Azure (PowerShell) How to add an additional IP to multiple existent Network Security Groups (Source

Time:12-11

I need some help to add an extra IP (122.21.20.3/12) to a bunch of NSGs in Azure. This is to allow an additional source address. I was able to put together a script to help me find the impacted NSGs. I have to add the new IP only to the NSGs containing another similar IP (122.21.20.2/12):

$azSubs = Get-AzSubscription

foreach ( $azSub in $azSubs ) {
    Set-AzContext -Subscription $azSub | Out-Null

    $azNsgs = Get-AzNetworkSecurityGroup

    foreach ( $azNsg in $azNsgs ) {
        # A trailing pipe or comma already continues the line, so no backtick is needed
        Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNsg |
            Where-Object { $_.SourceAddressPrefix -eq '122.21.20.2/12' } |
            Select-Object @{label = 'NSG Name'; expression = { $azNsg.Name } },
                          @{label = 'Rule Name'; expression = { $_.Name } },
                          @{label = 'Source IP'; expression = { $_.SourceAddressPrefix } },
                          @{label = 'Port Range'; expression = { $_.DestinationPortRange } },
                          Access, Priority, Direction,
                          @{label = 'Resource Group Name'; expression = { $azNsg.ResourceGroupName } }
    }
}

I am able to get the list of affected NSGs. I'm not sure how to fit this into the SourceAddressPrefix for each of them. Is Set-AzNetworkSecurityRuleConfig used for that? Does anyone have an example, please?

Thank you very much!

CodePudding user response:

Based on the above requirement, we have created the below PowerShell script, which will pull all the existing Network Security Groups and their respective NSG rules.

We have added a condition in the below script to pull only the NSG rules whose SourceAddressPrefix contains the particular IP that we want, and it will update the NSG rule with the required source address prefixes.

Here is the PowerShell Script :

Connect-AzAccount

$requiredIp = '10.x.x.x/27'   ## IP that you want to check for (placeholder, replace with the existing prefix)
$newIp      = '10.x.x.x/27'   ## IP to add alongside it (placeholder, replace with the new prefix)

$ngs = Get-AzNetworkSecurityGroup   ## list all Network Security Groups in the subscription

foreach ($ng in $ngs) {
    $nsgrule = $ng.SecurityRules   ## the custom rules of that particular Network Security Group

    foreach ($item in $nsgrule) {
        ## SourceAddressPrefix is a list of strings, so test membership rather than equality,
        ## and skip rules that already carry the new IP so the script can be re-run safely
        if ($item.SourceAddressPrefix -contains $requiredIp -and $item.SourceAddressPrefix -notcontains $newIp) {

            $rec = Get-AzNetworkSecurityGroup -Name $ng.Name -ResourceGroupName $ng.ResourceGroupName

            ## keep the rule's existing prefixes and append the required IP via "-SourceAddressPrefix";
            ## every other property is copied from the existing rule so nothing else is overwritten
            Set-AzNetworkSecurityRuleConfig -Name $item.Name -NetworkSecurityGroup $rec `
                -SourceAddressPrefix (@($item.SourceAddressPrefix) + $newIp) `
                -Protocol $item.Protocol -Access $item.Access -Direction $item.Direction `
                -DestinationAddressPrefix $item.DestinationAddressPrefix `
                -SourcePortRange $item.SourcePortRange `
                -DestinationPortRange $item.DestinationPortRange `
                -Priority $item.Priority | Out-Null
            Set-AzNetworkSecurityGroup -NetworkSecurityGroup $rec | Out-Null
        }
    }
}

Here is the Sample Output for reference:


CodePudding user response:

Yes, but you need to change your NSG.

Something like that, maybe?

$NSG = Get-AzNetworkSecurityGroup -Name 'MyNSG' -ResourceGroupName 'MyRG'

$Params = @{
  'Name'                     = 'NewRule'
  'NetworkSecurityGroup'     = $NSG
  'Protocol'                 = '*'
  'Direction'                = 'Outbound'
  'Priority'                 = 200
  'SourceAddressPrefix'      = '*'
  'SourcePortRange'          = '*'
  'DestinationAddressPrefix' = '*'
  'DestinationPortRange'     = @('80', '443')
  'Access'                   = 'Deny'
}

Add-AzNetworkSecurityRuleConfig @Params | Set-AzNetworkSecurityGroup

CodePudding user response:

The complete script to perform this task is:

Connect-AzAccount

$requiredIp = '10.x.x.x/27'   ## IP that you want to check for (placeholder)
$newIP      = '10.x.x.x/27'   ## IP to append to the matching rules (placeholder)

$ngs = Get-AzNetworkSecurityGroup   ## list all Network Security Groups in the subscription

foreach ($ng in $ngs) {
    $nsgrule = $ng.SecurityRules   ## the nsg rules of that particular Network Security Group

    foreach ($item in $nsgrule) {
        ## SourceAddressPrefix is a list, so test membership; skip rules that already carry the new IP
        if ($item.SourceAddressPrefix -contains $requiredIp -and $item.SourceAddressPrefix -notcontains $newIP) {

            $rec = Get-AzNetworkSecurityGroup -Name $ng.Name -ResourceGroupName $ng.ResourceGroupName

            ## append the new IP to the existing prefixes ("+" joins the two arrays) and copy every
            ## other property from the existing rule so the update changes nothing else
            Set-AzNetworkSecurityRuleConfig `
                -Name $item.Name `
                -NetworkSecurityGroup $rec `
                -SourceAddressPrefix ( @($item.SourceAddressPrefix) + $newIP ) `
                -Protocol $item.Protocol `
                -Access $item.Access `
                -Direction $item.Direction `
                -DestinationAddressPrefix $item.DestinationAddressPrefix `
                -SourcePortRange $item.SourcePortRange `
                -DestinationPortRange $item.DestinationPortRange `
                -Priority $item.Priority | Out-Null
            Set-AzNetworkSecurityGroup -NetworkSecurityGroup $rec | Out-Null
        }
    }
}
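The procedure the answers describe, as an added example that is not part of the question or any of the answers: it combines the question's per-subscription loop with the rule update from the last two answers, appends the new prefix to the rule's existing list instead of replacing it, copies every other rule property so nothing else is overwritten, skips rules that already carry the new prefix so it can be re-run, and supports -WhatIf for a dry run before anything is written. It assumes the Az.Accounts and Az.Network modules and an existing Connect-AzAccount session; the function name Add-SourcePrefixToMatchingNsgRules and its parameters are our own, and the two prefixes are the ones from the question.

```powershell
# Added example (not from the question or the answers above). Requires Az.Accounts and Az.Network
# and an existing Connect-AzAccount session. Function name and parameters are our own.
function Add-SourcePrefixToMatchingNsgRules {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $ExistingPrefix,   # e.g. '122.21.20.2/12' from the question
        [Parameter(Mandatory)] [string] $NewPrefix         # e.g. '122.21.20.3/12' from the question
    )

    $changes = [System.Collections.Generic.List[object]]::new()

    foreach ($sub in Get-AzSubscription) {
        Set-AzContext -Subscription $sub | Out-Null

        foreach ($nsg in Get-AzNetworkSecurityGroup) {
            # Only custom rules are editable; DefaultSecurityRules are managed by Azure.
            # SourceAddressPrefix is a list, so use -contains; -notcontains makes the run idempotent.
            $matching = $nsg.SecurityRules | Where-Object {
                $_.SourceAddressPrefix -contains $ExistingPrefix -and
                $_.SourceAddressPrefix -notcontains $NewPrefix
            }
            if (-not $matching) { continue }

            foreach ($rule in $matching) {
                $target = "$($sub.Name)/$($nsg.ResourceGroupName)/$($nsg.Name)/$($rule.Name)"
                if (-not $PSCmdlet.ShouldProcess($target, "append source prefix $NewPrefix")) { continue }

                # Capture the old list first: Set-AzNetworkSecurityRuleConfig edits $rule in place.
                $before = @($rule.SourceAddressPrefix)

                # Copy every property from the existing rule; only the source prefixes change.
                $params = @{
                    Name                     = $rule.Name
                    NetworkSecurityGroup     = $nsg
                    SourceAddressPrefix      = $before + $NewPrefix
                    SourcePortRange          = $rule.SourcePortRange
                    DestinationAddressPrefix = $rule.DestinationAddressPrefix
                    DestinationPortRange     = $rule.DestinationPortRange
                    Protocol                 = $rule.Protocol
                    Access                   = $rule.Access
                    Direction                = $rule.Direction
                    Priority                 = $rule.Priority
                }
                if ($rule.Description) { $params.Description = $rule.Description }
                Set-AzNetworkSecurityRuleConfig @params | Out-Null

                $changes.Add([pscustomobject]@{
                    Subscription  = $sub.Name
                    ResourceGroup = $nsg.ResourceGroupName
                    Nsg           = $nsg.Name
                    Rule          = $rule.Name
                    Before        = ($before -join ',')
                    After         = ($params.SourceAddressPrefix -join ',')
                })
            }

            # One PUT per NSG, after all of its rules have been edited in memory; skipped under -WhatIf.
            if (-not $WhatIfPreference) {
                Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null
            }
        }
    }
    return $changes
}

# Dry run first: -WhatIf prints each rule that would change without touching Azure.
Add-SourcePrefixToMatchingNsgRules -ExistingPrefix '122.21.20.2/12' -NewPrefix '122.21.20.3/12' -WhatIf

# Then apply, keeping the before/after record for the change ticket:
# Add-SourcePrefixToMatchingNsgRules -ExistingPrefix '122.21.20.2/12' -NewPrefix '122.21.20.3/12' |
#     Export-Csv -NoTypeInformation -Path .\nsg-prefix-changes.csv
```

Two design points: the match is an exact string comparison against the rule's prefix list, so rules that use `*`, a service tag or an application security group are deliberately left alone, and the change record returned by the function is what you diff against a second, post-change run of the question's audit script to confirm every matched rule now carries both prefixes. Add-AzNetworkSecurityRuleConfig, as used in the second answer, is the alternative when you would rather create a separate rule for the new source than widen the existing one; it needs a priority that is still free in that NSG.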