The function lists the public IP addresses in a particular Azure region
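Function Get-AzureRegionPublicIPAddressList
{
<#
.SYNOPSIS
The function lists the public IP addresses in a particular Azure region
.DESCRIPTION
The function lists the public IP addresses in a particular Azure region, read from the
Azure IP ranges XML file. Without an output switch each IpRange element of the region is
emitted as-is; the three output switches select an alternative text format instead.
.PARAMETER Region
The Azure region for which you want to retrieve public IP addresses. It must match a Region
Name in the XML file (case-insensitive), otherwise the function throws.
.PARAMETER AzureIPRangeXMLFile
The XML file containing the Azure IP ranges.
.PARAMETER OutputAsNSGAllowRuleFormat
This switch will result in the IP addresses to be output as outbound allow Network Security Group (NSG) rules in CSV form.
Placeholder values will be used for the rule priority (RulePriority), subnet address prefix (SubnetAddressPrefix).
For each IP address/range two rules will be listed one for HTTP and another for HTTPS.
.PARAMETER NSGRuleNamePrefix
Prefix for the generated NSG rule names. Only meaningful together with -OutputAsNSGAllowRuleFormat.
Defaults to 'Allow-AzurePlatformIP-'.
.PARAMETER OutputAsIpSecurityXMLFormat
This switch will output the IP addresses as in IP Security XML format that is typically used in IIS IP Security restrictions.
Each CIDR range becomes one <add> element with the network address and its dotted-decimal subnet mask.
.PARAMETER OutputAsCheckpointObjectGroupFormat
This switch will output the IP addresses in Checkpoint network object group format.
Requires the ConvertFrom-CidrNotation function, which is not defined in this file.
.EXAMPLE
Get-AzureRegionPublicIPAddressList -Region 'europenorth' -AzureIPRangeXMLFile C:\AzurePublicIPs.xml -OutputAsIpSecurityXMLFormat
Get-AzureRegionPublicIPAddressList -Region 'europenorth' -AzureIPRangeXMLFile C:\AzurePublicIPs.xml -OutputAsNSGAllowRuleFormat -NSGRuleNamePrefix 'Allow-AzurePlatformIP-'
Get-AzureRegionPublicIPAddressList -Region 'europenorth' -AzureIPRangeXMLFile C:\AzurePublicIPs.xml -OutputAsCheckpointObjectGroupFormat
#>
    # A default parameter set lets the plain-list call (no output switch) resolve instead of
    # being reported as an ambiguous parameter set.
    [CmdletBinding(DefaultParameterSetName='PlainList')]
    Param(
        [Parameter(Mandatory=$true,HelpMessage='Enter the region.')]
        [String]$Region,
        [Parameter(Mandatory=$true,HelpMessage='Enter the path to the Azure IP ranges XML file.')]
        [String]$AzureIPRangeXMLFile,
        [Parameter(ParameterSetName='NSGFormat',Mandatory=$false,HelpMessage='This switch causes the IP addresses to be listed as allow NSG rules.')]
        [Switch]$OutputAsNSGAllowRuleFormat,
        # Not mandatory: a mandatory parameter never uses its default value, so the prefix
        # would always have had to be typed in.
        [Parameter(ParameterSetName='NSGFormat',Mandatory=$false,HelpMessage='Enter the prefix for the generated NSG rule names.')]
        [String]$NSGRuleNamePrefix = 'Allow-AzurePlatformIP-',
        [Parameter(ParameterSetName='IPSecurityFormat',Mandatory=$false,HelpMessage='This switch causes the IP addresses to be listed as allow IIS Ip Security rules XML.')]
        [Switch]$OutputAsIpSecurityXMLFormat,
        [Parameter(ParameterSetName='CFWNetworkObjGroupFormat',Mandatory=$false,HelpMessage='This switch causes the IP addresses to be output in Checkpoint firewall network object group format.')]
        [Switch]$OutputAsCheckpointObjectGroupFormat
    )

    # Template for the IIS ipSecurity section. The placeholder <add> and the comments are
    # cleared right away; one <add> per range is appended while iterating.
    $IpSecurityXml = [xml] @'
<system.webServer>
    <security>
        <!--Unlisted IP addresses are denied access-->
        <ipSecurity allowUnlisted="false">
            <!--The following IP addresses are granted access-->
            <add allowed="true" ipAddress="0.0.0.0" subnetMask="255.255.255.255" />
        </ipSecurity>
    </security>
</system.webServer>
'@
    $IpSecurityXml.'system.webServer'.security.ipSecurity.InnerXml = $null

    # NOTE(review): [xml] parses with XmlDocument using its default settings. If the file can
    # come from an untrusted source, load it through an XmlReader with DTD processing
    # prohibited instead - confirm the resolver defaults for the PowerShell version in use.
    $AzureIPRanges = [xml] (Get-Content -LiteralPath $AzureIPRangeXMLFile -Raw)

    # Check that the supplied region matches one in the file before emitting anything.
    $KnownRegions = @($AzureIPRanges.AzurePublicIpAddresses.Region.Name)
    If( -not ($KnownRegions -contains $Region) )
    {
        Throw "The supplied region $Region is not in the list of regions in the Azure IP Range XML file ($($KnownRegions -join ","))"
    }

    If( $OutputAsNSGAllowRuleFormat )
    {
        Write-Output "RuleName,Priority,Action,Direction,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Protocol,Description"
    }

    # Names of the Checkpoint network objects created, collected for the closing group commands.
    $NetworkList = @()

    ForEach( $RegionNode in @($AzureIPRanges.AzurePublicIpAddresses.Region | Where-Object { $_.Name -eq $Region }) )
    {
        $RuleNumber = 1
        ForEach( $IPRange in $RegionNode.IpRange )
        {
            If( $OutputAsNSGAllowRuleFormat )
            {
                Write-Output "$($NSGRuleNamePrefix)-HTTPS-$RuleNumber-Outbound,RulePriority,Allow,Outbound,SubnetAddressPrefix,*,$($IPRange.Subnet),443,TCP,Allow Azure VM Agent and Extension HTTPS traffic"
                $RuleNumber++
                Write-Output "$($NSGRuleNamePrefix)-HTTP-$RuleNumber-Outbound,RulePriority,Allow,Outbound,SubnetAddressPrefix,*,$($IPRange.Subnet),80,TCP,Allow Azure VM Agent and Extension HTTP traffic"
                $RuleNumber++
            }
            ElseIf( $OutputAsIpSecurityXMLFormat )
            {
                # Split the CIDR once. The previous code overwrote the loop variable with the
                # address part and then read .Subnet from the string, so the prefix length
                # was always null and the mask was wrong.
                $CidrParts = $IPRange.Subnet -split '/'
                $Address = $CidrParts[0]
                $MaskLength = If( $CidrParts.Count -gt 1 ) { [int]$CidrParts[1] } Else { 32 }

                # Build the dotted-decimal mask one octet at a time; this sidesteps the
                # 32-bit shift and byte-order pitfalls of assigning [IPAddress]::Address.
                $MaskOctets = ForEach( $Octet in 0..3 )
                {
                    $Bits = [Math]::Max(0, [Math]::Min(8, $MaskLength - (8 * $Octet)))
                    (0xFF -shl (8 - $Bits)) -band 0xFF
                }
                $SubnetMask = $MaskOctets -join '.'

                $xmlElt = $IpSecurityXml.CreateElement("add")
                $xmlElt.SetAttribute("ipAddress", $Address)
                $xmlElt.SetAttribute("subnetMask", $SubnetMask)
                [void] $IpSecurityXml.'system.webServer'.security.ipSecurity.AppendChild($xmlElt)
            }
            ElseIf( $OutputAsCheckpointObjectGroupFormat )
            {
                $NetworkName = ("AzureNetwork$Region" + ("{0:D2}" -f $RuleNumber))
                $NetworkList += $NetworkName
                # ConvertFrom-CidrNotation is defined elsewhere; call it once per range rather
                # than once per property.
                $Cidr = ConvertFrom-CidrNotation $IPRange.Subnet
                Write-Output "create network $($NetworkName)"
                Write-Output "modify network_objects $($NetworkName) ipaddr $($Cidr.Network)"
                Write-Output "modify network_objects $($NetworkName) netmask $($Cidr.Subnet)"
                Write-Output "update network_objects $($NetworkName)"
                $RuleNumber++
            }
            Else
            {
                # Plain list: emit the IpRange element itself (displays its Subnet attribute).
                $IPRange
            }
        }
    }

    If( $OutputAsIpSecurityXMLFormat )
    {
        return $IpSecurityXml.OuterXml
    }

    If( $OutputAsCheckpointObjectGroupFormat )
    {
        Write-Output "create network_object_group AzureNetworks$Region"
        $NetworkList | ForEach-Object {
            Write-Output "addelement network_objects AzureNetworks$Region '' network_objects:$($_)"
        }
        Write-Output "update network_objects AzureNetworks$Region"
    }
}#EndFunction Get-AzureRegionPublicIPAddressList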