Allow and deny Azure Firewall rule on a specific VM using PowerShell

Geraldo Peralta 86 Reputation points
2023-04-11T17:27:31.3033333+00:00

Hello, people. I have an Azure VM called VM1 and it is associated with an NSG. I want to automatically (using a runbook with a PowerShell script, or something else that helps) allow an inbound rule in a specific time range each day, then deny that inbound rule after the time is over. Thanks in advance. Regards,

Azure Firewall
PowerShell

Accepted answer
  1. msrini-MSFT 9,261 Reputation points Microsoft Employee
    2023-04-18T19:18:20.01+00:00

    Hi, you can try this script:

    # Import the AzureRM module
    Import-Module AzureRM

    # Authenticate to your Azure account with the Automation Run As connection
    $connection = Get-AutomationConnection -Name 'AzureRunAsConnection'
    Connect-AzureRmAccount -ServicePrincipal -TenantId $connection.TenantId `
        -ApplicationId $connection.ApplicationId -CertificateThumbprint $connection.CertificateThumbprint

    # VM and NSG details
    $vmName = 'VM1'
    $resourceGroupName = 'YourResourceGroupName'
    $nsgName = 'YourNSGName'
    $ruleName = 'AllowInboundRule'  # Change to the desired rule name

    # Get the current time (Automation sandboxes run in UTC; pick the hours below accordingly)
    $currentTime = Get-Date

    # Define the time range for allowing the inbound rule
    $allowStartTime = Get-Date -Year $currentTime.Year -Month $currentTime.Month -Day $currentTime.Day `
        -Hour 9 -Minute 0 -Second 0  # Change to the desired start time
    $allowEndTime = Get-Date -Year $currentTime.Year -Month $currentTime.Month -Day $currentTime.Day `
        -Hour 17 -Minute 0 -Second 0  # Change to the desired end time

    # Load the NSG once; both branches modify this object and then write it back
    $nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $resourceGroupName -Name $nsgName
    $existingRule = $nsg.SecurityRules | Where-Object { $_.Name -eq $ruleName }

    # Check if the current time is within the time range for allowing the inbound rule
    if ($currentTime -ge $allowStartTime -and $currentTime -lt $allowEndTime) {
        if ($existingRule) {
            Write-Output 'Inbound rule is already present.'
        } else {
            # Add the allow rule to the NSG (Add-* creates a rule; Get-* only reads existing ones
            # and Set-AzureRmNetworkSecurityRuleConfig has no -NetworkSecurityRule parameter)
            $nsg | Add-AzureRmNetworkSecurityRuleConfig -Name $ruleName -Access Allow -Direction Inbound `
                -Priority 100 -SourceAddressPrefix '*' -SourcePortRange '*' -DestinationAddressPrefix '*' `
                -DestinationPortRange '*' -Protocol '*' | Set-AzureRmNetworkSecurityGroup | Out-Null
            # Change to the desired rule configuration; narrow SourceAddressPrefix and
            # DestinationPortRange to what is actually needed rather than leaving '*'
            Write-Output 'Inbound rule has been allowed.'
        }
    } else {
        if ($existingRule) {
            # Remove the rule so the traffic falls back to the NSG's default deny
            $nsg | Remove-AzureRmNetworkSecurityRuleConfig -Name $ruleName | Set-AzureRmNetworkSecurityGroup | Out-Null
            Write-Output 'Inbound rule has been denied.'
        } else {
            Write-Output 'Inbound rule is already absent.'
        }
    }
    
    
    1 person found this answer helpful.
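The accepted answer keeps a single time-checking runbook on the retired AzureRM module and Run As connection. The following is an added example, not code from the answer above or from Microsoft: it is a runbook for the current Az modules that resolves the NSG from the VM's NIC and flips one rule between Allow and Deny, so it can be attached to two Automation schedules (one calling it with -Action Allow at the window start, one with -Action Deny at the end) instead of polling the clock. VM1 is the VM name from the question; the resource group, rule name, source prefix, port, and the assumption that the Automation account's managed identity holds Network Contributor on that resource group are placeholders.

```powershell
<#
  Added example (not from the accepted answer). Requires the Az.Accounts, Az.Compute
  and Az.Network modules in the Automation account and a system-assigned managed
  identity with Network Contributor on the VM's resource group (assumption).
#>
param(
    [Parameter(Mandatory)]
    [ValidateSet('Allow', 'Deny')]
    [string] $Action,

    [string] $ResourceGroupName = 'YourResourceGroupName',  # placeholder
    [string] $VmName            = 'VM1',                     # name from the question
    [string] $RuleName          = 'ScheduledInbound',        # placeholder
    [int]    $Priority          = 100,
    [string] $SourcePrefix      = '203.0.113.0/24',          # placeholder (TEST-NET-3); avoid '*'
    [string] $DestinationPort   = '3389'                     # placeholder
)

$ErrorActionPreference = 'Stop'

# Authenticate with the Automation account's managed identity (no Run As certificate to rotate)
Connect-AzAccount -Identity | Out-Null

# Resolve the NSG from the VM's primary NIC instead of hard-coding the NSG name
$vm  = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
if (-not $nic.NetworkSecurityGroup) {
    throw "NIC $($nic.Name) of $VmName has no NSG attached."
}
# Resource ID layout: /subscriptions/<sub>/resourceGroups/<rg>/providers/.../networkSecurityGroups/<name>
$nsgIdParts = $nic.NetworkSecurityGroup.Id -split '/'
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $nsgIdParts[4] -Name $nsgIdParts[-1]

# Common rule settings; only Access differs between the two scheduled runs
$ruleParams = @{
    Name                     = $RuleName
    Description              = "Scheduled inbound access, last set $((Get-Date).ToUniversalTime().ToString('u'))"
    Access                   = $Action
    Protocol                 = 'Tcp'
    Direction                = 'Inbound'
    Priority                 = $Priority
    SourceAddressPrefix      = $SourcePrefix
    SourcePortRange          = '*'
    DestinationAddressPrefix = '*'
    DestinationPortRange     = $DestinationPort
}

# Idempotent: update the rule if it exists, otherwise create it
$existing = $nsg.SecurityRules | Where-Object { $_.Name -eq $RuleName }
if ($existing) {
    $nsg = Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg @ruleParams
} else {
    $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg @ruleParams
}

# Push the change and report what is now in effect, read back from the updated NSG
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
$applied = $nsg.SecurityRules | Where-Object { $_.Name -eq $RuleName }
Write-Output ("Rule '{0}' on NSG '{1}' is now {2} for {3} -> TCP/{4}" -f `
    $applied.Name, $nsg.Name, $applied.Access, $applied.SourceAddressPrefix, $applied.DestinationPortRange)
```

Keeping the rule in place and toggling Access, rather than deleting and recreating it, means a failed Deny run leaves a visible Allow rule to alert on, and the rule's Description records when it was last changed. Note that this script only looks at the NIC-level NSG; if the NSG is attached to the subnet instead, read it from the subnet via Get-AzVirtualNetworkSubnetConfig rather than from $nic.NetworkSecurityGroup.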

0 additional answers
