![\"\"](\"https:\/\/blog.redbaronofazure.com\/wp-content\/uploads\/2017\/06\/nsg-script-01.png\")
<\/a><\/p>\nPublic ip address<\/h2>\n
Whenever I come to a new location, I modify the “allow-all-from-temp-ip” rule to reflect the current public ip address I’m using. Going to webpage http:\/\/ipinfo.io<\/a>\u00a0you can find your ip address. If you want to manually update your NSG rules, grab the ip address from ipinfo and use the Azure portal to update your inbound rule(s).<\/p>\n But if you want to automate, ipinfo.io supports REST API calls which means\u00a0you can call the API and get the result back as a JSON structure. In powershell, this might look like this:<\/p>\n The NSG rules work with something known as CIDR notation when it comes to specifying ip addresses. The \/32 means 32 bits of the ip address\u00a0are the mask bits and for an IPv4 address this means all the bits so\u00a0using \/32 basically means 1 ip address.\u00a0You can play with CIDR online calculaters, like\u00a0http:\/\/www.subnet-calculator.com\/cidr.php<\/a>, where you can see that 10.4.3.0\/24 gives you 10.4.3.0 – 10.4.3.255 since 24 mask bits means 255.255.255.0, etc.<\/p>\n The call to Get-AzureRmAccount is there just so I can add it to the description which user I was running as when I made the change.<\/p>\n Updating the NSG is quite simple. It is just a matter of retrieving the NSG, finding the specific NSG inbound rule and updating it. If the rule isn’t already defined we need to add it with the next available priority.<\/p>\n So whenever I enter a new location, I just run the script to update the NSG rule of whatever work I was doing. It is especially usefull if I know I’m going to be showing something on a projector to a group of people, because troubleshooting network ports being blocked is a sure thing to loose time and interrest of the people around you.<\/p>\n My script opens ALL ports for TCP\/UDP from a single ip address, which is basically disabling the firewall for it. I do it just during dev\/test so I can work productively. In a real world case, where you do hybrid cloud networking, you should of course specify a list of known ports and source addresses instead of making it wide open.<\/p>\n The powershell script can be found on github$acct = Get-AzureRmContext\r\n$user = $acct.Account.Id\r\n\r\n$resp = Invoke-RestMethod \"http:\/\/ipinfo.io\"\r\nWrite-Host \"Current ip addr $($resp.ip) via provider $($resp.org)\"\r\n\r\n$sourceAddrPrefix = \"$($resp.ip)\/32\"\r\n$description = \"allow all inbound from temp ip $($resp.ip), provider $($resp.org). Set by $user at $(Get-Date -format 's')\"<\/pre>\n
Updating the NSG<\/h2>\n
$rule = ($nsg | Get-AzureRmNetworkSecurityRuleConfig -Name $SecurityRuleName -ErrorAction SilentlyContinue)\r\nif ($rule -eq $null) {\r\n $prio = [int]($nsg.SecurityRules[$nsg.SecurityRules.Count-1].Priority)\r\n $prio += 10\r\n Write-Host \"Adding $SecurityRuleName rule to allow $sourceAddrPrefix with priority $prio\"\r\n $ret = ($nsg | Add-AzureRmNetworkSecurityRuleConfig -Name $SecurityRuleName `\r\n -SourceAddressPrefix $sourceAddrPrefix -SourcePortRange \"*\" `\r\n -DestinationAddressPrefix \"*\" -DestinationPortRange \"*\" `\r\n -Protocol \"*\" -Direction \"Inbound\" -Access \"Allow\" `\r\n -Priority $prio -Description $description)\r\n} else {\r\n Write-Host \"Updating $SecurityRuleName rule to allow $sourceAddrPrefix\"\r\n $ret = ($nsg | Set-AzureRmNetworkSecurityRuleConfig -Name $SecurityRuleName `\r\n -SourceAddressPrefix $sourceAddrPrefix -SourcePortRange \"*\" `\r\n -DestinationAddressPrefix \"*\" -DestinationPortRange \"*\" `\r\n -Protocol \"*\" -Direction \"Inbound\" -Access \"Allow\" `\r\n -Priority $rule.Priority -Description $description)\r\n}\r\nWrite-Host \"Saving to Azure...\"\r\n$ret = ($nsg | Set-AzureRmNetworkSecurityGroup)\r\n<\/pre>\nRunning the script<\/h2>\n
<\/a><\/p>\nA word of warning<\/h2>\n
Sources<\/h2>\n
\nhttps:\/\/github.com\/cljung\/azps\/blob\/master\/change-nsg-ipaddr.ps1<\/a><\/p>\n