Criando as regras do Azure API Manager no Network Security Group com Powershell
on
Olá,
Recentemente precisei configurar um API Gateway no Azure e nesse deployment, o serviço era provisionado em uma Virtual Network. Para que os serviços comuniquem corretamente, há uma série de regras a serem configuradas no Network Security Group aplicado a subnet onde foi criado o serviço. Essas regras estão documentadas aqui, e precisariam ser criadas em cada Network Security Group de cada deployment feito. Resolvi então fazer um script para facilitar o processo.
Primeiro precisamos retornar o Network Security Group que vamos alterar:
$NetworkSecurityGroup = Get-AzureRmNetworkSecurityGroup -Name 'az-nsg-apimanagement' -ResourceGroupName 'az-rg-nsg'Em seguida, vamos definir o CSV com a lista de regras que serão criadas:
$Rules = @"
"Name","Priority","Direction","Access","SourcePrefix","SourcePortRange","DestinationPrefix","DestinationPortRange","Protocol","Description"
"allow_inbound_internet_80_443_vnet","1000","Inbound","Allow","Internet","*","VirtualNetwork","80,443","Tcp","Client communication to API Management"
"allow_inbound_internet_3443_vnet","1010","Inbound","Allow","ApiManagement","*","VirtualNetwork","3443","Tcp","Management endpoint for Azure portal and Powershell"
"allow_outbound_vnet_80_443_storage","1000","Outbound","Allow","VirtualNetwork","*","Storage","80,443","Tcp","Dependency on Azure Storage"
"allow_outbound_vnet_80_443_azuread","1010","Outbound","Allow","VirtualNetwork","*","AzureActiveDirectory","80,443","Tcp","Azure Active Directory"
"allow_outbound_vnet_1433_azuresql","1020","Outbound","Allow","VirtualNetwork","*","SQL","1433","Tcp","Access to Azure SQL endpoints"
"allow_outbound_vnet_5672_eventhub","1030","Outbound","Allow","VirtualNetwork","*","EventHub","5672","Tcp","Dependency for Log to Event Hub policy and monitoring agent"
"allow_outbound_vnet_445_storage","1040","Outbound","Allow","VirtualNetwork","*","Storage","445","Tcp","Dependency on Azure File Share for GIT"
"allow_outbound_vnet_1886_internet","1050","Outbound","Allow","VirtualNetwork","*","Internet","1886","Tcp","Needed to publish Health status to Resource Health"
"allow_outbound_vnet_443_azuremonitor","1060","Outbound","Allow","VirtualNetwork","*","AzureMonitor","443","Tcp","Publish Diagnostics Logs and Metrics"
"allow_outbound_vnet_25_internet","1070","Outbound","Allow","VirtualNetwork","*","Internet","25","Tcp","Connect to SMTP Relay for sending e-mails"
"allow_outbound_vnet_587_internet","1080","Outbound","Allow","VirtualNetwork","*","Internet","587","Tcp","Connect to SMTP Relay for sending e-mails"
"allow_outbound_vnet_25028_internet","1090","Outbound","Allow","VirtualNetwork","*","Internet","25028","Tcp","Connect to SMTP Relay for sending e-mails"
"allow_outbound_vnet_6381-6383_vnet","1100","Outbound","Allow","VirtualNetwork","*","VirtualNetwork","6381-6383","Tcp","Access Azure Cache for Redis Instances between RoleInstances"
"allow_inbound_vnet_6381-6383_vnet","1020","Inbound","Allow","VirtualNetwork","*","VirtualNetwork","6381-6383","Tcp","Access Azure Cache for Redis Instances between RoleInstances"
"allow_inbound_azurelb_all_vnet","1030","Inbound","Allow","AzureLoadBalancer","*","VirtualNetwork","*","Tcp","Azure Infrastructure Load Balancer"
"@Agora vamos converter o CSV em Objeto e com um laço foreach acrescentar as novas regras ao Network Security Group com o comando Add-AzureRmNetworkSecurityRuleConfig:
ConvertFrom-CSV -InputObject $Rules | ForEach-Object -Process {
$AzureRmNetworkSecurityRuleConfig = @{
NetworkSecurityGroup = $NetworkSecurityGroup
Name = $PSItem.Name
Priority = $PSItem.Priority
Access = $PSItem.Access
Direction = $PSItem.Direction
SourceAddressPrefix = $PSItem.SourcePrefix
SourcePortRange = $PSItem.SourcePortRange -Split ','
DestinationAddressPrefix = $PSItem.DestinationPrefix
DestinationPortRange = $PSItem.DestinationPortRange -Split ','
Protocol = $PSItem.Protocol
Description = $PSItem.Description
Verbose = $true
}
Add-AzureRmNetworkSecurityRuleConfig @AzureRmNetworkSecurityRuleConfig
}e por fim com o comando Set-AzureRmNetworkSecurityGroup vamos aplicar as mudanças ao objeto:
Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $NetworkSecurityGroup
Juntando tudo temos o script completo assim:
$NetworkSecurityGroup = Get-AzureRmNetworkSecurityGroup -Name 'az-nsg-apimanagement' -ResourceGroupName 'az-rg-nsg'
$Rules = @"
"Name","Priority","Direction","Access","SourcePrefix","SourcePortRange","DestinationPrefix","DestinationPortRange","Protocol","Description"
"allow_inbound_internet_80_443_vnet","1000","Inbound","Allow","Internet","*","VirtualNetwork","80,443","Tcp","Client communication to API Management"
"allow_inbound_internet_3443_vnet","1010","Inbound","Allow","ApiManagement","*","VirtualNetwork","3443","Tcp","Management endpoint for Azure portal and Powershell"
"allow_outbound_vnet_80_443_storage","1000","Outbound","Allow","VirtualNetwork","*","Storage","80,443","Tcp","Dependency on Azure Storage"
"allow_outbound_vnet_80_443_azuread","1010","Outbound","Allow","VirtualNetwork","*","AzureActiveDirectory","80,443","Tcp","Azure Active Directory"
"allow_outbound_vnet_1433_azuresql","1020","Outbound","Allow","VirtualNetwork","*","SQL","1433","Tcp","Access to Azure SQL endpoints"
"allow_outbound_vnet_5672_eventhub","1030","Outbound","Allow","VirtualNetwork","*","EventHub","5672","Tcp","Dependency for Log to Event Hub policy and monitoring agent"
"allow_outbound_vnet_445_storage","1040","Outbound","Allow","VirtualNetwork","*","Storage","445","Tcp","Dependency on Azure File Share for GIT"
"allow_outbound_vnet_1886_internet","1050","Outbound","Allow","VirtualNetwork","*","Internet","1886","Tcp","Needed to publish Health status to Resource Health"
"allow_outbound_vnet_443_azuremonitor","1060","Outbound","Allow","VirtualNetwork","*","AzureMonitor","443","Tcp","Publish Diagnostics Logs and Metrics"
"allow_outbound_vnet_25_internet","1070","Outbound","Allow","VirtualNetwork","*","Internet","25","Tcp","Connect to SMTP Relay for sending e-mails"
"allow_outbound_vnet_587_internet","1080","Outbound","Allow","VirtualNetwork","*","Internet","587","Tcp","Connect to SMTP Relay for sending e-mails"
"allow_outbound_vnet_25028_internet","1090","Outbound","Allow","VirtualNetwork","*","Internet","25028","Tcp","Connect to SMTP Relay for sending e-mails"
"allow_outbound_vnet_6381-6383_vnet","1100","Outbound","Allow","VirtualNetwork","*","VirtualNetwork","6381-6383","Tcp","Access Azure Cache for Redis Instances between RoleInstances"
"allow_inbound_vnet_6381-6383_vnet","1020","Inbound","Allow","VirtualNetwork","*","VirtualNetwork","6381-6383","Tcp","Access Azure Cache for Redis Instances between RoleInstances"
"allow_inbound_azurelb_all_vnet","1030","Inbound","Allow","AzureLoadBalancer","*","VirtualNetwork","*","Tcp","Azure Infrastructure Load Balancer"
"@
ConvertFrom-CSV -InputObject $Rules | ForEach-Object -Process {
$AzureRmNetworkSecurityRuleConfig = @{
NetworkSecurityGroup = $NetworkSecurityGroup
Name = $PSItem.Name
Priority = $PSItem.Priority
Access = $PSItem.Access
Direction = $PSItem.Direction
SourceAddressPrefix = $PSItem.SourcePrefix
SourcePortRange = $PSItem.SourcePortRange -Split ','
DestinationAddressPrefix = $PSItem.DestinationPrefix
DestinationPortRange = $PSItem.DestinationPortRange -Split ','
Protocol = $PSItem.Protocol
Description = $PSItem.Description
Verbose = $true
}
Add-AzureRmNetworkSecurityRuleConfig @AzureRmNetworkSecurityRuleConfig
}
Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $NetworkSecurityGroup
Espero que tenha aprendido a não apenas acrescentar as regras do Azure API Gateway a um Network Security Group, mas tambem como fazer o processo em Lote para quaisquer regras que precise aplicar.
Dúvidas? Sugestões? Comente!
Até a próxima!
