UPDATED: Managing Azure Network Security Groups using CSV files

UPDATE 18th August 2015: The script has been updated to significantly reduce the time it takes to validate the port ranges. The updated script is available on TechNet Gallery using the same URL.

Azure Network Security Groups allow you to apply Access Control Lists to VMs and Virtual Subnets (not an entire Virtual Network in one hit) in Microsoft Azure. More details on what an Azure Network Security Group is can be found here:

Recently I’ve been working with a customer who wants to move a LOT of their Virtual Machine infrastructure to Azure and will be reliant upon Azure Network Security Groups to apply security to VMs and Virtual Subnets. They needed an easy way to manage all of these in Azure as they will have many different Azure Accounts and Subscriptions – mainly due to the Azure subscription limitations (Azure Limitations) as they will have a LOT of their services in Azure.

To allow them to manage their Azure Network Security Groups I created a PowerShell script which reads a CSV file containing Azure Network Security Group rules and creates the group in Azure. It can also update an existing Azure Network Security Group from the CSV: adding new rules, updating existing ones and removing rules as required.

The screenshot below shows an example Azure Network Security Group CSV file:

[Screenshot: example Azure Network Security Group CSV file (CSV-SS)]

The script has two main functions:

  1. New-CustomAzureNetworkSecurityGroup
  2. Update-CustomAzureNetworkSecurityGroup

Here is an example of how to invoke each:

  1. New-CustomAzureNetworkSecurityGroup -CSVPath C:\AzureNetworkSecurityGroupRules\VS-DMZ-NSG.csv -NetworkSecurityGroupName "VS-DMZ-NSG" -AzureLocation "North Europe" -NetworkSecurityGroupLabel "This contains the rules for the Virtual Subnet VS-DMZ"
  2. Update-CustomAzureNetworkSecurityGroup -CSVPath C:\AzureNetworkSecurityGroupRules\VS-DMZ-NSG.csv -NetworkSecurityGroupName "VS-DMZ-NSG"

The first thing the script does is validate each rule against Microsoft’s criteria (see About Azure Network Security Groups). If validation passes, the script moves on to creating or updating the required Azure Network Security Group as instructed.
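As an added illustration of that validation step (my own code, not the script from the post), the functions below check CSV rows against the classic NSG rule limits as I understand them, and check port ranges by their endpoints rather than enumerating them, which is the slow path discussed in the comments. The CSV column names, the rule limits and the tag names are assumptions to confirm against the Microsoft page linked above.

```powershell
# Added example, not the script from the post. Assumed limits: priority 100-4096, ports 0-65535
# or low-high, protocol TCP/UDP/*, action Allow/Deny, type Inbound/Outbound, CIDR or tag prefixes.
# A range such as 1024-65535 is validated by its two endpoints only, so it costs the same as one port.

function Test-PortRange {
    param([string]$Value)
    if ($Value -eq '*') { return $true }
    if ($Value -notmatch '^(\d{1,5})(?:-(\d{1,5}))?$') { return $false }
    $low = [int]$Matches[1]
    if ($low -gt 65535) { return $false }
    if ($Matches[2]) { $high = [int]$Matches[2]; return ($high -le 65535 -and $low -le $high) }
    return $true
}

function Test-AddressPrefix {
    param([string]$Value)
    if ($Value -in '*', 'VIRTUAL_NETWORK', 'AZURE_LOADBALANCER', 'INTERNET') { return $true }
    $ip, $mask = $Value -split '/', 2   # "10.0.1.0/24" -> ip and mask; a plain IP leaves $mask as $null
    $octetsOk = ($ip -match '^(\d{1,3}\.){3}\d{1,3}$') -and -not ($ip -split '\.' | Where-Object { [int]$_ -gt 255 })
    return $octetsOk -and (($null -eq $mask) -or ($mask -match '^\d{1,2}$' -and [int]$mask -le 32))
}

function Test-NsgRule {
    param([object]$Rule)   # one row from ConvertFrom-Csv / Import-Csv; column names are assumed
    $problems = @()
    if ($Rule.Type -notin 'Inbound', 'Outbound') { $problems += 'Type must be Inbound or Outbound' }
    if ($Rule.Action -notin 'Allow', 'Deny') { $problems += 'Action must be Allow or Deny' }
    if ($Rule.Protocol -notin 'TCP', 'UDP', '*') { $problems += 'Protocol must be TCP, UDP or *' }
    $p = 0
    if (-not [int]::TryParse([string]$Rule.Priority, [ref]$p) -or $p -lt 100 -or $p -gt 4096) { $problems += 'Priority must be 100-4096' }
    foreach ($col in 'SourcePortRange', 'DestinationPortRange') {
        if (-not (Test-PortRange $Rule.$col)) { $problems += "$col '$($Rule.$col)' is not a port or low-high range" }
    }
    foreach ($col in 'SourceAddressPrefix', 'DestinationAddressPrefix') {
        if (-not (Test-AddressPrefix $Rule.$col)) { $problems += "$col '$($Rule.$col)' is not CIDR, a tag or *" }
    }
    return $problems
}

# Constructed sample rows in the post's CSV layout; the last row fails on two columns.
$csv = @'
Name,Type,Priority,Action,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Protocol
Allow-HTTPS,Inbound,100,Allow,INTERNET,*,10.0.1.0/24,443,TCP
Allow-Ephemeral,Inbound,110,Allow,10.0.0.0/16,1024-65535,10.0.1.0/24,3389,TCP
Bad-Rule,Inbound,99,Allow,INTERNET,*,10.0.1.0/24,70000-80000,TCP
'@
foreach ($rule in ($csv | ConvertFrom-Csv)) {
    $problems = Test-NsgRule $rule
    if ($problems) { Write-Warning "$($rule.Name): $($problems -join '; ')" } else { "$($rule.Name): OK" }
}
```

Rejecting a bad row before any cmdlet runs matters because a partially applied rule set is itself a security gap; duplicate priorities within one direction of the CSV should be rejected at this stage too.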

When the script updates the rules in an Azure Network Security Group it processes them in order of the priority value defined in the CSV, inbound rules first and then outbound rules. If a new or updated rule’s priority clashes with a rule that already exists in the Azure Network Security Group (one that may itself be updated further down the list, or removed entirely), the script temporarily decrements the priority value. It then removes any rules that are missing from the CSV file so that the Azure Network Security Group matches the CSV. Once this is complete the script attempts to assign the rules their correct priority values.
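To make that ordering concrete, here is an added dry-run planner (my own code, not the script from the post) that works on in-memory rule objects and prints the sequence of set and remove operations the update step would issue. It assumes that "decrement" means parking a clashing rule on the next free priority below its wanted value, falling back upward when 100 is reached, and that rule objects carry Name, Type and Priority.

```powershell
# Added example, not the script from the post. Azure rejects two rules of one direction with the
# same priority, so a CSV rule whose priority is held by another live rule is parked on a temporary
# value, stale rules are removed, then every parked rule is set to its CSV priority.

function Find-FreePriority {
    param([hashtable]$Live, [string]$Type, [int]$Wanted)
    $used = @($Live.Values | Where-Object { $_.Type -eq $Type } | ForEach-Object { $_.Priority })
    $candidates = @()
    if ($Wanted -gt 100) { $candidates += ($Wanted - 1)..100 }     # decrement first, as the post says
    if ($Wanted -lt 4096) { $candidates += ($Wanted + 1)..4096 }   # fall back upward at the floor
    foreach ($p in $candidates) { if ($p -notin $used) { return $p } }
    throw "no free $Type priority"
}

function Get-NsgUpdatePlan {
    param([object[]]$Existing, [object[]]$Desired)   # objects with Name, Type, Priority (assumed shape)
    $plan = @()
    $live = @{}   # name -> @{Type; Priority}: a working copy of the NSG's current rules
    foreach ($r in $Existing) { $live[$r.Name] = @{ Type = $r.Type; Priority = [int]$r.Priority } }
    # Inbound first, then outbound, each by ascending CSV priority.
    $ordered = $Desired | Sort-Object { $_.Type -ne 'Inbound' }, { [int]$_.Priority }
    $parked = @()
    foreach ($d in $ordered) {
        $wanted = [int]$d.Priority
        $clash = $live.Keys | Where-Object { $_ -ne $d.Name -and $live[$_].Type -eq $d.Type -and $live[$_].Priority -eq $wanted }
        $prio = $wanted
        if ($clash) { $prio = Find-FreePriority $live $d.Type $wanted; $parked += $d }
        $live[$d.Name] = @{ Type = $d.Type; Priority = $prio }
        $plan += "Set    $($d.Name) $($d.Type) priority $prio"
    }
    foreach ($name in @($live.Keys)) {   # anything not in the CSV goes; default rules are not in $live
        if ($name -notin $Desired.Name) { $live.Remove($name); $plan += "Remove $name" }
    }
    foreach ($d in $parked) {   # the wanted slots are free now: give parked rules their CSV priority
        $live[$d.Name].Priority = [int]$d.Priority
        $plan += "Set    $($d.Name) $($d.Type) priority $($d.Priority)"
    }
    return $plan
}

# Constructed sample: what the NSG holds now versus what the CSV says after editing.
$current = @(
    [pscustomobject]@{ Name = 'Allow-HTTPS'; Type = 'Inbound'; Priority = 100 },
    [pscustomobject]@{ Name = 'Allow-RDP';   Type = 'Inbound'; Priority = 110 }
)
$fromCsv = @(
    [pscustomobject]@{ Name = 'Allow-HTTPS'; Type = 'Inbound'; Priority = 110 },   # moved into RDP's slot
    [pscustomobject]@{ Name = 'Allow-SSH';   Type = 'Inbound'; Priority = 100 }    # new, takes HTTPS's slot
)
Get-NsgUpdatePlan $current $fromCsv
```

Reviewing such a plan before running it against a live NSG shows which rules are briefly reordered during the update, which is worth knowing when a Deny rule is among them.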

This script will NOT apply the Azure Network Security Group to a VM or a subnet; it just creates the Azure Network Security Group for you. Applying it to a VM or subnet can be achieved using the following Azure cmdlets:

  • For a subnet: Set-AzureNetworkSecurityGroupToSubnet -Name "VS-DMZ-NSG" -VirtualNetworkName "VS-MAIN" -SubnetName "VS-DMZ-NSG"
  • For a VM: Get-AzureVM -ServiceName "DMZ" -Name "DMZ-WEB01" | Set-AzureNetworkSecurityGroupConfig -NetworkSecurityGroupName "VS-DMZ-NSG" | Update-AzureVM

The Script will not amend or remove the default Azure Network Security Group Rules.

The script can be downloaded from here.

You will need the Azure PowerShell module installed on the machine where the script is executed. You can obtain the Azure PowerShell cmdlets using the Web Platform Installer.

As always, test it first, make sure you’re happy with it. Feel free to leave comments below if you think there’s a way of improving it!


Posted on 23 January, 2015, in Microsoft. 15 Comments.

  1. This looks awesome, we were struggling to manage a lot of NSG rules in Azure.

    • Any problems let me know

      • Hi there. I’ve been using this heavily over the last few weeks and I’m just looking at some of the logic. I’ve enabled the verbose output and I don’t quite understand why the validation process takes so long.

        It looks like with the validation process it’s querying one rule at a time. Wouldn’t it be much much quicker just to do a “Get-AzureNetworkSecurityGroup -Detailed” and compare that against the CSV? In theory if both are in memory the comparison of all rules should take less than a second, rather than several minutes when querying each rule, one at a time.

        Any changes that are required, ie additions, deletions, and modifications could be queued for execution at the end.

        Thanks again for your work on this, it’s greatly simplified managing a bunch of rules.

      • The validation process takes a long time because of the port validation. If the port (source or destination) is a single number then it should be quite fast. If it contains a range then it takes time. If I get a chance I’ll see what I can do to speed it up.

  2. Hi, I downloaded the zip which contained the “AzureCustomNetworkSecurityGroup.PS1” and “Rules.csv” files. I updated the csv as I needed but then the guide says to run New-CustomAzureNetworkSecurityGroup or Update-CustomAzureNetworkSecurityGroup? Were these supposed to be in the zip file? Am I missing something?

  3. Hi Ryan, Me again. I have tweaked the destination port validation code and it now runs in about 2 seconds rather than 15 minutes. We were only using single port numbers, not ranges, and it was running very very slowly. Leave your email address and I can send this through if you wanted.

    • Hi – I’ll look at optimising the code for validation this week. I’ll advise if there’s an updated copy available. I believe the issue comes down to type conversions, should be an easy enough fix.

    • I’ve updated the Script now. Takes about 4 seconds to validate the entire sample Rules.csv file. It’s available to download via TechNet

  4. Hi mate

    Once I run the script, the New-CustomAzureNetworkSecurityGroup functions are not available. Any idea?

  5. Hi Ryan, We are currently using this to manage our NSGs, are you aware of anyone that is utilising your module in Azure Automation to automatically run the script each day?

    It’s something we wanted to look at, but adding the module fails when trying to extract the activities.

    • Have you changed this into a ps module?

      • I saved the file as a .psm1. It imports just fine locally, but importing into Automation gives me the below generic error:

        error occurred during module validation. When importing the module to an internal PowerShell session, it was not able to be loaded by PowerShell. There is likely an issue with the contents of the module that results in PowerShell’s not being able to load it. Please verify that the module imports successfully in a local PowerShell session, correct any issues, and then try importing again.

      • Is this as a hybrid runbook or native? I’ve not tried as a native
