UPDATED: Managing Azure Network Security Groups using CSV files
UPDATE 18th August 2015: The script has been updated to significantly reduce the time it takes to validate port ranges. The updated script is available on TechNet Gallery at the same URL.
Azure Network Security Groups let you apply Access Control Lists (ACLs) to VMs and virtual subnets in Microsoft Azure (not to an entire virtual network in one hit). More details on what an Azure Network Security Group is can be found here.
Recently I’ve been working with a customer who wants to move a lot of their virtual machine infrastructure to Azure and will rely on Azure Network Security Groups to secure VMs and virtual subnets. They needed an easy way to manage all of these, as they will have many different Azure accounts and subscriptions, mainly because of the Azure subscription limits (see Azure Limitations) and the number of services they will run in Azure.
To let them manage their Azure Network Security Groups I created a PowerShell script which reads a CSV file containing Azure Network Security Group rules and creates the group in Azure. It can also update an existing Azure Network Security Group: adding new rules, updating existing ones and removing rules that are no longer in the CSV.
The screenshot below shows an example Azure Network Security Group CSV file:
The script has two main functions, New-CustomAzureNetworkSecurityGroup and Update-AzureCustomNetworkSecurityGroup. Here is an example of how to invoke each:
New-CustomAzureNetworkSecurityGroup -CSVPath C:\AzureNetworkSecurityGroupRules\VS-DMZ-NSG.csv -NetworkSecurityGroupName "VS-DMZ-NSG" -AzureLocation "North Europe" -NetworkSecurityGroupLabel "This contains the rules for the Virtual Subnet VS-DMZ"
Update-AzureCustomNetworkSecurityGroup -CSVPath C:\AzureNetworkSecurityGroupRules\VS-DMZ-NSG.csv -NetworkSecurityGroupName "VS-DMZ-NSG"
The first thing the script does is validate each rule against Microsoft’s criteria for NSG rules (documented in the About Azure Network Security Groups article). If validation passes, it moves on to creating or updating the Azure Network Security Group as instructed.
When the script updates the rules in an Azure Network Security Group it processes them in the priority order defined in the CSV, inbound rules first and then outbound. If the priority of a new or updated rule clashes with a rule that already exists in the group (one that may be updated further down the list, or removed entirely), the script temporarily decrements the priority value to avoid the clash. Once every rule in the CSV has been applied, the script removes any rules that are missing from the CSV so the group matches the file, and finally attempts to move the rules onto their correct priority values. Because rules are changed one at a time, the group passes through intermediate states during an update (rules at temporary priorities, stale rules still present) and traffic is evaluated against that intermediate ordering until the update completes, so test against a non-production subscription first and run production updates at a time when a brief change in rule ordering is acceptable.
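The validation and update steps described above, as an added example that is not the script from this post: it validates CSV rows offline against the classic NSG rule criteria as I understand them (priority 100-4096 and unique per direction, Allow/Deny, TCP/UDP/*, single port, low-high range or *, IPv4 address, CIDR, default tag or *), then works out the ordered sequence of Set/Remove calls that would bring an existing group in line with the CSV. The CSV column names mirror the Set-AzureNetworkSecurityRule parameters, the CSV text and the "existing" rule set are constructed for the demo, and the plan lines are abbreviated (a real call also needs the remaining rule parameters and the group object from Get-AzureNetworkSecurityGroup -Detailed). Unlike the post's script, a clashing rule is parked on the next free priority that no CSV rule claims rather than on a decremented one; nothing here talks to Azure.

```powershell
# Added example (not the post's script): validate NSG rule rows from a CSV offline,
# then work out the ordered Set/Remove sequence needed to make an existing group
# match the CSV. The CSV text and the "existing" rule set are constructed for the demo.

$csvText = @'
Name,Type,Priority,Action,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Protocol
Allow-HTTPS-In,Inbound,100,Allow,INTERNET,*,10.0.1.0/24,443,TCP
Allow-RDP-Mgmt,Inbound,110,Allow,10.0.0.0/24,*,10.0.1.0/24,3389,TCP
Deny-All-In,Inbound,4000,Deny,*,*,*,*,*
Allow-DNS-Out,Outbound,100,Allow,*,*,VIRTUAL_NETWORK,53,UDP
Bad-Rule,Inbound,99,Allow,999.1.1.1,*,*,80-70,ICMP
'@

function Test-NsgPortRange([string]$Range) {
    # '*', a single port, or 'low-high', with every port in 0-65535.
    if ($Range -eq '*') { return $true }
    if ($Range -notmatch '^(\d{1,5})(?:-(\d{1,5}))?$') { return $false }
    $lo = [int]$Matches[1]
    $hi = if ($Matches[2]) { [int]$Matches[2] } else { $lo }
    return ($hi -le 65535 -and $lo -le $hi)
}

function Test-NsgAddressPrefix([string]$Prefix) {
    # '*', one of the classic default tags, an IPv4 address or an IPv4 CIDR prefix.
    if ($Prefix -in '*', 'VIRTUAL_NETWORK', 'INTERNET', 'AZURE_LOADBALANCER') { return $true }
    if ($Prefix -notmatch '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:/(\d{1,2}))?$') { return $false }
    foreach ($i in 1..4) { if ([int]$Matches[$i] -gt 255) { return $false } }
    return (-not $Matches[5] -or [int]$Matches[5] -le 32)
}

function Test-NsgRule($Rule) {
    # Returns the problems found in one CSV row; no output means the row is valid.
    $problems = @()
    if ([string]::IsNullOrWhiteSpace($Rule.Name)) { $problems += 'Name is empty' }
    if ($Rule.Type -notin 'Inbound', 'Outbound') { $problems += "Type '$($Rule.Type)' must be Inbound or Outbound" }
    $p = 0
    if (-not [int]::TryParse([string]$Rule.Priority, [ref]$p) -or $p -lt 100 -or $p -gt 4096) {
        $problems += "Priority '$($Rule.Priority)' must be an integer from 100 to 4096"
    }
    if ($Rule.Action -notin 'Allow', 'Deny') { $problems += "Action '$($Rule.Action)' must be Allow or Deny" }
    if ($Rule.Protocol -notin 'TCP', 'UDP', '*') { $problems += "Protocol '$($Rule.Protocol)' must be TCP, UDP or *" }
    foreach ($f in 'SourcePortRange', 'DestinationPortRange') {
        if (-not (Test-NsgPortRange $Rule.$f)) { $problems += "$f '$($Rule.$f)' is not a port, low-high range or *" }
    }
    foreach ($f in 'SourceAddressPrefix', 'DestinationAddressPrefix') {
        if (-not (Test-NsgAddressPrefix $Rule.$f)) { $problems += "$f '$($Rule.$f)' is not an IPv4 address, CIDR, tag or *" }
    }
    return $problems
}

function Get-NsgUpdatePlan([object[]]$Desired, [object[]]$Existing) {
    # Applies rules inbound first, then outbound, by ascending priority. A rule whose target
    # priority is still held by a different existing rule is parked on a free priority that no
    # CSV rule claims, and moved to its real priority after the rules missing from the CSV are
    # removed. Default rules (priority above the user range 100-4096) are never touched.
    $plan = @(); $parked = @()
    $occupied = @{}; $current = @{}; $wanted = @{}          # keys are "Type:Priority"
    foreach ($e in $Existing) { $occupied["$($e.Type):$($e.Priority)"] = $e.Name; $current[$e.Name] = "$($e.Type):$($e.Priority)" }
    foreach ($d in $Desired) { $wanted["$($d.Type):$($d.Priority)"] = $true }
    $ordered = $Desired | Sort-Object @{ Expression = { $_.Type -eq 'Outbound' } }, @{ Expression = { [int]$_.Priority } }
    foreach ($d in $ordered) {
        $target = "$($d.Type):$($d.Priority)"; $slot = $target; $note = ''
        if ($occupied[$target] -and $occupied[$target] -ne $d.Name) {
            $tmp = [int]$d.Priority
            while ($occupied["$($d.Type):$tmp"] -or $wanted["$($d.Type):$tmp"]) { $tmp++ }
            if ($tmp -gt 4096) { throw "No free temporary priority for $($d.Name)" }
            $slot = "$($d.Type):$tmp"; $note = "   # temporary, clashes with $($occupied[$target])"; $parked += $d
        }
        if ($current[$d.Name]) { $occupied.Remove($current[$d.Name]) }   # leaving its old priority
        $occupied[$slot] = $d.Name; $current[$d.Name] = $slot
        $plan += "Set-AzureNetworkSecurityRule -Name $($d.Name) -Type $($d.Type) -Priority $($slot.Split(':')[1])$note"
    }
    foreach ($e in $Existing) {
        if ([int]$e.Priority -gt 4096 -or $Desired.Name -contains $e.Name) { continue }
        $occupied.Remove($current[$e.Name]); $plan += "Remove-AzureNetworkSecurityRule -Name $($e.Name)"
    }
    foreach ($d in $parked) {
        $occupied.Remove($current[$d.Name]); $occupied["$($d.Type):$($d.Priority)"] = $d.Name
        $plan += "Set-AzureNetworkSecurityRule -Name $($d.Name) -Type $($d.Type) -Priority $($d.Priority)"
    }
    return $plan
}

$rules = @($csvText | ConvertFrom-Csv)
$problems = @(foreach ($r in $rules) { foreach ($why in Test-NsgRule $r) { "$($r.Name): $why" } })
# Priorities must also be unique within a direction across the CSV itself.
$problems += @($rules | Group-Object Type, Priority | Where-Object Count -gt 1 | ForEach-Object { "duplicate priority $($_.Name)" })
$problems | ForEach-Object { Write-Warning $_ }
$valid = @($rules | Where-Object { -not (Test-NsgRule $_) })

$existing = @(                                                                          # constructed group state
    [pscustomobject]@{ Name = 'Allow-HTTP-In';    Type = 'Inbound'; Priority = 100 }    # not in the CSV any more
    [pscustomobject]@{ Name = 'Allow-HTTPS-In';   Type = 'Inbound'; Priority = 110 }    # CSV moves it to 100
    [pscustomobject]@{ Name = 'Allow-RDP-Mgmt';   Type = 'Inbound'; Priority = 120 }    # CSV moves it to 110
    [pscustomobject]@{ Name = 'DENY ALL INBOUND'; Type = 'Inbound'; Priority = 65500 }  # default rule
)
Get-NsgUpdatePlan -Desired $valid -Existing $existing
```

Running this warns about every problem in the Bad-Rule row (priority 99, a 999 octet, a range whose low end is above its high end, and ICMP) and then prints the plan: Allow-HTTPS-In is first set at the temporary priority 101 because 100 is still held by the stale Allow-HTTP-In, Allow-RDP-Mgmt and the two new rules go straight to their priorities, Allow-HTTP-In is removed, and only then is Allow-HTTPS-In moved to 100; the default rule is left alone. Parking on a priority that no CSV rule wants is what lets the final move succeed in one pass even when two rules swap priorities.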
This script will NOT apply the Azure Network Security Group to a VM or a subnet; it just creates the Azure Network Security Group for you. Applying it to a VM or subnet can be done with the following Azure cmdlets:
- For a subnet:
Set-AzureNetworkSecurityGroupToSubnet -Name "VS-DMZ-NSG" -VirtualNetworkName "VS-MAIN" -SubnetName "VS-DMZ"
- For a VM:
Get-AzureVM -ServiceName "DMZ" -Name "DMZ-WEB01" | Set-AzureNetworkSecurityGroupConfig -NetworkSecurityGroupName "VS-DMZ-NSG" | Update-AzureVM
The script will not amend or remove the default Azure Network Security Group rules.
The script can be downloaded from here.
You will need the Azure PowerShell module installed on the machine where the script is executed; the cmdlets used here (Get-AzureVM, Set-AzureNetworkSecurityGroupToSubnet and friends) are the classic Service Management ones. You can obtain the Azure PowerShell cmdlets using the Web Platform Installer.
As always, test it first, make sure you’re happy with it. Feel free to leave comments below if you think there’s a way of improving it!