我正在尝试读取 ARM 模式网络安全组中的现有规则,但奇怪的是 SourceAddressPrefix 属性(包含有关列入白名单的 IP 范围的信息的属性)报告为布尔值(如“True”或“False” ) 字符串形式。
我已经尝试使用Get-AzureRmNetworkSecurityGroup和读取该::SecurityRules属性来检索组,并且也尝试$nsg | Get-AzureRmNetworkSecurityRuleConfig过$nsg | Get-AzureRmNetworkSecurityRuleConfig -Name MyRule. 在每种情况下SourceAddressPrefix,返回的规则都是“真”或“假”。
如果没有该值,我无法判断是否已经为我正在检查的 IP 制定了规则。只要名称和优先级不同,系统就可以让我设置多个具有相同细节的规则,所以我现在正在创建重复项。
我认为这是某种安全“功能”?有没有办法检索门户中显示的实际 IP CIDR 范围?
编辑 - 由于这个来来去去,我发布了完整的代码
该代码获取分配给所有 NIC 的 IP 地址,$proxyResGrp并尝试将它们列入端口 80 和 443 的源资源组中的白名单。
proxyResGrp = "arr"
originResGrps = "int", "uat", "auth", "live"
elect-AzureRmSubscription -SubscriptionID $subscriptionId -ErrorAction SilentlyContinue -ErrorVariable err | Out-Null
f ( $err ) {
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionID $subscriptionId -ErrorAction Stop | Out-Null
get the source IPs for the arr
proxyIPs = Get-AzureRmNetworkInterface -ResourceGroupName $proxyResGrp | % {
$_.IpConfigurations | % {
if ( $_.PublicIpAddress.Id -like '*Microsoft.Network/publicIPAddresses*' )
{
$ipAddress = Get-AzureRmResource -ResourceId ($_.PublicIpAddress.Id)
$ip = Get-AzureRmPublicIpAddress -ResourceGroupName $ipAddress.ResourceGroupName -Name $ipAddress.Name
return @{ IPAddress = $ip.IpAddress; Name = $_.Name }
}
}
}
get NSG for each source resourceGroup and add the inbound rules
originResGrps | % {
$originResGrp = $_
Get-AzureRmNetworkSecurityGroup -ResourceGroupName $originResGrp | % {
# have to re-get the NSG for some reason
$nsg = $_
$nsg.SecurityRules | ? { $_.SourceAddressPrefix = $arrIP.IPAddress -and $_.DestinationPortRange -eq "80" }
$rules = $nsg.SecurityRules
$maxPriority = $rules | Sort Priority -Descending | select Priority -First 1 | % { $_.Priority }
$isChanged = $false
foreach ( $proxyIP in $proxyIPs )
{
# HTTP
# $rule = $rules | ? { $_.Name -eq "HTTP-$($arrIP.Name.ToUpper())" }
$rule = $rules | ? { $_.SourceAddressPrefix -eq $proxyIP.IPAddress -and $_.DestinationPortRange -eq "80" }
if ( ! $rule )
{
$maxPriority += 100
Write-Host "Creating a rule for HTTP-$($proxyIP.Name.ToUpper()) in nsg '$($nsg.Name)'" -ForegroundColor DarkGreen
# have to re-get the NSG for some reason
#Get-AzureRmNetworkSecurityGroup -ResourceGroupName $originResGrp -Name $nsg.Name |
$nsg |
Add-AzureRmNetworkSecurityRuleConfig `
-Name "HTTP-$($proxyIP.Name.ToUpper())" `
-Protocol Tcp `
-SourceAddressPrefix $proxyIP.IPAddress `
-SourcePortRange "*" `
-DestinationAddressPrefix "*" `
-DestinationPortRange "80" `
-Access Allow `
-Direction Inbound `
-Priority $maxPriority
# Set-AzureRmNetworkSecurityGroup |
# Out-Null
$isChanged = $true
}
else
{
Write-Host "Rule for HTTP-$($proxyIP.Name.ToUpper()) already exists in nsg '$($nsg.Name)'" -ForegroundColor DarkYellow
}
# HTTPS
# $rule = $rules | ? { $_.Name -eq "HTTPS-$($arrIP.Name.ToUpper())" }
$rule = $rules | ? { $_.SourceAddressPrefix -eq $proxyIP.IPAddress -and $_.DestinationPortRange -eq "443" }
if ( ! $rule )
{
$maxPriority += 100
Write-Host "Creating a rule for HTTPS-$($proxyIP.Name.ToUpper()) in nsg '$($nsg.Name)'" -ForegroundColor DarkGreen
# have to re-get the NSG for some reason
#Get-AzureRmNetworkSecurityGroup -ResourceGroupName $originResGrp -Name $nsg.Name |
$nsg |
Add-AzureRmNetworkSecurityRuleConfig `
-Name "HTTPS-$($proxyIP.Name.ToUpper())" `
-Protocol Tcp `
-SourceAddressPrefix $proxyIP.IPAddress `
-SourcePortRange "*" `
-DestinationAddressPrefix "*" `
-DestinationPortRange "443" `
-Access Allow `
-Direction Inbound `
-Priority $maxPriority
# Set-AzureRmNetworkSecurityGroup |
# Out-Null
$isChanged = $true
}
else
{
Write-Host "Rule for HTTPS-$($proxyIP.Name.ToUppeR()) already exists in nsg '$($proxyIP.Name)'" -ForegroundColor DarkYellow
}
}
if ( $isChanged )
{
Write-Host "Updating $($nsg.Name)" -ForegroundColor Green
$nsg | Set-AzureRmNetworkSecurityGroup
}
}