Managing Azure Network Security Groups using CSV files

This script reads a CSV file containing Azure Network Security Group rules and creates them in Azure. It can also update an existing Azure Network Security Group: adding new rules, updating existing rules and removing existing rules as required. Works with Resource Manager and Classic Azure.

 
 
 
 
 
Windows Azure
9/16/2016


  • After update to Latest Azure Powershell module getting errors.
    5 Posts | Last post October 24, 2018
    • I'm getting the below error message when attempting to run the script after updating to the latest Azure PowerShell, even though the security group -does- exist.
      
      Update-AzureRmCustomNetworkSecurityGroup : Cannot validate argument on parameter 'NetworkSecurityGroupName'. The Network Security Group Name "azruktestwaf-nsg" does not 
      exist. Consider using New-AzureRmCustomNetworkSecurityGroup
      At <Path removed for this post>\LoadACSVBasedSecurityGroup.ps1:15 char:149
      + ... urityGroupName "azruktestwaf-nsg" -ResourceGroupName Networks -Verbose
      +                    ~~~~~~~~~~~~~~~~~~
          + CategoryInfo          : InvalidData: (:) [Update-AzureRmCustomNetworkSecurityGroup], ParameterBindingValidationException
          + FullyQualifiedErrorId : ParameterArgumentValidationError,Update-AzureRmCustomNetworkSecurityGroup
      
      I have tried with a different machine running the previous version of Azure powershell and I was able to successfully apply the Security group again.
      
      Output of Version info from server that works:
      
      ModuleType Version    Name                                ExportedCommands                                                                                                                                      
      ---------- -------    ----                                ----------------                                                                                                                                      
      Manifest   1.6.0      Azure                               {Get-AzureAutomationCertificate, Get-.}                   
      
      Hrrm, the output of the system it doesn't work on doesn't seem to be reporting the version, and it's the newer version. Perhaps something is broken with the Azure PowerShell install; I'll have to investigate that, as it could be the source of the issue.
    • Okay I have confirmed now that this does not work on the later version of powershell.
      Can the Author please review and fix this? Thanks.
    • Sorry I mean the later versions of Azure powershell.
      
      To recreate the issue above, just download the latest Azure PowerShell installable and install it, then try to run the script. You should get the above error.
      
    • I'm not sure why the author didn't catch this but as I think this module is awesome I really wish he would let me know how I can contribute to this module.
      
      Anyway here is how I solved it for those with the same issue:
      
      Here's what I did to solve it:
      
      1.) Remove any older Azure modules. For some reason Uninstall-Module AzureRM doesn't work, as there appears to be a bug and it only uninstalls AzureRM.
      
      # Uninstall every installed AzureRM* module, one name at a time
      foreach ($module in (Get-Module -ListAvailable AzureRM*).Name | Sort-Object -Unique) {
          Write-Host "Removing Module $module"
          Uninstall-Module $module
      }
      
      Then install the latest 5.0.x
      
      Install-Module AzureRM
      
      When it's done, try the script again.
      
      If it still fails, try making sure the NetworkSecurity group name is the same case as it is in Azure. I haven't checked the code to figure out why, but for some reason either older modules and/or a case issue can cause this.
    • First of all: best tool for NSGs ever seen! Very important for IaC, as template export / import is not the best way ;-) (in fact not working)!
      This script will not work with augmented rules for NSGs. Will there be an update?
  • Cannot validate argument on parameter 'NetworkSecurityGroupName'
    2 Posts | Last post December 01, 2017
    • Getting an error while running the script. The NSG name is correct.
    • Okay, I was getting this too.
      
      Here's what I did to solve it:
      
      1.) Remove any older Azure modules. For some reason Uninstall-Module AzureRM doesn't work, as there appears to be a bug and it only uninstalls AzureRM.
      
      # Uninstall every installed AzureRM* module, one name at a time
      foreach ($module in (Get-Module -ListAvailable AzureRM*).Name | Sort-Object -Unique) {
          Write-Host "Removing Module $module"
          Uninstall-Module $module
      }
      
      Then install the latest 5.0.x
      
      Install-Module AzureRM
      
      When it's done, try the script again.
      
      If it still fails, try making sure the NetworkSecurity group name is the same case as it is in Azure. I haven't checked the code to figure out why, but for some reason either older modules and/or a case issue can cause this.
  • Is this your git repo for this?
    1 Posts | Last post October 31, 2017
    • https://github.com/fr1dayfire/azure-scratch
  • This week when exporting a NSG to CSV some values were returned as "System.Collections.Generic.List`1[System.String]"
    1 Posts | Last post October 10, 2017
    • It appears that the SourceAddressPrefix, SourcePortRange, DestinationAddressPrefix, and  DestinationPortRange were changed to arrays. To fix this I changed lines 780 to 783 to the following. 
                      SourceAddressPrefix      = $_.SourceAddressPrefix -join "`n"
                      SourcePortRange          = $_.SourcePortRange -join "`n"
                      DestinationAddressPrefix = $_.DestinationAddressPrefix -join "`n"
                      DestinationPortRange     = $_.DestinationPortRange -join "`n"
      
      This completely ignores the issue of importing the CSV when more than one value is supported as I expect will occur. 
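
The import half that the post above leaves open, as an added example (not code from the gallery script): list-valued fields are joined into one CSV cell on export and split back into string arrays on import. The `;` delimiter, the helper names and the sample rule are assumptions made for this illustration.

```powershell
# Added example: constructed data, no Azure cmdlets. Helper names are hypothetical.
$Delimiter = ';'   # assumption: never occurs inside an address prefix or port range
$MultiValueFields = 'SourceAddressPrefix', 'SourcePortRange',
                    'DestinationAddressPrefix', 'DestinationPortRange'

function ConvertTo-FlatRule {      # export: list-valued fields -> one CSV cell each
    param([Parameter(ValueFromPipeline)] $Rule)
    process {
        $flat = [ordered]@{}
        foreach ($p in $Rule.PSObject.Properties) {
            if ($MultiValueFields -contains $p.Name) {
                $flat[$p.Name] = @($p.Value) -join $Delimiter
            } else { $flat[$p.Name] = $p.Value }
        }
        [pscustomobject]$flat
    }
}

function ConvertFrom-FlatRule {    # import: CSV cell -> string[] again
    param([Parameter(ValueFromPipeline)] $Row)
    process {
        $rule = [ordered]@{}
        foreach ($p in $Row.PSObject.Properties) {
            if ($MultiValueFields -contains $p.Name) {
                $parts = "$($p.Value)" -split [regex]::Escape($Delimiter) |
                    ForEach-Object { $_.Trim() } | Where-Object { $_ }
                $rule[$p.Name] = [string[]]@($parts)
            } else { $rule[$p.Name] = $p.Value }
        }
        [pscustomobject]$rule
    }
}

# Constructed sample rule with multi-valued address and port fields.
$rules = @([pscustomobject]@{
    Name = 'web_in_allow'; Priority = 1010; Access = 'Allow'
    SourceAddressPrefix      = [string[]]('10.0.0.0/8', '192.168.10.0/24')
    SourcePortRange          = [string[]]'*'
    DestinationAddressPrefix = [string[]]'10.128.8.4/32'
    DestinationPortRange     = [string[]]('80', '443', '8080-8090')
    Protocol = 'TCP'; Direction = 'Inbound'; Description = 'constructed sample'
})

$csv  = $rules | ConvertTo-FlatRule | ConvertTo-Csv -NoTypeInformation
$back = @($csv | ConvertFrom-Csv | ConvertFrom-FlatRule)
$csv                               # one row, multi-valued cells joined with ';'
$back[0].DestinationPortRange      # three separate strings again
```

Values read back from CSV are strings, so `Priority` needs a cast before it is compared or passed on as a number.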
  • Multiple Source IP Addresses
    1 Posts | Last post September 26, 2017
    • Hi Ryan,
      Is there a way to pass multiple source IP addresses/CIDR ranges?
      
  • Invalid Azure location error.
    1 Posts | Last post September 14, 2017
    • Hi Ryan,
      
      I am getting the below error while creating a new security group at our North Europe location.
      
      New-AzureCustomNetworkSecurityGroup : Cannot validate argument on parameter 'AzureLocation'. The location you requested "North Europe" is not a valid Azure location
      At line:1 char:206
      
      Can you please help me with this? Thanks
  • Static IP without /32
    1 Posts | Last post September 11, 2017
    • Is there any way to use individual IP for source or destination IP without using the /32 address range like from within the portal?
      
      Thanks 
  • All my rules were killed by 'Description' and nothing was added?
    2 Posts | Last post October 28, 2016
    • VERBOSE: Creating updated rule name ldap389_to_dell_allow
      Add-AzureRmNetworkSecurityRuleConfig : Cannot validate argument on parameter 'Description'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
      
    • Thanks, I've found the problem by myself:
      1. The source CSV file needs to be exported first.
      2. All parameter values should be in "".
      3. In case I use my own custom CSV, all previous rules will be deleted - this was my problem.
      
      I've also found this part in the script: #Remove all existing rules - WILL NOT UPDATE AZURE
      
      It would be good to stop execution before deletion and give an alert! Please be aware, all your rules may be deleted!
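
A pre-flight check for the situation described in the thread above, as an added example (not code from the gallery script): it compares the rules already on the NSG with the rows of the CSV and lists what would be added, updated and removed before anything is applied. `Get-NsgChangePlan` is a hypothetical helper and both rule sets are constructed; in practice the "existing" set would come from an export of the live NSG.

```powershell
# Added example: plans the change before anything is written. Data is constructed.
$CompareFields = 'Priority', 'Access', 'SourceAddressPrefix', 'SourcePortRange',
                 'DestinationAddressPrefix', 'DestinationPortRange', 'Protocol', 'Direction'

function Get-NsgChangePlan {   # hypothetical helper, not part of the gallery script
    param([object[]] $Existing, [object[]] $Desired)
    $current = @{}; $seen = @{}          # hashtable keys are case-insensitive
    foreach ($r in $Existing) { $current[$r.Name] = $r }
    foreach ($d in $Desired) {
        $seen[$d.Name] = $true
        if (-not $current.ContainsKey($d.Name)) {
            [pscustomobject]@{ Action = 'Add'; Name = $d.Name; Detail = '' }
            continue
        }
        $c = $current[$d.Name]
        $diff = foreach ($f in $CompareFields) {
            if ("$($c.$f)" -ne "$($d.$f)") { "${f}: '$($c.$f)' -> '$($d.$f)'" }
        }
        if ($diff) {
            [pscustomobject]@{ Action = 'Update'; Name = $d.Name; Detail = $diff -join '; ' }
        }
    }
    foreach ($name in $current.Keys) {   # on the NSG but missing from the CSV
        if (-not $seen.ContainsKey($name)) {
            [pscustomobject]@{ Action = 'Remove'; Name = $name; Detail = '' }
        }
    }
}

# Constructed sample: rules on the NSG today versus the rows of a hand-written CSV.
$existing = @'
Name,Priority,Access,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Protocol,Direction
rdp_admin_allow,1000,Allow,10.1.0.0/24,*,10.128.7.0/24,3389,TCP,Inbound
web_in_allow,1010,Allow,*,*,10.128.8.4/32,443,TCP,Inbound
'@ | ConvertFrom-Csv
$desired = @'
Name,Priority,Access,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Protocol,Direction
web_in_allow,1010,Allow,10.0.0.0/8,*,10.128.8.4/32,443,TCP,Inbound
ldap389_to_dell_allow,1020,Allow,10.0.0.0/8,*,10.128.7.4/32,389,TCP,Inbound
'@ | ConvertFrom-Csv

$plan = @(Get-NsgChangePlan -Existing $existing -Desired $desired)
$plan | Format-Table -AutoSize
$removals = @($plan | Where-Object { $_.Action -eq 'Remove' })
if ($removals.Count -gt 0) {
    # Stop here instead of applying; removals need explicit operator confirmation.
    Write-Warning ("CSV omits {0} existing rule(s): {1}" -f $removals.Count, ($removals.Name -join ', '))
}
```

With the sample data the plan contains one Update, one Add and one Remove, and the warning names the rule that would disappear.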
  • Location bug
    3 Posts | Last post September 16, 2016
    • Line # 483. I had to update the script to use an ARM cmd to look up locations.
      
      if(-not(Get-AzureRMLocation | ?{$_.DisplayName -eq $DesiredLocation})){
    • This has been fixed now. Please download the file again.
    • It works now if you use the Display Name or the Internal Name for the location, for example if you use "West Europe" or "westeurope".
  • Script not accepting port ranges?
    2 Posts | Last post September 16, 2016
    • Hi all -
      
      Is anyone having trouble getting the script to accept a port range?  I want to include a common rule to allow the common active directory client ports, however when I add this line to my CSV file an error occurs saying that it's not a valid port range.
      
      
      Any idea?  I'm sure it's a context thing.  Dunno.  I can posthumously go in and create the rule, but my CSV has 150 or so rules and for cleanliness I'd like to include the port range as part of our infrastructure as code effort.
      
      Name	Priority	Access	SourceAddressPrefix	SourcePortRange	DestinationAddressPrefix	DestinationPortRange	Protocol	Direction	Description
      IBA-ADClientsDC1-49152-65535	1080	Allow	10.0.0.0/8	*	10.128.7.4/32	49152-65535	TCP	Inbound	DES1
      
    • This has been fixed now. Please download the file again.