Gary S

Reputation: 46

Can I set target VM in azure powershell when adding inbound nat rule?

In an Azure RM load balancer I can create a NAT rule for FTP using PowerShell, but I would also like to set the target virtual machine using PowerShell. The only way I know how to set the target is in the portal.

I have two VMs in the load balancer. I tried using Add-AzLoadBalancerInboundNatRuleConfig, but I don't see a parameter for the target VM.

My script:

    $lb | Add-AzLoadBalancerInboundNatRuleConfig -Name $EndpointName -FrontendIPConfiguration $feip -Protocol "Tcp" -FrontendPort $i -BackendPort $i

If it's not possible to set the target in PowerShell, what alternatives are there besides the portal?


I found the answer. The key is to add the LoadBalancerInboundNatRuleId to the IP configuration.

Here's a function to get the LoadBalancerInboundNatRuleId that I created for this purpose:

    Function natRuleID ($sourcePortName) {
        return "/subscriptions/$subscriptionID/resourceGroups/$rgName/providers/Microsoft.Network/loadBalancers/$lbName/InboundNatRules/$sourcePortName"
    }

And here is my sample script that adds two load balancer NAT rules and then sets the target network interface for a virtual machine:

    # Add load balancer NAT rules:
    $lb = Get-AzLoadBalancer -Name $lbName -ResourceGroupName $rgName
    $feip = Get-AzLoadBalancerFrontendIpConfig -Name $feipName -LoadBalancer $lb
    $lb | Add-AzLoadBalancerInboundNatRuleConfig -Name $natRuleRdpName -FrontendIpConfiguration $feip -Protocol tcp -FrontendPort $rdpPortNumber -BackendPort 3389
    $lb | Add-AzLoadBalancerInboundNatRuleConfig -Name $natRuleFtpName -FrontendIPConfiguration $feip -Protocol "Tcp" -FrontendPort $ftpPublicPortForImplicit990 -BackendPort 990
    $lb | Set-AzLoadBalancer  # save the new LB rules

    # Set NAT rule targets:
    Function natRuleID ($sourcePortName) {
        return "/subscriptions/$subscriptionID/resourceGroups/$rgName/providers/Microsoft.Network/loadBalancers/$lbName/InboundNatRules/$sourcePortName"
    }
    $rules = @()
    $rules += natRuleID $natRuleFtpName   # PowerShell functions take space-separated arguments, not parentheses
    $rules += natRuleID $natRuleRdpName
    $nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rgName
    # both rule IDs are passed to the ipconfig in one call
    $nic | Set-AzNetworkInterfaceIpConfig -Name $ipConfigName -LoadBalancerInboundNatRuleId $rules
    $nic | Set-AzNetworkInterface  # save the new ipConfig rules

Upvotes: 0

Views: 1683

Answers (4)

Craig

Reputation: 414

To extend Charles' and Gary's answers:

Executing the following allowed me to set up an inbound NAT rule via PowerShell.

  1. Add-AzLoadBalancerInboundNatRuleConfig
  2. Set-AzLoadBalancer
  3. Get-AzLoadBalancerInboundNatRuleConfig
  4. Set-AzNetworkInterfaceIpConfig
  5. Set-AzNetworkInterface

Example:

    $ibNatSSHData = @{
        Name = "$($vmName)_SSH"
    }
    $ibNatRuleSSH = Get-AzLoadBalancerInboundNatRuleConfig @ibNatSSHData  -LoadBalancer $loadBalancer -erroraction 'silentlycontinue'
    if (-not $ibNatRuleSSH)
    {
        Write-Verbose "Creating IB Nat Rule [$($ibNatSSHData['Name'])]"

        $ibNatSSHData.add('FrontendIPConfiguration', $loadBalancer.FrontendIPConfigurations[0])
        $ibNatSSHData.add('Protocol', "Tcp")
        $ibNatSSHData.add('FrontendPort', "22")
        $ibNatSSHData.add('BackendPort', "22")
        $loadBalancer | Add-AzLoadBalancerInboundNatRuleConfig @ibNatSSHData -EnableTcpReset
        $loadBalancer | Set-AzLoadBalancer
        $ibNatRuleSSH = Get-AzLoadBalancerInboundNatRuleConfig -Name $ibNatSSHData['Name'] -Loadbalancer $loadBalancer
        if (-not $ibNatRuleSSH)
        {
            throw "Unable to Create IB Nat Rule"
        }

        $natRules = Get-AzLoadBalancerInboundNatRuleConfig -LoadBalancer $loadBalancer | Where-Object {($_.Name -like "$($vmName)*")}
        $nic | Set-AzNetworkInterfaceIpConfig -Name 'ipconfig1' -LoadBalancerInboundNatRule $natRules
        $nic | Set-AzNetworkInterface
    }
    Write-Verbose "Found IB Nat Rule [$($ibNatRuleSSH.Name)]"

Upvotes: 0

Garima Goyal

Reputation: 1

Gary, I understand the issue you are facing. I am also trying to configure the Target VM and Network IP Configuration (in case the VM is associated with two NICs) through PS. However, I am not able to do so, since the cmdlet "Add-AzLoadBalancerInboundNatRuleConfig" doesn't come with a Target VM parameter.

I was able to get the frontend IPs and inbound NAT rules. However, setting the Target VM and NIC associated with those inbound NAT rules is a challenge.

"Add-AzLoadBalancerInboundNatRuleConfig" doesn't show the inbound NAT rule in the LB Settings section, though.

The script below will help you get the existing Target VM name and NIC.

    $lb = Get-AzLoadBalancer -ResourceGroupName $rgname -Name $lbname
    $lbinboudnatrule = Get-AzLoadBalancerInboundNatRuleConfig -LoadBalancer $lb
    foreach ($lbrule in $lbinboudnatrule) {
        # the backend IP configuration Id contains the NIC name and the ipconfig name
        $bip = $lbrule.BackendIPConfiguration.Id -split '/subscriptions/---------------/Microsoft.Network/networkInterfaces/'
        $info = $bip -split '-----------/ipConfigurations/'
        $wrapper = New-Object PSObject -Property @{
            NATRuleName            = $lbrule.Name
            TargetVirtualMachine   = $info[1]
            NetworkIPConfiguration = $info[2]
        }
        $wrapper | Export-Csv -Path C:/Temp/lb.csv -Append -NoTypeInformation
    }

Upvotes: 0

Charles Xu

Reputation: 31424

For Load Balancer NAT rules, it is described like this:

Standard Load Balancer backend pools expand to any virtual machine resource in a virtual network. It can contain up to 1000 backend instances. A backend instance is an IP configuration, which is a property of a NIC resource.

So there are two steps to create it for the VM:

  1. Create the NAT rule in the load balancer. The PowerShell command is Add-AzLoadBalancerInboundNatRuleConfig; the Azure CLI command is az network lb inbound-nat-rule create.
  2. Associate the NAT rule with the VM NIC. The PowerShell command is Add-AzNetworkInterfaceIpConfig; the Azure CLI command is az network nic ip-config inbound-nat-rule add.

You can add the NAT rule in one step in the portal, but you need two steps through the command line. You also need to pay attention that an NSG rule is also necessary to allow the traffic to the port.

Upvotes: 2
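As an added example (not code from any of the answers above), the two steps from Charles Xu's and Gary S's answers wrapped into one idempotent function: all variable, parameter and function names are assumptions, and it assumes that Set-AzNetworkInterfaceIpConfig replaces the ipconfig's NAT rule and backend pool lists, so existing associations are read first and passed back in rather than dropped. It does not touch the NSG; that rule is still needed separately.

```powershell
# Added example, not from the question or answers. Requires the Az.Network module and an
# existing session (Connect-AzAccount). Assumption: Set-AzNetworkInterfaceIpConfig replaces
# the ipconfig's NAT rule / backend pool lists, so existing IDs are carried over explicitly.
function Add-NatRuleToNic {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $LoadBalancerName,
        [Parameter(Mandatory)] [string] $NicName,
        [Parameter(Mandatory)] [string] $IpConfigName,
        [Parameter(Mandatory)] [string] $RuleName,
        [Parameter(Mandatory)] [int]    $FrontendPort,
        [Parameter(Mandatory)] [int]    $BackendPort
    )

    # Step 1: create the NAT rule on the load balancer only if it does not exist yet.
    $lb = Get-AzLoadBalancer -Name $LoadBalancerName -ResourceGroupName $ResourceGroupName
    $rule = $lb.InboundNatRules | Where-Object { $_.Name -eq $RuleName }
    if (-not $rule) {
        $lb | Add-AzLoadBalancerInboundNatRuleConfig -Name $RuleName `
            -FrontendIpConfiguration $lb.FrontendIpConfigurations[0] `
            -Protocol Tcp -FrontendPort $FrontendPort -BackendPort $BackendPort | Out-Null
        $lb = $lb | Set-AzLoadBalancer      # persist; the returned object carries the rule's Id
        $rule = $lb.InboundNatRules | Where-Object { $_.Name -eq $RuleName }
        if (-not $rule) { throw "NAT rule '$RuleName' was not created" }
    }

    # Step 2: associate the rule with the NIC ipconfig (what the portal calls the "Target VM"),
    # keeping every NAT rule and backend pool the ipconfig already references.
    $nic   = Get-AzNetworkInterface -Name $NicName -ResourceGroupName $ResourceGroupName
    $ipcfg = Get-AzNetworkInterfaceIpConfig -NetworkInterface $nic -Name $IpConfigName
    [string[]]$natIds  = @($ipcfg.LoadBalancerInboundNatRules | Where-Object { $_ } | ForEach-Object { $_.Id })
    [string[]]$poolIds = @($ipcfg.LoadBalancerBackendAddressPools | Where-Object { $_ } | ForEach-Object { $_.Id })
    if ($natIds -notcontains $rule.Id) { $natIds += $rule.Id }   # -contains is case-insensitive, like Azure IDs

    $setArgs = @{
        Name                         = $IpConfigName
        SubnetId                     = $ipcfg.Subnet.Id
        LoadBalancerInboundNatRuleId = $natIds
    }
    if ($poolIds.Count -gt 0) { $setArgs['LoadBalancerBackendAddressPoolId'] = $poolIds }
    $nic | Set-AzNetworkInterfaceIpConfig @setArgs | Out-Null
    $nic = $nic | Set-AzNetworkInterface

    # Check: the saved ipconfig must reference the rule, otherwise the NAT rule has no target.
    $saved = (Get-AzNetworkInterfaceIpConfig -NetworkInterface $nic -Name $IpConfigName).LoadBalancerInboundNatRules
    if (-not ($saved.Id -contains $rule.Id)) { throw "Associating '$RuleName' with $NicName/$IpConfigName failed" }
    return $rule.Id
}
```

Call it once per rule and NIC, for example Add-NatRuleToNic -ResourceGroupName $rgName -LoadBalancerName $lbName -NicName $nicName -IpConfigName 'ipconfig1' -RuleName "$($vmName)_SSH" -FrontendPort 2222 -BackendPort 22; a second call with the same rule name is a no-op for step 1 and leaves the ipconfig unchanged.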

Hannel

Reputation: 1706

You need to set it up on the NSG. Below is a snippet sample from a script I created to do something similar for the RDP port.

    Add-AzureRmNetworkSecurityRuleConfig -Name $ruleName -NetworkSecurityGroup $nsg -Access Allow -Description "Allowing RDP connection from current location" -DestinationAddressPrefix * -DestinationPortRange $port -Direction Inbound -Priority $priorityNew -Protocol * -SourceAddressPrefix $current_IP -SourcePortRange *
    $hout = Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg

Upvotes: -2
