So I ran into a little bit of an issue today: I was trying to find out how I can add more network security rules to a network security group (NSG) in Azure Resource Manager (ARM) mode under PowerShell. The old trick from classic mode of using SET (where the rule is created if it doesn't exist yet) wasn't working, as it was giving me an error that the rule didn't exist. Fair enough, ADD would be used for new rules and SET to modify existing ones, so I tried that, but my rules weren't saving. After some investigating I found out that you also need to SET (by using the pipeline) the Azure Network Security Group itself in order for the rules to be saved: the Add/Set/Remove rule-config cmdlets only change the NSG object in memory, and nothing is written back to Azure until the whole group is pushed with the Set NSG cmdlet. Since I couldn't find this information anywhere online, here is a blog about it with some examples below.
For Azure Powershell 1.0
Using the Add command to add an additional rule to An Azure ARM NSG:
Get-AzureRmNetworkSecurityGroup -Name Networkgroup1 -ResourceGroupName TestResourceGroup | Add-AzureRmNetworkSecurityRuleConfig -Name "BlockAllTcp" -Direction Inbound -Priority 100 -Access Deny -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol 'TCP' | Set-AzureRmNetworkSecurityGroup
Using the Set command to change the Rule (change the above rule to UDP):
Get-AzureRmNetworkSecurityGroup -Name Networkgroup1 -ResourceGroupName TestResourceGroup | Set-AzureRmNetworkSecurityRuleConfig -Name "BlockAllTcp" -Direction Inbound -Priority 100 -Access Deny -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol 'UDP' | Set-AzureRmNetworkSecurityGroup
Using the Remove command to remove a rule:
Get-AzureRmNetworkSecurityGroup -Name Networkgroup1 -ResourceGroupName TestResourceGroup | Remove-AzureRmNetworkSecurityRuleConfig -Name "BlockAllTcp" | Set-AzureRmNetworkSecurityGroup
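As an added example (not code from the original post), here is a small PowerShell function that wraps the three steps above into one add-or-update operation: it picks Add or Set depending on whether the rule already exists, persists the group with Set-AzureRmNetworkSecurityGroup, and then re-reads the NSG to confirm the rule was actually saved. It assumes Azure PowerShell 1.0 (the AzureRm cmdlets), an existing login, and the NSG and resource group names from the post; the function name Set-NsgRule is made up for this example.

```powershell
# Added example, not from the original post. Assumes Azure PowerShell 1.0
# (AzureRm cmdlets), an existing Login-AzureRmAccount session, and the NSG
# and resource group names used in the post. Set-NsgRule is a made-up name.
function Set-NsgRule {
    param(
        [Parameter(Mandatory)] [string] $NsgName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $RuleName,
        [Parameter(Mandatory)] [hashtable] $Rule   # splatted into Add-/Set-*RuleConfig
    )
    $nsg = Get-AzureRmNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName

    # Set-*RuleConfig errors out when the rule does not exist yet, so choose the
    # verb based on whether the NSG already carries a rule with this name.
    $existing = $nsg.SecurityRules | Where-Object { $_.Name -eq $RuleName }
    if ($existing) {
        $nsg = Set-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $RuleName @Rule
    } else {
        $nsg = Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $RuleName @Rule
    }

    # Add-/Set-*RuleConfig only change the in-memory object; nothing is written
    # to Azure until the whole NSG is pushed back.
    $nsg = Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg

    # Re-read from Azure and confirm the rule really persisted.
    $saved = (Get-AzureRmNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName).SecurityRules |
        Where-Object { $_.Name -eq $RuleName }
    if (-not $saved) { throw "Rule '$RuleName' was not saved to NSG '$NsgName'" }
    return $saved
}

# Same rule as in the post: deny all inbound TCP at priority 100.
$rule = @{
    Direction                = 'Inbound'
    Priority                 = 100
    Access                   = 'Deny'
    SourceAddressPrefix      = '*'
    SourcePortRange          = '*'
    DestinationAddressPrefix = '*'
    DestinationPortRange     = '*'
    Protocol                 = 'TCP'
}
Set-NsgRule -NsgName 'Networkgroup1' -ResourceGroupName 'TestResourceGroup' -RuleName 'BlockAllTcp' -Rule $rule

# Running it again with a changed protocol takes the Set- path instead of failing on Add-.
$rule.Protocol = 'UDP'
Set-NsgRule -NsgName 'Networkgroup1' -ResourceGroupName 'TestResourceGroup' -RuleName 'BlockAllTcp' -Rule $rule
```

The final re-read is the check worth keeping: it catches exactly the silent "rule not saved" case the post describes.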
For Azure Powershell 0.9.8
Using the Add command to add an additional rule to An Azure ARM NSG:
Get-AzureNetworkSecurityGroup -Name Networkgroup1 -ResourceGroupName TestResourceGroup | Add-AzureNetworkSecurityRuleConfig -Name "BlockAllTcp" -Direction Inbound -Priority 100 -Access Deny -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol 'TCP' | Set-AzureNetworkSecurityGroup
Using the Set command to change the Rule (change the above rule to UDP):
Get-AzureNetworkSecurityGroup -Name Networkgroup1 -ResourceGroupName TestResourceGroup | Set-AzureNetworkSecurityRuleConfig -Name "BlockAllTcp" -Direction Inbound -Priority 100 -Access Deny -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol 'UDP' | Set-AzureNetworkSecurityGroup
Using the Remove command to remove a rule:
Get-AzureNetworkSecurityGroup -Name Networkgroup1 -ResourceGroupName TestResourceGroup | Remove-AzureNetworkSecurityRuleConfig -Name "BlockAllTcp" | Set-AzureNetworkSecurityGroup
Hi,
Thank you so much for this blog entry! I have spent the last 4 hours banging my head against this trying to work it out.
I also found out that in classic it was possible to create an address prefix of VIRTUAL_NETWORK but in AzureRM it errors out as below
SecurityRuleInvalidAddressPrefix: Security rule has invalid Address prefix. Value provided: VIRTUAL_NETWORK
They appear to have changed it to VirtualNetwork instead…just a quick gotcha in return