Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

MICROSOFT AZURE POWERSHELL: CREATING NEW NSG (NETWORK SECURITY GROUP)

January 23, 2017 02:18PM

This post is based on article CREATE NEW NSG (NETWORK SECURITY GROUP - VIRTUAL FIREWALL ACL) ON MICROSOFT AZURE. Although it is same, but in this I will be showing how to do the same task using PowerShell. Below command creates new NSG with no custom Security Rules. 3 parameters are required -Name, -ResourceGroupName and -Location and they are self explanatory. And new NSG information is stored into a $NSG Variable, which I require to add inbound and outbound rules.

$NSG = New-AzureRmNetworkSecurityGroup -Name 'Windows-NSG' -ResourceGroupName 'POC-VPN' -Location 'East US 2'

As currently no rules (There are by default three default security rules) are there in newly created network security group, I will creating one using below command.

$NSG | Add-AzureRmNetworkSecurityRuleConfig -Name 'rule-default-allow-RDP' -Direction Inbound -Priority 100 -Access Allow -SourceAddressPrefix '*'  -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange 3389 -Protocol Tcp  -Description 'RDP exception for Windows'

Parameters Breakdown
-Name: This is the Name for rule under NSG
-Direction: Direction will be either Inbound or Outbound
-Prioirty: Rule priority (should be between 100 - 4096), Lower The priority number, Higher the precedence. 
-Access: This will be either Allow or Deny
-SourceaddressPrefix: Provide the IP or subnet range, * means any IP can connect. Source is the machine from you will be generating connection to destination.
-SourcePortRange: Provide Port range of Source. * means any port.
-DestinationAddressPrefix: Provide the IP or subnet range, Destination is the Azure VM or services.
-DestinationPortRange: Here I am opening only 3389 port on azure virttual machine for RDP.
-Protocol: This can be TCP, UDP or Both
-Description: This option is not visible on Azure Resource manager portal, and can be set through only Powershell, It is good practice to put information about rule.

POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL

Now Rule is created, but still changes are not committed into Azure, they are still on Local Powershell memory.

Microsoft Azure powershell create NSG, Network Security Group, New-AzureRmNetworkSecurityGrouP, Add-AzurermnetworkSecurityRuleConfig, NSG inbound outbound rules, tcp udp allow deny

To commit changes of new security rules into NSG, execute below command, Once successful It will show the new rules provisioningstate as succeeded, It can be compared with above and below screenshots.

$NSG | Set-AzureRmNetworkSecurityGroup

Microsoft Azure powershell create NSG, Network Security Group, Add-AzurermnetworkSecurityRuleConfig, NSG inbound outbound rules, tcp udp allow deny set-azurermnetworksecuritygroup commit changes

You can use below command on powershell to know about existing NSGs.

Get-AzureRmNetworkSecurityGroup -Name 'Windows-NSG' -ResourceGroupName 'POC-VPN'

Microsoft Azure powershell NSG, Network Security Group, Add-AzurermnetworkSecurityRuleConfig, NSG inbound outbound rules, tcp udp allow deny set-azurermnetworksecuritygroup, get-AzureRMNetworkSecurityGroup changes.png

Subsequently Use below One-Liner command to check Network Security rules under NSG.

Get-AzureRmNetworkSecurityGroup -Name 'Windows-NSG' -ResourceGroupName 'POC-VPN' | Get-AzureRmNetworkSecurityRuleConfig -Name 'rule-default-allow-RDP'

Microsoft Azure powershell NSG, Network Security Group, Add-AzurermnetworkSecurityRuleConfig, NSG inbound outbound rules, tcp udp allow deny Get-AzurermnetworkSecurityRuleConfig, get-AzureRMNetworkSecurityGroup change

Associating NSG to VM Nic is relatively easy with below commands.

$VMNetoworkInterface = Get-AzureRmNetworkInterface -Name 'NIC_Interface' -ResourceGroupName POC-VPN
$VMNetoworkInterface.NetworkSecurityGroup =  $NSG
$VMNetoworkInterface | Set-AzureRmNetworkInterface

Microsoft Azure associate NSG (Network Security Group) to Virtual Machine vm Nic interface, Network, Get-AzureRmNetworkinterface - NetworkSecurityGroup, Set-Azure RmNetworkInterfaces

Next is associating Network security group to virtual network subnet. First command I need information about existing vNet stored in $vNet variable

$vNet = Get-AzureRmVirtualNetwork -ResourceGroupName 'POC-VPN' -Name 'POC-VPN-vNet'

And set the existing vNet subnet, make sure you are using correct existing address prefix only.

Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vNet -Name 'Default' -NetworkSecurityGroup $NSG -AddressPrefix '10.0.0.0/24'

Associating, assigning NSG, network security group to a Virtual Network vNet subnet microsoft azure powershell get-azurermvirtualnetwork, set-azurermvirtualnetworksubnetconfig networksecuritygroup, virtualnetwork, vnet

This is the last piece of command, associating NSG in vNet subnet and need to commit the changes in azure.

Set-AzureRmVirtualNetwork -VirtualNetwork $vNet

Associating NSG network security group to a Virtual Network vNet subnet microsoft azure powershell get-azurermvirtualnetwork, set-azurermvirtualnetworksubnetconfig , Set-AzureRmVirtualNetwork -virtualNetwork.png

Useful Links
INSTALLING MICROSOFT AZURE POWERSHELL
PART 9: CREATING AND MANAGING VIRTUAL MACHINE (VM) USING MICROSOFT AZURE RESOURCE MANAGER PORTAL
POWERSHELL - EXPORT AZURE NSG (NETWORK SECURITY GROUP) RULES TO EXCEL
MICROSOFT AZURE POWERSHELL: CLONING (COPING) OR IMPORTING EXISTING NSG (NETWORK SECURITY GROUP) FROM EXCEL

Go Back

Comment