Azure (PowerShell): How to add an additional IP to multiple existing Network Security Groups (Source Address Prefix field)?
I need some help adding an additional IP (122.21.20.3/12) to a bunch of NSGs in Azure. This is to allow an additional source address.
I was able to write a script that helps me find the affected NSGs. I must add the new IP only to NSGs that contain another, similar IP (122.21.20.2/12):
$azSubs = Get-AzSubscription
foreach ( $azSub in $azSubs ) {
    Set-AzContext -Subscription $azSub | Out-Null
    $azNsgs = Get-AzNetworkSecurityGroup
    foreach ( $azNsg in $azNsgs ) {
        # SourceAddressPrefix is a list, so -eq acts as a filter and is truthy when the prefix is present
        Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $azNsg |
            Where-Object { $_.SourceAddressPrefix -eq '122.21.20.2/12' } |
            Select-Object @{label = 'NSG Name'; expression = { $azNsg.Name } },
                          @{label = 'Rule Name'; expression = { $_.Name } },
                          @{label = 'Source IP'; expression = { $_.SourceAddressPrefix } },
                          @{label = 'Port Range'; expression = { $_.DestinationPortRange } },
                          Access, Priority, Direction,
                          @{label = 'Resource Group Name'; expression = { $azNsg.ResourceGroupName } }
    }
}
I can get the list of affected NSGs. I am not sure how to put the new IP into the SourceAddressPrefix of each of them.
Is Set-AzNetworkSecurityRuleConfig used for this? Does anyone have an example?
Many thanks!
Yes, but you need to update the NSG afterwards.
Maybe something like this?
$NSG = Get-AzNetworkSecurityGroup -Name 'MyNSG' -ResourceGroupName 'MyRG'
$Params = @{
    'Name'                     = 'NewRule'
    'NetworkSecurityGroup'     = $NSG
    'Protocol'                 = '*'
    'Direction'                = 'Outbound'
    'Priority'                 = 200
    'SourceAddressPrefix'      = '*'
    'SourcePortRange'          = '*'
    'DestinationAddressPrefix' = '*'
    'DestinationPortRange'     = @('80', '443')
    'Access'                   = 'Deny'
}
# Add-AzNetworkSecurityRuleConfig only changes the in-memory object; Set-AzNetworkSecurityGroup writes it to Azure
Add-AzNetworkSecurityRuleConfig @Params | Set-AzNetworkSecurityGroup
Based on the requirement above, we created the following PowerShell script, which pulls all existing network security groups and their respective NSG rules.
We added a condition in the script below to pull only the NSG rules whose SourceAddressPrefix contains the particular IP we want, and it updates those NSG rules with the required SourceAddressPrefixes.
Here is the PowerShell script:
Connect-AzAccount
$requiredIp = "10.x.x.x/27"   ## IP that you want to check (rules whose source list contains it are updated)
$newIp      = "10.y.y.y/27"   ## IP to add next to it (placeholder; replace with your real prefix)
$ngs = Get-AzNetworkSecurityGroup   ## list all Network Security Groups in the subscription
foreach ($ng in $ngs) {
    $nsgrule = $ng.SecurityRules   ## the custom NSG rules of that particular Network Security Group
    foreach ($item in $nsgrule) {
        $ruleip = $item | Select-Object -Property SourceAddressPrefix, Name   ## pulling the SourceAddressPrefix of that existing NSG rule
        foreach ($ip in $ruleip) {
            if ($ip.SourceAddressPrefix -eq $requiredIp) {
                $rec = Get-AzNetworkSecurityGroup -Name $ng.Name -ResourceGroupName $ng.ResourceGroupName
                ## put the required IPs in the "-SourceAddressPrefix" flag of the cmdlet below to update the NSG rule;
                ## every other parameter is copied from the existing rule so that only the source prefix list changes
                Set-AzNetworkSecurityRuleConfig -Name $ip.Name -NetworkSecurityGroup $rec -SourceAddressPrefix ($requiredIp, $newIp) -Protocol $item.Protocol -Access $item.Access -Direction $item.Direction -DestinationAddressPrefix $item.DestinationAddressPrefix -SourcePortRange $item.SourcePortRange -DestinationPortRange $item.DestinationPortRange -Priority $item.Priority
                Set-AzNetworkSecurityGroup -NetworkSecurityGroup $rec
            }
        }
    }
}
Here is the sample output for reference:
The complete script to perform this task is:
Connect-AzAccount
$requiredIp = "10.x.x.x/27"   ## IP that you want to check
$newIp      = "10.y.y.y/27"   ## IP to append to every matching rule (placeholder; replace with your real prefix)
$ngs = Get-AzNetworkSecurityGroup   ## list all Network Security Groups in the subscription
foreach ($ng in $ngs) {
    $nsgrule = $ng.SecurityRules   ## the custom NSG rules of that particular Network Security Group
    foreach ($item in $nsgrule) {
        $ruleip = $item | Select-Object -Property SourceAddressPrefix, Name   ## pulling the SourceAddressPrefix of that existing NSG rule
        foreach ($ip in $ruleip) {
            if ($ip.SourceAddressPrefix -eq $requiredIp) {
                $rec = Get-AzNetworkSecurityGroup -Name $ng.Name -ResourceGroupName $ng.ResourceGroupName
                ## append the new IP to the rule's existing source list; the remaining parameters are copied
                ## from the existing rule (a hard-coded -Protocol * here would silently widen a TCP-only rule)
                Set-AzNetworkSecurityRuleConfig `
                    -Name $ip.Name `
                    -NetworkSecurityGroup $rec `
                    -SourceAddressPrefix ( @($item.SourceAddressPrefix) + $newIp ) `
                    -Protocol $item.Protocol `
                    -Access $item.Access `
                    -Direction $item.Direction `
                    -DestinationAddressPrefix $item.DestinationAddressPrefix `
                    -SourcePortRange $item.SourcePortRange `
                    -DestinationPortRange $item.DestinationPortRange `
                    -Priority $item.Priority
                Set-AzNetworkSecurityGroup -NetworkSecurityGroup $rec
            }
        }
    }
}
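A cross-subscription version of the same update, added here as an illustration; it is not taken from the question or from either answer. It assumes the Az.Accounts and Az.Network modules are installed, that Connect-AzAccount has already run, and uses the two prefixes from the question. The function name Add-SourcePrefixToMatchingRules is made up for this example. It goes a little beyond the answers above: it walks every subscription the account can see, skips rules that already contain the new prefix (so it can be re-run safely), copies every other attribute back from the existing rule so the change is limited to the source list, and supports -WhatIf for a dry run.

```powershell
# Added example, not code from the question or the answers. Assumes Az.Accounts and Az.Network
# are installed and Connect-AzAccount has already been run. Prefixes below come from the question.
$existingPrefix = '122.21.20.2/12'   # rules whose source list already contains this prefix...
$newPrefix      = '122.21.20.3/12'   # ...get this prefix appended to that list

function Add-SourcePrefixToMatchingRules {
    # Hypothetical helper written for this example.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $ExistingPrefix,
        [Parameter(Mandatory)] [string] $NewPrefix
    )

    foreach ($sub in Get-AzSubscription) {
        Set-AzContext -Subscription $sub.Id | Out-Null

        foreach ($nsg in Get-AzNetworkSecurityGroup) {
            $changed = $false

            # Only custom rules are editable; DefaultSecurityRules are read-only.
            # @() takes a copy so that editing a rule while iterating is safe.
            foreach ($rule in @($nsg.SecurityRules)) {
                # SourceAddressPrefix is a list, so -contains / -notcontains work on it directly.
                if ($rule.SourceAddressPrefix -notcontains $ExistingPrefix) { continue }
                if ($rule.SourceAddressPrefix -contains $NewPrefix) {
                    Write-Verbose "$($nsg.Name)/$($rule.Name): $NewPrefix already present, skipping"
                    continue
                }

                # Copy every attribute from the existing rule; only the source list changes.
                # Hard-coding '*' for protocol or ports here would silently widen the rule.
                $setParams = @{
                    NetworkSecurityGroup = $nsg
                    Name                 = $rule.Name
                    Protocol             = $rule.Protocol
                    Access               = $rule.Access
                    Direction            = $rule.Direction
                    Priority             = $rule.Priority
                    SourceAddressPrefix  = @($rule.SourceAddressPrefix) + $NewPrefix
                    SourcePortRange      = $rule.SourcePortRange
                    DestinationPortRange = $rule.DestinationPortRange
                }
                if ($rule.Description) { $setParams.Description = $rule.Description }
                # A rule targets either address prefixes or application security groups, never both.
                if ($rule.DestinationApplicationSecurityGroups) {
                    $setParams.DestinationApplicationSecurityGroup = $rule.DestinationApplicationSecurityGroups
                } else {
                    $setParams.DestinationAddressPrefix = $rule.DestinationAddressPrefix
                }

                # Updates the in-memory NSG object only; nothing is written to Azure yet.
                Set-AzNetworkSecurityRuleConfig @setParams | Out-Null
                $changed = $true
            }

            $target = "$($sub.Name)/$($nsg.ResourceGroupName)/$($nsg.Name)"
            if ($changed -and $PSCmdlet.ShouldProcess($target, "Add $NewPrefix to matching rules")) {
                # One write per NSG, after all of its matching rules have been adjusted.
                Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null
                [pscustomobject]@{
                    Subscription  = $sub.Name
                    ResourceGroup = $nsg.ResourceGroupName
                    NSG           = $nsg.Name
                }
            }
        }
    }
}

# Dry run first (prints the NSGs that would be written), then apply for real.
Add-SourcePrefixToMatchingRules -ExistingPrefix $existingPrefix -NewPrefix $newPrefix -WhatIf
Add-SourcePrefixToMatchingRules -ExistingPrefix $existingPrefix -NewPrefix $newPrefix -Verbose
```

Two design points worth keeping whichever script you use: Set-AzNetworkSecurityRuleConfig replaces the whole rule from the parameters you pass, so reading the other attributes back from the rule object is what keeps protocol, ports and destination unchanged; and Set-AzNetworkSecurityGroup is the only call that writes to Azure, so calling it once per NSG after the loop (rather than once per rule) keeps the number of ARM writes, and the audit trail in the activity log, small and easy to review.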