Useful CLI snippets for auditing Azure Network Security Groups (PowerShell + Azure CLI)

Find NSG rules whose destination port is "Any" (`*`)

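# Find NSG rules whose destination port is "Any" ('*'), listed per direction.
#
# Uses the Azure CLI (`az network nsg list`, requires an active `az login`) and
# inspects every NSG in the currently selected subscription. Only custom rules
# (`securityRules`) are examined; the platform `defaultSecurityRules` are not.
# The access/protocol and address-prefix columns are included so that an
# "Allow * from *" rule can be told apart from a harmless Deny rule.

# Renders the single-value and multi-value prefix properties of a rule as one
# space-separated string (whichever of the two the CLI populated).
function Format-Prefix {
    param($single, $multi)
    $parts = @($single) + @($multi) | Where-Object { -not [string]::IsNullOrEmpty($_) }
    return ($parts -join ' ')
}

$inbound  = New-Object System.Collections.Generic.List[object]
$outbound = New-Object System.Collections.Generic.List[object]
$nsgList  = az network nsg list | ConvertFrom-Json

foreach ($nsg in $nsgList) {
    foreach ($rule in $nsg.securityRules) {
        # Single-value rules carry destinationPortRange; multi-value rules carry
        # destinationPortRanges. The wildcard is checked in both places.
        $anyPort = (($rule.destinationPortRange -eq '*') -or (@($rule.destinationPortRanges) -contains '*'))
        if (-not $anyPort) { continue }

        $details = [pscustomobject]@{
            nsgName   = $nsg.name
            direction = $rule.direction
            priority  = $rule.priority
            ruleName  = $rule.name
            access    = $rule.access
            protocol  = $rule.protocol
            source    = Format-Prefix $rule.sourceAddressPrefix $rule.sourceAddressPrefixes
            dest      = Format-Prefix $rule.destinationAddressPrefix $rule.destinationAddressPrefixes
        }

        if ($rule.direction -eq 'Inbound') {
            $inbound.Add($details)
        } else {
            $outbound.Add($details)
        }
    }
}

$columns = 'nsgName', 'direction', 'priority', 'ruleName', 'access', 'protocol', 'source', 'dest'
$inbound  | Sort-Object -Property nsgName, priority | Format-Table -Property $columns
$outbound | Sort-Object -Property nsgName, priority | Format-Table -Property $columns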

Find NSG rules with an "Any" (`*`) source or an "Any" destination

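# Find NSG rules whose source address OR destination address is "Any" ('*'),
# listed per direction.
#
# Uses the Azure CLI (`az network nsg list`, requires an active `az login`) and
# inspects every NSG in the currently selected subscription. Only custom rules
# (`securityRules`) are examined; the platform `defaultSecurityRules` are not.
# A rule is reported when either side is the wildcard; the source/dest columns
# show the actual prefixes so the reader can see which side matched, and the
# access/protocol columns separate "Allow from *" (worth reviewing) from a
# Deny rule.

# Renders the single-value and multi-value prefix properties of a rule as one
# space-separated string (whichever of the two the CLI populated).
function Format-Prefix {
    param($single, $multi)
    $parts = @($single) + @($multi) | Where-Object { -not [string]::IsNullOrEmpty($_) }
    return ($parts -join ' ')
}

$inbound  = New-Object System.Collections.Generic.List[object]
$outbound = New-Object System.Collections.Generic.List[object]
$nsgList  = az network nsg list | ConvertFrom-Json

foreach ($nsg in $nsgList) {
    foreach ($rule in $nsg.securityRules) {
        $anySource = ($rule.sourceAddressPrefix -eq '*')
        $anyDest   = ($rule.destinationAddressPrefix -eq '*')
        if (-not ($anySource -or $anyDest)) { continue }

        $details = [pscustomobject]@{
            nsgName   = $nsg.name
            direction = $rule.direction
            priority  = $rule.priority
            ruleName  = $rule.name
            access    = $rule.access
            protocol  = $rule.protocol
            source    = Format-Prefix $rule.sourceAddressPrefix $rule.sourceAddressPrefixes
            dest      = Format-Prefix $rule.destinationAddressPrefix $rule.destinationAddressPrefixes
        }

        if ($rule.direction -eq 'Inbound') {
            $inbound.Add($details)
        } else {
            $outbound.Add($details)
        }
    }
}

$columns = 'nsgName', 'direction', 'priority', 'ruleName', 'access', 'protocol', 'source', 'dest'
$inbound  | Sort-Object -Property nsgName, priority | Format-Table -Property $columns
$outbound | Sort-Object -Property nsgName, priority | Format-Table -Property $columns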

Export the NSG rules of a resource group to CSV (one file per NSG)

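# Export every NSG rule in a resource group to one CSV file per NSG
# (<nsg name>.csv in the current directory), sorted by direction then priority.
#
# Requires the AzureRM module, which Microsoft has retired; the drop-in
# replacement is the Az module (`Get-AzNetworkSecurityGroup`, same parameters).
#
# Parameters:
#   rgName - resource group whose NSGs are exported; prompted for when missing.
param($rgName)

if ([string]::IsNullOrWhiteSpace($rgName)) {
    $rgName = Read-Host -Prompt "please enter a rgName"
}

$nsgs = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $rgName
$exportPath = '.'

# Renders an array-valued rule property as a single space-separated cell.
function Join-Values {
    param($values)
    return [string]::Join(' ', @($values))
}

# Backup every NSG to its own CSV.
foreach ($nsg in $nsgs) {
    $csvPath = Join-Path $exportPath "$($nsg.Name).csv"

    # Always (re)create the file so an NSG without custom rules still yields an
    # empty CSV, and a stale export from a previous run is never appended to.
    New-Item -ItemType File -Path $csvPath -Force | Out-Null

    # One Export-Csv for the whole rule set instead of one append per rule.
    # 'UTF8' is the encoding name accepted by both Windows PowerShell 5.1
    # (whose validation set rejects 'UTF-8') and PowerShell 7.
    $nsg.SecurityRules |
        Sort-Object @{ Expression = 'Direction'; Ascending = $true }, @{ Expression = 'Priority'; Ascending = $true } |
        Select-Object Name, Direction, Access, Priority, Protocol,
            @{ Name = 'SourceAddressPrefix';      Expression = { Join-Values $_.SourceAddressPrefix } },
            @{ Name = 'SourcePortRange';          Expression = { Join-Values $_.SourcePortRange } },
            @{ Name = 'DestinationAddressPrefix'; Expression = { Join-Values $_.DestinationAddressPrefix } },
            @{ Name = 'DestinationPortRange';     Expression = { Join-Values $_.DestinationPortRange } },
            Description |
        Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
}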

Find NSG rules that reference a specific IP address

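# Find NSG rules that reference a specific IP address in a resource group,
# listed per direction. The source/dest columns mark which side matched.
#
# Matching is an exact string comparison against the rule's address prefix(es):
# a rule written as a CIDR block, a service tag ('Internet', 'VirtualNetwork')
# or '*' is NOT reported even though it covers the address. An empty result
# therefore does not mean the IP is unreachable; use the "Any source/destination"
# search above for the wildcard rules.
#
# Parameters:
#   checkIp - the address to look for, exactly as written in the rules
#   rgName  - resource group whose NSGs are searched
# Both are prompted for when missing.
param($checkIp, $rgName)

if ([string]::IsNullOrWhiteSpace($checkIp)) {
    $checkIp = Read-Host -Prompt "please enter a checkIp"
}
if ([string]::IsNullOrWhiteSpace($rgName)) {
    $rgName = Read-Host -Prompt "please enter a rgName"
}

# $true when $ip equals the single-value prefix or is one of the multi-value
# prefixes (the CLI populates one or the other per rule).
function Test-PrefixMatch {
    param($single, $multi, $ip)
    return (($single -eq $ip) -or (@($multi) -contains $ip))
}

$inbound  = New-Object System.Collections.Generic.List[object]
$outbound = New-Object System.Collections.Generic.List[object]

# Scope the listing to the requested resource group; without --resource-group
# az returns every NSG in the subscription and $rgName goes unused.
$nsgList = az network nsg list --resource-group $rgName | ConvertFrom-Json

foreach ($nsg in $nsgList) {
    foreach ($rule in $nsg.securityRules) {
        $srcMatch = Test-PrefixMatch $rule.sourceAddressPrefix      $rule.sourceAddressPrefixes      $checkIp
        $dstMatch = Test-PrefixMatch $rule.destinationAddressPrefix $rule.destinationAddressPrefixes $checkIp
        if (-not ($srcMatch -or $dstMatch)) { continue }

        $details = [pscustomobject]@{
            nsgName   = $nsg.name
            direction = $rule.direction
            priority  = $rule.priority
            ruleName  = $rule.name
            access    = $rule.access
            source    = $(if ($srcMatch) { 'true' } else { '' })
            dest      = $(if ($dstMatch) { 'true' } else { '' })
        }

        if ($rule.direction -eq 'Inbound') {
            $inbound.Add($details)
        } else {
            $outbound.Add($details)
        }
    }
}

$columns = 'nsgName', 'direction', 'priority', 'ruleName', 'access', 'source', 'dest'
$inbound  | Sort-Object -Property nsgName, priority | Format-Table -Property $columns
$outbound | Sort-Object -Property nsgName, priority | Format-Table -Property $columns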