L14. VM & Container Security
Course outlineLesson 14 of 18
JIT VM access, disk encryption options, and AKS/ACR security are all tested on the AZ-500. This lesson covers the exam's most common VM and container security scenarios.
Just-in-Time (JIT) VM Access
JIT VM access blocks inbound management ports (RDP 3389, SSH 22, WinRM 5985/5986) by default with an NSG deny rule. When a user needs access, they request it through Defender for Cloud. The NSG rule is temporarily allowed for a specified time window and source IP.
Benefits for the exam:
- Eliminates always-open management ports
- Creates an audit trail of who requested access and when
- Time-limited exposure (default 3 hours, configurable to 1 to 24 hours)
Disk Encryption
| Option | What It Encrypts | Key Location |
|---|---|---|
| Azure Disk Encryption (ADE) | OS plus data disks using BitLocker (Windows) / DM-Crypt (Linux) | Keys in Key Vault |
| Server-Side Encryption (SSE) | Storage-layer encryption (always on) | Microsoft keys or CMK in Key Vault |
| Encryption at host | SSE extended to temp disks and cache | Microsoft keys or CMK |
Azure Container Registry (ACR) Security
- Enable Admin account: disabled by default. Use managed identities or service principals instead.
- ACR Tasks: build images in Azure. The build environment is ephemeral and isolated.
- Content Trust: sign images with Docker Content Trust. Pulls only verified images.
- Defender for Containers scans ACR images on push for known CVEs.
AKS Security Basics
For the AZ-500: disable local accounts on AKS clusters (use Entra ID authentication), use Azure RBAC for Kubernetes authorization, enable the Microsoft Defender for Containers plan on the subscription. Network policies (Calico or Azure) restrict pod-to-pod traffic.
- ✓JIT VM access: NSG deny rule on management ports, temporary allow on request via Defender for Cloud
- ✓JIT requires Defender for Servers plan: access windows are 1 to 24 hours, source-IP scoped
- ✓Azure Disk Encryption (ADE) encrypts inside the OS (BitLocker/DM-Crypt); SSE encrypts the storage layer
- ✓ACR: disable admin account, use managed identities; Defender for Containers scans images on push
- ✓AKS: disable local accounts, use Entra ID plus Azure RBAC for Kubernetes; network policies restrict pod traffic
1. When Just-in-Time (JIT) VM access is enabled in Defender for Cloud, what happens to inbound management port rules?
2. What is the purpose of Azure Disk Encryption on a VM?
3. Which AKS security feature restricts which container images can be deployed to the cluster?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured video courses, hands-on Azure labs, and timed practice exams to make it stick before exam day.