
Virtual Geek

Tales from real IT system administrators world and non-production environment

MICROSOFT AZURE POWERSHELL: CLONING (COPYING) OR IMPORTING EXISTING NSG (NETWORK SECURITY GROUP) FROM EXCEL

CREATE NEW NSG (NETWORK SECURITY GROUP - VIRTUAL FIREWALL ACL) ON MICROSOFT AZURE
POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL
MICROSOFT AZURE POWERSHELL: CREATING NEW NSG (NETWORK SECURITY GROUP)

I was given the task of cloning (copying) an existing NSG with Azure PowerShell. I had already created a template Network Security Group that contains all the rules. Since I need only the rules, I run the command below to store them in a PowerShell variable. This does not copy the default firewall rules; only the manually created rules are stored.

$TemplateNSGRules =  Get-AzureRmNetworkSecurityGroup -Name 'Windows-NSG' -ResourceGroupName 'POC-VPN' | Get-AzureRmNetworkSecurityRuleConfig


Since I need only the rules, I create a new NSG.

$NSG = New-AzureRmNetworkSecurityGroup -ResourceGroupName 'POC-VPN' -Location 'East US 2' -Name 'Copy-of-Windows-NSG'

Next, with the help of a foreach loop, I add all the rules from the template NSG to the newly created NSG.

foreach ($rule in $TemplateNSGRules) {
    $NSG | Add-AzureRmNetworkSecurityRuleConfig -Name $rule.Name -Direction $rule.Direction -Priority $rule.Priority -Access $rule.Access -SourceAddressPrefix $rule.SourceAddressPrefix -SourcePortRange $rule.SourcePortRange -DestinationAddressPrefix $rule.DestinationAddressPrefix -DestinationPortRange $rule.DestinationPortRange -Protocol $rule.Protocol # -Description $rule.Description
    $NSG | Set-AzureRmNetworkSecurityGroup
}


Importing an NSG from an Excel (CSV) file works the same way. Follow this article to create the CSV file: POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL. Then import it:

$TemplateNSGRules = Import-CSV -Path C:\Temp\TestNSG01.csv 

Create a new empty NSG, then run the foreach script block shown above.
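The comments below report that the port-range and address-prefix fields are now lists, so a plain Export-Csv writes the type name System.Collections.Generic.List`1[System.String] instead of the values and the import is rejected. The following round trip is an added example, not the post's own code: it joins those fields with ';' on export, splits and validates them on import, and writes the new NSG only once every row has passed. The function names and the ';' separator are choices made here, and it assumes a module version in which these four parameters accept several values.

```powershell
# Added example, not the post's code. The ';' separator and the function names are choices
# made here; NSG names, resource group, location and CSV path are the ones used in the post.
$Multi  = 'SourcePortRange','DestinationPortRange','SourceAddressPrefix','DestinationAddressPrefix'
$Scalar = 'Name','Description','Protocol','Access','Priority','Direction'

function ConvertTo-NsgCsvRow($Rule) {
    # Flatten one rule: each list field becomes a single ';'-separated string.
    $row = [ordered]@{}
    foreach ($f in $Scalar) { $row[$f] = $Rule.$f }
    foreach ($f in $Multi)  { $row[$f] = $Rule.$f -join ';' }
    [pscustomobject]$row
}

function ConvertFrom-NsgCsvRow($Row) {
    # Turn one CSV row into a parameter set for Add-AzureRmNetworkSecurityRuleConfig.
    $p = @{ Name = $Row.Name; Protocol = $Row.Protocol; Access = $Row.Access
            Direction = $Row.Direction; Priority = [int]$Row.Priority }
    if ($Row.Description) { $p.Description = $Row.Description }
    foreach ($f in $Multi) {
        # A CSV written by a plain Export-Csv holds the list's type name, not its values.
        if ($Row.$f -like 'System.Collections*') { throw "Rule '$($Row.Name)': $f is a .NET type name; re-export the CSV" }
        # An empty field means the rule cannot be rebuilt from this CSV; stop instead of guessing.
        if (-not $Row.$f) { throw "Rule '$($Row.Name)': $f is empty" }
        $p[$f] = @($Row.$f -split ';')
    }
    $p
}

# Export the template NSG's custom rules (needs an Azure session).
Get-AzureRmNetworkSecurityGroup -Name 'Windows-NSG' -ResourceGroupName 'POC-VPN' |
    Get-AzureRmNetworkSecurityRuleConfig | ForEach-Object { ConvertTo-NsgCsvRow $_ } |
    Export-Csv -NoTypeInformation -Path C:\Temp\TestNSG01.csv

# Import: validate every row before anything is created, then write the NSG once.
$sets = @(Import-Csv -Path C:\Temp\TestNSG01.csv | ForEach-Object { ConvertFrom-NsgCsvRow $_ })
$NSG  = New-AzureRmNetworkSecurityGroup -ResourceGroupName 'POC-VPN' -Location 'East US 2' -Name 'Copy-of-Windows-NSG'
foreach ($p in $sets) { $NSG | Add-AzureRmNetworkSecurityRuleConfig @p | Out-Null }
$NSG | Set-AzureRmNetworkSecurityGroup | Out-Null

# Confirm the copy carries as many custom rules as the CSV had rows.
$applied = (Get-AzureRmNetworkSecurityGroup -Name 'Copy-of-Windows-NSG' -ResourceGroupName 'POC-VPN').SecurityRules
if ($applied.Count -ne $sets.Count) { throw "Expected $($sets.Count) rules, found $($applied.Count)" }
```

Rules that reference application security groups leave an address-prefix field empty, so the import stops on them; they have to be recreated separately.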


Hi,

@Mike: Thanks for that solution! It helped me a lot.

As cyberbastion mentioned, source / destination and source port / destination port can contain multiple values. I modified your script to address that. The complete modified script can be found below. I used a semicolon to separate these multiple values because I export the whole report to CSV.

$report = @()

foreach ($nsg in Get-AzureRmNetworkSecurityGroup) {
    foreach ($rule in $nsg.SecurityRules) {
        $info = "" | select-object nsg, rule, description, protocol, SourcePortRange, DestinationPortRange, SourceApplicationSecurityGroups, DestinationApplicationSecurityGroups, SourceAddressPrefix, DestinationAddressPrefix, Access, Priority, Direction
        $info.nsg = $nsg.Name
        $info.rule = $rule.name
        $info.Description = $rule.Description
        $info.Protocol = $rule.Protocol

        foreach ($sport in $rule.SourcePortRange) {
            if ($sport -ne $rule.SourcePortRange[0]) {
                $sport = ";" + $sport
            }
            $info.SourcePortRange += $sport
        }

        foreach ($dport in $rule.DestinationPortRange) {
            if ($dport -ne $rule.DestinationPortRange[0]) {
                $dport = ";" + $dport
            }
            $info.DestinationPortRange += $dport
        }

        foreach ($sprefix in $rule.SourceAddressPrefix) {
            if ($sprefix -ne $rule.SourceAddressPrefix[0]) {
                $sprefix = ";" + $sprefix
            }
            $info.SourceAddressPrefix += $sprefix
        }

        foreach ($dprefix in $rule.DestinationAddressPrefix) {
            if ($dprefix -ne $rule.DestinationAddressPrefix[0]) {
                $dprefix = ";" + $dprefix
            }
            $info.DestinationAddressPrefix += $dprefix
        }

        $info.SourceApplicationSecurityGroups = $rule.SourceApplicationSecurityGroups[0]
        $info.DestinationApplicationSecurityGroups = $rule.DestinationApplicationSecurityGroups[0]
        $info.Access = $rule.Access
        $info.Priority = $rule.Priority
        $info.Direction = $rule.Direction

        $report += $info
    }
}

$report

Hi Mike,

Thanks for your script. But I found out that if the source/destination address/port has multiple values, it will only return the first IP/port due to the SourcePortRange "[0]". Do you have any idea how to change the coding on export and import too?

Thanks
Cyberbastion

Nice work @Mike.

Yes, it does appear this has recently changed. These fields now appear to be multivalued arrays. I was able to get my results by doing something like this:

$report = @()

foreach ($nsg in Get-AzureRmNetworkSecurityGroup) {
    foreach ($rule in $nsg.SecurityRules) {
        $info = "" | select-object nsg, rule, description, protocol, SourcePortRange, DestinationPortRange, SourceApplicationSecurityGroups, DestinationApplicationSecurityGroups, SourceAddressPrefix, DestinationAddressPrefix, Access, Priority, Direction
        $info.nsg = $nsg.Name
        $info.rule = $rule.name
        $info.Description = $rule.Description
        $info.Protocol = $rule.Protocol
        $info.SourcePortRange = $rule.SourcePortRange[0]
        $info.DestinationPortRange = $rule.DestinationPortRange[0]
        $info.SourceAddressPrefix = $rule.SourceAddressPrefix[0]
        $info.DestinationAddressPrefix = $rule.DestinationAddressPrefix[0]
        $info.SourceApplicationSecurityGroups = $rule.SourceApplicationSecurityGroups[0]
        $info.DestinationApplicationSecurityGroups = $rule.DestinationApplicationSecurityGroups[0]
        $info.Access = $rule.Access
        $info.Priority = $rule.Priority
        $info.Direction = $rule.Direction

        $report += $info
    }
}

$report

Something has changed recently, these scripts and others like it are now returning: System.Collections.Generic.List`1[System.String]

So all my scripts and tools for exporting and importing NSGs as CSVs are now broken.

Hi Chung,

How can we create a new NSG rule and import all the rules from CSV?

Thanks,
Jijos

Chung,
Instead of using '*', use 'any'.

Hi Kunal,

The original value for my "Source port ranges" setting is "*"

Using command:
Get-AzureRmNetworkSecurityGroup -Name -ResourceGroupName | Get-AzureRmNetworkSecurityRuleConfig | Select * | Export-Csv -NoTypeInformation -Path C:\Temp\TestNSG01.csv

The exported CSV contains value "System.Collections.Generic.List`1[System.String]" for that, which seems to be not acceptable by Set-AzureRmNetworkSecurityGroup ...

Hi Chung, as per the pasted error it looks like "Security rule has invalid Port range"; check your CSV file once.

When importing an NSG from CSV I got the following error:

Set-AzureRmNetworkSecurityGroup : Security rule has invalid Port range. Value provided:
System.Collections.Generic.List`1[System.String]. Value should be an integer OR integer range with '-' delimiter.
Valid range 0-65535.
StatusCode: 400
ReasonPhrase: Bad Request
OperationID : '1258b0ff-17e0-450f-861c-bd74a4c380fa'
At line:3 char:12
+ $NSG | Set-AzureRmNetworkSecurityGroup
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : CloseError: (:) [Set-AzureRmNetworkSecurityGroup], NetworkCloudException
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.Network.SetAzureNetworkSecurityGroupCommand

The original value for my "Source port ranges" setting is "*", and the exported CSV use value "System.Collections.Generic.List`1[System.String]" for that, which seems to be not acceptable by Set-AzureRmNetworkSecurityGroup ...


