Azure VM on JIT, temporary rule for port 3389 is not created so cannot RDP

Hi Benjamin Cleyndert.

Welcome to Microsoft Q&A, i hope you are doing great!

Thank you for reaching out with your query.

The behavior you're experiencing, where the JIT (Just-In-Time) access creates a rule for port 6516 but not for port 3389. can occur due to the way the JIT policy is configured or how the portal initiates those rules. Here are some steps and clarifications to help you troubleshoot and resolve the issue:

1. Check JIT Policy and Security Group Rules:

• Confirm that your Network Security Group (NSG) attached to the VM or subnet allows inbound RDP traffic on port 3389.

The JIT feature depends on the NSG rules to create the temporary rules. If port 3389 is not allowed or blocked, the system might not create or open it.

2. Validation of JIT Request and Rules:

• When requesting JIT access:
  • The portal may sometimes automatically open a temporary port (such as 6516 if configured), especially if custom port mappings are involved.
  • Verify that in the Azure Security Center / Azure Monitor logs, the JIT request attempts to open port 3389.

3. Difference in Behavior Between Users:

• The user where both rules are created might have different NSG configurations, existing rules, or JIT policies.
• Double-check the JIT policies assigned to your VM in Azure Security Center to ensure port 3389 is included in the allowed ports.

4. Manual Creation of RDP Rule:

• Since you need manual rules for port 3389:
  • You can add a temporary inbound security rule to allow port 3389 on the NSG.
  • After RDP is complete, remove or disable this rule to maintain security.

5. About the NIC Reset and Private IP Change:

• The 'Reset-Nic' command resets the NIC, which can cause the private IP address to change.
• To assign a fixed IP:
  • Set a static IP address in your subnet settings in the Azure portal.
  • You can reconfigure the NIC to have a specific private IP again, avoiding changes during resets.

6. Additional Recommendations:

• Check the JIT configuration in Azure Security Center: Make sure that port 3389 is explicitly included as an allowed port for your JIT policy. Use Azure Activity Log to review JIT requests and confirm if port 3389 is being attempted to open. You may also consider updating the JIT policy temporarily to explicitly include port 3389 if it is missing.

If you continue to experience issues or need further guidance on configuring JIT policies or NSGs, feel free to ask!

If you found the answer helpful, it would be great if you please mark it "Accept as answer". This will help others to find answers in Q&A.

Thanks,

Harish.

Hello Benjamin,

Thank you for posting question on Microsoft Windows Forum.

Based on your query of not being able to create rule port 3389 for RDP when using the 'Connect to my virtual machine' functionality. The potential causes might be of that the JIT access policy configured for your VM might have been customized to protect port 3389 differently, or that port 6516 has been defined as a custom port for management. Since a rule for port 6516 is created but not for the standard RDP port 3389. On the other hand, As JIT requires specific Azure RBAC permissions to request access. If the other user has a higher-level role, they might be able to request access to the default JIT ports (like 3389) while your role only permits access to specific, non-default ports (like 6516). You can try the following suggested troubleshooting steps for the issue.

1.Check the JIT policy for your VM.

• In the Azure portal, navigate to Microsoft Defender for Cloud → Just-in-time VM access.
• Select your VM and verify which ports are configured. If 3389 is not listed, add it.
• Save the policy, then request access again.

2.Check User Permissions.

• Ensure your account has Virtual Machine Administrator Login or Virtual Machine User Login roles
• Check if you have JIT Network Access Manager permissions

3.Network Security Group (NSG) Check.

1. Go to your VM's networking settings
2. Check the associated NSG
3. Ensure there are no conflicting rules blocking RDP
4. The JIT service should automatically manage NSG rules when properly configured.

4.Trying to disable and re-enable the JIT policy.

• In the JIT configuration, select the VM and click "Disable" to remove the JIT policy.
• Then, click "Enable" and configure the rules again.

You can refer to below article for more troubleshooting associated with the abovementioned issue.

• https://free.blessedness.top/en-us/troubleshoot/azure/virtual-machines/windows/troubleshoot-rdp-nsg-problem

Hope the above information is helpful!

hi Benjamin Cleyndert,

the portal is creating a rule for port 6516, which is used for the bastion service, but not for the direct RDP port 3389 that you need. this usually happens because of how the VM's network interface is configured.

the fact that it works for another user on the same VM is the key clue. the issue is likely with your specific network interface configuration or a cached setting in your browser.

try a hard refresh of the azure portal in your browser. sometimes the ui gets stuck on an old configuration. clear your browser cache or try using an incognito/private window.

if that doesn't work, the problem is likely that the vm's nic has an incorrect public ip association. the JIT service needs a public ip to create the rule for, and it might be getting confused.

go to your vm in the azure portal, and under the 'networking' settings, check which public ip address is associated with the network interface. make sure it's the correct one. you might need to disassociate and then re associate the public ip to refresh the configuration.

the 'reset nic' button you used is a nuclear option that can change the private ip, which is why your address shifted. it's best to avoid that unless absolutely necessary.

try a hard browser refresh first, then check and potentially reassign the public ip address on the vm's network interface.

regards,

Alex

and "yes" if you would follow me at Q&A - personaly thx.
P.S. If my answer help to you, please Accept my answer

https://ctrlaltdel.blog/