Exam SC-100 topic 3 question 22 discussion

Configure Azure Bastion: Azure Bastion is a service that allows you to securely connect to your Azure virtual machines over Remote Desktop Protocol (RDP) or Secure Shell (SSH) directly from the Azure portal, without the need to enable ports 3389 or 22 on the virtual machines. Azure Bastion uses Remote Desktop Services and Azure AD for authentication, providing a secure and convenient way to access the virtual machines. Enable just-in-time (JIT) VM access: JIT VM access is a feature of Azure Security Center that allows you to control and monitor inbound traffic to your virtual machines. By enabling JIT VM access, you can grant administrators access to the virtual machines only when required, and automatically revoke the access when the session ends. This helps prevent unauthorized access to the virtual machines and ensures that access is granted only to authorized administrators. Other actions, such as configuring Azure VPN Gateway, enabling Just Enough Administration (JEA), or enabling Azure AD Privileged Identity Management (PIM) roles as virtual machine contributors, may not be directly related to providing secure remote access to the virtual machines.

C. Azure Bastion is a fully managed service that provides more secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to virtual machines (VMs) without any exposure through public IP addresses. Provision the service directly in your local or peered virtual network to get support for all the VMs within it --> https://azure.microsoft.com/en-us/services/azure-bastion/#overview D --> https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview?tabs=defender-for-container-arch-aks

Here's a trick, B and C are complete solutions in themselves, the question says: "Each correct answer presents part of the solution" So I think the correct thing is: D. Enable just-in-time (JIT) VM access. E. Enable Azure Active Directory (Azure AD) Privileged Identity Management (PIM) roles as virtual machine contributors.

i believe it should be CDE https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/multilayered-protection-azure-vm

CD is the answer. https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/multilayered-protection-azure-vm#components Azure Bastion provides secure and seamless RDP and SSH connectivity to VMs in a network. In this solution, Azure Bastion connects users who use Microsoft Edge or another internet browser for HTTPS, or secured traffic on port 443. Azure Bastion sets up the RDP connection to the VM. RDP and SSH ports aren't exposed to the internet or the user's origin.

Correct.

Going with C and D.

Jit controls access based on nsg not based on identity. Permissions are given in pim

Bastion and PIM for "Only provide permission to connect the virtual machines when required"

correct link https://learn.microsoft.com/en-us/azure/architecture/solution-ideas/articles/multilayered-protection-azure-vm#architecture

JIT enables on ports exposed to the internet, not to the Bastion vNET. So... what gives?

The given answer is correct: C & D