PR for merging PowerShell Script for Ingress and Egress Rules for AzureBastionSubnet NSG #127491
Open: wants to merge 1 commit into base: main
114 changes: 114 additions & 0 deletions articles/bastion/bastion-nsg.md
@@ -54,6 +54,120 @@ Azure Bastion is deployed specifically to ***AzureBastionSubnet***.

:::image type="content" source="./media/bastion-nsg/outbound.png" alt-text="Screenshot shows outbound security rules for Azure Bastion connectivity." lightbox="./media/bastion-nsg/outbound.png":::

### Powershell Script to create the above mentioned Ingress and Egress traffic rules ###
```
# Connect to Azure Account
Connect-AzAccount
# Get the Network Security Group details
$resourceGroupName = Read-Host ("Enter the name of the Resource Group")
$nsgName = Read-Host ("Enter the name of the Network Security Group")
# Ingress and Egress rules
$rules = @(
@{
Name = "AllowHttpsInbound"
Priority = 120
Direction = "Inbound"
Access = "Allow"
SourceAddressPrefix = "Internet"
SourcePortRange = "*"
DestinationAddressPrefix = "*"
DestinationPortRange = "443"
Protocol = "TCP"
},
@{
Name = "AllowGatewayManagerInbound"
Priority = 130
Direction = "Inbound"
Access = "Allow"
SourceAddressPrefix = "GatewayManager"
SourcePortRange = "*"
DestinationAddressPrefix = "*"
DestinationPortRange = "443"
Protocol = "TCP"
},
@{
Name = "AllowAzureLoadBalancerInbound"
Priority = 140
Direction = "Inbound"
Access = "Allow"
SourceAddressPrefix = "AzureLoadBalancer"
SourcePortRange = "*"
DestinationAddressPrefix = "*"
DestinationPortRange = "443"
Protocol = "TCP"
},
@{
Name = "AllowBastionHostCommunication"
Priority = 150
Direction = "Inbound"
Access = "Allow"
SourceAddressPrefix = "VirtualNetwork"
SourcePortRange = "*"
DestinationAddressPrefix = "VirtualNetwork"
DestinationPortRange = 8080,5701
Protocol = "Ah"
}
@{
Name = "AllowSshRdpOutbound"
Priority = 100
Direction = "Outbound"
Access = "Allow"
SourceAddressPrefix = "*"
SourcePortRange = "*"
DestinationAddressPrefix = "VirtualNetwork"
DestinationPortRange = 22,3389
Protocol = "Ah"
},
@{
Name = "AllowAzureCloudOutbound"
Priority = 110
Direction = "Outbound"
Access = "Allow"
SourceAddressPrefix = "*"
SourcePortRange = "*"
DestinationAddressPrefix = "AzureCloud"
DestinationPortRange = "443"
Protocol = "TCP"
},
@{
Name = "AllowBastionCommunication"
Priority = 120
Direction = "Outbound"
Access = "Allow"
SourceAddressPrefix = "VirtualNetwork"
SourcePortRange = "*"
DestinationAddressPrefix = "VirtualNetwork"
DestinationPortRange = 8080,5701
Protocol = "Ah"
},
@{
Name = "AllowHttpOutbound"
Priority = 130
Direction = "Outbound"
Access = "Allow"
SourceAddressPrefix = "*"
SourcePortRange = "*"
DestinationAddressPrefix = "Internet"
DestinationPortRange = "80"
Protocol = "Ah"
}
)
foreach ($rule in $rules) {
$nsgRule = New-AzNetworkSecurityRuleConfig -Name $rule.Name `
-Priority $rule.Priority `
-Direction $rule.Direction `
-Access $rule.Access `
-SourceAddressPrefix $rule.SourceAddressPrefix `
-SourcePortRange $rule.SourcePortRange `
-DestinationAddressPrefix $rule.DestinationAddressPrefix `
-DestinationPortRange $rule.DestinationPortRange `
-Protocol $rule.Protocol
# Get the details of the Network Security Group and Add rules to the group
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroupName -Name $nsgName
$nsg.SecurityRules.Add($nsgRule)
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg
}

### Target VM Subnet
This is the subnet that contains the target virtual machine that you want to RDP/SSH to.
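Review bot: Protocol = "Ah" on the AllowBastionHostCommunication, AllowSshRdpOutbound, AllowBastionCommunication and AllowHttpOutbound entries selects the IPsec Authentication Header protocol, so those four rules will never match the TCP traffic on 8080/5701, 22/3389 and 80 they are meant to allow; every other rule in the array uses "TCP", and SSH, RDP and HTTP are TCP, so these should be "Tcp" (or "*" where the intent is any protocol). A few smaller points in the same block: the comma is missing after the closing brace of the AllowBastionHostCommunication entry (the other entries end with "}," so this reads as a typo even though PowerShell accepts newline-separated elements inside @( )); the port values are typed inconsistently ("443" and "80" as strings, 8080,5701 and 22,3389 as integer arrays), so pick one form; and the loop calls Get-AzNetworkSecurityGroup and Set-AzNetworkSecurityGroup once per rule, which is eight fetches and eight NSG writes where one of each would do, so fetch the NSG once before the loop, add each rule inside it (Add-AzNetworkSecurityRuleConfig takes the same parameters as New-AzNetworkSecurityRuleConfig), and call Set-AzNetworkSecurityGroup once after the loop. The script also never checks whether a rule with the same name or priority already exists in that direction, so rerunning it against an NSG that already carries these rules fails at Set-AzNetworkSecurityGroup. Finally, the heading should read "PowerShell", drop the trailing "###" to match "### Target VM Subnet" below, and the code fence should be tagged as powershell so the snippet is syntax-highlighted.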
