vijayjt/Get-AzureRegionPublicIPAddressList.ps1

## Get-AzureRegionPublicIPAddressList.ps1
Function Get-AzureRegionPublicIPAddressList
{
<#
    .SYNOPSIS
        The function lists the public IP addresses in a particular Azure region
    .DESCRIPTION
        The function lists the public IP addresses in a particular Azure region.
    .PARAMETER Region
        The Azure region for which you want to retrieve public IP addresses.
    .PARAMETER AzureIPRangeXMLFile
        The XML file containing the Azure IP ranges.
    .PARAMETER OutputAsNSGAllowRuleFormat
        This switch will result in the IP addresses to be output as outbound allow Network Security Group (NSG) rules in CSV form.
        Placeholder values will be used for the rule priority (RulePriority), subnet address prefix (SubnetAddressPrefix).
        For each IP address/range two rules will be listed one for HTTP and another for HTTPS.
    .PARAMETER OutputAsIpSecurityXMLFormat
        This switch will output the IP addresses as in IP Security XML format that is typically used in IIS IP Security restrictions.
    .PARAMETER OutputAsCheckpointObjectGroupFormat
        This switch will output the IP addresses in Checkpoint network object group format
    .EXAMPLE
        Get-AzureRegionPublicIPAddressList -Region 'europenorth' -AzureIPRangeXMLFile C:\AzurePublicIPs.xml -OutputAsIisIpSecurityXMLFormat
        Get-AzureRegionPublicIPAddressList -Region 'europenorth' -AzureIPRangeXMLFile C:\AzurePublicIPs.xml -OutputAsNSGAllowRuleFormat -NSGRuleNamePrefix 'Allow-AzurePlatformIP-'
        Get-AzureRegionPublicIPAddressList -Region 'europenorth' -AzureIPRangeXMLFile C:\AzurePublicIPs.xml -OutputAsCheckpointObjectGroupFormat
#>
 [CmdletBinding()]
 Param(
    [Parameter(Mandatory=$true,HelpMessage='Enter the region.')]
    [String]$Region,
    [Parameter(Mandatory=$true,HelpMessage='Enter the path to the Azure IP ranges XML file.')]
    [String]$AzureIPRangeXMLFile,
    [Parameter(ParameterSetName='NSGFormat',Mandatory=$false,HelpMessage='This switch causes the IP addresses to be listed as allow NSG rules.')]
    [Switch]$OutputAsNSGAllowRuleFormat,
    [Parameter(ParameterSetName='NSGFormat',Mandatory=$true,HelpMessage='This switch causes the IP addresses to be listed as allow NSG rules.')]
    [String]$NSGRuleNamePrefix = 'Allow-AzurePlatformIP-',
    [Parameter(ParameterSetName='IPSecurityFormat',Mandatory=$false,HelpMessage='This switch causes the IP addresses to be listed as allow IIS Ip Security rules XML.')]
    [Switch]$OutputAsIpSecurityXMLFormat,
    [Parameter(ParameterSetName='CFWNetworkObjGroupFormat',Mandatory=$false,HelpMessage='This switch causes the IP addresses to be output in Checkpoint firewall network object group format.')]
    [Switch]$OutputAsCheckpointObjectGroupFormat
 )

$IpSecuirtyXml = [xml] @'
<system.webServer>
    <security>
    <!--Unlisted IP addresses are denied access-->
    <ipSecurity allowUnlisted="false">
        <!--The following IP addresses are granted access-->
        <add allowed="true" ipAddress="0.0.0.0" subnetMask="255.255.255.255" />
    </ipSecurity>
    </security>
</system.webServer>
'@

$IpSecuirtyXml.'system.webServer'.security.ipSecurity.InnerXml = $null

    If( $OutputAsNSGAllowRuleFormat )
    {
        Write-Output "RuleName,Priority,Action,Direction,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Protocol,Description"
    }

    $NetworkName = $Network = $Subnet = $null
	$NetworkList = @()

    $AzureIPRanges = [xml] (Get-Content $AzureIPRangeXMLFile)
    #Check that the supplied region matches one in the file
    If( $AzureIPRanges.AzurePublicIpAddresses.Region.Name -contains $Region)
    {
        $AzureIPRanges.AzurePublicIpAddresses.Region | ForEach-Object {
            If($_.Name -eq $Region )
            {
                $RuleNumber = 1;
                ForEach( $IPAddress in $_.IpRange )
                {
                    If( $OutputAsNSGAllowRuleFormat )
                    {
                        Write-Output "$($NSGRuleNamePrefix)-HTTPS-$RuleNumber-Outbound,RulePriority,Allow,Outbound,SubnetAddressPrefix,*,$($IpAddress.Subnet),443,TCP,Allow Azure VM Agent and Extension HTTPS traffic"
                        $RuleNumber++
                        Write-Output "$($NSGRuleNamePrefix)-HTTP-$RuleNumber-Outbound,RulePriority,Allow,Outbound,SubnetAddressPrefix,*,$($IpAddress.Subnet),80,TCP,Allow Azure VM Agent and Extension HTTP traffic"
                        $RuleNumber++
                    }
                    ElseIf( $OutputAsIpSecurityXMLFormat )
                    {
                        $IPAddress = ($IPAddress.Subnet -split '/')[0]
                        $MaskLength = ($IPAddress.Subnet -split '/')[1]
                        [IPAddress] $ip = 0
                        $ip.Address = ([UInt32]::MaxValue -1) -shl (32 - $MaskLength) -shr (32 - $MaskLength)
                        $xmlElt = $IpSecuirtyXml.CreateElement("add")
                        $xmlAtt = $IpSecuirtyXml.CreateAttribute("ipAddress")
                        $xmlAtt.Value = $IPAddress.toString()
                        [void] $xmlElt.Attributes.Append($xmlAtt)
                        $xmlAtt = $IpSecuirtyXml.CreateAttribute("subnetMask")
                        $xmlAtt.Value =  $ip.IPAddressToString.toString()
                        [void] $xmlElt.Attributes.Append($xmlAtt)
                        [void] $IpSecuirtyXml.'system.webServer'.security.ipSecurity.AppendChild($xmlElt)
                    }
                    ElseIf( $OutputAsCheckpointObjectGroupFormat )
                    {
                        $NetworkName = ("AzureNetwork$Region" + ("{0:D2}" -f $RuleNumber))
                        $NetworkList += $NetworkName
                        $Network = (ConvertFrom-CidrNotation $IPAddress.Subnet).Network
	                    $Subnet = (ConvertFrom-CidrNotation $IPAddress.Subnet).Subnet
	                    Write-Output "create network $($NetworkName)"
	                    Write-Output "modify network_objects $($NetworkName) ipaddr $($Network)"
	                    Write-Output "modify network_objects $($NetworkName) netmask $($Subnet)"
	                    Write-Output "update network_objects $($NetworkName)"
                        $RuleNumber++
                    }
                    Else
                    {
                        $IPAddress
                    }
                }
            }
        }
    }
    Else
    {
        Throw "The supplied region $Region is not in the list of regions in the Azure IP Range XML file ($($AzIPs.AzurePublicIpAddresses.Region.Name -join ","))"
    }

    If( $OutputAsIpSecurityXMLFormat )
    {
      return $IpSecuirtyXml.OuterXml
    }

    If( $OutputAsCheckpointObjectGroupFormat )
    {
        Write-Output "create network_object_group AzureNetworks$Region"
        $NetworkList | % {
	        Write-Output "addelement network_objects AzureNetworks$Region '' network_objects:$($_)"
        }
        Write-Output "update network_objects AzureNetworks$Region"
    }

}#EndFunction Get-AzureRegionPublicIPAddressList
	Function Get-AzureRegionPublicIPAddressList
	{
	<#
	.SYNOPSIS
	The function lists the public IP addresses in a particular Azure region
	.DESCRIPTION
	The function lists the public IP addresses in a particular Azure region.
	.PARAMETER Region
	The Azure region for which you want to retrieve public IP addresses.
	.PARAMETER AzureIPRangeXMLFile
	The XML file containing the Azure IP ranges.
	.PARAMETER OutputAsNSGAllowRuleFormat
	This switch will result in the IP addresses to be output as outbound allow Network Security Group (NSG) rules in CSV form.
	Placeholder values will be used for the rule priority (RulePriority), subnet address prefix (SubnetAddressPrefix).
	For each IP address/range two rules will be listed one for HTTP and another for HTTPS.
	.PARAMETER OutputAsIpSecurityXMLFormat
	This switch will output the IP addresses as in IP Security XML format that is typically used in IIS IP Security restrictions.
	.PARAMETER OutputAsCheckpointObjectGroupFormat
	This switch will output the IP addresses in Checkpoint network object group format
	.EXAMPLE
	Get-AzureRegionPublicIPAddressList -Region 'europenorth' -AzureIPRangeXMLFile C:\AzurePublicIPs.xml -OutputAsIisIpSecurityXMLFormat
	Get-AzureRegionPublicIPAddressList -Region 'europenorth' -AzureIPRangeXMLFile C:\AzurePublicIPs.xml -OutputAsNSGAllowRuleFormat -NSGRuleNamePrefix 'Allow-AzurePlatformIP-'
	Get-AzureRegionPublicIPAddressList -Region 'europenorth' -AzureIPRangeXMLFile C:\AzurePublicIPs.xml -OutputAsCheckpointObjectGroupFormat
	#>
	[CmdletBinding()]
	Param(
	[Parameter(Mandatory=$true,HelpMessage='Enter the region.')]
	[String]$Region,
	[Parameter(Mandatory=$true,HelpMessage='Enter the path to the Azure IP ranges XML file.')]
	[String]$AzureIPRangeXMLFile,
	[Parameter(ParameterSetName='NSGFormat',Mandatory=$false,HelpMessage='This switch causes the IP addresses to be listed as allow NSG rules.')]
	[Switch]$OutputAsNSGAllowRuleFormat,
	[Parameter(ParameterSetName='NSGFormat',Mandatory=$true,HelpMessage='This switch causes the IP addresses to be listed as allow NSG rules.')]
	[String]$NSGRuleNamePrefix = 'Allow-AzurePlatformIP-',
	[Parameter(ParameterSetName='IPSecurityFormat',Mandatory=$false,HelpMessage='This switch causes the IP addresses to be listed as allow IIS Ip Security rules XML.')]
	[Switch]$OutputAsIpSecurityXMLFormat,
	[Parameter(ParameterSetName='CFWNetworkObjGroupFormat',Mandatory=$false,HelpMessage='This switch causes the IP addresses to be output in Checkpoint firewall network object group format.')]
	[Switch]$OutputAsCheckpointObjectGroupFormat
	)

	$IpSecuirtyXml = [xml] @'
	<system.webServer>
	<security>
	<!--Unlisted IP addresses are denied access-->
	<ipSecurity allowUnlisted="false">
	<!--The following IP addresses are granted access-->
	<add allowed="true" ipAddress="0.0.0.0" subnetMask="255.255.255.255" />
	</ipSecurity>
	</security>
	</system.webServer>
	'@

	$IpSecuirtyXml.'system.webServer'.security.ipSecurity.InnerXml = $null

	If( $OutputAsNSGAllowRuleFormat )
	{
	Write-Output "RuleName,Priority,Action,Direction,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Protocol,Description"
	}

	$NetworkName = $Network = $Subnet = $null
	$NetworkList = @()

	$AzureIPRanges = [xml] (Get-Content $AzureIPRangeXMLFile)
	#Check that the supplied region matches one in the file
	If( $AzureIPRanges.AzurePublicIpAddresses.Region.Name -contains $Region)
	{
	$AzureIPRanges.AzurePublicIpAddresses.Region \| ForEach-Object {
	If($_.Name -eq $Region )
	{
	$RuleNumber = 1;
	ForEach( $IPAddress in $_.IpRange )
	{
	If( $OutputAsNSGAllowRuleFormat )
	{
	Write-Output "$($NSGRuleNamePrefix)-HTTPS-$RuleNumber-Outbound,RulePriority,Allow,Outbound,SubnetAddressPrefix,*,$($IpAddress.Subnet),443,TCP,Allow Azure VM Agent and Extension HTTPS traffic"
	$RuleNumber++
	Write-Output "$($NSGRuleNamePrefix)-HTTP-$RuleNumber-Outbound,RulePriority,Allow,Outbound,SubnetAddressPrefix,*,$($IpAddress.Subnet),80,TCP,Allow Azure VM Agent and Extension HTTP traffic"
	$RuleNumber++
	}
	ElseIf( $OutputAsIpSecurityXMLFormat )
	{
	$IPAddress = ($IPAddress.Subnet -split '/')[0]
	$MaskLength = ($IPAddress.Subnet -split '/')[1]
	[IPAddress] $ip = 0
	$ip.Address = ([UInt32]::MaxValue -1) -shl (32 - $MaskLength) -shr (32 - $MaskLength)
	$xmlElt = $IpSecuirtyXml.CreateElement("add")
	$xmlAtt = $IpSecuirtyXml.CreateAttribute("ipAddress")
	$xmlAtt.Value = $IPAddress.toString()
	[void] $xmlElt.Attributes.Append($xmlAtt)
	$xmlAtt = $IpSecuirtyXml.CreateAttribute("subnetMask")
	$xmlAtt.Value = $ip.IPAddressToString.toString()
	[void] $xmlElt.Attributes.Append($xmlAtt)
	[void] $IpSecuirtyXml.'system.webServer'.security.ipSecurity.AppendChild($xmlElt)
	}
	ElseIf( $OutputAsCheckpointObjectGroupFormat )
	{
	$NetworkName = ("AzureNetwork$Region" + ("{0:D2}" -f $RuleNumber))
	$NetworkList += $NetworkName
	$Network = (ConvertFrom-CidrNotation $IPAddress.Subnet).Network
	$Subnet = (ConvertFrom-CidrNotation $IPAddress.Subnet).Subnet
	Write-Output "create network $($NetworkName)"
	Write-Output "modify network_objects $($NetworkName) ipaddr $($Network)"
	Write-Output "modify network_objects $($NetworkName) netmask $($Subnet)"
	Write-Output "update network_objects $($NetworkName)"
	$RuleNumber++
	}
	Else
	{
	$IPAddress
	}
	}
	}
	}
	}
	Else
	{
	Throw "The supplied region $Region is not in the list of regions in the Azure IP Range XML file ($($AzIPs.AzurePublicIpAddresses.Region.Name -join ","))"
	}

	If( $OutputAsIpSecurityXMLFormat )
	{
	return $IpSecuirtyXml.OuterXml
	}

	If( $OutputAsCheckpointObjectGroupFormat )
	{
	Write-Output "create network_object_group AzureNetworks$Region"
	$NetworkList \| % {
	Write-Output "addelement network_objects AzureNetworks$Region '' network_objects:$($_)"
	}
	Write-Output "update network_objects AzureNetworks$Region"
	}

	}#EndFunction Get-AzureRegionPublicIPAddressList