as well
    // but just for demo, we get its data from this resource instance
    JitNetworkAccessPolicyData resourceData = item.Data;
    // for demo we just print out the id
    Console.WriteLine($"Succeeded on id: {resourceData.Id}");
}

Console.WriteLine($"Succeeded");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample Response

Status code:

200

{
  "value": [
    {
      "kind": "Basic",
      "properties": {
        "virtualMachines": [
          {
            "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
            "ports": [
              {
                "number": 22,
                "protocol": "*",
                "allowedSourceAddressPrefix": "*",
                "maxRequestAccessDuration": "PT3H"
              },
              {
                "number": 3389,
                "protocol": "*",
                "allowedSourceAddressPrefix": "*",
                "maxRequestAccessDuration": "PT3H"
              }
            ]
          }
        ],
        "requests": [
          {
            "virtualMachines": [
              {
                "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Compute/virtualMachines/vm1",
                "ports": [
                  {
                    "number": 3389,
                    "allowedSourceAddressPrefix": "192.127.0.2",
                    "endTimeUtc": "2018-05-17T09:06:45.5691611Z",
                    "status": "Initiated",
                    "statusReason": "UserRequested"
                  }
                ]
              }
            ],
            "startTimeUtc": "2018-05-17T08:06:45.5691611Z",
            "requestor": "barbara@contoso.com",
            "justification": "testing a new version of the product"
          }
        ],
        "provisioningState": "Succeeded"
      },
      "id": "/subscriptions/20ff7fc3-e762-44dd-bd96-b71116dcdc23/resourceGroups/myRg1/providers/Microsoft.Security/locations/westeurope/jitNetworkAccessPolicies/default",
      "name": "default",
      "type": "Microsoft.Security/locations/jitNetworkAccessPolicies",
      "location": "westeurope"
    }
  ]
}

定義

名稱	Description
CloudError	所有 Azure Resource Manager API 的常見錯誤回應，以傳回失敗作業的錯誤詳細數據。 (這也會遵循 OData 錯誤回應格式.) 。
CloudErrorBody	錯誤詳細數據。
ErrorAdditionalInfo	資源管理錯誤其他資訊。
JitNetworkAccessPoliciesList
JitNetworkAccessPolicy
JitNetworkAccessPolicyVirtualMachine
JitNetworkAccessPortRule
JitNetworkAccessRequest
JitNetworkAccessRequestPort
JitNetworkAccessRequestVirtualMachine
protocol
status	埠的狀態
statusReason	為何 status 具有其值的描述

CloudError

所有 Azure Resource Manager API 的常見錯誤回應，以傳回失敗作業的錯誤詳細數據。 (這也會遵循 OData 錯誤回應格式.) 。

名稱	類型	Description
error.additionalInfo	ErrorAdditionalInfo[]	錯誤其他資訊。
error.code	string	錯誤碼。
error.details	CloudErrorBody[]	錯誤詳細資料。
error.message	string	錯誤訊息。
error.target	string	錯誤目標。

CloudErrorBody

錯誤詳細數據。

名稱	類型	Description
additionalInfo	ErrorAdditionalInfo[]	錯誤其他資訊。
code	string	錯誤碼。
details	CloudErrorBody[]	錯誤詳細資料。
message	string	錯誤訊息。
target	string	錯誤目標。

ErrorAdditionalInfo

資源管理錯誤其他資訊。

名稱	類型	Description
info	object	其他資訊。
type	string	其他信息類型。

JitNetworkAccessPoliciesList

名稱	類型	Description
nextLink	string	要擷取下一頁的 URI。
value	JitNetworkAccessPolicy[]

JitNetworkAccessPolicy

名稱	類型	Description
id	string	資源標識碼
kind	string	資源的種類
location	string	儲存資源的位置
name	string	資源名稱
properties.provisioningState	string	取得 Just-In-Time 原則的布建狀態。
properties.requests	JitNetworkAccessRequest[]
properties.virtualMachines	JitNetworkAccessPolicyVirtualMachine[]	Microsoft.Compute/virtualMachines 資源類型的組態。
type	string	資源類型

JitNetworkAccessPolicyVirtualMachine

名稱	類型	Description
id	string	連結至此原則之虛擬機的資源標識碼
ports	JitNetworkAccessPortRule[]	虛擬機的埠組態
publicIpAddress	string	如果適用，則連結至此原則之 Azure 防火牆 的公用IP位址

JitNetworkAccessPortRule

名稱	類型	Description
allowedSourceAddressPrefix	string	與 「allowedSourceAddressPrefixes」 參數互斥。 應該是IP位址或 CIDR，例如 「192.168.0.3」 或 「192.168.0.0/16」。。
allowedSourceAddressPrefixes	string[]	與 「allowedSourceAddressPrefix」 參數互斥。
maxRequestAccessDuration	string	您可以針對最大持續時間要求。 ISO 8601 持續時間格式。 至少 5 分鐘，最多 1 天
number	integer
protocol	protocol

JitNetworkAccessRequest

名稱	類型	Description
justification	string	提出起始要求的理由
requestor	string	提出要求的人員身分識別
startTimeUtc	string	UTC 要求開始時間
virtualMachines	JitNetworkAccessRequestVirtualMachine[]

JitNetworkAccessRequestPort

名稱	類型	Description
allowedSourceAddressPrefix	string	與 「allowedSourceAddressPrefixes」 參數互斥。 應該是IP位址或 CIDR，例如 「192.168.0.3」 或 「192.168.0.0/16」。。
allowedSourceAddressPrefixes	string[]	與 「allowedSourceAddressPrefix」 參數互斥。
endTimeUtc	string	要求以 UTC 結束的日期 & 時間
mappedPort	integer	如果適用，則對應至 Azure 防火牆 中此埠的number埠
number	integer
status	status	埠的狀態
statusReason	statusReason	為何 status 具有其值的描述

JitNetworkAccessRequestVirtualMachine

名稱	類型	Description
id	string	連結至此原則之虛擬機的資源標識碼
ports	JitNetworkAccessRequestPort[]	為虛擬機開啟的埠

protocol

名稱	類型	Description
*	string
TCP	string
UDP	string

status

埠的狀態

名稱	類型	Description
Initiated	string
Revoked	string

statusReason

為何 status 具有其值的描述

名稱	類型	Description
Expired	string
NewerRequestInitiated	string
UserRequested	string