RookieRoo

Reputation: 301

Azure (PowerShell): How to add an additional IP to multiple existing Network Security Groups (Source Address Prefix field)?

I need some help to add an extra IP (122.21.20.3/12) to a bunch of NSGs in Azure. This is to allow an additional Source Address. I was able to put together a script to help me find the impacted NSGs. I have to add the new IP only to the NSGs containing another similar IP (122.21.20.2/12):

$azSubs = Get-AzSubscription

foreach ( $azSub in $azSubs ) {
    Set-AzContext -Subscription $azSub | Out-Null

    $azNsgs = Get-AzNetworkSecurityGroup 
    
    foreach ( $azNsg in $azNsgs ) {
        Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNsg | Where-Object { $_.SourceAddressPrefix -eq '122.21.20.2/12' } | `
            Select-Object @{label = 'NSG Name'; expression = { $azNsg.Name } }, 
                          @{label = 'Rule Name'; expression = { $_.Name } },
                          @{label = 'Source IP'; expression = { $_.SourceAddressPrefix } },
                          @{label = 'Port Range'; expression = { $_.DestinationPortRange } }, Access, Priority, Direction, `
                          @{label = 'Resource Group Name'; expression = { $azNsg.ResourceGroupName } } 
      
    }    
}

I am able to get the list of affected NSGs. I am not sure how to fit this into the SourceAddressPrefix of each of them. Is Set-AzNetworkSecurityRuleConfig used for that? Does anyone have an example, please?

Thank you very much!

Upvotes: 1

Views: 1772

Answers (3)

RookieRoo

Reputation: 301

The complete script to perform this task is:

connect-azaccount

$requiredIp = "10.x.x.x/27"   ## IP that must already be on the rule (placeholder)
$newIP      = "10.x.x.x/27"   ## IP to add to those rules (placeholder; this variable was missing in the original script)

$ngs = Get-AzNetworkSecurityGroup   ## list all Network Security Groups in the subscription

foreach ($ng in $ngs) {
    $nsgrule = $ng.SecurityRules   ## the custom rules of that particular Network Security Group

    foreach ($item in $nsgrule) {
        $ruleip = $item | Select-Object -Property SourceAddressPrefix, Name   ## pulling the SourceAddressPrefix of that existing NSG rule

        foreach ($ip in $ruleip) {
            if ($ip.SourceAddressPrefix -eq $requiredIp) {

                $rec = Get-AzNetworkSecurityGroup -Name $ng.Name -ResourceGroupName $ng.ResourceGroupName

                ## add the required IP in the "-SourceAddressPrefix" flag in the below cmdlet to update the NSG rule with the required IP address.
                ## Set-AzNetworkSecurityRuleConfig rebuilds the rule from the parameters given, so the remaining
                ## properties are read from the existing rule ($item) instead of being hard-coded and overwritten.
                Set-AzNetworkSecurityRuleConfig `
                    -Name $ip.Name `
                    -NetworkSecurityGroup $rec `
                    -SourceAddressPrefix ( @($item.SourceAddressPrefix) + $newIP ) `
                    -Protocol $item.Protocol `
                    -Access $item.Access `
                    -Direction $item.Direction `
                    -DestinationAddressPrefix $item.DestinationAddressPrefix `
                    -SourcePortRange $item.SourcePortRange `
                    -DestinationPortRange $item.DestinationPortRange `
                    -Priority $item.Priority
                Set-AzNetworkSecurityGroup -NetworkSecurityGroup $rec
            }
        }
    }
}

Upvotes: 1

VenkateshDodda

Reputation: 5496

Based on the above requirement, we have created the below PowerShell script, which will pull all the existing Network Security Groups and their respective NSG rules.

We have added a condition in the below script to pull only the NSG rules whose SourceAddressPrefix contains the particular IP that we want, and it will update those NSG rules with the required SourceAddressPrefixes.

Here is the PowerShell script:

connect-azaccount

$requiredIp = "10.x.x.x/27"   ## IP that you want to check (placeholder)

$ngs = Get-AzNetworkSecurityGroup   ## list all Network Security Groups in the subscription

foreach ($ng in $ngs) {
    $nsgrule = $ng.SecurityRules   ## the custom rules of that particular Network Security Group

    foreach ($item in $nsgrule) {
        $ruleip = $item | Select-Object -Property SourceAddressPrefix, Name   ## pulling the SourceAddressPrefix of that existing NSG rule

        foreach ($ip in $ruleip) {
            if ($ip.SourceAddressPrefix -eq $requiredIp) {

                $rec = Get-AzNetworkSecurityGroup -Name $ng.Name -ResourceGroupName $ng.ResourceGroupName

                ## add the required IP in the "-SourceAddressPrefix" flag in the below cmdlet to update the NSG rule with the required IP address
                ## (the second entry, "10.x.x.x/27", is the placeholder for the new IP). Set-AzNetworkSecurityRuleConfig
                ## rebuilds the rule from the parameters given, so protocol, access, direction, ports and priority are
                ## read from the existing rule ($item) rather than hard-coded, which would otherwise overwrite them.
                Set-AzNetworkSecurityRuleConfig `
                    -Name $ip.Name `
                    -NetworkSecurityGroup $rec `
                    -SourceAddressPrefix ($requiredIp, "10.x.x.x/27") `
                    -Protocol $item.Protocol `
                    -Access $item.Access `
                    -Direction $item.Direction `
                    -DestinationAddressPrefix $item.DestinationAddressPrefix `
                    -SourcePortRange $item.SourcePortRange `
                    -DestinationPortRange $item.DestinationPortRange `
                    -Priority $item.Priority
                Set-AzNetworkSecurityGroup -NetworkSecurityGroup $rec
            }
        }
    }
}

Here is the sample output for reference:

[Sample output screenshot; image not reproduced here]

Upvotes: 3
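The question's discovery script and the two answers above describe the same procedure: walk every NSG, find the rules whose SourceAddressPrefix already lists the existing prefix, and append the new one. The following script is an added example that is not code from the question or from either answer; it assumes Az.Accounts and Az.Network are installed and Connect-AzAccount has already run, and the file name Add-NsgSourcePrefix.ps1 is hypothetical. It uses the two prefixes from the question as default values. Two points it handles that the answers gloss over: Set-AzNetworkSecurityRuleConfig rebuilds the rule from whatever parameters you pass, so hard-coding Protocol, Access, Direction or Priority silently rewrites the rule (a Tcp-only allow rule would become an any-protocol rule, and two rules given the same priority fail validation), so every property is copied from the rule being edited; and it supports -WhatIf so the set of affected rules can be reviewed before anything is written, skips rules that already contain the new prefix, and writes each NSG back once.

```powershell
<#
Added example, not part of the question or any answer on this page.
Assumes Az.Accounts and Az.Network are installed and Connect-AzAccount has run.
Save as Add-NsgSourcePrefix.ps1 (hypothetical name); run with -WhatIf first.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Prefix that identifies the rules to extend (values taken from the question).
    [string]$ExistingPrefix = '122.21.20.2/12',
    # Prefix to add alongside it.
    [string]$NewPrefix = '122.21.20.3/12'
)

$updated = 0

foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        $changed = $false

        # SecurityRules holds only the custom rules; default rules cannot be edited.
        # Enumerate a copy so editing rules in place cannot disturb the loop.
        foreach ($rule in @($nsg.SecurityRules)) {
            # SourceAddressPrefix is a list of strings; -contains is an exact match.
            if ($rule.SourceAddressPrefix -notcontains $ExistingPrefix) { continue }

            $target = "$($sub.Name)/$($nsg.ResourceGroupName)/$($nsg.Name)/$($rule.Name)"

            if ($rule.SourceAddressPrefix -contains $NewPrefix) {
                Write-Verbose "$target already contains $NewPrefix; skipping"
                continue
            }

            # A rule whose destination is an application security group has no
            # destination prefix; rebuilding it with an empty prefix would break it,
            # so leave such rules for manual review instead of guessing.
            if ($rule.DestinationApplicationSecurityGroups) {
                Write-Warning "$target uses a destination ASG; not changed"
                continue
            }

            # Copy every property from the rule itself so nothing but the source
            # prefixes changes when Set-AzNetworkSecurityRuleConfig rebuilds the rule.
            $params = @{
                NetworkSecurityGroup     = $nsg
                Name                     = $rule.Name
                Protocol                 = $rule.Protocol
                Access                   = $rule.Access
                Direction                = $rule.Direction
                Priority                 = $rule.Priority
                SourcePortRange          = $rule.SourcePortRange
                DestinationPortRange     = $rule.DestinationPortRange
                DestinationAddressPrefix = $rule.DestinationAddressPrefix
                SourceAddressPrefix      = @($rule.SourceAddressPrefix) + $NewPrefix
            }
            if ($rule.Description) { $params.Description = $rule.Description }

            if ($PSCmdlet.ShouldProcess($target, "append $NewPrefix to SourceAddressPrefix")) {
                # Edits the in-memory copy held in $nsg; nothing is sent to Azure yet.
                Set-AzNetworkSecurityRuleConfig @params | Out-Null
                $changed = $true
            }
        }

        # One write per NSG, and none at all for NSGs without a matching rule.
        if ($changed) {
            Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null
            Write-Output "Updated $($sub.Name)/$($nsg.ResourceGroupName)/$($nsg.Name)"
            $updated++
        }
    }
}

Write-Output "NSGs updated: $updated"
```

Run `.\Add-NsgSourcePrefix.ps1 -WhatIf -Verbose` to list every rule that would change without modifying anything, then run it again without -WhatIf. Because the membership test is an exact string match, a rule that lists the existing address in a different form (for example a wider prefix that covers it) is not touched; extend the test deliberately if that is wanted rather than loosening it by default.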

Lucas de Carli

Reputation: 46

Yes, but you need to change your NSG.

Something like this, maybe?

$NSG = Get-AzNetworkSecurityGroup -Name 'MyNSG' -ResourceGroupName 'MyRG'

$Params = @{
  'Name'                     = 'NewRule'
  'NetworkSecurityGroup'     = $NSG
  'Protocol'                 = '*'
  'Direction'                = 'Outbound'
  'Priority'                 = 200
  'SourceAddressPrefix'      = '*'
  'SourcePortRange'          = '*'
  'DestinationAddressPrefix' = '*'
  'DestinationPortRange'     = @('80', '443')
  'Access'                   = 'Deny'
}

Add-AzNetworkSecurityRuleConfig @Params | Set-AzNetworkSecurityGroup

Upvotes: 2
