An NSG comes with a set of default rules that allow the essential services to run on new VMs; the cloud administrator is responsible for managing all other traffic. Rules are evaluated in priority order, and each rule is matched against the following five pieces of information: source, source port, destination, destination port, and protocol.
Understanding the basic PowerShell cmdlets
Before diving into the cmdlets to configure either a VNet or vNIC, we need to get acquainted with some basic PowerShell cmdlets that are required when managing NSGs.
Get-AzResourceGroup | Select ResourceGroupName
Get-AzNetworkInterface -ResourceGroupName "<ResourceGroupName>"
Get-AzNetworkSecurityGroup | Select Name,ResourceGroupName,Location
Get-AzVM | select Name,ResourceGroupName,Location -ExpandProperty NetworkProfile | fl
Managing network security groups at the virtual network interface level
If you need something more specific and want to apply an NSG at the VM level, the Set-AzNetworkInterface cmdlet is the tool of choice for this task.
The first step is to create the network security group and then retrieve it into a variable. These two cmdlets are required:
$ResourceGroupName = "EASTUS-RG"
$Location = "eastus"
$SecurityGroupName = "EASTUS-nsg"
New-AzNetworkSecurityGroup `
-Name $SecurityGroupName `
-ResourceGroupName $ResourceGroupName `
-Location $Location
$nsg = Get-AzNetworkSecurityGroup `
-ResourceGroupName $ResourceGroupName `
-Name $SecurityGroupName
The second step is to list all available vNICs. First, find the vNIC attached to the VM to which you want to apply the NSG, then store that vNIC in a PowerShell variable.
Get-AzVM | select Name,ResourceGroupName,Location -ExpandProperty NetworkProfile | fl
$vNIC = Get-AzNetworkInterface `
-ResourceGroupName $ResourceGroupName `
-Name "vm-001-NIC"
The final step is to use the variables created in the previous steps and apply the changes: assign the $nsg object defined in the first step to the NetworkSecurityGroup property of the $vNIC object we have just populated, then pipe $vNIC to Set-AzNetworkInterface to commit the configuration.
$vNIC.NetworkSecurityGroup = $nsg
$vNIC | Set-AzNetworkInterface
Managing NSGs at VNet level
The recommendation is always to keep the number of network security groups low; applying an NSG to a subnet instead of to a specific VM gives us smaller, reusable building blocks.
Network security groups are assigned at the VNet/subnet level with the Set-AzVirtualNetworkSubnetConfig cmdlet, which associates an NSG with a subnet of a virtual network (VNet).
Get-AzNetworkSecurityGroup | Select Name,ResourceGroupName,Location
$rg = "<ResourceGroupName>"
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "NSGName"
Get-AzVirtualNetwork | select Name
$VNet = Get-AzVirtualNetwork -Name "VNet-Name"
Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $VNet | select Name,AddressPrefix
$VNetSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $VNet -Name default
Set-AzVirtualNetworkSubnetConfig `
-Name $VNetSubnet.Name `
-VirtualNetwork $VNet `
-AddressPrefix $VNetSubnet.AddressPrefix `
-NetworkSecurityGroup $nsg
$VNet | Set-AzVirtualNetwork
The results can be seen in the Azure Portal. After logging on to the portal, open the VNet, click Subnets, select the desired subnet, and check the Network security group column to confirm that the NSG is associated with the subnet.
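The association can also be verified from PowerShell rather than the portal. The following script is an added example, not part of the original article: it audits one resource group for subnets and vNICs that have no NSG at all, then lists each NSG's custom and default rules in evaluation order with the five match fields described at the top. The resource group name is a placeholder, and it assumes the Az module is installed, Connect-AzAccount has been run, and the VNets, vNICs and NSGs live in the same resource group.

```powershell
# Added example (not from the original article): audit NSG coverage from
# PowerShell instead of checking each subnet in the portal. Assumes an active
# Az session and that VNets, vNICs and NSGs share the resource group below.
$ResourceGroupName = "<ResourceGroupName>"   # placeholder

# 1. Subnets without an NSG. VMs in such a subnet are filtered only by an
#    NSG on their own vNIC, if one exists at all.
$subnetNsg = @{}   # subnet resource Id -> NSG resource Id
foreach ($vnet in Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName) {
    foreach ($subnet in $vnet.Subnets) {
        if ($subnet.NetworkSecurityGroup) {
            $subnetNsg[$subnet.Id] = $subnet.NetworkSecurityGroup.Id
        } else {
            Write-Warning ("Subnet {0}/{1} ({2}) has no NSG" -f
                $vnet.Name, $subnet.Name, ($subnet.AddressPrefix -join ','))
        }
    }
}

# 2. vNICs with no NSG at the NIC level and none on their subnet either:
#    no NSG rule set (not even the default rules) filters their traffic.
foreach ($nic in Get-AzNetworkInterface -ResourceGroupName $ResourceGroupName) {
    $subnetId = $nic.IpConfigurations[0].Subnet.Id
    if (-not $nic.NetworkSecurityGroup -and -not $subnetNsg.ContainsKey($subnetId)) {
        Write-Warning ("vNIC {0} has no NSG on the NIC or on its subnet" -f $nic.Name)
    }
}

# 3. Per NSG: custom plus default rules in evaluation order (lower priority
#    number is evaluated first) with source, source port, destination,
#    destination port and protocol. Inbound Allow rules open to any source
#    are flagged so they get an explicit review.
foreach ($nsg in Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName) {
    $rules = @($nsg.SecurityRules) + @($nsg.DefaultSecurityRules)
    "`n== NSG {0} ==" -f $nsg.Name
    $rules | Sort-Object Direction, Priority | Format-Table -AutoSize Priority, Direction, Access, Protocol,
        @{n = 'Source';  e = { $_.SourceAddressPrefix -join ',' } },
        @{n = 'SrcPort'; e = { $_.SourcePortRange -join ',' } },
        @{n = 'Dest';    e = { $_.DestinationAddressPrefix -join ',' } },
        @{n = 'DstPort'; e = { $_.DestinationPortRange -join ',' } }
    $nsg.SecurityRules |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
                       ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet') } |
        ForEach-Object { Write-Warning ("{0}: rule {1} (priority {2}) allows inbound {3} to port(s) {4} from any source" -f
            $nsg.Name, $_.Name, $_.Priority, $_.Protocol, ($_.DestinationPortRange -join ',')) }
}
```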