What feature allows administrators to access specific cloud VMs only upon request?

The feature that enables administrators to access specific cloud virtual machines (VMs) only upon request is Just-in-Time (JIT) access. This security mechanism is designed to minimize the attack surface by allowing access to VMs only when needed, and for a limited time. JIT works by requiring users to request access through a management portal; once approved, they can access the VMs for a specified duration.

By using JIT, organizations can reduce the risk of unauthorized access since VMs are not constantly available to users or services. In addition, this feature helps in maintaining compliance and provides better auditing capabilities, as all access requests and events are logged.

Other options, while important, serve different purposes. Virtual Network Service Endpoints enhance the security of cloud services by restricting network access but do not specifically govern access based on request. Resource Locks prevent accidental deletion or modification of resources but don't regulate user access. Role-Based Access Control (RBAC) indeed manages user permissions but allows continuous access to resources based on assigned roles, rather than limiting access to a request-based model. Thus, JIT is the most suitable feature for this particular scenario of accessing VMs on a request basis.