Export all NSG rules in ARM for all subscriptions


You can associate different NSGs with a VM (or its NIC, depending on the deployment model) and with the subnet that the NIC or VM is bound to. When both exist, the rules of both NSGs are applied to the traffic, by priority within each NSG (lowest number first, first match wins), in the following order:

Inbound traffic

  1. NSG applied to the subnet. If the subnet NSG has a matching rule that denies the traffic, the packet is dropped here.
  2. NSG applied to the NIC (Resource Manager) or VM (classic). If the VM\NIC NSG has a matching rule that denies the traffic, the packet is dropped at the VM\NIC, even though the subnet NSG had a matching rule that allowed it.

Outbound traffic

  1. NSG applied to the NIC (Resource Manager) or VM (classic). If the VM\NIC NSG has a matching rule that denies the traffic, the packet is dropped here.
  2. NSG applied to the subnet. If the subnet NSG has a matching rule that denies the traffic, the packet is dropped here, even though the VM\NIC NSG had a matching rule that allowed it.

In other words, traffic must be allowed by both NSGs to pass; a Deny in either one is final.
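The evaluation order above, as an added example that is not part of the original post: a small PowerShell model of a subnet NSG and a NIC NSG with constructed rule sets, showing that a Deny at either stage drops the packet even when the other NSG has a matching Allow. The rule names, addresses and priorities are made up, and address matching is simplified to `*` or an exact string; real NSGs expand CIDR prefixes and service tags such as `Internet` and `VirtualNetwork`.

```powershell
# Added example, not part of the original post. Rule objects carry the same property
# names the export script prints; the rule sets below are constructed for illustration.

function Test-PortInRange {
    # True when a DestinationPortRange value ('*', '3389' or '80-443') covers $Port.
    param([string]$Range, [int]$Port)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') { return ($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2]) }
    return ([int]$Range -eq $Port)
}

function Get-NsgDecision {
    # Walk one NSG's rules in ascending priority (lowest number first); the first match wins.
    param([object[]]$Rules, [string]$Direction, [string]$Protocol, [string]$Source, [int]$DestPort)
    foreach ($r in ($Rules | Sort-Object Priority)) {
        if ($r.Direction -ne $Direction) { continue }
        if ($r.Protocol -ne '*' -and $r.Protocol -ne $Protocol) { continue }
        if ($r.SourceAddressPrefix -ne '*' -and $r.SourceAddressPrefix -ne $Source) { continue }
        if (-not (Test-PortInRange -Range $r.DestinationPortRange -Port $DestPort)) { continue }
        return $r
    }
    # Every real NSG ends with a platform DenyAll rule at 65500, so this is only a safety net.
    return [pscustomobject]@{ Name = '(implicit deny)'; Priority = 65500; Access = 'Deny' }
}

function Test-Flow {
    # Inbound: subnet NSG first, then NIC NSG. Outbound: NIC NSG first, then subnet NSG.
    # A Deny at either stage drops the packet regardless of what the other NSG says.
    param([object[]]$SubnetRules, [object[]]$NicRules, [string]$Direction,
          [string]$Protocol, [string]$Source, [int]$DestPort)
    $stages = if ($Direction -eq 'Inbound') {
        @{ Name = 'subnet'; Rules = $SubnetRules }, @{ Name = 'NIC'; Rules = $NicRules }
    } else {
        @{ Name = 'NIC'; Rules = $NicRules }, @{ Name = 'subnet'; Rules = $SubnetRules }
    }
    foreach ($stage in $stages) {
        $hit = Get-NsgDecision -Rules $stage.Rules -Direction $Direction -Protocol $Protocol -Source $Source -DestPort $DestPort
        if ($hit.Access -eq 'Deny') {
            return "Denied at $($stage.Name) NSG by '$($hit.Name)' (priority $($hit.Priority))"
        }
    }
    return 'Allowed: both NSGs matched an Allow rule'
}

function New-Rule {
    param($Name, $Priority, $Direction, $Access, $Protocol, $Src, $DstPort)
    [pscustomobject]@{ Name = $Name; Priority = $Priority; Direction = $Direction; Access = $Access
                       Protocol = $Protocol; SourceAddressPrefix = $Src; DestinationPortRange = $DstPort }
}

# Constructed rule sets. 'DenyAllInBound' mirrors the platform default rule every NSG carries.
$subnetNsg = @(
    (New-Rule 'Allow-RDP-From-Jumpbox' 100 'Inbound' 'Allow' 'Tcp' '10.0.1.4' '3389'),
    (New-Rule 'Allow-HTTPS'            200 'Inbound' 'Allow' 'Tcp' '*'        '443'),
    (New-Rule 'DenyAllInBound'       65500 'Inbound' 'Deny'  '*'   '*'        '*')
)
$nicNsg = @(
    (New-Rule 'Deny-RDP'               100 'Inbound' 'Deny'  'Tcp' '*'        '3389'),
    (New-Rule 'Allow-Web'              200 'Inbound' 'Allow' 'Tcp' '*'        '80-443'),
    (New-Rule 'DenyAllInBound'       65500 'Inbound' 'Deny'  '*'   '*'        '*')
)

# RDP from the jump box: the subnet NSG allows it at priority 100, but the NIC NSG denies it.
Test-Flow $subnetNsg $nicNsg 'Inbound' 'Tcp' '10.0.1.4' 3389
# HTTPS from the Internet: both NSGs have a matching Allow rule, so the packet passes.
Test-Flow $subnetNsg $nicNsg 'Inbound' 'Tcp' '203.0.113.10' 443
# SSH: no explicit rule, so the subnet NSG's DenyAllInBound drops it before the NIC NSG is consulted.
Test-Flow $subnetNsg $nicNsg 'Inbound' 'Tcp' '10.0.1.4' 22
```

The point the model makes visible is that the NIC-level `Deny-RDP` wins even though the subnet NSG has an explicit, higher-priority-looking Allow for the same flow; priority only orders rules within one NSG, never across the two.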

 

Run the following PowerShell script to export all NSG rules in Azure Resource Manager (ARM) for every subscription the signed-in account can access. Each NSG is printed with its associated subnets and NICs, followed by its rules as comma-separated lines, so the output can be pasted into Excel for further analysis. A sample screenshot is at the bottom of the post.

$cred = Get-Credential

Clear-Host
Write-Host 'Exporting NSGs from all subscriptions in Azure Resource Manager'

# Sign in once; each subscription is then selected in the current context.
Login-AzureRmAccount -Credential $cred | Out-Null
$Subscriptions = Get-AzureRmSubscription

foreach ($Subscription in $Subscriptions)
{
    Write-Host ""
    Write-Host ('SubscriptionName:' + $Subscription.SubscriptionName)
    Write-Host ('SubscriptionID:' + $Subscription.SubscriptionId)

    # Discard the context object that Select-AzureRmSubscription returns.
    Select-AzureRmSubscription -SubscriptionId $Subscription.SubscriptionId | Out-Null

    $nsgs = Get-AzureRmNetworkSecurityGroup

    foreach ($nsg in $nsgs)
    {
        Write-Host ""
        Write-Host ('NSG:' + $nsg.Name + ' (ResourceGroup:' + $nsg.ResourceGroupName + ')')

        # Subnets and NICs are referenced by resource ID; the last path segment is the resource name.
        foreach ($sn in $nsg.Subnets)
        {
            Write-Host ('Associated Subnet:' + $sn.Id.Split('/')[-1])
        }

        foreach ($nic in $nsg.NetworkInterfaces)
        {
            Write-Host ('Associated NIC:' + $nic.Id.Split('/')[-1])
        }

        Write-Host ""
        Write-Host 'Name,Priority,Protocol,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Access,Direction,Description'

        # Custom rules first, then the platform default rules (priority 65000-65500), which are evaluated last.
        $rules = @(Get-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg) + @($nsg.DefaultSecurityRules)

        foreach ($rule in $rules)
        {
            # Prefix and port properties may hold several values; join them with ';' so commas stay CSV separators.
            Write-Host (($rule.Name, $rule.Priority, $rule.Protocol,
                         ($rule.SourceAddressPrefix -join ';'), ($rule.SourcePortRange -join ';'),
                         ($rule.DestinationAddressPrefix -join ';'), ($rule.DestinationPortRange -join ';'),
                         $rule.Access, $rule.Direction, $rule.Description) -join ',')
        }
    }
}


The expected output looks like the screenshot below:

[Screenshot: exportARMrulesNSG1]
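As an added example that is not part of the original post, the following PowerShell performs a first triage pass over rule lines in the layout the script prints: it flags inbound Allow rules that open common management ports to any source. The CSV lines are constructed, and the list of management ports and the set of "any source" prefixes are assumptions to tune for your environment. The check looks at each rule in isolation; it does not account for a higher-priority Deny rule in the same NSG shadowing the Allow, nor for the second NSG (subnet or NIC) that the traffic must also pass.

```powershell
# Added example, not part of the original post. The lines below are constructed and follow
# the header the export script prints; in practice, paste the script's output into the
# here-string or load a saved copy with Get-Content -Raw.
$exportedCsv = @'
Priority,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Access,Direction,Description
100,*,*,*,3389,Allow,Inbound,temporary RDP for vendor
110,10.0.0.0/8,*,*,22,Allow,Inbound,SSH from corp ranges
120,Internet,*,*,22,Allow,Inbound,
130,*,*,*,5985-5986,Allow,Inbound,WinRM
200,*,*,*,443,Allow,Inbound,public web
65500,*,*,*,*,Deny,Inbound,Deny all inbound traffic
'@

# Assumptions to tune: which ports count as management ports, and which prefixes mean "anyone".
$managementPorts = 22, 3389, 5985, 5986, 1433, 3306
$anySource = '*', 'Internet', '0.0.0.0/0'

function Test-PortExposed {
    # True when a DestinationPortRange value ('*', '22', '80-443', or several joined by ';') covers $Port.
    param([string]$Ranges, [int]$Port)
    foreach ($range in ($Ranges -split ';')) {
        if ($range -eq '*') { return $true }
        $lo, $hi = ($range -split '-')[0, -1]   # a single port yields the same value for both ends
        if ($Port -ge [int]$lo -and $Port -le [int]$hi) { return $true }
    }
    return $false
}

function Find-ExposedManagementRules {
    # Emits one object per inbound Allow rule whose source is unrestricted and whose
    # destination port range covers at least one management port.
    param([string]$CsvText)
    foreach ($r in ($CsvText | ConvertFrom-Csv)) {
        if ($r.Direction -ne 'Inbound' -or $r.Access -ne 'Allow') { continue }
        if ($anySource -notcontains $r.SourceAddressPrefix) { continue }
        $ports = @($managementPorts | Where-Object { Test-PortExposed -Ranges $r.DestinationPortRange -Port $_ })
        if ($ports.Count -gt 0) {
            [pscustomobject]@{
                Priority    = [int]$r.Priority
                Source      = $r.SourceAddressPrefix
                Ports       = ($ports -join ',')
                Description = $r.Description
            }
        }
    }
}

Find-ExposedManagementRules -CsvText $exportedCsv | Sort-Object Priority | Format-Table -AutoSize
```

Emitting objects rather than text keeps the result pipeable: swap `Format-Table` for `Export-Csv` to hand the findings to a ticketing system, or pipe the output of the export script itself through `ConvertFrom-Csv` and this function per NSG instead of going through Excel.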

