UPDATE: 16th September 2016: The script has been updated to fix the Get-AzureRmLocation bug and the Port Range issue with the maxing out at 65000, now goes to 65535 as it should!
UPDATE 1st December 2015: The script has been updated to allow for creation and updating of Azure Resource Manager based Network Security Groups. The "Classic" functionality remains as was.
This script requires Azure PowerShell 1.0 or higher, this can be downloaded through the Microsoft Web Platform Installer.
There are three new functions:
The principle of the script remains the same, it uses CSV files to manage Network Security Groups.
Here are some examples of how to invoke the new cmdlets:
The New-AzureRmCustomNetworkSecurityGroup cmdlet supports -PassThru. Without using -PassThru it will not return the created NSG.
NOTE: The update function for Resource Manager based Network Security groups does not work in the same way as the Classic method. Instead all rules are removed from the NSG, without updating Azure, the updated rules are added to the NSG and the entire NSG passed to Azure for it to update.
UPDATE 18th August 2015: The script has been updated to significantly reduce the time it takes to validate the port ranges. The updated script is available on TechNet Gallery using the same URL.
This PowerShell script reads a CSV file that contains Azure Network Security Group Rules and creates it in Azure. In addition it can update an already created Azure Network Security Group with new rules, update existing and remove existing as required.
The script has two main functions:
Here is example of how to invoke each:
New-CustomAzureNetworkSecurityGroup -CSVPath C:\AzureNetworkSecuriyGroupRules\VS-DMZ-NSG.csv -NetworkSecurityGroupName "VS-DMZ-NSG" -AzureLocation "North Europe" -NetworkSecurityGroupLabel "This contains the rules for the Virtual Subnet VS-DMZ"
Update-AzureCustomNetworkSecurityGroup -CSVPath C:\AzureNetworkSecuriyGroupRules\VS-DMZ-NSG.csv -NetworkSecurityGroupName "VS-DMZ-NSG"
The first thing the script does is validate each rule against Microsoft's criteria (which can be found here About Azure Network Security Groups). If this is passed then it will move to either creating or updating the required Azure Network Security Group as has been instructed.
When the Script updates the rules in the Azure Network Security Group it processes them based on the priority value defined in the CSV, inbound first then outbound rules. If there is a clash in priority numbers between a new/updated rule and a rule that already exists in the Azure Network Security Group (that may be being updated further down the list of rules or removed entirely) it will decrement the Priority value temporarily. After this the Script will remove any rules missing from the CSV file so the Azure Network Security Group matches the CSV file. Once this is complete the Script will attempt to assign rules their correct priority value.
This script will NOT apply the Azure Network Security Group to a VM or a Subnet; is just creates the Azure Network Security Group for you. To apply it to a VM or subnet that can be achieved using the following Azure cmdlets:
Set-AzureNetworkSecurityGroupToSubnet -Name "VS-DMZ-NSG" -VirtualNetworkName "VS-MAIN" -SubnetName "VS-DMZ-NSG"
Get-AzureVM -ServiceName "DMZ" -Name "DMZ-WEB01" | Set-AzureNetworkSecurityGroupConfig -NetworkSecurityGroupName "VS-DMZ-NSG" | Update-AzureVM
The Script will not amend or remove the default Azure Network Security Group Rules.
You will need to have the Azure PowerShell module installed on the machine where the PowerShell is executed. You can obtain the Azure PowerShell cmdlets using the Web Platform Installer.
As always, test it first, make sure you're happy with it. Feel free to leave comments below if you think there's a way of improving it!
An example CSV is included.