@@ -54,6 +54,121 @@ Azure Bastion is deployed specifically to ***AzureBastionSubnet***.
5454
5555 :::image type="content" source="./media/bastion-nsg/outbound.png" alt-text="Screenshot shows outbound security rules for Azure Bastion connectivity." lightbox="./media/bastion-nsg/outbound.png":::
5656
57+ ### Powershell Script to create the above mentioned Ingress and Egress traffic rules ###
58+ ```
59+ # Connect to Azure Account
60+ Connect-AzAccount
61+ # Get the Network Security Group details
62+ $resourceGroupName = Read-Host ("Enter the name of the Resource Group")
63+ $nsgName = Read-Host ("Enter the name of the Network Security Group")
64+ # Ingress and Egress rules
65+ $rules = @(
66+ @{
67+ Name = "AllowHttpsInbound"
68+ Priority = 120
69+ Direction = "Inbound"
70+ Access = "Allow"
71+ SourceAddressPrefix = "Internet"
72+ SourcePortRange = "*"
73+ DestinationAddressPrefix = "*"
74+ DestinationPortRange = "443"
75+ Protocol = "TCP"
76+ },
77+ @{
78+ Name = "AllowGatewayManagerInbound"
79+ Priority = 130
80+ Direction = "Inbound"
81+ Access = "Allow"
82+ SourceAddressPrefix = "GatewayManager"
83+ SourcePortRange = "*"
84+ DestinationAddressPrefix = "*"
85+ DestinationPortRange = "443"
86+ Protocol = "TCP"
87+ },
88+ @{
89+ Name = "AllowAzureLoadBalancerInbound"
90+ Priority = 140
91+ Direction = "Inbound"
92+ Access = "Allow"
93+ SourceAddressPrefix = "AzureLoadBalancer"
94+ SourcePortRange = "*"
95+ DestinationAddressPrefix = "*"
96+ DestinationPortRange = "443"
97+ Protocol = "TCP"
98+ },
99+ @{
100+ Name = "AllowBastionHostCommunication"
101+ Priority = 150
102+ Direction = "Inbound"
103+ Access = "Allow"
104+ SourceAddressPrefix = "VirtualNetwork"
105+ SourcePortRange = "*"
106+ DestinationAddressPrefix = "VirtualNetwork"
107+ DestinationPortRange = 8080,5701
108+ Protocol = "Ah"
109+ }
110+ @{
111+ Name = "AllowSshRdpOutbound"
112+ Priority = 100
113+ Direction = "Outbound"
114+ Access = "Allow"
115+ SourceAddressPrefix = "*"
116+ SourcePortRange = "*"
117+ DestinationAddressPrefix = "VirtualNetwork"
118+ DestinationPortRange = 22,3389
119+ Protocol = "Ah"
120+ },
121+ @{
122+ Name = "AllowAzureCloudOutbound"
123+ Priority = 110
124+ Direction = "Outbound"
125+ Access = "Allow"
126+ SourceAddressPrefix = "*"
127+ SourcePortRange = "*"
128+ DestinationAddressPrefix = "AzureCloud"
129+ DestinationPortRange = "443"
130+ Protocol = "TCP"
131+ },
132+ @{
133+ Name = "AllowBastionCommunication"
134+ Priority = 120
135+ Direction = "Outbound"
136+ Access = "Allow"
137+ SourceAddressPrefix = "VirtualNetwork"
138+ SourcePortRange = "*"
139+ DestinationAddressPrefix = "VirtualNetwork"
140+ DestinationPortRange = 8080,5701
141+ Protocol = "Ah"
142+ },
143+ @{
144+ Name = "AllowHttpOutbound"
145+ Priority = 130
146+ Direction = "Outbound"
147+ Access = "Allow"
148+ SourceAddressPrefix = "*"
149+ SourcePortRange = "*"
150+ DestinationAddressPrefix = "Internet"
151+ DestinationPortRange = "80"
152+ Protocol = "Ah"
153+ }
154+ )
155+ foreach ($rule in $rules) {
156+ $nsgRule = New-AzNetworkSecurityRuleConfig -Name $rule.Name `
157+ -Priority $rule.Priority `
158+ -Direction $rule.Direction `
159+ -Access $rule.Access `
160+ -SourceAddressPrefix $rule.SourceAddressPrefix `
161+ -SourcePortRange $rule.SourcePortRange `
162+ -DestinationAddressPrefix $rule.DestinationAddressPrefix `
163+ -DestinationPortRange $rule.DestinationPortRange `
164+ -Protocol $rule.Protocol
165+ # Get the details of the Network Security Group and Add rules to the group
166+ $nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroupName -Name $nsgName
167+ $nsg.SecurityRules.Add($nsgRule)
168+ Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
169+ }
170+ ```
171+
57172### Target VM Subnet
58173This is the subnet that contains the target virtual machine that you want to RDP/SSH to.
59174
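Review bot: The four data-plane rules at new lines 100–120 (`AllowBastionHostCommunication`, `AllowSshRdpOutbound`, `AllowBastionCommunication`, `AllowHttpOutbound`) set `Protocol = "Ah"`, which is the IPsec Authentication Header protocol; SSH/RDP on 22/3389 and HTTP on 80 are TCP, and the Bastion rules this script is meant to reproduce (the tables above the hunk, not visible here) to my reading use any protocol for those flows, so as written these rules permit none of that traffic and Bastion's NSG validation would fail rather than be over-permitted. Change each of those lines to `Protocol = "*"`, keeping `"TCP"` on the 443 rules as they already are. Separately, the loop body re-reads the NSG and calls `Set-AzNetworkSecurityGroup` for every rule, so an interrupted run leaves a partial rule set and nine sequential ARM writes are made; fetching the NSG once before `foreach` and writing once after it is the usual shape. A short comment above `$rules` noting that the target NSG must not already use priorities 100–150 in either direction would also help, since `SecurityRules.Add` itself does no priority check and the conflict presumably only surfaces on the `Set` call.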