
Prerequisites

  • install pwsh.
  • open pwsh
  • install az module
Install-Module Az -Scope CurrentUser -AllowClobber

Sign in

Connect-AzAccount

Sample

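Import-Module Az
Import-Module .\AzNsgSourceIp.psm1

# Source IP that currently appears in NSG rule source prefixes, and the IP(s) the
# replacement rule should allow. Matching is done by Get-AzureNSGSecurityGroupDetail.
$checkip = "8.8.8.8" # YOUR IP
[string[]]$newip = @("4.4.4.4") # YOUR NEW IP
$adjustPriority = -1 # Relative priority from current (negative = evaluated before the current rule)

# Get every matching rule together with the name proposed for its replacement.
$details = Get-AzureNSGSecurityGroupDetail -CheckIp $checkip -IpMappingName NEWRULE
# Sampling: operate on the first match only.
$detail = $details | Select-Object -First 1
if ($null -eq $detail) {
    Write-Warning "No NSG rule with source prefix '$checkip' was found; nothing to do."
    return
}
# Build the new rule: same rule, new source prefix, shifted priority.
# $adjustPriority is passed through instead of a hard-coded -1 so the setting above is honoured.
$newRule = New-AzureNSGSecurityGroupRule -NewName $detail.NewRuleName -NewSourceAddressPrefix $newip -Detail $detail -AdjustPriority $adjustPriority
$param = @{
    Name                                = $newRule.Name
    NetworkSecurityGroup                = $newRule.NetworkSecurityGroup
    Protocol                            = $newRule.Protocol
    SourcePortRange                     = $newRule.SourcePortRange
    DestinationPortRange                = $newRule.DestinationPortRange
    SourceAddressPrefix                 = $newRule.SourceAddressPrefix
    DestinationAddressPrefix            = $newRule.DestinationAddressPrefix
    SourceApplicationSecurityGroup      = $newRule.SourceApplicationSecurityGroup
    DestinationApplicationSecurityGroup = $newRule.DestinationApplicationSecurityGroups
    Access                              = $newRule.Access
    Priority                            = $newRule.Priority
    Direction                           = $newRule.Direction
    DefaultProfile                      = $newRule.DefaultProfile
}
# Adds the rule to the local NSG object only; Azure is not touched until the Set below.
Add-AzNetworkSecurityRuleConfig @param
# Commit change. The rule for $checkip is left in place ($detail.CurrentRuleName);
# remove it separately once the new rule has been verified.
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $newRule.NetworkSecurityGroup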

Run

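Import-Module Az
Import-Module .\AzNsgSourceIp.psm1

# Source IP that currently appears in NSG rule source prefixes, and the IP(s) the
# replacement rules should allow.
$checkip = "8.8.8.8"
[string[]]$newip = @("4.4.4.4")
$adjustPriority = -1 # Relative priority from current (negative = evaluated before the current rule)

# One detail per matched rule, across every NSG in the current Az context.
$details = @(Get-AzureNSGSecurityGroupDetail -CheckIp $checkip -IpMappingName NEWRULE)
if ($details.Count -eq 0) {
    Write-Warning "No NSG rule with source prefix '$checkip' was found; nothing to do."
    return
}
foreach ($detail in $details) {
    # $adjustPriority is passed through instead of a hard-coded -1 so the setting above is honoured.
    $newRule = New-AzureNSGSecurityGroupRule -NewName $detail.NewRuleName -NewSourceAddressPrefix $newip -Detail $detail -AdjustPriority $adjustPriority
    $param = @{
        Name                                = $newRule.Name
        NetworkSecurityGroup                = $newRule.NetworkSecurityGroup
        Protocol                            = $newRule.Protocol
        SourcePortRange                     = $newRule.SourcePortRange
        DestinationPortRange                = $newRule.DestinationPortRange
        SourceAddressPrefix                 = $newRule.SourceAddressPrefix
        DestinationAddressPrefix            = $newRule.DestinationAddressPrefix
        SourceApplicationSecurityGroup      = $newRule.SourceApplicationSecurityGroup
        DestinationApplicationSecurityGroup = $newRule.DestinationApplicationSecurityGroups
        Access                              = $newRule.Access
        Priority                            = $newRule.Priority
        Direction                           = $newRule.Direction
        DefaultProfile                      = $newRule.DefaultProfile
    }
    # check (dry run: builds the rule object without touching the NSG)
    #New-AzNetworkSecurityRuleConfig @param
    # Add to the local NSG object. Note: two matched rules in the same NSG with the same
    # Access and first destination port get the same generated name, and the add fails
    # on the second one; the loop stops there because the error is not handled.
    Add-AzNetworkSecurityRuleConfig @param
    # Commit. The original rule ($detail.CurrentRuleName) is kept; remove it separately
    # once the new rule has been verified.
    Set-AzNetworkSecurityGroup -NetworkSecurityGroup $newRule.NetworkSecurityGroup
}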

Ref

https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-1.2.0

#Requires -Version 6.1
#Requires -Modules Az
using namespace Microsoft.Azure.Commands.Network.Models
using namespace System.Collections.Generic
class AzureNSGSecurityGroupDetail {
    # NSG that owns the matched rule; this is the object later committed with Set-AzNetworkSecurityGroup.
    [PSNetworkSecurityGroup]$NetworkSecurityGroup
    # The matched rule itself, used as the template for the replacement.
    [PSSecurityRule]$NetworkSecurityRule
    # Name of the matched rule (copied from NetworkSecurityRule.Name).
    [string]$CurrentRuleName
    # Name proposed for the replacement rule.
    [string]$NewRuleName

    # Positional constructor: owning NSG, matched rule, proposed replacement name.
    AzureNSGSecurityGroupDetail([PSNetworkSecurityGroup]$group, [PSSecurityRule]$matchedRule, [string]$proposedName) {
        $this.NewRuleName = $proposedName
        $this.CurrentRuleName = $matchedRule.Name
        $this.NetworkSecurityRule = $matchedRule
        $this.NetworkSecurityGroup = $group
    }
}
class AzureNSGSecurityGroupRule {
    # Everything Add-AzNetworkSecurityRuleConfig needs, copied from an existing
    # PSSecurityRule except for Name and SourceAddressPrefix, which the caller supplies.
    [string]$Name
    [PSNetworkSecurityGroup]$NetworkSecurityGroup
    [string]$Description
    [string]$Protocol
    [IList[string]]$SourcePortRange
    [IList[string]]$DestinationPortRange
    [IList[string]]$SourceAddressPrefix
    [IList[string]]$DestinationAddressPrefix
    [List[PSApplicationSecurityGroup]]$SourceApplicationSecurityGroup
    # Plural on purpose: callers read $rule.DestinationApplicationSecurityGroups, so the
    # name is kept even though the source-side property is singular.
    [List[PSApplicationSecurityGroup]]$DestinationApplicationSecurityGroups
    [string]$Access
    [int]$Priority
    [string]$Direction
    # NOTE(review): copied from $rule.DefaultProfile; confirm PSSecurityRule exposes that
    # member — if it does not, this is $null in non-strict mode.
    [Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer]$DefaultProfile

    # Positional constructor: owning NSG, template rule, new rule name, new source prefixes.
    AzureNSGSecurityGroupRule([PSNetworkSecurityGroup]$group, [PSSecurityRule]$template, [string]$newName, [System.Collections.Generic.IList[string]]$newSourcePrefix) {
        # Caller-supplied values.
        $this.NetworkSecurityGroup = $group
        $this.Name = $newName
        $this.SourceAddressPrefix = $newSourcePrefix

        # Everything else is taken verbatim from the template rule.
        $this.Description = $template.Description
        $this.Protocol = $template.Protocol
        $this.Direction = $template.Direction
        $this.Access = $template.Access
        $this.Priority = $template.Priority
        $this.SourcePortRange = $template.SourcePortRange
        $this.DestinationPortRange = $template.DestinationPortRange
        $this.DestinationAddressPrefix = $template.DestinationAddressPrefix
        $this.SourceApplicationSecurityGroup = $template.SourceApplicationSecurityGroup
        $this.DestinationApplicationSecurityGroups = $template.DestinationApplicationSecurityGroup
        $this.DefaultProfile = $template.DefaultProfile
    }
}
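function Get-AzureNSGSecurityGroupDetail {
    <#
    .SYNOPSIS
    Finds every NSG security rule whose source address prefix is the given IP and
    proposes a name for a replacement rule.

    .DESCRIPTION
    Enumerates all network security groups visible in the current Az context, walks
    their rules, and emits one AzureNSGSecurityGroupDetail per rule whose
    SourceAddressPrefix list contains CheckIp either exactly or in CIDR form
    ("<CheckIp>/<bits>"). The proposed name is "{Access}_{IpMappingName}_{PortLabel}",
    where PortLabel comes from a small well-known-port table and otherwise is
    "PORT<first destination port>".

    .PARAMETER CheckIp
    Source IP (or CIDR) to look for. Compared as an ordinal string, not parsed as an address.

    .PARAMETER IpMappingName
    Middle segment of the generated rule name.

    .OUTPUTS
    AzureNSGSecurityGroupDetail[] - one per matched rule; nothing when no rule matches.
    #>
    [OutputType([AzureNSGSecurityGroupDetail[]])]
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$CheckIp,
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$IpMappingName
    )
    # Well-known destination ports get a readable label; anything else becomes PORT<n>.
    $portUsageMapping = @{
        "22"  = "SSH"
        "443" = "HTTPS"
        "80"  = "HTTP"
        "*"   = "ALL"
    }
    # A prefix matches only when it is exactly CheckIp or CheckIp followed by a CIDR
    # suffix. A bare StartsWith($CheckIp) also matched unrelated addresses (for
    # "8.8.8.8": "8.8.8.80", "8.8.8.81/32", ...) and the new source would then be
    # granted those rules' ports too.
    $cidrPrefix = "$CheckIp/"

    Get-AzNetworkSecurityGroup -PipelineVariable sg |
        Get-AzNetworkSecurityRuleConfig -PipelineVariable rule |
        Where-Object {
            $matched = @($_.SourceAddressPrefix | Where-Object {
                $prefix = [string]$_
                ($prefix -ceq $CheckIp) -or $prefix.StartsWith($cidrPrefix, [System.StringComparison]::Ordinal)
            })
            $matched.Count -ne 0
        } |
        ForEach-Object {
            # Label by the first destination port only (multi-port rules lose the rest).
            # Guard the empty-list case so the hashtable is never indexed with $null.
            $ports = @($rule.DestinationPortRange)
            $firstPort = if ($ports.Count -gt 0 -and $null -ne $ports[0]) { [string]$ports[0] } else { "*" }
            $map = $portUsageMapping[$firstPort]
            if ($null -eq $map) {
                $map = "PORT" + $firstPort
            }
            # {ACCESS}_{MAPPING}_{PORT_MAPPING}. -f is used so braces inside
            # IpMappingName are not interpreted as format placeholders.
            $ruleName = "{0}_{1}_{2}" -f $rule.Access, $IpMappingName, $map
            [AzureNSGSecurityGroupDetail]::new($sg, $rule, $ruleName)
        }
}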
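function New-AzureNSGSecurityGroupRule {
    <#
    .SYNOPSIS
    Builds the replacement rule object for a matched NSG rule.

    .DESCRIPTION
    Copies the matched rule from Detail, substitutes the new name and source address
    prefixes, and shifts the priority by AdjustPriority. Nothing is sent to Azure; the
    returned object is splatted into Add-AzNetworkSecurityRuleConfig by the caller.

    .PARAMETER NewName
    Name of the replacement rule (must be unique within the NSG).

    .PARAMETER NewSourceAddressPrefix
    Source prefixes the replacement rule allows or denies.

    .PARAMETER Detail
    Match produced by Get-AzureNSGSecurityGroupDetail (owning NSG plus template rule).

    .PARAMETER AdjustPriority
    Offset applied to the template rule's priority; negative values place the new rule
    ahead of the current one.

    .OUTPUTS
    AzureNSGSecurityGroupRule

    .NOTES
    Throws ArgumentOutOfRangeException when the adjusted priority leaves the 100..4096
    range Azure accepts, so the problem surfaces before Set-AzNetworkSecurityGroup.
    #>
    [OutputType([AzureNSGSecurityGroupRule])]
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$NewName,
        [Parameter(Mandatory = $true)]
        [ValidateNotNull()]
        [System.Collections.Generic.IList[string]]$NewSourceAddressPrefix,
        [Parameter(Mandatory = $true)]
        [ValidateNotNull()]
        [AzureNSGSecurityGroupDetail]$Detail,
        [Parameter(Mandatory = $true)]
        [int]$AdjustPriority
    )
    $rule = [AzureNSGSecurityGroupRule]::new($Detail.NetworkSecurityGroup, $Detail.NetworkSecurityRule, $NewName, $NewSourceAddressPrefix)

    # Validate locally; the service rejects priorities outside 100..4096 only at commit time.
    $newPriority = $rule.Priority + $AdjustPriority
    if ($newPriority -lt 100 -or $newPriority -gt 4096) {
        throw [System.ArgumentOutOfRangeException]::new(
            'AdjustPriority',
            "Adjusted priority $newPriority is outside the Azure NSG range 100-4096 (current rule priority: $($rule.Priority)).")
    }
    $rule.Priority = $newPriority
    Write-Output $rule
}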