@isjwuk
Created June 25, 2024 14:27
Set all the NSG Rules required for a stv2 instance of Azure API Management
# Requires the Az.Network module and an authenticated session (Connect-AzAccount).
# $Name and $ResourceGroupName identify the NSG attached to the API Management subnet.
param(
    [Parameter(Mandatory)][string]$Name,
    [Parameter(Mandatory)][string]$ResourceGroupName
)
# Priorities 200-270 must be free in the target NSG; Set-AzNetworkSecurityGroup fails on a priority conflict.
# The Internet and AzureTrafficManager inbound rules apply to external VNet mode only; the rest apply to both modes.
# Optional rules the reference page lists (internal cache, rate-limit sync counters) are not added here.
Get-AzNetworkSecurityGroup -Name $Name -ResourceGroupName $ResourceGroupName `
| Add-AzNetworkSecurityRuleConfig -Name "ClientCommunicationtoAPIM" -Description "Client communication to API Management" -Access "Allow" -Protocol "tcp" -Direction "Inbound" -Priority 200 -SourceAddressPrefix "Internet" -SourcePortRange "*" -DestinationAddressPrefix "VirtualNetwork" -DestinationPortRange (80,443) `
| Add-AzNetworkSecurityRuleConfig -Name "ManagementEndpointForAzurePortalAndPowerShell" -Description "Management endpoint for Azure portal and PowerShell" -Access "Allow" -Protocol "tcp" -Direction "Inbound" -Priority 210 -SourceAddressPrefix "ApiManagement" -SourcePortRange "*" -DestinationAddressPrefix "VirtualNetwork" -DestinationPortRange (3443) `
| Add-AzNetworkSecurityRuleConfig -Name "AzureInfrastructureLoadBalancer" -Description "Azure Infrastructure Load Balancer" -Access "Allow" -Protocol "tcp" -Direction "Inbound" -Priority 220 -SourceAddressPrefix "AzureLoadBalancer" -SourcePortRange "*" -DestinationAddressPrefix "VirtualNetwork" -DestinationPortRange (6390) `
| Add-AzNetworkSecurityRuleConfig -Name "AzureTrafficManagerRoutingForMultiRegionDeployment" -Description "Azure Traffic Manager routing for multi-region deployment" -Access "Allow" -Protocol "tcp" -Direction "Inbound" -Priority 230 -SourceAddressPrefix "AzureTrafficManager" -SourcePortRange "*" -DestinationAddressPrefix "VirtualNetwork" -DestinationPortRange (443) `
| Add-AzNetworkSecurityRuleConfig -Name "DependencyOnAzureStorage" -Description "Dependency on Azure Storage for core service functionality" -Access "Allow" -Protocol "tcp" -Direction "Outbound" -Priority 240 -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" -DestinationAddressPrefix "Storage" -DestinationPortRange (443) `
| Add-AzNetworkSecurityRuleConfig -Name "AccessToAzureSQLEndpoints" -Description "Access to Azure SQL endpoints for core service functionality" -Access "Allow" -Protocol "tcp" -Direction "Outbound" -Priority 250 -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" -DestinationAddressPrefix "SQL" -DestinationPortRange (1433) `
| Add-AzNetworkSecurityRuleConfig -Name "AccessToAzureKeyVault" -Description "Access to Azure Key Vault for core service functionality" -Access "Allow" -Protocol "tcp" -Direction "Outbound" -Priority 260 -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" -DestinationAddressPrefix "AzureKeyVault" -DestinationPortRange (443) `
| Add-AzNetworkSecurityRuleConfig -Name "PublishDiagnosticsLogsMetricsEtc" -Description "Publish Diagnostics Logs and Metrics, Resource Health, and Application Insights" -Access "Allow" -Protocol "tcp" -Direction "Outbound" -Priority 270 -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" -DestinationAddressPrefix "AzureMonitor" -DestinationPortRange (1886,443) `
| Set-AzNetworkSecurityGroup
# Note: Azure SQL listens on TCP 1433 (the reference page lists 1433); an earlier revision of this gist had 1443, which would leave the SQL dependency blocked.
# Reference: https://learn.microsoft.com/en-us/azure/api-management/api-management-using-with-vnet?tabs=stv2#configure-nsg-rules
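Applying the rules is half the job; the other half is confirming that the NSG actually ends up with them and nothing broader. The following is an added example, not part of the original gist, that audits an NSG against the stv2 flow set above. It matches on traffic semantics (direction, service tag, destination ports) rather than rule names, so renamed rules still pass, and it flags any Allow rule that lets Internet reach ports other than 80/443. It runs on the object returned by `Get-AzNetworkSecurityGroup` or on constructed objects with the same property names; the `$sampleNsg` at the bottom is a constructed sample (with the SQL port typo 1443 and an RDP rule deliberately included) so the logic can be exercised without an Azure session. The function names `Test-ApimStv2Nsg`, `Test-RuleCoversFlow` and `Get-PortSet` are my own, not Az cmdlets.

```powershell
# Added example (not the gist author's code): audit an NSG against the stv2 rules above.
# Expected flows, keyed on traffic semantics rather than rule names. SQL is 1433 per the reference page.
$RequiredStv2Flows = @(
    @{ Direction='Inbound';  Source='Internet';            Destination='VirtualNetwork'; Ports=@('80','443');   Purpose='Client traffic (external mode only)' }
    @{ Direction='Inbound';  Source='ApiManagement';       Destination='VirtualNetwork'; Ports=@('3443');       Purpose='Management endpoint' }
    @{ Direction='Inbound';  Source='AzureLoadBalancer';   Destination='VirtualNetwork'; Ports=@('6390');       Purpose='Infrastructure load balancer' }
    @{ Direction='Inbound';  Source='AzureTrafficManager'; Destination='VirtualNetwork'; Ports=@('443');        Purpose='Traffic Manager (external mode only)' }
    @{ Direction='Outbound'; Source='VirtualNetwork';      Destination='Storage';        Ports=@('443');        Purpose='Azure Storage' }
    @{ Direction='Outbound'; Source='VirtualNetwork';      Destination='SQL';            Ports=@('1433');       Purpose='Azure SQL' }
    @{ Direction='Outbound'; Source='VirtualNetwork';      Destination='AzureKeyVault';  Ports=@('443');        Purpose='Azure Key Vault' }
    @{ Direction='Outbound'; Source='VirtualNetwork';      Destination='AzureMonitor';   Ports=@('1886','443'); Purpose='Diagnostics, Resource Health, App Insights' }
)

function Get-PortSet {
    # Expand a DestinationPortRange value (list entries, "a,b" strings, "x-y" ranges, "*") into a set of port strings.
    param($PortRange)
    $set = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($entry in @($PortRange)) {
        foreach ($piece in ("$entry" -split ',')) {
            $piece = $piece.Trim()
            if ($piece -eq '') { continue }
            if ($piece -eq '*') { [void]$set.Add('*'); continue }
            if ($piece -match '^(\d+)-(\d+)$') {
                for ($i = [int]$Matches[1]; $i -le [int]$Matches[2]; $i++) { [void]$set.Add("$i") }
            } else { [void]$set.Add($piece) }
        }
    }
    return $set
}

function Test-RuleCoversFlow {
    # True when an Allow rule of this direction permits Source -> Destination on every port in $Ports over TCP.
    param($Rule, [string]$Direction, [string]$Source, [string]$Destination, [string[]]$Ports)
    if ($Rule.Access -ne 'Allow' -or $Rule.Direction -ne $Direction) { return $false }
    if ($Rule.Protocol -notin @('Tcp', '*')) { return $false }
    $src = @($Rule.SourceAddressPrefix);      if ($src -notcontains $Source -and $src -notcontains '*') { return $false }
    $dst = @($Rule.DestinationAddressPrefix); if ($dst -notcontains $Destination -and $dst -notcontains '*') { return $false }
    $portSet = Get-PortSet $Rule.DestinationPortRange
    if ($portSet.Contains('*')) { return $true }
    foreach ($p in $Ports) { if (-not $portSet.Contains($p)) { return $false } }
    return $true
}

function Test-ApimStv2Nsg {
    # Returns one finding line per required flow that no Allow rule covers, plus one per Allow rule
    # that exposes ports other than 80/443 to Internet. An empty result means the NSG passes.
    param($NetworkSecurityGroup)
    $rules = @($NetworkSecurityGroup.SecurityRules)
    $findings = @()
    foreach ($flow in $RequiredStv2Flows) {
        $covered = $rules | Where-Object { Test-RuleCoversFlow $_ $flow.Direction $flow.Source $flow.Destination $flow.Ports }
        if (-not $covered) {
            $findings += "MISSING: $($flow.Direction) $($flow.Source) -> $($flow.Destination) tcp/$($flow.Ports -join ',') [$($flow.Purpose)]"
        }
    }
    foreach ($r in $rules | Where-Object { $_.Access -eq 'Allow' -and $_.Direction -eq 'Inbound' -and @($_.SourceAddressPrefix) -contains 'Internet' }) {
        $extra = Get-PortSet $r.DestinationPortRange
        $extra.ExceptWith([string[]]@('80', '443'))
        if ($extra.Count -gt 0) {
            $findings += "OVERLY PERMISSIVE: rule '$($r.Name)' allows Internet to tcp/$(($extra | Sort-Object) -join ',')"
        }
    }
    return $findings
}

# Constructed sample NSG (not a real resource): client rule, SQL rule with the 1443 typo, and a stray RDP rule.
$sampleNsg = [pscustomobject]@{ SecurityRules = @(
    [pscustomobject]@{ Name='ClientCommunicationtoAPIM'; Access='Allow'; Protocol='Tcp'; Direction='Inbound';  Priority=200; SourceAddressPrefix=@('Internet');       DestinationAddressPrefix=@('VirtualNetwork'); DestinationPortRange=@('80','443') }
    [pscustomobject]@{ Name='AccessToAzureSQLEndpoints'; Access='Allow'; Protocol='Tcp'; Direction='Outbound'; Priority=250; SourceAddressPrefix=@('VirtualNetwork'); DestinationAddressPrefix=@('SQL');            DestinationPortRange=@('1443') }
    [pscustomobject]@{ Name='AllowRdpFromInternet';      Access='Allow'; Protocol='Tcp'; Direction='Inbound';  Priority=300; SourceAddressPrefix=@('Internet');       DestinationAddressPrefix=@('VirtualNetwork'); DestinationPortRange=@('3389') }
)}
Test-ApimStv2Nsg -NetworkSecurityGroup $sampleNsg

# Against a live NSG: Test-ApimStv2Nsg -NetworkSecurityGroup (Get-AzNetworkSecurityGroup -Name $Name -ResourceGroupName $ResourceGroupName)
```

On the constructed sample the audit reports the SQL flow as missing (1443 does not cover 1433) along with the other flows the sample omits, and flags the RDP rule as overly permissive; the client rule on 80/443 is accepted. Run it after `Set-AzNetworkSecurityGroup` and again whenever the NSG is changed by someone else, since a single higher-priority Deny or a mistyped port is enough to take the gateway's SQL, Storage or Key Vault dependency offline.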