Cyber Intelligence
Compute, Storage & Data · 25% of exam

L14. VM & Container Security

Course outlineLesson 14 of 18

JIT VM access, disk encryption options, and AKS/ACR security are all tested on the AZ-500. This lesson covers the exam's most common VM and container security scenarios.

Just-in-Time (JIT) VM Access

JIT VM access blocks inbound management ports (RDP 3389, SSH 22, WinRM 5985/5986) by default with an NSG deny rule. When a user needs access, they request it through Defender for Cloud. The NSG rule is temporarily allowed for a specified time window and source IP.

Benefits for the exam:

  • Eliminates always-open management ports
  • Creates an audit trail of who requested access and when
  • Time-limited exposure (default 3 hours, configurable to 1 to 24 hours)
Exam tip: JIT VM access is a feature of Defender for Servers (paid plan). It requires the VM to have a public IP or be accessible via NSG.

Disk Encryption

OptionWhat It EncryptsKey Location
Azure Disk Encryption (ADE)OS plus data disks using BitLocker (Windows) / DM-Crypt (Linux)Keys in Key Vault
Server-Side Encryption (SSE)Storage-layer encryption (always on)Microsoft keys or CMK in Key Vault
Encryption at hostSSE extended to temp disks and cacheMicrosoft keys or CMK
Exam tip: ADE is the only option that encrypts the disk inside the VM OS. SSE encrypts the storage blob, not the OS-visible disk.

Azure Container Registry (ACR) Security

  • Enable Admin account: disabled by default. Use managed identities or service principals instead.
  • ACR Tasks: build images in Azure. The build environment is ephemeral and isolated.
  • Content Trust: sign images with Docker Content Trust. Pulls only verified images.
  • Defender for Containers scans ACR images on push for known CVEs.

AKS Security Basics

For the AZ-500: disable local accounts on AKS clusters (use Entra ID authentication), use Azure RBAC for Kubernetes authorization, enable the Microsoft Defender for Containers plan on the subscription. Network policies (Calico or Azure) restrict pod-to-pod traffic.

Exam Focus Points
  • JIT VM access: NSG deny rule on management ports, temporary allow on request via Defender for Cloud
  • JIT requires Defender for Servers plan: access windows are 1 to 24 hours, source-IP scoped
  • Azure Disk Encryption (ADE) encrypts inside the OS (BitLocker/DM-Crypt); SSE encrypts the storage layer
  • ACR: disable admin account, use managed identities; Defender for Containers scans images on push
  • AKS: disable local accounts, use Entra ID plus Azure RBAC for Kubernetes; network policies restrict pod traffic
Knowledge Check

1. When Just-in-Time (JIT) VM access is enabled in Defender for Cloud, what happens to inbound management port rules?

2. What is the purpose of Azure Disk Encryption on a VM?

3. Which AKS security feature restricts which container images can be deployed to the cluster?

Recommended: Pluralsight

This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.

Start AZ-500 prep free10-day free trial available