How to create a network security group that allows only a certain ip in inbound rules

Ilia Naleva 0 Reputation points
2023-01-23T18:27:38.04+00:00

I would like to migrate about 80 instances from AWS to Azure.

Each instance allows only a certain set of connections, for example:

Instance A: allow http + https connection from ip 1.2.3.4 on inbound and all ips in outbound.
Instance B: allow http + https connection from ip 5.6.7.8 on inbound and all ips in outbound.

Some instances have 1-20 allowed IPs.

I saw that there are no import options for security groups, so I wonder if there is any other way to do that, maybe some kind of script?

  1. Andreas Baumgarten 123.6K Reputation points MVP Volunteer Moderator
    2023-01-23T21:01:02.8533333+00:00

    Hi @Ilia Naleva,

    This should be possible using a CSV file and a PowerShell script (the Az module is required).

    Create a CSV file, for instance nsg_Rules.csv. The content should look like this:

    Name,Protocol,Direction,Priority,SourceAddressPrefix,SourcePortRange,DestinationAddressPrefix,DestinationPortRange,Access
    Rule1,TCP,Inbound,100,*,*,*,80,Allow
    Rule2,TCP,Inbound,110,10.0.0.0/24,*,*,4711,Allow
    Rule3,TCP,Outbound,110,10.0.0.0/24,*,*,4711,Allow
    

    The following PowerShell script will read the CSV file and create an NSG rule per line:

    # Name of the existing NSG that receives the rules.
    $NSG = "testNSG1"
    # Each CSV row becomes one object whose properties are the column headers.
    $rules = Import-Csv -Path .\Junk\nsg_Rules.csv
    $nsgObj = Get-AzNetworkSecurityGroup -Name $NSG
    foreach ($rule in $rules) {
      # Splat the row's columns into the cmdlet parameters of the same name.
      $Params = @{
        'Name'                     = $rule.Name
        'Protocol'                 = $rule.Protocol
        'Direction'                = $rule.Direction
        'Priority'                 = $rule.Priority
        'SourceAddressPrefix'      = $rule.SourceAddressPrefix
        'SourcePortRange'          = $rule.SourcePortRange
        'DestinationAddressPrefix' = $rule.DestinationAddressPrefix
        'DestinationPortRange'     = $rule.DestinationPortRange
        'Access'                   = $rule.Access
      }
      # Add the rule to the in-memory NSG object, then write the NSG back to Azure.
      $nsgObj | Add-AzNetworkSecurityRuleConfig @Params | Set-AzNetworkSecurityGroup
    }

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards

    Andreas Baumgarten

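The question describes one NSG per instance, each with 1-20 allowed source IPs and both web ports. The following added example (not part of the answer above, and not Microsoft's own code) extends the CSV approach to that case: one row per instance, with the IPs and ports packed into a single cell separated by ";", which is split into the arrays that Add-AzNetworkSecurityRuleConfig accepts for SourceAddressPrefix and DestinationPortRange. The resource group name, the NSG names and the file instance_rules.csv are assumptions, and the sample rows are constructed.

```powershell
# Added example, not the original answer's script. Assumed resource group name.
$ResourceGroup = "rg-migrated-vms"

# Constructed sample input, written out here so the script runs as-is.
# One row per instance; several IPs or ports go in one cell separated by ";".
@"
NsgName,RuleName,Priority,SourceIPs,DestinationPorts
nsg-instance-a,allow-web-from-partner,100,1.2.3.4,80;443
nsg-instance-b,allow-web-from-office,100,5.6.7.8;5.6.7.9;203.0.113.0/24,80;443
"@ | Set-Content -Path .\instance_rules.csv

$rows = Import-Csv -Path .\instance_rules.csv

# Group rows by NSG so each NSG is fetched and written once, not once per rule.
foreach ($group in ($rows | Group-Object -Property NsgName)) {
    $nsg = Get-AzNetworkSecurityGroup -Name $group.Name -ResourceGroupName $ResourceGroup

    foreach ($row in $group.Group) {
        # Az.Network accepts string arrays here, so one rule carries all of an
        # instance's allowed sources and both web ports.
        $sources = $row.SourceIPs -split ';' | ForEach-Object { $_.Trim() }
        $ports   = $row.DestinationPorts -split ';' | ForEach-Object { $_.Trim() }

        $params = @{
            Name                     = $row.RuleName
            Protocol                 = 'Tcp'
            Direction                = 'Inbound'
            Priority                 = [int]$row.Priority   # unique per direction, 100-4096
            SourceAddressPrefix      = $sources
            SourcePortRange          = '*'
            DestinationAddressPrefix = '*'
            DestinationPortRange     = $ports
            Access                   = 'Allow'
        }
        $nsg = $nsg | Add-AzNetworkSecurityRuleConfig @params
    }

    # Commit all rules for this NSG in a single update.
    $nsg | Set-AzNetworkSecurityGroup | Out-Null
}
```

Inbound traffic from any other source is still caught by the default DenyAllInBound rule (priority 65500), so no explicit deny rule is needed for Internet sources, and the default AllowInternetOutBound rule already covers the "all IPs outbound" part. Note that the default AllowVnetInBound rule still admits traffic from other hosts in the same virtual network, which is a difference from an AWS security group with only explicit allows.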
