Criando as regras do Azure API Manager no Network Security Group com Powershell

Published by Guido Oliveira on 21/01/2019
Categories
  • Powershell
Tags
  • API Manager
  • azure
  • Network Security Group
  • powershell

Hello,

I recently needed to set up an API Gateway in Azure, and in that deployment the service was provisioned inside a Virtual Network. For the services to communicate correctly, there is a set of rules that must be configured in the Network Security Group applied to the subnet where the service was created. These rules are documented here, and they would have to be created in every Network Security Group of every deployment. So I decided to write a script to make the process easier.

First we need to retrieve the Network Security Group that we are going to modify:

$NetworkSecurityGroup = Get-AzureRmNetworkSecurityGroup -Name 'az-nsg-apimanagement' -ResourceGroupName 'az-rg-nsg'

Next, we define a CSV with the list of rules to be created:

$Rules = @"
"Name","Priority","Direction","Access","SourcePrefix","SourcePortRange","DestinationPrefix","DestinationPortRange","Protocol","Description"
"allow_inbound_internet_80_443_vnet","1000","Inbound","Allow","Internet","*","VirtualNetwork","80,443","Tcp","Client communication to API Management"
"allow_inbound_internet_3443_vnet","1010","Inbound","Allow","ApiManagement","*","VirtualNetwork","3443","Tcp","Management endpoint for Azure portal and Powershell"
"allow_outbound_vnet_80_443_storage","1000","Outbound","Allow","VirtualNetwork","*","Storage","80,443","Tcp","Dependency on Azure Storage"
"allow_outbound_vnet_80_443_azuread","1010","Outbound","Allow","VirtualNetwork","*","AzureActiveDirectory","80,443","Tcp","Azure Active Directory"
"allow_outbound_vnet_1433_azuresql","1020","Outbound","Allow","VirtualNetwork","*","SQL","1433","Tcp","Access to Azure SQL endpoints"
"allow_outbound_vnet_5672_eventhub","1030","Outbound","Allow","VirtualNetwork","*","EventHub","5672","Tcp","Dependency for Log to Event Hub policy and monitoring agent"
"allow_outbound_vnet_445_storage","1040","Outbound","Allow","VirtualNetwork","*","Storage","445","Tcp","Dependency on Azure File Share for GIT"
"allow_outbound_vnet_1886_internet","1050","Outbound","Allow","VirtualNetwork","*","Internet","1886","Tcp","Needed to publish Health status to Resource Health"
"allow_outbound_vnet_443_azuremonitor","1060","Outbound","Allow","VirtualNetwork","*","AzureMonitor","443","Tcp","Publish Diagnostics Logs and Metrics"
"allow_outbound_vnet_25_internet","1070","Outbound","Allow","VirtualNetwork","*","Internet","25","Tcp","Connect to SMTP Relay for sending e-mails"
"allow_outbound_vnet_587_internet","1080","Outbound","Allow","VirtualNetwork","*","Internet","587","Tcp","Connect to SMTP Relay for sending e-mails"
"allow_outbound_vnet_25028_internet","1090","Outbound","Allow","VirtualNetwork","*","Internet","25028","Tcp","Connect to SMTP Relay for sending e-mails"
"allow_outbound_vnet_6381-6383_vnet","1100","Outbound","Allow","VirtualNetwork","*","VirtualNetwork","6381-6383","Tcp","Access Azure Cache for Redis Instances between RoleInstances"
"allow_inbound_vnet_6381-6383_vnet","1020","Inbound","Allow","VirtualNetwork","*","VirtualNetwork","6381-6383","Tcp","Access Azure Cache for Redis Instances between RoleInstances"
"allow_inbound_azurelb_all_vnet","1030","Inbound","Allow","AzureLoadBalancer","*","VirtualNetwork","*","Tcp","Azure Infrastructure Load Balancer"
"@

Now we convert the CSV into objects and, in a foreach loop, add the new rules to the Network Security Group with the Add-AzureRmNetworkSecurityRuleConfig cmdlet:

# Convert the CSV into objects and add each one as a rule on the in-memory NSG object
ConvertFrom-Csv -InputObject $Rules | ForEach-Object -Process {
    $AzureRmNetworkSecurityRuleConfig = @{
        NetworkSecurityGroup     = $NetworkSecurityGroup
        Name                     = $PSItem.Name
        Priority                 = $PSItem.Priority
        Access                   = $PSItem.Access
        Direction                = $PSItem.Direction
        SourceAddressPrefix      = $PSItem.SourcePrefix
        SourcePortRange          = $PSItem.SourcePortRange -Split ','      # "80,443" becomes two port entries
        DestinationAddressPrefix = $PSItem.DestinationPrefix
        DestinationPortRange     = $PSItem.DestinationPortRange -Split ','
        Protocol                 = $PSItem.Protocol
        Description              = $PSItem.Description
        Verbose                  = $true
    }
    # The cmdlet returns the whole NSG object; discard it so it is not printed once per rule
    $null = Add-AzureRmNetworkSecurityRuleConfig @AzureRmNetworkSecurityRuleConfig
}

And finally, with the Set-AzureRmNetworkSecurityGroup cmdlet, we push the changes (so far made only to the in-memory object) to Azure:

Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $NetworkSecurityGroup


Putting it all together, the complete script looks like this:

$NetworkSecurityGroup = Get-AzureRmNetworkSecurityGroup -Name 'az-nsg-apimanagement' -ResourceGroupName 'az-rg-nsg'

$Rules = @"
"Name","Priority","Direction","Access","SourcePrefix","SourcePortRange","DestinationPrefix","DestinationPortRange","Protocol","Description"
"allow_inbound_internet_80_443_vnet","1000","Inbound","Allow","Internet","*","VirtualNetwork","80,443","Tcp","Client communication to API Management"
"allow_inbound_internet_3443_vnet","1010","Inbound","Allow","ApiManagement","*","VirtualNetwork","3443","Tcp","Management endpoint for Azure portal and Powershell"
"allow_outbound_vnet_80_443_storage","1000","Outbound","Allow","VirtualNetwork","*","Storage","80,443","Tcp","Dependency on Azure Storage"
"allow_outbound_vnet_80_443_azuread","1010","Outbound","Allow","VirtualNetwork","*","AzureActiveDirectory","80,443","Tcp","Azure Active Directory"
"allow_outbound_vnet_1433_azuresql","1020","Outbound","Allow","VirtualNetwork","*","SQL","1433","Tcp","Access to Azure SQL endpoints"
"allow_outbound_vnet_5672_eventhub","1030","Outbound","Allow","VirtualNetwork","*","EventHub","5672","Tcp","Dependency for Log to Event Hub policy and monitoring agent"
"allow_outbound_vnet_445_storage","1040","Outbound","Allow","VirtualNetwork","*","Storage","445","Tcp","Dependency on Azure File Share for GIT"
"allow_outbound_vnet_1886_internet","1050","Outbound","Allow","VirtualNetwork","*","Internet","1886","Tcp","Needed to publish Health status to Resource Health"
"allow_outbound_vnet_443_azuremonitor","1060","Outbound","Allow","VirtualNetwork","*","AzureMonitor","443","Tcp","Publish Diagnostics Logs and Metrics"
"allow_outbound_vnet_25_internet","1070","Outbound","Allow","VirtualNetwork","*","Internet","25","Tcp","Connect to SMTP Relay for sending e-mails"
"allow_outbound_vnet_587_internet","1080","Outbound","Allow","VirtualNetwork","*","Internet","587","Tcp","Connect to SMTP Relay for sending e-mails"
"allow_outbound_vnet_25028_internet","1090","Outbound","Allow","VirtualNetwork","*","Internet","25028","Tcp","Connect to SMTP Relay for sending e-mails"
"allow_outbound_vnet_6381-6383_vnet","1100","Outbound","Allow","VirtualNetwork","*","VirtualNetwork","6381-6383","Tcp","Access Azure Cache for Redis Instances between RoleInstances"
"allow_inbound_vnet_6381-6383_vnet","1020","Inbound","Allow","VirtualNetwork","*","VirtualNetwork","6381-6383","Tcp","Access Azure Cache for Redis Instances between RoleInstances"
"allow_inbound_azurelb_all_vnet","1030","Inbound","Allow","AzureLoadBalancer","*","VirtualNetwork","*","Tcp","Azure Infrastructure Load Balancer"
"@

# Convert the CSV into objects and add each one as a rule on the in-memory NSG object
ConvertFrom-Csv -InputObject $Rules | ForEach-Object -Process {
    $AzureRmNetworkSecurityRuleConfig = @{
        NetworkSecurityGroup     = $NetworkSecurityGroup
        Name                     = $PSItem.Name
        Priority                 = $PSItem.Priority
        Access                   = $PSItem.Access
        Direction                = $PSItem.Direction
        SourceAddressPrefix      = $PSItem.SourcePrefix
        SourcePortRange          = $PSItem.SourcePortRange -Split ','      # "80,443" becomes two port entries
        DestinationAddressPrefix = $PSItem.DestinationPrefix
        DestinationPortRange     = $PSItem.DestinationPortRange -Split ','
        Protocol                 = $PSItem.Protocol
        Description              = $PSItem.Description
        Verbose                  = $true
    }
    # The cmdlet returns the whole NSG object; discard it so it is not printed once per rule
    $null = Add-AzureRmNetworkSecurityRuleConfig @AzureRmNetworkSecurityRuleConfig
}
# Commit the modified NSG object to Azure
Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $NetworkSecurityGroup
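The script above fails at Set-AzureRmNetworkSecurityGroup if a rule name already exists or two rules share a priority in the same direction, and it cannot be re-run safely. The following is an added example, not code from the original post: it validates the CSV rule set against itself and against the rules already in the NSG, then adds only the rules that are missing. It assumes $NetworkSecurityGroup and $Rules are defined exactly as in the script above; Test-NsgRuleSet is a hypothetical helper written for this example.

```powershell
# Added example (not from the original post): validate the rule set and make the run idempotent.
# Assumes $NetworkSecurityGroup and $Rules are defined exactly as in the script above.

function Test-NsgRuleSet {
    # Returns a list of problems; an empty list means the rule set is safe to apply.
    param([object[]]$RuleSet = @(), [object[]]$ExistingRules = @())
    $problems = @()
    # An NSG rejects two rules with the same priority in the same direction,
    # so check the CSV against itself and against rules already in the NSG.
    $all = @($ExistingRules) + @($RuleSet)
    $all | Group-Object -Property { "$($_.Direction)/$([int]$_.Priority)" } |
        Where-Object Count -gt 1 | ForEach-Object {
            $problems += "Priority clash ($($_.Name)): $($_.Group.Name -join ', ')"
        }
    foreach ($r in $RuleSet) {
        $p = [int]$r.Priority
        if ($p -lt 100 -or $p -gt 4096) { $problems += "$($r.Name): priority $p outside 100-4096" }
        if ($r.Direction -notin 'Inbound', 'Outbound') { $problems += "$($r.Name): bad Direction '$($r.Direction)'" }
        if ($r.Protocol -notin 'Tcp', 'Udp', '*') { $problems += "$($r.Name): bad Protocol '$($r.Protocol)'" }
        # Each comma-separated entry must be *, a single port or a low-high range
        foreach ($port in @($r.SourcePortRange -split ',') + @($r.DestinationPortRange -split ',')) {
            if ($port -notmatch '^(\*|\d{1,5}(-\d{1,5})?)$') { $problems += "$($r.Name): bad port range '$port'" }
        }
    }
    return $problems
}

$ruleSet  = ConvertFrom-Csv -InputObject $Rules
$existing = @(Get-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $NetworkSecurityGroup)
# Rules already present (by name) are skipped so the script can be re-run without errors
$toAdd    = @($ruleSet | Where-Object { $_.Name -notin $existing.Name })
$problems = Test-NsgRuleSet -RuleSet $toAdd -ExistingRules $existing
if ($problems) { $problems | ForEach-Object { Write-Error $_ }; return }

foreach ($r in $toAdd) {
    $null = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $NetworkSecurityGroup `
        -Name $r.Name -Priority $r.Priority -Access $r.Access -Direction $r.Direction `
        -SourceAddressPrefix $r.SourcePrefix -SourcePortRange ($r.SourcePortRange -split ',') `
        -DestinationAddressPrefix $r.DestinationPrefix -DestinationPortRange ($r.DestinationPortRange -split ',') `
        -Protocol $r.Protocol -Description $r.Description
    Write-Verbose "Queued rule $($r.Name)" -Verbose
}
# Only commit to Azure when something actually changed
if ($toAdd) { $null = Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $NetworkSecurityGroup }
```

The AzureRm module used throughout this post has since been superseded by the Az module, where the same cmdlets are named Get-AzNetworkSecurityGroup, Get-AzNetworkSecurityRuleConfig, Add-AzNetworkSecurityRuleConfig and Set-AzNetworkSecurityGroup.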


I hope you have learned not only how to add the Azure API Gateway rules to a Network Security Group, but also how to do the process in batch for any rules you need to apply.

Questions? Suggestions? Leave a comment!

Until next time!
