Export all NSG rules in ARM for all Subscriptions


You can associate different NSGs with a VM (or NIC, depending on the deployment model) and with the subnet that the NIC or VM is bound to. When both are present, all network access rules are applied to the traffic, evaluated by priority within each NSG, in the following order:

Inbound traffic

  1. NSG applied to the subnet. If the subnet NSG has a matching rule that denies the traffic, the packet is dropped here.
  2. NSG applied to the NIC (Resource Manager) or VM (classic). If the VM\NIC NSG has a matching rule that denies the traffic, the packet is dropped at the VM\NIC, even though the subnet NSG has a matching rule that allows it.

Outbound traffic

  1. NSG applied to the NIC (Resource Manager) or VM (classic). If the VM\NIC NSG has a matching rule that denies the traffic, the packet is dropped here.
  2. NSG applied to the subnet. If the subnet NSG has a matching rule that denies the traffic, the packet is dropped here, even though the VM\NIC NSG has a matching rule that allows it.


Run the following PowerShell script to export all NSG rules in ARM for all subscriptions. The exported output can be copied and pasted into Excel for further analysis. A sample screenshot is provided at the bottom of the post.

$cred = Get-Credential

$output1 = 'Exporting NSGs from all subscriptions in Azure Resource Manager' + "`r`n"

Clear-Host

Login-AzureRmAccount -Credential $cred

# Older AzureRM.Profile releases expose SubscriptionName/SubscriptionId; newer ones expose
# Name/Id (see the comments below). Adjust the two property names to your module version.
$Subscriptions = Get-AzureRMSubscription

foreach ( $Subscription in $Subscriptions )
{
    $output1 += "" + "`r`n"
    $output1 += ('SubscriptionName:' + $Subscription.SubscriptionName) + "`r`n"
    $output1 += ('SubscriptionID:' + $Subscription.SubscriptionID) + "`r`n"
    $SubscriptionId = $Subscription.SubscriptionId

    # Switch context and discard the context object the cmdlet returns
    # (the original '> 0' was a redirection that wrote it to a file named 0)
    Select-AzureRMSubscription -SubscriptionId $SubscriptionId | Out-Null

    $rgs = Get-AzureRmNetworkSecurityGroup
    foreach ($rg in $rgs)
    {
        $output1 += "" + "`r`n"
        $output1 += ('NSG:' + $rg.Name) + "`r`n"

        # Subnet ids end in .../virtualNetworks/<vnet>/subnets/<subnet>:
        # the last segment is the subnet, two segments earlier is the VNET
        $subnets = $rg.Subnets
        foreach ($sn in $subnets)
        {
            $snarray = $sn.id.Split('/')
            $arrayid = $snarray.Count - 1
            $output1 += ('Associated VNET:' + $snarray[$arrayid - 2]) + "`r`n"
            $output1 += ('Associated Subnet:' + $snarray[$arrayid]) + "`r`n"
        }

        $nics = $rg.NetworkInterfaces
        foreach ($nic in $nics)
        {
            $snarray = $nic.id.Split('/')
            $arrayid = $snarray.Count - 1
            $output1 += ('Associated NIC:' + $snarray[$arrayid]) + "`r`n"

            # A NIC that is not attached to a VM carries no VirtualMachine reference
            $vm = Get-AzureRmNetworkInterface | Where-Object {$_.id -eq $nic.id} | Select-Object -ExpandProperty VirtualMachine
            if ($vm -and $vm.id)
            {
                $snarray2 = $vm.id.Split('/')
                $arrayid2 = $snarray2.Count - 1
                $output1 += ('Associated VM:' + $snarray2[$arrayid2]) + "`r`n"
            }
        }

        # Custom rules first, then the default rules (priorities 65000 and above)
        $rules = Get-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $rg
        $output1 += "" + "`r`n"
        $output1 += ('Priority' + ',' + 'SourceAddressPrefix' + ',' + 'SourcePortRange' + ',' + 'DestinationAddressPrefix' + ',' + 'DestinationPortRange' + ',' + 'Access' + ',' + 'Direction' + ',' + 'Description') + "`r`n"
        foreach ($rule in $rules)
        {
            $output1 += ($rule.Priority.ToString() + ',' + $rule.SourceAddressPrefix + ',' + $rule.SourcePortRange + ',' + $rule.DestinationAddressPrefix + ',' + $rule.DestinationPortRange + ',' + $rule.Access + ',' + $rule.Direction + ',' + $rule.Description) + "`r`n"
        }

        $rules = $rg.DefaultSecurityRules
        foreach ($rule in $rules)
        {
            $output1 += ($rule.Priority.ToString() + ',' + $rule.SourceAddressPrefix + ',' + $rule.SourcePortRange + ',' + $rule.DestinationAddressPrefix + ',' + $rule.DestinationPortRange + ',' + $rule.Access + ',' + $rule.Direction + ',' + $rule.Description) + "`r`n"
        }
    }
}

# Write the result to %TEMP%\nsgrules1.txt, replacing any previous export
Remove-Item ($env:temp + "\nsgrules1.txt") -ErrorAction Ignore
$output1 | Out-File -FilePath ($env:temp + "\nsgrules1.txt") -Force -ErrorAction Ignore

The expected output looks like the following:

[Screenshot: exportARMrulesNSG1]
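As an added example that is not part of the original post, the following Python reads rule blocks in the comma-separated shape the script writes (one block per NSG, header and default rules included) and applies the two-layer evaluation order described at the top of the post: an inbound flow survives only if the subnet NSG and then the NIC NSG both allow it, and outbound the layers are checked in reverse. The sample rules are constructed; service tags such as VirtualNetwork are not resolved here (they never match) and source ports are not checked.

```python
import ipaddress
from collections import namedtuple

# Constructed sample export blocks (one subnet NSG, one NIC NSG) in the shape the script above writes; not real data.
SUBNET_NSG = """Priority,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Access,Direction,Description
100,*,*,*,443,Allow,Inbound,web
200,*,*,*,22,Allow,Inbound,ssh-from-anywhere
65500,*,*,*,*,Deny,Inbound,Deny all inbound traffic"""
NIC_NSG = """110,10.0.0.0/16,*,*,22,Allow,Inbound,ssh-from-vnet-only
120,*,*,*,22,Deny,Inbound,block-public-ssh
65500,*,*,*,*,Deny,Inbound,Deny all inbound traffic"""

Rule = namedtuple("Rule", "priority src src_port dst dst_port access direction description")

def parse_rules(export):
    """Keep the numeric rule lines of an export block, lowest priority number first."""
    rules = []
    for line in export.splitlines():
        f = [x.strip() for x in line.split(",")]
        if len(f) >= 8 and f[0].isdigit():   # skips the header and the NSG:/Associated lines
            rules.append(Rule(int(f[0]), *f[1:8]))
    return sorted(rules, key=lambda r: r.priority)

def _addr_match(prefix, addr):
    if prefix == "*":
        return True
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False   # service tags (VirtualNetwork, Internet, ...) are not resolved here

def _port_match(rng, port):
    lo, _, hi = rng.partition("-")   # "22", "1024-65535" or "*"
    return rng == "*" or int(lo) <= port <= int(hi or lo)

def nsg_decision(rules, src, dst, dst_port, direction):
    """Within one NSG the first matching rule by ascending priority decides."""
    for r in rules:
        if (r.direction == direction and _addr_match(r.src, src)
                and _addr_match(r.dst, dst) and _port_match(r.dst_port, dst_port)):
            return r.access
    return "Deny"   # unreachable while the 65500 DenyAll default is present; kept as a guard

def effective_access(subnet_rules, nic_rules, src, dst, dst_port, direction="Inbound"):
    """Inbound: subnet NSG then NIC NSG; outbound the reverse. A Deny at either layer drops the packet."""
    layers = (subnet_rules, nic_rules) if direction == "Inbound" else (nic_rules, subnet_rules)
    for layer in layers:
        if nsg_decision(layer, src, dst, dst_port, direction) == "Deny":
            return "Deny"
    return "Allow"
```

The SSH pair is the case from the inbound list: the subnet NSG allows port 22 from anywhere, yet the NIC NSG drops it unless the source is inside 10.0.0.0/16.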


Comments (3)

  1. Dave Cooper says:

    This was a great script!!! Saved me a lot of time having to write this from scratch. Just an update: the properties of $Subscription are .Name & .Id. Great job!!!!

    1. Dave Cooper says:

      UPDATED:
      foreach ($subscription in (Get-AzureRMSubscription)) {
          write-host ""
          write-host ('SubscriptionName:' + $subscription.Name)
          write-host ('SubscriptionID:' + $subscription.Id)
          # discard the returned context object ('> 0' would redirect it to a file named 0)
          Select-AzureRMSubscription -SubscriptionId $subscription.Id | Out-Null
          foreach ($rg in (Get-AzureRmNetworkSecurityGroup)) {
              write-host ""
              write-host ('NSG:' + $rg.Name)
              $subnets = $rg.Subnets
              foreach ($sn in $subnets) {
                  $arrayid = $sn.id.Split('/').count - 1
                  $snarray = $sn.id.Split('/')
                  write-host ('Associated Subnet:' + $snarray[$arrayid])
              }
              $nics = $rg.NetworkInterfaces
              foreach ($nic in $nics) {
                  $arrayid = $nic.id.Split('/').count - 1
                  $snarray = $nic.id.Split('/')
                  write-host ('Associated NIC:' + $snarray[$arrayid])
              }
              $rules = Get-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $rg
              write-host ""
              write-host ('Priority' + ',' + 'SourceAddressPrefix' + ',' + 'SourcePortRange' + ',' + 'DestinationAddressPrefix' + ',' + 'DestinationPortRange' + ',' + 'Access' + ',' + 'Direction' + ',' + 'Description')
              foreach ($rule in $rules) {
                  write-host ($rule.Priority.ToString() + ',' + $rule.SourceAddressPrefix + ',' + $rule.SourcePortRange + ',' + $rule.DestinationAddressPrefix + ',' + $rule.DestinationPortRange + ',' + $rule.Access + ',' + $rule.Direction + ',' + $rule.Description)
              }
              $rules = $rg.DefaultSecurityRules
              foreach ($rule in $rules) {
                  write-host ($rule.Priority.ToString() + ',' + $rule.SourceAddressPrefix + ',' + $rule.SourcePortRange + ',' + $rule.DestinationAddressPrefix + ',' + $rule.DestinationPortRange + ',' + $rule.Access + ',' + $rule.Direction + ',' + $rule.Description)
              }
          }
      }

    2. Bulent Ozkir says:

      I am glad that it helped. Many customers are using it to understand the NSGs that are created and their linkage to the subnets and NICs. I have recently updated it to show VNETs and VMs in addition to subnets and NICs. Regards.
