Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
The function lists the public IP addresses in a particular Azure region
Function Get-AzureRegionPublicIPAddressList
{
<#
.SYNOPSIS
The function lists the public IP addresses in a particular Azure region
.DESCRIPTION
The function lists the public IP addresses in a particular Azure region.
.PARAMETER Region
The Azure region for which you want to retrieve public IP addresses.
.PARAMETER AzureIPRangeXMLFile
The XML file containing the Azure IP ranges.
.PARAMETER OutputAsNSGAllowRuleFormat
This switch will result in the IP addresses to be output as outbound allow Network Security Group (NSG) rules in CSV form.
Placeholder values will be used for the rule priority (RulePriority), subnet address prefix (SubnetAddressPrefix).
For each IP address/range two rules will be listed one for HTTP and another for HTTPS.
.PARAMETER OutputAsIpSecurityXMLFormat
This switch will output the IP addresses as in IP Security XML format that is typically used in IIS IP Security restrictions.
.PARAMETER OutputAsCheckpointObjectGroupFormat
This switch will output the IP addresses in Checkpoint network object group format
.EXAMPLE
Get-AzureRegionPublicIPAddressList -Region 'europenorth' -AzureIPRangeXMLFile C:\AzurePublicIPs.xml -OutputAsIisIpSecurityXMLFormat
Get-AzureRegionPublicIPAddressList -Region 'europenorth' -AzureIPRangeXMLFile C:\AzurePublicIPs.xml -OutputAsNSGAllowRuleFormat -NSGRuleNamePrefix 'Allow-AzurePlatformIP-'
Get-AzureRegionPublicIPAddressList -Region 'europenorth' -AzureIPRangeXMLFile C:\AzurePublicIPs.xml -OutputAsCheckpointObjectGroupFormat
#>
[CmdletBinding()]
Param(
[Parameter(Mandatory=$true,HelpMessage='Enter the region.')]
[String]$Region,
[Parameter(Mandatory=$true,HelpMessage='Enter the path to the Azure IP ranges XML file.')]
[String]$AzureIPRangeXMLFile,
[Parameter(ParameterSetName='NSGFormat',Mandatory=$false,HelpMessage='This switch causes the IP addresses to be listed as allow NSG rules.')]
[Switch]$OutputAsNSGAllowRuleFormat,
[Parameter(ParameterSetName='NSGFormat',Mandatory=$true,HelpMessage='This switch causes the IP addresses to be listed as allow NSG rules.')]
[String]$NSGRuleNamePrefix = 'Allow-AzurePlatformIP-',
[Parameter(ParameterSetName='IPSecurityFormat',Mandatory=$false,HelpMessage='This switch causes the IP addresses to be listed as allow IIS Ip Security rules XML.')]
[Switch]$OutputAsIpSecurityXMLFormat,
[Parameter(ParameterSetName='CFWNetworkObjGroupFormat',Mandatory=$false,HelpMessage='This switch causes the IP addresses to be output in Checkpoint firewall network object group format.')]
[Switch]$OutputAsCheckpointObjectGroupFormat
)
$IpSecuirtyXml = [xml] @'
<system.webServer>
<security>
<!--Unlisted IP addresses are denied access-->
<ipSecurity allowUnlisted="false">
<!--The following IP addresses are granted access-->
<add allowed="true" ipAddress="0.0.0.0" subnetMask="255.255.255.255" />
</ipSecurity>
</security>
</system.webServer>
'@
$IpSecuirtyXml.'system.webServer'.security.ipSecurity.InnerXml = $null
If( $OutputAsNSGAllowRuleFormat )
{
Write-Output "RuleName,Priority,Action,Direction,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Protocol,Description"
}
$NetworkName = $Network = $Subnet = $null
$NetworkList = @()
$AzureIPRanges = [xml] (Get-Content $AzureIPRangeXMLFile)
#Check that the supplied region matches one in the file
If( $AzureIPRanges.AzurePublicIpAddresses.Region.Name -contains $Region)
{
$AzureIPRanges.AzurePublicIpAddresses.Region | ForEach-Object {
If($_.Name -eq $Region )
{
$RuleNumber = 1;
ForEach( $IPAddress in $_.IpRange )
{
If( $OutputAsNSGAllowRuleFormat )
{
Write-Output "$($NSGRuleNamePrefix)-HTTPS-$RuleNumber-Outbound,RulePriority,Allow,Outbound,SubnetAddressPrefix,*,$($IpAddress.Subnet),443,TCP,Allow Azure VM Agent and Extension HTTPS traffic"
$RuleNumber++
Write-Output "$($NSGRuleNamePrefix)-HTTP-$RuleNumber-Outbound,RulePriority,Allow,Outbound,SubnetAddressPrefix,*,$($IpAddress.Subnet),80,TCP,Allow Azure VM Agent and Extension HTTP traffic"
$RuleNumber++
}
ElseIf( $OutputAsIpSecurityXMLFormat )
{
$IPAddress = ($IPAddress.Subnet -split '/')[0]
$MaskLength = ($IPAddress.Subnet -split '/')[1]
[IPAddress] $ip = 0
$ip.Address = ([UInt32]::MaxValue -1) -shl (32 - $MaskLength) -shr (32 - $MaskLength)
$xmlElt = $IpSecuirtyXml.CreateElement("add")
$xmlAtt = $IpSecuirtyXml.CreateAttribute("ipAddress")
$xmlAtt.Value = $IPAddress.toString()
[void] $xmlElt.Attributes.Append($xmlAtt)
$xmlAtt = $IpSecuirtyXml.CreateAttribute("subnetMask")
$xmlAtt.Value = $ip.IPAddressToString.toString()
[void] $xmlElt.Attributes.Append($xmlAtt)
[void] $IpSecuirtyXml.'system.webServer'.security.ipSecurity.AppendChild($xmlElt)
}
ElseIf( $OutputAsCheckpointObjectGroupFormat )
{
$NetworkName = ("AzureNetwork$Region" + ("{0:D2}" -f $RuleNumber))
$NetworkList += $NetworkName
$Network = (ConvertFrom-CidrNotation $IPAddress.Subnet).Network
$Subnet = (ConvertFrom-CidrNotation $IPAddress.Subnet).Subnet
Write-Output "create network $($NetworkName)"
Write-Output "modify network_objects $($NetworkName) ipaddr $($Network)"
Write-Output "modify network_objects $($NetworkName) netmask $($Subnet)"
Write-Output "update network_objects $($NetworkName)"
$RuleNumber++
}
Else
{
$IPAddress
}
}
}
}
}
Else
{
Throw "The supplied region $Region is not in the list of regions in the Azure IP Range XML file ($($AzIPs.AzurePublicIpAddresses.Region.Name -join ","))"
}
If( $OutputAsIpSecurityXMLFormat )
{
return $IpSecuirtyXml.OuterXml
}
If( $OutputAsCheckpointObjectGroupFormat )
{
Write-Output "create network_object_group AzureNetworks$Region"
$NetworkList | % {
Write-Output "addelement network_objects AzureNetworks$Region '' network_objects:$($_)"
}
Write-Output "update network_objects AzureNetworks$Region"
}
}#EndFunction Get-AzureRegionPublicIPAddressList
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment