I need some help to add an extra IP (122.21.20.3/12) to a bunch of NSG in Azure. This is to allow an additional Source Address. I was able to put together a script to help me find impacted NSGs. I have to add the new IP only to the NSGs containing another similar IP (122.21.20.2/12):
$azSubs = Get-AzSubscription
foreach ( $azSub in $azSubs ) {
Set-AzContext -Subscription $azSub | Out-Null
$azNsgs = Get-AzNetworkSecurityGroup
foreach ( $azNsg in $azNsgs ) {
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNsg | Where-Object { $_.SourceAddressPrefix -eq '122.21.20.2/12' } | `
Select-Object @{label = 'NSG Name'; expression = { $azNsg.Name } },
@{label = 'Rule Name'; expression = { $_.Name } },
@{label = 'Source IP'; expression = { $_.SourceAddressPrefix } },
@{label = 'Port Range'; expression = { $_.DestinationPortRange } }, Access, Priority, Direction, `
@{label = 'Resource Group Name'; expression = { $azNsg.ResourceGroupName } }
}
}
I am able to get the list of affected NSGs. Not sure how to fit this into the SourceAddressPrefix for each of them. Is Set-AzNetworkSecurityRuleConfig used for that? Does anyone have an example, please?
Thank you very much!
CodePudding user response:
Based on the above requirement , we have created the below PowerShell script which will pull all the existing Network Security Groups & their respective NSG rules.
We have added a condition in the below script to pull only the NSG rule that has SourceAddressPrefix with ParticularIP
that we want & it will updated the NSG rule with Required SourceIPAddressPrefixes
Here is the PowerShell Script :
connect-azaccount
$requiredIp=("10.x.x.x/27") ##Ip that you want to check
$ngs=Get-AzNetworkSecurityGroup ##list all Network Security Groups in the subscription
foreach($ng in $ngs){
$nsgrule=$ng.SecurityRules ##appending the nsg rules of that particular Network Security Groups
foreach( $item in $nsgrule) {
$ruleip=$item| Select-Object -Property SourceAddressPrefix,name ##pulling the sourceIPAddressPrefix of that existing NSG rule
foreach( $ip in $ruleip)
{
if( $ip.SourceAddressPrefix -eq $requiredIp){
$rec=Get-AzNetworkSecurityGroup -Name $ng.Name
## add the required IP in the "-SourceAddressPrefix" flag in the below cmdlet to update the NSG rule with the required IP address
Set-AzNetworkSecurityRuleConfig -Name $ip.Name -NetworkSecurityGroup $rec -SourceAddressPrefix ($($requiredIp),"10.x.x.x/27") -Protocol Tcp -Access Allow -Direction Inbound -DestinationAddressPrefix * -SourcePortRange * -DestinationPortRange * -Priority 310
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $rec
}
}
}
}
Here is the Sample Output for reference:
CodePudding user response:
Yes, but you need to change your NSG.
Something like that, maybe?
$NSG = Get-AzNetworkSecurityGroup -Name 'MyNSG' -ResourceGroupName 'MyRG'
$Params = @{
'Name' = 'NewRule'
'NetworkSecurityGroup' = $NSG
'Protocol' = '*'
'Direction' = 'Outbound'
'Priority' = 200
'SourceAddressPrefix' = '*'
'SourcePortRange' = '*'
'DestinationAddressPrefix' = '*'
'DestinationPortRange' = @('80', '443')
'Access' = 'Deny'
}
Add-AzNetworkSecurityRuleConfig @Params | Set-AzNetworkSecurityGroup
CodePudding user response:
The complete script to perform this task is:
connect-azaccount
$requiredIp=("10.x.x.x/27") ##Ip that you want to check
$ngs=Get-AzNetworkSecurityGroup ##list all Network Security Groups in the subscription
foreach($ng in $ngs){
$nsgrule=$ng.SecurityRules ##appending the nsg rules of that particular Network Security Groups
foreach( $item in $nsgrule) {
$ruleip=$item| Select-Object -Property SourceAddressPrefix,name ##pulling the sourceIPAddressPrefix of that existing NSG rule
foreach( $ip in $ruleip)
{
if( $ip.SourceAddressPrefix -eq $requiredIp){
$rec=Get-AzNetworkSecurityGroup -Name $ng.Name
## add the required IP in the "-SourceAddressPrefix" flag in the below cmdlet to update the NSG rule with the required IP address
Set-AzNetworkSecurityRuleConfig `
-Name $ip.Name `
-NetworkSecurityGroup $rec `
-SourceAddressPrefix ( @($item.SourceAddressPrefix) $newIP ) `
-Protocol * `
-Access Allow `
-Direction Inbound `
-DestinationAddressPrefix * `
-SourcePortRange * `
-DestinationPortRange * `
-Priority $item.Priority
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $rec
}
}
}
}