Exam SC-200 topic 2 question 46 discussion

correct me if Im wrong but Bastion dose not seems to allow time limit , Im going with B

To meet the given requirements, you should use Azure Bastion to configure just-in-time (JIT) access for the virtual machines in RG1. Azure Bastion provides secure and seamless RDP and SSH access to virtual machines over a web browser and eliminates the need for a public IP address. It simplifies the process of connecting to virtual machines by allowing users to connect directly to virtual machines through the Azure portal. To enable JIT access with Azure Bastion, you can create a JIT policy that defines the rules for access, including limiting access to specific protocols like RDP and setting the maximum request time to two hours. This can be done using the Azure portal or Azure CLI, and once the policy is created, Azure Bastion will automatically enforce the access rules when users try to connect to the virtual machines.

You use Azure Bastion to limit the protocol to RDP only. Bastion does not have JIT access capabilities but Defender for Cloud does. The question states that you already have a Defender for Cloud subscription.

I don't even know if there is a clear definition of Azure Policy. I'd choose A because user needs to require for access to the VMs, and that should be via PIM.

A. Azure AD Privileged Identity Management (PIM): Incorrect: PIM is a service that helps manage, control, and monitor access to important resources in Azure. It is primarily focused on managing privileged roles within Azure AD, like who has access to a specific role and for how long. It doesn't provide direct JIT access to virtual machines. B. Azure Policy: Incorrect: Azure Policy helps to enforce organizational standards and assess compliance at scale by applying policies to resources. While you can use policies to control things like allowed VM sizes or locations, Azure Policy does not handle JIT access configurations. C. Azure Bastion: Correct: Azure Bastion is a fully managed service that provides secure and seamless RDP and SSH connectivity to your VMs directly in the Azure portal over SSL. It supports JIT access by limiting the exposure of VMs to the internet and only allowing connections via the Azure portal. It can be configured to limit access to specific protocols (like RDP) and to enforce time restrictions, such as the 2-hour maximum access time requested.

From another exam site who says, "Bastion". To meet the given requirements, you should use Azure Bastion to configure just-in-time (JIT) access for the virtual machines in RG1.Azure Bastion provides secure and seamless RDP and SSH access to virtual machines over a web browser and eliminates the need for a public IP address. It simplifies the process of connecting to virtual machines by allowing users to connect directly to virtual machines through the Azure portal.To enable JIT access with Azure Bastion, you can create a JIT policy that defines the rules for access, including limiting access to specific protocols like RDP and setting the maximum request time to two hours. This can be done using the Azure portal or Azure CLI, and once the policy is created, Azure Bastion will automatically enforce the access rules when users try to connect to the virtual machines.

This is a stupid question. Bastion is the best fit for security purposes to allow RDP access to a machine without exposing it to the internet. There is no option for JIT in Bastion. In order to set this up, you need a policy. Now, does that mean Azure Policy? Navigate to Microsoft Defender for Cloud in the Azure portal. Go to the Just-in-time VM access section under Configuration & management. Select the virtual machines in RG1 you want to configure JIT for. Configure the JIT policy: Set the maximum request time to 2 hours. Specify RDP (port 3389) as the allowed protocol. Save the configuration.

Answer is B since one of the requirements is to use RDP only. With Bastion you don't connect using RDP and Microsoft specifically mentions not to use RDP as the requirement.

Know that Azure Bastion and JIT access cannot be used together. If you enable Azure Bastion with an existing JIT access policy enabled on a VM, the bastion host will not connect to the target machine and you will get a connection error!. https://dev.to/adbertram/how-to-enable-and-configure-azure-jit-for-vms-4a26

I'd go with Azure Policy since Bastion alone does not support all the requirements listed in question. Azure Bastion and Just in time (JIT) access are two different technologies

You can setup JIT network access policy for the Resource Group. https://learn.microsoft.com/en-us/rest/api/defenderforcloud/jit-network-access-policies?view=rest-defenderforcloud-2020-01-01

Azure Policy

If i read this article correctly, then it can be accomplished by configuring the policy https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage

Azure Policy make more sense

A. Azure AD Privileged Identity Management (PIM) >> You cannot restrict to protocol. B. Azure Policy >> Looks like the answer. C. Azure Bastion >> You cannot limit the time using this. D. Azure Front Door >> Not for this purpose

Azure Bastion provides secure and seamless RDP and SSH access to Azure virtual machines directly through the Azure portal. It acts as a jump server or a bastion host, eliminating the need to expose public IP addresses or configure virtual private networks (VPNs) for remote access.

There are no references for Azure Bastion on the SC-200 MS Learn course