In my previous blog post “Working with NSG augmented security rules in Azure” I described what the NSG augmented security rules are and how you can leverage them with PowerShell.
-> https://www.danielstechblog.io/working-nsg-augmented-security-rules-azure/
In this blog post I will briefly describe how to implement the augmented security rules in your Azure Resource Manager template. First, let us have a look at the standard security rule definition we are familiar with.
"resources": [
{
"apiVersion": "2017-10-01",
"type": "Microsoft.Network/networkSecurityGroups",
"name": "value",
"location": "[resourceGroup().location]",
"properties": {
"securityRules":[
{
"name": "value",
"properties":{
"description": "value",
"protocol": "Tcp",
"sourcePortRange": "value",
"destinationPortRange": "value",
"sourceAddressPrefix": "value",
"destinationAddressPrefix": "value",
"access": "Allow",
"priority": 100,
"direction": "Outbound"
}
}
]
}
}
]
The thing is with the augmented security rules, that we must provide for the properties sourcePortRange, destinationPortRange, sourceAddressPrefix and destinationAddressPrefix the plural versions sourcePortRanges, destinationPortRanges, sourceAddressPrefixes and destinationAddressPrefixes. Furthermore, we must provide the values for these properties as an array otherwise the deployment will fail.
"resources": [
{
"apiVersion": "2017-10-01",
"type": "Microsoft.Network/networkSecurityGroups",
"name": "value",
"location": "[resourceGroup().location]",
"properties": {
"securityRules":[
{
"name": "value",
"properties":{
"description": "value",
"protocol": "Tcp",
"sourcePortRanges": [ "value","value" ],
"destinationPortRanges": [ "value","value" ],
"sourceAddressPrefixes": [ "value","value" ],
"destinationAddressPrefixes": [ "value","value" ],
"access": "Allow",
"priority": 100,
"direction": "Outbound"
}
}
]
}
}
]
Finally, let us have a look on the same scenario I had described in my previous blog article to create a NSG augmented security rule to cover the IP range for the Azure region East US and open the ports 22, 3389 and 443.
Template file:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"nsgPrefixName": {
"type": "string",
"metadata": {
"description": "NSG prefix name"
}
},
"azureRegionName": {
"type": "string",
"metadata": {
"description": "Azure Region name"
}
},
"destinationPrefix": {
"type": "array",
"metadata": {
"description": "Destination prefix"
}
},
"allowedPorts": {
"type": "array",
"metadata": {
"description": "Define allowed inbound ports"
}
}
},
"variables": {
"basePorts": [
22,
3389
],
"allPorts": "[concat(variables('basePorts'), parameters('allowedPorts'))]"
},
"resources": [
{
"apiVersion": "[providers('Microsoft.Network','networkSecurityGroups').apiVersions[0]]",
"type": "Microsoft.Network/networkSecurityGroups",
"name": "[concat(parameters('nsgPrefixName'),'-', parameters('azureRegionName'),'-nsg')]",
"location": "[resourceGroup().location]",
"properties": {
"securityRules": [
{
"name": "enabledPorts",
"properties": {
"description": "enabledPorts",
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRanges": "[variables('allPorts')]",
"sourceAddressPrefix": "Internet",
"destinationAddressPrefixes": "[parameters('destinationPrefix')]",
"access": "Allow",
"priority": 100,
"direction": "Outbound"
}
}
]
}
}
],
"outputs": {
"apiVersionNSG": {
"type": "string",
"value": "[providers('Microsoft.Network','networkSecurityGroups').apiVersions[0]]"
},
"enabledPorts": {
"type": "array",
"value": "[variables('allPorts')]"
}
}
}
Template parameters file:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"nsgPrefixName": {
"value": "Azure-region"
},
"azureRegionName": {
"value": "eastus"
},
"destinationPrefix": {
"value": []
},
"allowedPorts": {
"value": [
443
]
}
}
}
PowerShell deployment script:
[xml]$azureRegions=Get-Content .\PublicIPs_20171031.xml
$filter="useast"
$selectedRegion=($azureRegions.AzurePublicIpAddresses.Region|Where-Object {$_.Name -eq $filter}).IpRange.Subnet
New-AzureRmResourceGroupDeployment -Name "augmented-security-rules" -ResourceGroupName "augmented-security-rules" -TemplateParameterFile .\NSG_ASR.parameters.json -TemplateFile .\NSG_ASR.json -destinationPrefix $selectedRegion -Verbose