So… there was an Azure outage today. Related to Azure Front Door. That was my evening gone!
As the resident PowerShell person on the incident call, as part of implementing some workarounds I had to add a bunch of IP addresses to a Network Security Group. I was given a text file with a bunch of IP addresses, and my task was to add them all to the NSG as “Deny” for “Inbound” traffic. Here’s what I did:
```powershell
Connect-AzAccount -Subscription '<SubscriptionName>'

# get the NSG
$nsg = Get-AzNetworkSecurityGroup -Name '<NSG Name>' -ResourceGroupName '<Resource Group Name>'

$counter = 1000 # replace with whatever priority the rules must start from

foreach ($address in Get-Content .\ipblocklist.txt | Select-Object -Unique) {
    # construct the rule name
    # todo: the -replace needs improvement via some regex to remove *any* unaccepted characters
    $ruleName = "Deny-" + $($address -replace '\/','-' -replace '\:','')

    # rule name can't exceed 80 characters
    if ($ruleName.Length -gt 80) { $ruleName = $ruleName.Substring(0,79) }

    # add the rule to the in-memory copy of the rules
    # (the cmdlet returns the whole NSG object, so Out-Null keeps the console quiet)
    $nsg | Add-AzNetworkSecurityRuleConfig -Name $ruleName -SourceAddressPrefix $address -Access "Deny" -DestinationPortRange "80","443" -DestinationAddressPrefix "*" -SourcePortRange "*" -Priority $counter -Protocol '*' -Direction 'Inbound' | Out-Null

    # increment the counter
    $counter++
}

# commit to Azure
$nsg | Set-AzNetworkSecurityGroup
```
Had to piecemeal the code from various sources as the Microsoft Learn website was down so I couldn’t refer to it for the cmdlets and their switches.

Two things the code could do with improving:
- Check if the IP address/subnet is already in the NSG
- Fix the bit where I construct the rule name so it removes any unaccepted characters, rather than just the two I happened to encounter.
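The following is an added example, not the post's original script, showing the same bulk-deny loop with both improvements applied. It uses the same Az.Network cmdlets as the post; the subscription, NSG and resource group names are placeholders, and the allowed rule-name character set (letters, digits, period, underscore, hyphen) is an assumption written into the regex. It also goes slightly beyond the list above: it skips priorities already taken by existing inbound rules (priorities must be unique per direction and fall within 100 to 4096) and avoids duplicate rule names.

```powershell
# Added example, not the post's original script. Assumes the Az.Network cmdlets
# used in the post; placeholder names in angle brackets must be replaced.
Connect-AzAccount -Subscription '<SubscriptionName>'
$nsg = Get-AzNetworkSecurityGroup -Name '<NSG Name>' -ResourceGroupName '<Resource Group Name>'

# Index what is already in the NSG: inbound Deny source prefixes, inbound
# priorities in use (they must be unique per direction) and all rule names.
$deniedPrefixes = @{}
$usedPriorities = @{}
$ruleNames      = @{}
foreach ($rule in $nsg.SecurityRules) {
    $ruleNames[$rule.Name] = $true
    if ($rule.Direction -ne 'Inbound') { continue }
    $usedPriorities[[int]$rule.Priority] = $true
    if ($rule.Access -eq 'Deny') {
        foreach ($prefix in $rule.SourceAddressPrefix) { $deniedPrefixes[$prefix] = $rule.Name }
    }
}

function ConvertTo-NsgRuleName {
    param(
        [Parameter(Mandatory)][string]$Address,
        [int]$MaxLength = 80
    )
    # Assumption: allowed characters are letters, digits, '.', '_' and '-'.
    # Anything else (the '/' of a CIDR, the ':' of IPv6, stray whitespace) becomes '-'.
    $name = 'Deny-' + ($Address -replace '[^A-Za-z0-9._-]', '-')
    $name = $name -replace '-{2,}', '-'                    # collapse runs of '-'
    if ($name.Length -gt $MaxLength) { $name = $name.Substring(0, $MaxLength) }
    return ($name -replace '[.-]+$', '')                   # don't end on '.' or '-'
}

$priority = 1000   # first priority to hand out; taken ones are skipped
$added    = 0
$addresses = Get-Content .\ipblocklist.txt | ForEach-Object { $_.Trim() } |
             Where-Object { $_ } | Select-Object -Unique

foreach ($address in $addresses) {
    # Improvement 1: skip prefixes an inbound Deny rule already covers
    if ($deniedPrefixes.ContainsKey($address)) {
        Write-Host "Skipping $address - already denied by rule '$($deniedPrefixes[$address])'"
        continue
    }

    while ($usedPriorities.ContainsKey($priority)) { $priority++ }
    if ($priority -gt 4096) { throw "No free NSG rule priority left (max 4096) for $address" }

    # Improvement 2: regex-sanitised rule name, kept unique within the NSG
    $ruleName = ConvertTo-NsgRuleName -Address $address
    if ($ruleNames.ContainsKey($ruleName)) {
        $ruleName = (ConvertTo-NsgRuleName -Address $address -MaxLength 74) + "-$priority"
    }

    # the cmdlet returns the NSG object; assign to $null to keep the console quiet
    $null = $nsg | Add-AzNetworkSecurityRuleConfig -Name $ruleName -SourceAddressPrefix $address `
        -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '80','443' `
        -Protocol '*' -Access 'Deny' -Direction 'Inbound' -Priority $priority

    $deniedPrefixes[$address]  = $ruleName
    $usedPriorities[$priority] = $true
    $ruleNames[$ruleName]      = $true
    $added++
}

if ($added -gt 0) {
    # one commit for the whole batch, as in the original script
    $null = $nsg | Set-AzNetworkSecurityGroup
    Write-Host "Committed $added new inbound Deny rule(s) to $($nsg.Name)"
} else {
    Write-Host 'Nothing to add - every address in the file is already denied'
}
```

The duplicate check compares exact prefix strings, so `10.0.0.0/24` and `10.0.0.5` are treated as different entries even though the first already covers the second; a containment check would need a CIDR parser and is left out here. Like the original, this creates one rule per address, so a long block list consumes one priority per entry.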
