<#
script to add a priority-100 NSG rule granting remote access to azure resources for test deployments
https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview
iwr "https://raw.githubusercontent.com/jagilber/powershellScripts/master/azure-az-add-nsg-rule.ps1" -out "$pwd\azure-az-add-nsg-rule.ps1";.\azure-az-add-nsg-rule.ps1
#>
param(
    # resource group that holds the target NSG(s); Mandatory means the '' default
    # is never used (PowerShell prompts instead)
    [Parameter(Mandatory = $true)]
    [string]$resourceGroup = '',
    # name (and description) of the rule created / replaced / removed
    [string]$nsgRuleName = "remote-rule",
    # NSG rule priority; lower numbers are evaluated first
    [int]$priority = 100,
    # '*' combined with the Tcp protocol hard-coded in modify-nsgRule exposes every
    # TCP port to the source prefixes; the commented list is a narrower alternative
    [string[]]$destPorts = @('*'), #@('3389', '19000', '19080', '19081', '22'),
    # NSG names to modify; empty means main enumerates every NSG in $resourceGroup
    [string[]]$existingNsgNames = @(),
    # ValidateSet matches case-insensitively, so the "Allow" default is accepted
    [ValidateSet('allow','deny')]
    [string]$access = "Allow",
    [ValidateSet('inbound','outbound')]
    [string]$direction = "inbound",
    # default is the caller's current public address as reported by ipinfo.io;
    # that third-party request is made during parameter binding on every run
    # that does not pass this parameter explicitly
    [string[]]$sourceAddressPrefix = @(((Invoke-RestMethod https://ipinfo.io/json).ip)), #,'*','AzureDevOps','AzureTrafficManager','ServiceFabric'), # *
    [string[]]$destAddressPrefix = @('*'), #,'*','AzureDevOps','AzureTrafficManager','ServiceFabric'), # *
    # -force: delete an existing rule of the same name before adding
    [switch]$force,
    # -remove: delete the rule instead of adding it
    [switch]$remove,
    # -wait: poll every 60 seconds until at least one NSG has been processed
    [switch]$wait
)
function main () {
    # Runs modify-nsgRule against every NSG named in $existingNsgNames, or against
    # every NSG in $resourceGroup when that list is empty. Without -wait this is a
    # single pass; with -wait it polls every 60 seconds until at least one NSG was
    # processed.
    $waitCount = 0
    do {
        # The assignment below creates a function-local copy; the script parameter
        # itself is left untouched.
        if (-not $existingNsgNames) {
            $existingNsgNames = @((get-aznetworksecuritygroup -resourcegroupname $resourceGroup).Name)
        }
        foreach ($nsgName in $existingNsgNames) {
            if ([string]::IsNullOrEmpty($nsgName)) { continue }
            $nsg = get-nsg $nsgName
            if (-not $nsg) {
                Write-Warning "unable to find $nsgName"
                continue
            }
            modify-nsgRule $nsg
            $waitCount += 1
        }
        # Leave as soon as something was processed, or immediately when not waiting.
        if (-not $wait -or $waitCount -ne 0) {
            break
        }
        Write-Host "$waitCount waiting for nsg $(get-date)"
        Start-Sleep -Seconds 60
    } while ($wait -or $waitCount -eq 0)
    Write-Host "finished"
}
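function get-nsg($name) {
    # Looks up one NSG by name in $resourceGroup (script parameter).
    # Arguments: $name - NSG name
    # Returns:   the NSG object, or $false when the lookup returns nothing
    $nsg = Get-AzNetworkSecurityGroup -Name $name -ResourceGroupName $resourceGroup
    if (-not $nsg) {
        # The warning previously interpolated $nsgname, which is not a parameter of
        # this function and only resolved through the caller's scope.
        Write-Warning "no nsg $name`r`nreturning"
        return $false
    }
    return $nsg
}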
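function modify-nsgRule($nsg) {
    # Adds, replaces (-force) or deletes (-remove) the rule named $nsgRuleName on
    # $nsg and persists the result with Set-AzNetworkSecurityGroup.
    # Arguments: $nsg - NSG object as returned by get-nsg
    # Reads script parameters: $nsgRuleName, $force, $remove, $access, $direction,
    #   $priority, $sourceAddressPrefix, $destAddressPrefix, $destPorts
    $currentRule = Get-AzNetworkSecurityRuleConfig -Name $nsgRuleName -NetworkSecurityGroup $nsg
    if ($currentRule -and ($force -or $remove)) {
        Write-Warning "deleting existing rule`r`n$($currentRule | convertto-json -depth 5)"
        Remove-AzNetworkSecurityRuleConfig -Name $nsgRuleName -NetworkSecurityGroup $nsg
        if ($remove) {
            # -remove only deletes. Previously this fell through to the add below
            # and re-created the rule it had just removed. The removal is only a
            # local change on $nsg until Set-AzNetworkSecurityGroup is called.
            write-host "setting rule: Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg" -ForegroundColor Green
            Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
            return
        }
    }
    elseif ($currentRule) {
        Write-Warning "$nsgRuleName exists`r`nreturning"
        return
    }
    elseif ($remove) {
        Write-Warning "$nsgRuleName does not exist`r`nreturning"
        return
    }
    # Protocol is fixed to Tcp and the source port range is unrestricted; the
    # rule is only as narrow as $sourceAddressPrefix and $destPorts make it.
    write-host "adding rule:
Add-AzNetworkSecurityRuleConfig -Name $nsgRuleName ``
-NetworkSecurityGroup $nsg ``
-Description $nsgRuleName ``
-Access $access ``
-Protocol Tcp ``
-Direction $direction ``
-Priority $priority ``
-SourceAddressPrefix $sourceAddressPrefix ``
-SourcePortRange * ``
-DestinationAddressPrefix $destAddressPrefix ``
-DestinationPortRange $destPorts
" -ForegroundColor Green
    Add-AzNetworkSecurityRuleConfig -Name $nsgRuleName `
        -NetworkSecurityGroup $nsg `
        -Description $nsgRuleName `
        -Access $access `
        -Protocol Tcp `
        -Direction $direction `
        -Priority $priority `
        -SourceAddressPrefix $sourceAddressPrefix `
        -SourcePortRange * `
        -DestinationAddressPrefix $destAddressPrefix `
        -DestinationPortRange $destPorts
    write-host "setting rule: Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg" -ForegroundColor Green
    # Persists the in-memory rule change to Azure.
    Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
}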
# script entry point; all work happens inside main so it runs after every function is defined
main