Is there any way to allow-list inbound from a domain name instead of an IP address on my Azure virtual machine?

Time: 12-04

I want to allow inbound traffic from a DDNS name for my dynamic public IP, to avoid changing the security rules all the time when my public IP changes. Is there any way to insert a domain name (not an IP address) into the networking rule? Right now I am unable to find any solution for this. Many thanks.

CodePudding user response:

If you mean whether this is possible for Network Security Groups: no, it is not. NSGs do not have such functionality.

But if you are looking for a solution, you could probably automate this by using an Azure Function/Automation Runbook.

Let the Function/Runbook do an NSLOOKUP and then have it update the NSG with the IP it gets from that result. Note that I use the word UPDATE and not ADD. :)

EDIT: Going forward with Runbooks, as it is a slightly smaller step in terms of things to (want to) understand: https://azure.microsoft.com/nl-nl/blog/azure-automation-runbook-management/

When you create the Automation Account, create it with a system identity. After it is created, it will provide you with two default runbooks which already contain some code. The sample code shows you how to authenticate from the runbook against Azure, so you can leave the first bit of the Runbook in place.

Then add whatever code you need below, example:

#Example from here: https://tom-henderson.github.io/2016/09/14/azure-runbooks
$uri = '<DNS_ADDRESS_HERE>'
$ipaddress = [system.net.dns]::GetHostByName($uri).AddressList.IPAddressToString

#Now you need to grab the NSG which is providing whitelisting for your Azure Virtual Machine: https://docs.microsoft.com/en-us/powershell/module/az.network/get-aznetworksecuritygroup?view=azps-6.6.0
$nsg = get-aznetworksecuritygroup -ResourceGroupName '<RG_NAME_HERE>' -Name '<NSG_NAME_HERE>'

#Then update one of the rules: https://docs.microsoft.com/en-us/powershell/module/az.network/set-aznetworksecurityruleconfig?view=azps-6.6.0
#I think with those two example pages you should get what you are looking for.

After you have got the runbook working the way you need it to, put a schedule on it to run whenever, or however often, you want.

Now you also need to give the identity your Runbook has the permissions to update the NSG, because otherwise it will just tell you it has insufficient permissions. Personally I prefer to make custom roles, so I can limit the permissions to what they need to be. In your case it might be easier to simply do:

  • Open the Automation Account in your resource group
  • Scroll down to Identity
  • Click on Azure Role Assignments
  • Select Contributor
  • Click Add role assignment button
  • For scope select resource group, for role select Contributor, the rest should already be auto-filled.

Create the role assignment, and you're done.

If you are concerned about permissions, I suggest you read up on RBAC, Azure Resource Provider Operations (not to be confused with Azure AD roles), custom role definitions, and role assignments.
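The custom-role route the answer mentions, written out, as an added example (not the answer's own code): instead of Contributor on the whole resource group, the runbook's system-assigned identity gets a custom role that can only read and write network security groups, assigned at the scope of the one NSG it has to touch. The resource group, NSG and Automation Account names are placeholders, the custom role name is my own choice, and the script assumes the Automation Account was created with a system-assigned identity, as the answer describes.

```powershell
# Added example (not the answer's own code): least-privilege alternative to
# "Contributor on the resource group". All names below are placeholders.
$resourceGroupName     = '<RG_NAME_HERE>'
$nsgName               = '<NSG_NAME_HERE>'
$automationAccountName = '<AUTOMATION_ACCOUNT_NAME_HERE>'  # assumed: created with a system identity
$roleName              = 'NSG Rule Updater'                # assumed custom role name

$ErrorActionPreference = 'Stop'
$subscriptionId = (Get-AzContext).Subscription.Id
$nsgId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName" +
         "/providers/Microsoft.Network/networkSecurityGroups/$nsgName"

# 1. Custom role with only the Microsoft.Network operations the runbook issues:
#    GET and PUT on the NSG and its rules. No delete, no join/action, nothing else.
$role = Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    # Start from a built-in definition and replace its contents, which is the
    # pattern Microsoft documents for New-AzRoleDefinition.
    $role = Get-AzRoleDefinition -Name 'Reader'
    $role.Id          = $null
    $role.Name        = $roleName
    $role.IsCustom    = $true
    $role.Description = 'Read and update network security group rules, nothing else'
    $role.Actions.Clear()
    foreach ($action in @(
        'Microsoft.Network/networkSecurityGroups/read',
        'Microsoft.Network/networkSecurityGroups/write',
        'Microsoft.Network/networkSecurityGroups/securityRules/read',
        'Microsoft.Network/networkSecurityGroups/securityRules/write'
    )) { $role.Actions.Add($action) }
    $role.NotActions.Clear()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add("/subscriptions/$subscriptionId")
    $role = New-AzRoleDefinition -Role $role
}

# 2. The principal to grant: the Automation Account's system-assigned identity.
#    Get-AzResource exposes the identity block of resources created with one.
$automation  = Get-AzResource -ResourceGroupName $resourceGroupName -Name $automationAccountName `
                              -ResourceType 'Microsoft.Automation/automationAccounts'
$principalId = $automation.Identity.PrincipalId
if (-not $principalId) {
    throw "$automationAccountName has no system-assigned identity; enable it first."
}

# 3. Assign the role at NSG scope only, and only once.
$existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName `
                                 -Scope $nsgId -ErrorAction SilentlyContinue
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $roleName -Scope $nsgId | Out-Null
}

# Show what the identity ended up with on this NSG.
Get-AzRoleAssignment -ObjectId $principalId -Scope $nsgId |
    Select-Object RoleDefinitionName, Scope
```

Run this once from an administrative session with the Az.Resources module loaded, not from the runbook. A new assignment can take a few minutes to become effective, so an "insufficient permissions" error straight after running it is not necessarily a mistake in the role. With the assignment at NSG scope, a bug in the runbook (or anyone who gets hold of a job's context) can rewrite that one NSG and nothing else in the resource group.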

CodePudding user response:

Right now I've prepared something like the below:

$uri = '<DDNS_NAME>'
$resolvedIp = [system.net.dns]::GetHostByName($uri).AddressList.IPAddressToString
Write-Output ("The IP address is: " + $resolvedIp)
$nsg = Get-AzNetworkSecurityGroup -Name '<MY_NSG_NAME>' -ResourceGroupName '<MY_RESGRP_NAME>'
$nsg | Get-AzNetworkSecurityRuleConfig -Name '<RULE_NAME>'
Set-AzNetworkSecurityRuleConfig -Name '<RULE_NAME>' -NetworkSecurityGroup $nsg -SourceAddressPrefix $resolvedIp

The script executes without errors, but the source address in the NSG stays unchanged. @Marco, maybe you have an idea where I am going wrong? PS: I've already added all the needed privileges for using the resource group's resources to the Automation Account.
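The runbook sketched in the first answer, written out end to end, and the reason the script just above changes nothing: Set-AzNetworkSecurityRuleConfig edits only the `$nsg` object held in the PowerShell session, and the change is only sent to Azure when Set-AzNetworkSecurityGroup is called on that object afterwards (the last line of the Microsoft docs example for the cmdlet). This is an added example, not code from either post. The DDNS host, resource group, NSG and rule names are placeholders, and it assumes the Automation Account has a system-assigned identity with write access to the NSG; the rule is assumed to use an address prefix as its source rather than an application security group.

```powershell
# Added example (not code from either post): complete runbook body.
# Set-AzNetworkSecurityRuleConfig changes the in-memory NSG only; the PUT that
# changes Azure is Set-AzNetworkSecurityGroup, which the script above never calls.
param(
    [string]$DdnsName          = '<DDNS_NAME>',         # placeholder
    [string]$ResourceGroupName = '<MY_RESGRP_NAME>',    # placeholder
    [string]$NsgName           = '<MY_NSG_NAME>',       # placeholder
    [string]$RuleName          = '<RULE_NAME>'          # placeholder
)

$ErrorActionPreference = 'Stop'
Disable-AzContextAutosave -Scope Process | Out-Null
# Assumes a system-assigned identity on the Automation Account with write access to the NSG.
Connect-AzAccount -Identity | Out-Null

# Resolve the name ourselves and be strict about the answer: an inbound Allow rule
# is about to be rewritten from DNS, so refuse anything but exactly one public IPv4.
function Get-SinglePublicIPv4 {
    param([string]$HostName)
    $v4 = @([System.Net.Dns]::GetHostAddresses($HostName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' })
    if ($v4.Count -ne 1) {
        throw "Expected exactly one IPv4 address for '$HostName', got $($v4.Count)"
    }
    $ip = $v4[0].IPAddressToString
    $notPublic = $ip -eq '0.0.0.0' -or $ip -like '127.*' -or $ip -like '10.*' -or
                 $ip -like '192.168.*' -or $ip -like '169.254.*' -or
                 $ip -match '^172\.(1[6-9]|2[0-9]|3[01])\.'
    if ($notPublic) { throw "Refusing to allow-list non-public address $ip" }
    return $ip
}

$resolvedIp = Get-SinglePublicIPv4 -HostName $DdnsName
Write-Output "$DdnsName currently resolves to $resolvedIp"

$nsg  = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName
$rule = Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $RuleName
$currentSource = $rule.SourceAddressPrefix -join ','

# Idempotent: a scheduled run that finds nothing changed must not rewrite the NSG.
if ($currentSource -eq $resolvedIp) {
    Write-Output "Rule '$RuleName' already allows $resolvedIp; nothing to do."
    return
}

# Copy every other property back from the existing rule so the only change
# submitted is the new source prefix.
$ruleParams = @{
    NetworkSecurityGroup     = $nsg
    Name                     = $rule.Name
    Protocol                 = $rule.Protocol
    Direction                = $rule.Direction
    Priority                 = $rule.Priority
    Access                   = $rule.Access
    SourcePortRange          = $rule.SourcePortRange
    DestinationPortRange     = $rule.DestinationPortRange
    DestinationAddressPrefix = $rule.DestinationAddressPrefix
    SourceAddressPrefix      = $resolvedIp
}
if ($rule.Description) { $ruleParams.Description = $rule.Description }
Set-AzNetworkSecurityRuleConfig @ruleParams | Out-Null

# Persist: this call is what actually changes the NSG in Azure.
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

# Read back from the returned object to confirm the change landed.
$updated = Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $RuleName
Write-Output "Rule '$RuleName' on '$NsgName': source $currentSource -> $($updated.SourceAddressPrefix -join ',')"
```

Two things worth keeping in mind once this is on a schedule. The DNS record is now the thing that opens the port: whoever can change the DDNS entry can point the rule at themselves, so the single-public-IPv4 check fails closed rather than writing whatever came back. And the rule lags reality by up to one schedule interval plus the record's TTL, so a very short interval buys little while the old cached answer is still being returned.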
