Редактиране

Споделяне чрез


Relocate Azure network security group (NSG) to another region

This article shows you how to relocate an NSG to a new region by creating a copy of the source configuration and security rules of the NSG to another region.

Prerequisites

  • Make sure that the Azure network security group is in the target Azure region.

  • Associate the new NSG to resources in the target region.

  • To export an NSG configuration and deploy a template to create an NSG in another region, you'll need the Network Contributor role or higher.

  • Identify the source networking layout and all the resources that you're currently using. This layout includes but isn't limited to load balancers, public IPs, and virtual networks.

  • Verify that your Azure subscription allows you to create NSGs in the target region that's used. Contact support to enable the required quota.

  • Make sure that your subscription has enough resources to support the addition of NSGs for this process. See Azure subscription and service limits, quotas, and constraints.

Downtime

To understand the possible downtimes involved, see Cloud Adoption Framework for Azure: Select a relocation method.

Prepare

The following steps show how to prepare the network security group for the configuration and security rule move using a Resource Manager template, and move the NSG configuration and security rules to the target region using the portal.

Export and modify a template

To export and modify a template by using Azure portal:

  1. Sign in to the Azure portal.

  2. Select All resources and then select your storage account.

  3. Select > Automation > Export template.

  4. Choose Deploy in the Export template blade.

  5. Select TEMPLATE > Edit parameters to open the parameters.json file in the online editor.

  6. To edit the parameter of the NSG name, change the value property under parameters:

            {
            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
            "contentVersion": "1.0.0.0",
            "parameters": {
            "networkSecurityGroups_myVM1_nsg_name": {
               "value": "<target-nsg-name>"
                }
               }
            }
    
  7. Change the source NSG value in the editor to a name of your choice for the target NSG. Ensure you enclose the name in quotes.

  8. Select Save in the editor.

  9. Select TEMPLATE > Edit template to open the template.json file in the online editor.

  10. To edit the target region where the NSG configuration and security rules will be moved, change the location property under resources in the online editor:

            "resources": [
            {
            "type": "Microsoft.Network/networkSecurityGroups",
            "apiVersion": "2019-06-01",
            "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]",
            "location": "<target-region>",
            "properties": {
                "provisioningState": "Succeeded",
                "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78",
             }
            }
           ]
    
    
  11. To obtain region location codes, see Azure Locations. The code for a region is the region name with no spaces, Central US = centralus.

  12. You can also change other parameters in the template if you choose, and are optional depending on your requirements:

    • Security rules - You can edit which rules are deployed into the target NSG by adding or removing rules to the securityRules section in the template.json file:

         "resources": [
          {
          "type": "Microsoft.Network/networkSecurityGroups",
          "apiVersion": "2019-06-01",
          "name": "[parameters('networkSecurityGroups_myVM1_nsg_name')]",
          "location": "<target-region>",
          "properties": {
              "provisioningState": "Succeeded",
              "resourceGuid": "2c846acf-58c8-416d-be97-ccd00a4ccd78",
              "securityRules": [
                  {
                      "name": "RDP",
                      "etag": "W/\"c630c458-6b52-4202-8fd7-172b7ab49cf5\"",
                      "properties": {
                          "provisioningState": "Succeeded",
                          "protocol": "TCP",
                          "sourcePortRange": "*",
                          "destinationPortRange": "3389",
                          "sourceAddressPrefix": "*",
                          "destinationAddressPrefix": "*",
                          "access": "Allow",
                          "priority": 300,
                          "direction": "Inbound",
                          "sourcePortRanges": [],
                          "destinationPortRanges": [],
                          "sourceAddressPrefixes": [],
                          "destinationAddressPrefixes": []
                           }
                  },
              ]
          }
      

      To complete the addition or the removal of the rules in the target NSG, you must also edit the custom rule types at the end of the template.json file in the format of the example below:

           {
            "type": "Microsoft.Network/networkSecurityGroups/securityRules",
            "apiVersion": "2019-06-01",
            "name": "[concat(parameters('networkSecurityGroups_myVM1_nsg_name'), '/Port_80')]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroups_myVM1_nsg_name'))]"
            ],
            "properties": {
                "provisioningState": "Succeeded",
                "protocol": "*",
                "sourcePortRange": "*",
                "destinationPortRange": "80",
                "sourceAddressPrefix": "*",
                "destinationAddressPrefix": "*",
                "access": "Allow",
                "priority": 310,
                "direction": "Inbound",
                "sourcePortRanges": [],
                "destinationPortRanges": [],
                "sourceAddressPrefixes": [],
                "destinationAddressPrefixes": []
            }
      
  13. Select Save in the online editor.

Redeploy

  1. Select BASICS > Subscription to choose the subscription where the target NSG will be deployed.

  2. Select BASICS > Resource group to choose the resource group where the target NSG will be deployed. You can click Create new to create a new resource group for the target NSG. Ensure the name isn't the same as the source resource group of the existing NSG.

  3. Select BASICS > Location is set to the target location where you wish for the NSG to be deployed.

  4. Verify under SETTINGS that the name matches the name that you entered in the parameters editor above.

  5. Check the box under TERMS AND CONDITIONS.

  6. Select the Purchase button to deploy the target network security group.

Discard

If you wish to discard the target NSG, delete the resource group that contains the target NSG. To do so, select the resource group from your dashboard in the portal and select Delete at the top of the overview page.

Clean up

To commit the changes and complete the move of the NSG, delete the source NSG or resource group. To do so, select the network security group or resource group from your dashboard in the portal and select Delete at the top of each page.

Next steps

In this tutorial, you moved an Azure network security group from one region to another and cleaned up the source resources. To learn more about moving resources between regions and disaster recovery in Azure, refer to: