Introduction
In Azure, I have security group rules that allow access to everything from my public IP address. I have a rule for the office and another for home. For sensitive ports such as SSH and RDP, similar rules are the only ones that allow such access. I never allow the entire public Internet to be able to hammer away at these ports. I also create similar rules for HTTP and HTTPS when I am developing an API so that nobody can access these systems except for me.
At home, I have high-speed Internet. Great service but my public IP address changes often, sometimes several times per day. This means I must log in to the Azure Portal and update the security rule. This is simple to do, but I prefer to automate this kind of change. I wrote a Windows batch script to update my home allow rule. I set up Windows Task Scheduler to run this program automatically several times per day.
Preparation
Collect the following details about your account:
- Resource Group name.
- Network Security Group name.
- Network Security Group rule name to update.
You also need three tools on the machine that will run the script:
- The Azure CLI (az), already logged in with az login.
- curl (included with Windows 10 and later).
- The jq command-line tool.
If you do not have a security group rule to update, scroll to the bottom and I show you how to create a rule using the CLI.
For the Update Security Group Rule script below, we need values for several variables:
- RESOURCE_GROUP
- NSG_NAME
- RULE_NAME
List Resource Group Names
Select a resource group and store the value in RESOURCE_GROUP.
az group list --query "[].name"
List Network Security Group Names
Select a network security group and store the value in NSG_NAME.
az network nsg list --resource-group %RESOURCE_GROUP% --query "[].name"
List Network Security Group Rule Names
Select a network security group rule and store the value in RULE_NAME.
This command does not show the default rules.
az network nsg rule list --resource-group %RESOURCE_GROUP% --nsg-name %NSG_NAME% --query "[].name"
List Network Security Group Rule Names, Direction, and Priority
Use this command to see the rule names, direction, and priority, including the default rules, formatted into a table.
az network nsg rule list --resource-group %RESOURCE_GROUP% --nsg-name %NSG_NAME% --include-default --query "[].{Name:name, Direction:direction, Priority:priority}" --output table
The output will be similar to this:
Name                           Direction    Priority
-----------------------------  -----------  ----------
Home-All-Traffic               Inbound      100
http                           Inbound      110
https                          Inbound      120
AllowVnetInBound               Inbound      65000
AllowAzureLoadBalancerInBound  Inbound      65001
DenyAllInBound                 Inbound      65500
AllowVnetOutBound              Outbound     65000
AllowInternetOutBound          Outbound     65001
DenyAllOutBound                Outbound     65500
Update Security Group Rule
The following script will update the Source Address Prefixes of an existing security group rule. This script does not change any other values.
For a rule created similar to the one created later in this article by the “Create Network Security Group Rule” script, traffic will be allowed from the public IP address of the machine running the script.
This script calls the endpoint https://ipinfo.io, which returns JSON, and uses the CLI tool jq to extract the ip field. Keep the https: whatever this endpoint returns is written straight into an allow rule, so a reply tampered with in transit would open the security group to an address of the attacker's choosing.
Example data returned by ipinfo.io:
{
  "ip": "97.113.238.135",
  "hostname": "97-113-238-135.tukw.qwest.net",
  "city": "Seattle",
  "region": "Washington",
  "country": "US",
  "loc": "",
  "org": "AS209 CenturyLink Communications, LLC",
  "postal": "98111",
  "timezone": "America/Los_Angeles",
  "readme": "https://ipinfo.io/missingauth"
}
Windows Script:
Copy the following script to a file. I use the name azure_update_fw_rule_home.bat. Then you can update the Azure network security group firewall rule with your current public IP address by just typing azure_update_fw_rule_home in a Windows Command Prompt. Using command completion means I do not have to type all characters of the file name.
@rem Resource group, network security group and rule to update. Replace all three values.
@set RESOURCE_GROUP=REPLACE_ME
@set NSG_NAME=REPLACE_ME
@set RULE_NAME=REPLACE_ME
@set FILENAME=myip.txt
@set MYIP=
@rem Look up our public IP over HTTPS and keep only the "ip" field from the JSON reply.
@curl -s https://ipinfo.io | jq -r ".ip" > %FILENAME%
@set /p MYIP=<%FILENAME%
@rem Stop rather than write an empty or failed lookup into the allow rule.
@if "%MYIP%"=="" (echo Public IP lookup failed, rule not changed & exit /b 1)
@if "%MYIP%"=="null" (echo Public IP lookup failed, rule not changed & exit /b 1)
az network nsg rule update ^
  --resource-group %RESOURCE_GROUP% ^
  --nsg-name %NSG_NAME% ^
  --name %RULE_NAME% ^
  --source-address-prefixes %MYIP%
Create Network Security Group Rule
If you do not already have a firewall rule to update, the following script will create a compatible inbound rule allowing all TCP ports (the rule is created with --protocol Tcp) from the public IP address of the computer running the script. Pick a RULE_PRIORITY in the custom range 100-4096; lower numbers are evaluated first, so it will take precedence over the default DenyAllInBound rule at 65500.
Windows Script:
@rem Network security group to add the rule to, plus a name and priority for the new rule.
@set RESOURCE_GROUP=REPLACE_ME
@set NSG_NAME=REPLACE_ME
@set RULE_NAME=REPLACE_ME
@set RULE_PRIORITY=REPLACE_ME
@set FILENAME=myip.txt
@set MYIP=
@rem Look up our public IP over HTTPS and keep only the "ip" field from the JSON reply.
@curl -s https://ipinfo.io | jq -r ".ip" > %FILENAME%
@set /p MYIP=<%FILENAME%
@rem Do not create a rule with an empty or failed lookup as its source.
@if "%MYIP%"=="" (echo Public IP lookup failed, no rule created & exit /b 1)
@if "%MYIP%"=="null" (echo Public IP lookup failed, no rule created & exit /b 1)
az network nsg rule create ^
  --resource-group %RESOURCE_GROUP% ^
  --nsg-name %NSG_NAME% ^
  --name %RULE_NAME% ^
  --direction Inbound ^
  --priority %RULE_PRIORITY% ^
  --source-address-prefixes %MYIP% ^
  --source-port-ranges "*" ^
  --destination-address-prefixes "*" ^
  --destination-port-ranges "*" ^
  --access Allow ^
  --protocol Tcp ^
  --description "Allow all access from home"
Future Ideas
This script can easily be run automatically by Windows Task Scheduler. Windows Central has a good article on how to set up a program to run automatically. Tip: This script uses the credentials stored by the Azure CLI (az login). When you schedule the script, run it as the Windows user that logged in so those stored credentials are available. Consider using an Azure Service Principal instead, with its role assignment scoped to just this network security group rather than the whole subscription, so that the identity held by the scheduled task can change nothing outside that group. On my system, I have the script scheduled to run at 6 AM, Noon, and 6 PM.
This is the script that I use with Windows Task Scheduler. The difference is that I added some logging so that I can check on success or failure.
Note: For the last line I redirect standard error to standard output using 2>&1 which is the same for Windows and Linux (Microsoft copied this from AT&T Unix).
@set RESOURCE_GROUP=REPLACE_ME
@set NSG_NAME=REPLACE_ME
@set RULE_NAME=REPLACE_ME
@set FILENAME=c:\tmp\myip.txt
@set LOGFILE=c:\bin\azure_update_home_fw_rule.log
@set MYIP=
@curl -s https://ipinfo.io | jq -r ".ip" > %FILENAME%
@set /p MYIP=<%FILENAME%
@rem Record when we ran and which address the lookup returned.
date /t >> %LOGFILE%
time /t >> %LOGFILE%
echo Public IP: %MYIP% >> %LOGFILE%
@rem A failed lookup is logged and leaves the rule untouched.
@if "%MYIP%"=="" (echo Public IP lookup failed, rule not changed >> %LOGFILE% & exit /b 1)
@if "%MYIP%"=="null" (echo Public IP lookup failed, rule not changed >> %LOGFILE% & exit /b 1)
@rem Send both stdout and stderr of the az command to the log.
az network nsg rule update ^
  --resource-group %RESOURCE_GROUP% ^
  --nsg-name %NSG_NAME% ^
  --name %RULE_NAME% ^
  --source-address-prefixes %MYIP% >> %LOGFILE% 2>&1
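The batch scripts above (the interactive update and the scheduled, logging version) take whatever ipinfo.io returns and splice it onto the az command line. The following is an added example, not the article's script, that does the same job but treats the lookup result as untrusted input: it parses the JSON, accepts only a single public IPv4 address, passes it to az as one argument rather than through a shell, and skips the write when the rule already holds that address. It assumes the Azure CLI is on PATH and logged in (user or service principal), that the rule already exists (for example one created by the "Create Network Security Group Rule" script) and uses a single source prefix, and that ipinfo.io returns the JSON shown earlier; the script name and argument order are my own.

```python
"""Refresh an Azure NSG allow rule with this machine's current public IP.

Added example for this article, not the author's batch script. Assumes the
Azure CLI is on PATH and logged in, and that the rule already exists and
uses a single sourceAddressPrefix. The ipinfo.io reply is untrusted input:
it is parsed, validated as one public IPv4 address and handed to az as a
single argv element, never spliced into a command line.
"""
import ipaddress
import json
import subprocess
import sys
import urllib.request
from datetime import datetime, timezone

# HTTPS only: whatever this returns ends up in a firewall allow rule.
IPINFO_URL = "https://ipinfo.io/json"


def parse_ipinfo(body: str) -> str:
    """Return the "ip" field of an ipinfo.io JSON body (what jq -r ".ip" does)."""
    ip = json.loads(body).get("ip")
    if not isinstance(ip, str) or not ip:
        raise ValueError("ipinfo.io reply has no ip field")
    return ip


def to_allow_prefix(ip: str) -> str:
    """Validate ip as one global (public) IPv4 address and return it as a /32.

    Rejects what must never land in an allow rule: empty or non-address text,
    private, loopback, link-local or unspecified addresses, and CIDR blocks.
    """
    addr = ipaddress.ip_address(ip.strip())  # ValueError on "", "null", "10.0.0.0/8", ...
    if addr.version != 4:
        raise ValueError(f"expected an IPv4 address, got {addr}")
    if not addr.is_global:
        raise ValueError(f"{addr} is not a public address")
    return f"{addr}/32"


def needs_update(current_prefix, wanted_prefix: str) -> bool:
    """True when the rule's sourceAddressPrefix differs from wanted_prefix.

    az returns a bare address for a /32, so both sides are normalised to a
    network before comparing; an unchanged IP then causes no write at all.
    """
    if not current_prefix:  # None or "" (e.g. a multi-prefix rule): write it
        return True

    def norm(p: str) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(p.strip(), strict=False)

    return norm(current_prefix) != norm(wanted_prefix)


def az(*args: str) -> str:
    """Run one Azure CLI command as an argument list (no shell) and return stdout."""
    exe = "az.cmd" if sys.platform == "win32" else "az"
    done = subprocess.run([exe, *args, "--output", "json"],
                          capture_output=True, text=True, check=True)
    return done.stdout


def current_source_prefix(rg: str, nsg: str, rule: str):
    out = az("network", "nsg", "rule", "show", "--resource-group", rg,
             "--nsg-name", nsg, "--name", rule, "--query", "sourceAddressPrefix")
    return json.loads(out)  # a string, or None for a multi-prefix rule


def update_rule(rg: str, nsg: str, rule: str, prefix: str) -> None:
    az("network", "nsg", "rule", "update", "--resource-group", rg,
       "--nsg-name", nsg, "--name", rule, "--source-address-prefixes", prefix)


def fetch_public_ip(url: str = IPINFO_URL, timeout: float = 10) -> str:
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_ipinfo(resp.read().decode("utf-8"))


def main(argv) -> int:
    if len(argv) != 4:
        print("usage: update_nsg_rule.py RESOURCE_GROUP NSG_NAME RULE_NAME", file=sys.stderr)
        return 2
    rg, nsg, rule = argv[1:]
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    try:
        wanted = to_allow_prefix(fetch_public_ip())
        current = current_source_prefix(rg, nsg, rule)
        if needs_update(current, wanted):
            update_rule(rg, nsg, rule, wanted)
            print(f"{stamp} {rule}: {current or '(none)'} -> {wanted}")
        else:
            print(f"{stamp} {rule}: already {wanted}, nothing to do")
        return 0
    except Exception as exc:  # lookup, validation or az failure: rule is left untouched
        print(f"{stamp} {rule}: FAILED, rule unchanged: {exc}", file=sys.stderr)
        return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Schedule it the same way as the batch file (python update_nsg_rule.py RESOURCE_GROUP NSG_NAME RULE_NAME, with stdout and stderr redirected to a log). Because every failure path returns non-zero before az is called, a transient ipinfo.io outage or a garbage reply leaves the existing rule in place instead of replacing it with an empty or bogus prefix; and because the comparison runs first, the rule's modification time only changes when the address really did.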
Photography Credits
I write free articles about technology. Recently, I learned about Pexels.com which provides free images. The image in this article is courtesy of Pixabay at Pexels.
I design software for enterprise-class systems and data centers. My background is 30+ years in storage (SCSI, FC, iSCSI, disk arrays, imaging) and virtualization, and 20+ years in identity, security, and forensics.
For the past 14+ years, I have been working in the cloud (AWS, Azure, Google, Alibaba, IBM, Oracle) designing hybrid and multi-cloud software solutions. I am an MVP/GDE with several.
September 30, 2021 at 1:34 AM
Very interesting, good job, and thanks for sharing such a good blog.
May 26, 2022 at 4:51 AM
Thanks for sharing an informative blog.