
VM & Container Security: AZ-500 Exam Essentials

JIT VM access, disk encryption options, and AKS/ACR security are all tested on the AZ-500. This lesson covers the exam's most common VM and container security scenarios.

Author: Microsoft Cloud Solution Architect

Tags: AZ-500, JIT, Disk Encryption, AKS, ACR, Container Security, Certification

Just-in-Time (JIT) VM Access

JIT VM access locks down inbound management ports (RDP 3389, SSH 22, WinRM 5985/5986) by default with NSG deny rules (and Azure Firewall rules, where the VM sits behind one). When a user with the required permissions requests access through Defender for Cloud, a higher-priority allow rule is added for the requested ports, the requester's source IP range and the requested time window, and removed again when the window expires.

Benefits for the exam:

  • Eliminates always-open management ports, which are the first thing a scanner or brute-force bot finds
  • Creates an audit trail of who requested access, to which ports, from which IP, and when
  • Time-limited exposure (default maximum of 3 hours per request, configurable from 1 to 24 hours)
Exam tip: JIT VM access is a feature of Defender for Servers Plan 2 (a paid plan). The VM must be deployed through Azure Resource Manager and have an NSG (or Azure Firewall) associated with it, because JIT works by managing rules on that NSG or firewall; classic VMs are not supported.
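The two halves of the JIT workflow (an admin defining the policy, a user requesting a window) as an added PowerShell example using the Az.Security cmdlets; this is not code from the article. The subscription ID, resource group, VM name, location and the 203.0.113.0/24 "corporate" range are placeholders, and the Invoke-RestMethod call to an IP echo service is an assumed convenience you would replace with your known egress address.

```powershell
# Added example (not from the article). Requires the Az.Security module, an
# account that can write Defender for Cloud policies, and Defender for Servers
# Plan 2 on the subscription. All names and addresses below are placeholders.
$subId    = "00000000-0000-0000-0000-000000000000"
$rg       = "rg-az500-lab"
$vmName   = "vm-web01"
$location = "eastus"
$vmId     = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"
$adminNet = "203.0.113.0/24"   # placeholder admin egress range; prefer this over "*"

# 1. Policy: which ports JIT may open, from where, and for how long at most.
#    Saving the policy is what makes Defender for Cloud add the NSG deny rules.
$ports = @(
    @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @($adminNet); maxRequestAccessDuration = "PT3H" },
    @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @($adminNet); maxRequestAccessDuration = "PT3H" }
)
$policyVm = @{ id = $vmId; ports = $ports }
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $location -Name "default" `
    -ResourceGroupName $rg -VirtualMachine @($policyVm)

# 2. Request: open SSH only, only from this workstation, only for the next hour.
#    A request for a port not in the policy, or longer than PT3H, is rejected.
$myIp   = Invoke-RestMethod -Uri "https://api.ipify.org"     # assumed IP echo service
$endUtc = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
$requestVm = @{
    id    = $vmId
    ports = @(@{ number = 22; endTimeUtc = $endUtc; allowedSourceAddressPrefix = @($myIp) })
}
$policyId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($requestVm)

# 3. Audit trail: the policy object keeps the request history (requestor, ports, source, expiry).
Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $location -Name "default" |
    Select-Object -ExpandProperty Requests
```

The request step is the one to understand for the exam: the caller never touches the NSG directly, which is why JIT needs its own permission (the `Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action` action) rather than Network Contributor.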

Disk Encryption

Option                      | What it encrypts                                                                                      | Key location
----------------------------|-------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------
Azure Disk Encryption (ADE) | OS and data disks inside the guest OS, using BitLocker (Windows) or DM-Crypt (Linux)                  | Key Vault: the BitLocker encryption key (BEK) is stored as a secret, optionally wrapped by a key encryption key (KEK)
Server-Side Encryption (SSE)| Managed disk data at rest in the storage layer; always on and cannot be turned off                     | Platform-managed keys (default) or customer-managed keys (CMK) in Key Vault, referenced through a disk encryption set
Encryption at host          | Extends SSE to the VM host: the temp disk and the OS/data disk caches are encrypted with the disk's key | Platform-managed keys or CMK (the same disk encryption set as SSE)
Exam tip: ADE is the only option that encrypts inside the guest OS, so the OS itself sees an encrypted volume and the keys live in Key Vault. SSE encrypts the storage-layer blob and is transparent to the guest; encryption at host closes the remaining gap (temp disk and cache) without a guest agent. Two caveats that come up in questions: encryption at host can only be enabled while the VM is deallocated, and it cannot be combined with ADE on the same VM.
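Enabling each of the two VM-side options with Az PowerShell, as an added example that is not part of the article: ADE on one VM (Key Vault prepared first, then the extension, then the status check) and encryption at host on a second VM, because the two cannot coexist on the same machine. Resource group, VM and vault names are placeholders, and the vault is assumed to use the access-policy permission model.

```powershell
# Added example (not from the article). Requires Az.Compute and Az.KeyVault.
# Names are placeholders; the vault is assumed to use the access-policy model.
$rg     = "rg-az500-lab"
$kvName = "kv-az500-lab"
$vmAde  = "vm-web01"   # will get Azure Disk Encryption
$vmEah  = "vm-db01"    # will get encryption at host (must be a different VM)

# --- Azure Disk Encryption -------------------------------------------------
# ADE writes the BEK (and optional KEK reference) into Key Vault, so the vault
# must be explicitly enabled for disk encryption or the extension fails.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg -EnabledForDiskEncryption
$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg

# Encrypt OS and data disks inside the guest (BitLocker / DM-Crypt).
# Linux data disks must be mounted and listed in /etc/fstab to be picked up.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmAde `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri `
    -DiskEncryptionKeyVaultId  $kv.ResourceId `
    -VolumeType All -Force

# Status shows OsVolumeEncrypted / DataVolumesEncrypted and the key vault URL.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmAde

# --- Encryption at host -----------------------------------------------------
# No guest agent: the host encrypts temp disk and cache with the disk's SSE key.
# The VM has to be deallocated (not just stopped) before the flag can be set.
Stop-AzVM -ResourceGroupName $rg -Name $vmEah -Force
$vmObj = Get-AzVM -ResourceGroupName $rg -Name $vmEah
Update-AzVM -ResourceGroupName $rg -VM $vmObj -EncryptionAtHost $true
Start-AzVM -ResourceGroupName $rg -Name $vmEah

# Verify: SecurityProfile.EncryptionAtHost should now read True.
(Get-AzVM -ResourceGroupName $rg -Name $vmEah).SecurityProfile.EncryptionAtHost
```

If the target VM size does not support encryption at host, `Update-AzVM` returns an error naming the size; check `Get-AzComputeResourceSku` for the `EncryptionAtHostSupported` capability before choosing a SKU.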

Azure Container Registry (ACR) Security

  • Admin account: disabled by default, and should stay that way. It is a single shared username/password with both push and pull rights and no per-user audit trail. Use managed identities (for example, the AKS kubelet identity with the AcrPull role) or RBAC-scoped service principals instead.
  • ACR Tasks: build images in Azure rather than on developer machines. Each build runs in an ephemeral, isolated environment that is discarded afterwards.
  • Content Trust: sign images with Docker Content Trust (Premium SKU). Clients that enforce content trust pull only images whose signatures verify.
  • Defender for Containers scans images in ACR for known CVEs on push and on a continuing basis, and surfaces the findings as Defender for Cloud recommendations.
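The "managed identity instead of admin account" point from the list above, as an added PowerShell example that is not from the article: disable the admin user, grant the AKS kubelet identity pull-only rights on the registry, and verify. Registry, cluster and resource group names are placeholders, the cmdlet parameter names assume a current Az.ContainerRegistry/Az.Aks module, and the `IdentityProfile["kubeletidentity"]` property path is the one exposed by Az.Aks for a cluster created with a managed identity.

```powershell
# Added example (not from the article). Requires Az.ContainerRegistry, Az.Aks
# and Az.Resources. Names are placeholders.
$rg      = "rg-az500-lab"
$acrName = "acraz500lab"
$aksName = "aks-az500-lab"

# 1. Turn off the shared admin credential.
Update-AzContainerRegistry -ResourceGroupName $rg -Name $acrName -AdminUserEnabled:$false

# 2. Give the cluster's kubelet managed identity AcrPull (pull only, no push)
#    scoped to this registry rather than the resource group or subscription.
$acr = Get-AzContainerRegistry -ResourceGroupName $rg -Name $acrName
$aks = Get-AzAksCluster -ResourceGroupName $rg -Name $aksName
$kubeletObjectId = $aks.IdentityProfile["kubeletidentity"].ObjectId   # assumed property path
New-AzRoleAssignment -ObjectId $kubeletObjectId -RoleDefinitionName "AcrPull" -Scope $acr.Id

# 3. Verify: admin must be False, and the role list at registry scope should
#    show only the identities you expect (anything with AcrPush or Owner here
#    can replace images that the cluster will run).
(Get-AzContainerRegistry -ResourceGroupName $rg -Name $acrName).AdminUserEnabled
Get-AzRoleAssignment -Scope $acr.Id |
    Select-Object DisplayName, ObjectType, RoleDefinitionName
```

The kubelet identity is the one that authenticates image pulls, which is why the assignment goes to it and not to the cluster's control-plane identity.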

AKS Security Basics

For the AZ-500, know these four cluster controls:

  • Disable local accounts and use Microsoft Entra ID authentication, so kubeconfig credentials are short-lived Entra tokens rather than a static, non-revocable client certificate.
  • Enable Azure RBAC for Kubernetes authorization (requires Entra integration), so in-cluster permissions are granted with Azure role assignments such as Azure Kubernetes Service RBAC Reader instead of hand-written RoleBindings.
  • Enable the Microsoft Defender for Containers plan on the subscription for runtime threat detection and image vulnerability scanning.
  • Apply Kubernetes network policies (Azure or Calico engine) to restrict pod-to-pod traffic; without a policy, every pod can reach every other pod in the cluster.
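What a network policy actually changes, as an added example that is not from the article: a namespace-wide default-deny on ingress, a single allow rule from the frontend pods to the API pods, and a probe from each side to confirm it. This is a PowerShell here-string piped to kubectl, assuming a cluster created with a network policy engine, a kubectl context pointed at it, and a namespace `payments` with a Service named `api` in front of pods labelled `app=api` on port 8080 (all placeholders).

```powershell
# Added example (not from the article). Assumes kubectl is configured for an
# AKS cluster that has the Azure or Calico network policy engine enabled.
# Namespace, labels and ports are placeholders.
$ns = "payments"

$policies = @"
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: $ns
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes: ["Ingress"] # ingress only; egress stays open (see note below)
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-from-frontend
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
"@

$policies | kubectl apply -f -

# Probe 1: an unlabelled pod. Expected: wget times out (default deny applies).
# Arguments are splatted so the '--' separator reaches kubectl on every
# PowerShell version.
$probeArgs = @("run", "probe-unlabelled", "--rm", "-it", "--restart=Never",
               "--image=busybox:1.36", "-n", $ns,
               "--", "wget", "-qO-", "-T", "3", "http://api:8080")
kubectl @probeArgs

# Probe 2: same request from a pod labelled app=frontend. Expected: a response.
$probeArgs = @("run", "probe-frontend", "--rm", "-it", "--restart=Never",
               "--image=busybox:1.36", "-n", $ns, "-l", "app=frontend",
               "--", "wget", "-qO-", "-T", "3", "http://api:8080")
kubectl @probeArgs
```

The policies are deliberately ingress-only. A default-deny that also lists `Egress` blocks DNS, so pods stop resolving `api` at all; if you go that far, add a matching egress rule to kube-dns in kube-system on UDP/TCP 53 first.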

About the author: Microsoft Cloud Solution Architect. Cloud Solution Architect with deep expertise in Microsoft Azure and a strong background in systems and IT infrastructure. Passionate about cloud technologies, security best practices, and helping organizations modernize their infrastructure.
